A recent supply chain attack has targeted the Laravel Lang localization packages, putting developers at risk of falling victim to a sophisticated credential-stealing malware campaign. This attack was orchestrated by abusing GitHub version tags to distribute malicious code through Composer packages.
On Friday, security firms StepSecurity, Aikido Security, and Socket issued warnings about the compromise, highlighting that attackers had manipulated GitHub tags across four repositories maintained by the Laravel Lang organization instead of creating entirely new malicious versions.
The impacted packages include laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and potentially laravel-lang/actions. It is important to note that these Laravel Lang packages are third-party localization packages and are not part of the official Laravel project.
According to reports from Aikido, the attackers compromised 233 versions across three repositories, while Socket estimated that around 700 historical versions may have been affected.
What sets this attack apart is that the attackers did not modify the actual source code of the project to include malicious code. Instead, they exploited a GitHub feature that allows tags to point to commits in forks of the same repository.
StepSecurity explained, “Rather than publishing a new malicious version, the attacker rewrote every existing git tag in each repository to point at a new malicious commit.” The same fake author identity and the same modified files appeared in every affected repository, from laravel-lang/lang to laravel-lang/actions.
This tactic enabled the attackers to create what seemed like legitimate release tags for the project, leading unsuspecting developers to download malicious commits stored in an attacker-controlled fork of the repository.
Upon further investigation, researchers discovered that the malicious releases introduced a file named ‘src/helpers.php’ that was automatically loaded by Composer.
The injected code served as a dropper, fetching a second payload from the attacker’s command and control server at flipboxstudio[.]info.
The downloaded PHP payload was revealed to be a multi-platform credential stealer for Linux, macOS, and Windows. It is capable of harvesting various sensitive data such as cloud credentials, Kubernetes secrets, Git credentials, browser data, cryptocurrency wallets, and more.

For Windows systems, the PHP payload also extracts a base64-encoded executable embedded within the file, which is written to the %TEMP% folder under a random .exe filename and then executed.
Analysis of the Windows infostealer, named ‘DebugElevator,’ indicates its focus on targeting Chrome, Brave, and Edge browsers to extract App-Bound Encryption keys for decrypting stored browser credentials.

Furthermore, an embedded PDB path references the Windows account name ‘Mero’ and includes ‘claude,’ hinting at possible AI involvement in developing the Windows malware.
After extracting sensitive data, the malware encrypts it and transmits it back to the attacker’s command and control server.
Following the incident report, Packagist promptly removed the malicious versions and temporarily delisted the affected packages to prevent further installations.
Developers using Laravel Lang packages are strongly urged to review installed package versions, rotate any exposed credentials, examine systems for signs of compromise, and, where logs allow, check for historical outbound connections to flipboxstudio[.]info.
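Two of the signals described above can be checked from a project's own composer.lock: a laravel-lang package whose recorded commit is not on the upstream repository's default branch (the rewritten tags pointed at fork commits), and a package that asks Composer to autoload a src/helpers.php file. The following audit script is an added example, not code from the article or from the Laravel Lang project; the lock fragment and the default-branch commit sets are constructed stand-ins for the real lock file and for `git rev-list` output from a fresh clone of each upstream repository.

```python
import json
from typing import Dict, List, Set

# Constructed composer.lock fragment (not the real lock file from the incident).
# "source.reference" is the commit Composer checked out for the version tag.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/lang", "version": "15.4.0",
     "source": {"type": "git", "url": "https://github.com/Laravel-Lang/lang.git",
                "reference": "1111111111111111111111111111111111111111"},
     "autoload": {"psr-4": {"LaravelLang\\Lang\\": "src/"}}},
    {"name": "laravel-lang/attributes", "version": "2.10.0",
     "source": {"type": "git", "url": "https://github.com/Laravel-Lang/attributes.git",
                "reference": "2222222222222222222222222222222222222222"},
     "autoload": {"psr-4": {"LaravelLang\\Attributes\\": "src/"},
                  "files": ["src/helpers.php"]}},
]})

# Constructed stand-in for `git rev-list <default-branch>` of each upstream
# repository. Commit 2222... is deliberately absent: a tag can resolve to it
# only because it lives in a fork, which is the trick the attackers used.
DEFAULT_BRANCH_COMMITS: Dict[str, Set[str]] = {
    "https://github.com/Laravel-Lang/lang.git":
        {"1111111111111111111111111111111111111111", "0000000000000000000000000000000000000000"},
    "https://github.com/Laravel-Lang/attributes.git":
        {"3333333333333333333333333333333333333333"},
}


def audit_lock(lock_json: str, branch_commits: Dict[str, Set[str]],
               vendor_prefix: str = "laravel-lang/") -> List[dict]:
    """Return one finding per suspicious package under vendor_prefix."""
    findings = []
    for pkg in json.loads(lock_json).get("packages", []):
        if not pkg["name"].startswith(vendor_prefix):
            continue
        reasons = []
        src = pkg.get("source", {})
        ref = src.get("reference", "")
        # Signal 1: the checked-out commit is not on the upstream default branch.
        if ref not in branch_commits.get(src.get("url", ""), set()):
            reasons.append("commit not reachable from upstream default branch")
        # Signal 2: "files" autoload entries run on every Composer bootstrap; the
        # malicious releases used one to load src/helpers.php.
        for path in pkg.get("autoload", {}).get("files", []):
            if path.endswith("helpers.php"):
                reasons.append(f"autoloaded file {path}")
        if reasons:
            findings.append({"name": pkg["name"], "version": pkg["version"],
                             "reference": ref, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_lock(SAMPLE_LOCK, DEFAULT_BRANCH_COMMITS):
        print(finding)
```

A match on either signal is a reason to compare the installed package against a fresh clone of the upstream repository, not proof of compromise on its own.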