What Happened
A software supply chain attack struck the Laravel-Lang PHP localization ecosystem on May 22–23, 2026. Attackers abused GitHub’s version tag mechanism — which allows tags to point to commits in repository forks — to inject malicious code into 233 package versions across 700 GitHub repositories. The affected packages include laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions.
The malicious code was never committed to the official repositories. Instead, attackers created version tags in attacker-controlled forks. Composer resolves version tags without validating which fork a commit originates from, so any project installing or updating one of the affected package versions during the exposure window received the malicious payload.
The injected payload is a 5,900-line PHP credential stealer organized into fifteen specialist collection modules. It targets AWS access keys and session tokens, GCP application credentials, Azure access tokens, DigitalOcean, Heroku, Vercel, Netlify, Railway, and Fly.io tokens, saved passwords from 17 Chromium-based browsers including Chrome, Edge, Brave, and Opera, and local developer configuration files. Results are AES-256 encrypted and sent to a remote server, then the stealer deletes itself from disk to limit forensic evidence. Packagist removed the malicious versions after disclosure.
Sources: BleepingComputer, The Hacker News
Why This Matters for Canadian Organizations
Laravel is one of the most widely used PHP frameworks in Canada, deployed across web agencies, SaaS startups, e-commerce operators, government digital services, and enterprise application teams. The laravel-lang packages provide localization support and are installed in a significant share of Canadian Laravel projects.
Any team that ran composer install or composer update between May 22 and May 23, 2026 — and pulled one of the affected package versions — received the credential stealer. The impact is cloud-first: AWS, GCP, and Azure credentials harvested from developer environments give attackers a direct path into production infrastructure, CI/CD pipelines, and hosted databases containing customer personal information.
Under PIPEDA, a breach of cloud credentials that results in unauthorized access to personal data held in AWS S3 buckets, cloud databases, or API endpoints triggers mandatory breach notification to the Office of the Privacy Commissioner and affected individuals. For Canadian organizations subject to OSFI B-13 (financial sector), this constitutes a third-party technology risk incident requiring timely reporting.
The attack vector — Composer tag resolution without fork validation — is not unique to Laravel-Lang. Other PHP ecosystems and other Composer-resolved packages share the same structural risk.
What to Do
Check your project’s composer.lock for any of the affected packages: laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. If a version installed between May 22 and May 23, 2026 is present, treat the environment as compromised.
Rotate all cloud credentials that were present in the environment at the time of the potential compromise: AWS access keys, GCP service account credentials, Azure service principals, and any other cloud access tokens. Revoke existing sessions and review cloud provider access logs for unauthorized API calls starting May 22, 2026.
Audit browser-saved passwords for developer accounts if the infected environment ran a Chromium-based browser. Check CI/CD pipelines and secrets managers for tokens that the affected environment had access to. Update the affected packages to their clean versions and verify the new package hashes against known-good checksums.
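The composer.lock check from the first step, as an added example that is not code from the article or from the Laravel-Lang project. It assumes the lock file's `time` field (the version's release date) is in UTC and falls inside the exposure window for a malicious tag; the article lists no affected version numbers, so a hit is a triage lead and a miss does not prove the environment clean.

```python
import json
import sys
from datetime import datetime, timezone

# Package names and exposure window as stated in the article.
AFFECTED = {"laravel-lang/lang", "laravel-lang/http-statuses",
            "laravel-lang/attributes", "laravel-lang/actions"}
WINDOW_START = datetime(2026, 5, 22, tzinfo=timezone.utc)  # assumption: UTC
WINDOW_END = datetime(2026, 5, 24, tzinfo=timezone.utc)    # exclusive upper bound

def parse_time(value):
    """Parse composer.lock's 'time' field; None if missing or malformed."""
    try:
        ts = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def find_affected(lock):
    """One finding per affected package locked in 'packages' or 'packages-dev'."""
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            name = str(pkg.get("name", "")).lower()
            if name not in AFFECTED:
                continue
            ts = parse_time(pkg.get("time"))
            findings.append({
                "name": name,
                "version": pkg.get("version"),
                "section": section,
                # Commit the lock pins; compare it with the official repository's tag.
                "reference": (pkg.get("source") or {}).get("reference"),
                # A missing or unparseable timestamp is treated as suspect, not clean.
                "suspect": ts is None or WINDOW_START <= ts < WINDOW_END,
            })
    return findings

# Constructed sample lock data (versions and references are placeholders).
SAMPLE_LOCK = {
    "packages": [
        {"name": "laravel-lang/lang", "version": "v0.0.2-sample", "time": "2026-05-22T18:04:11+00:00", "source": {"reference": "constructed-ref-1"}},
        {"name": "laravel-lang/attributes", "version": "v0.0.1-sample", "time": "2026-03-10T09:00:00+00:00", "source": {"reference": "constructed-ref-2"}},
        {"name": "laravel/framework", "version": "v0.0.0-sample", "time": "2026-05-22T12:00:00+00:00"}],
    "packages-dev": [{"name": "laravel-lang/actions", "version": "v0.0.3-sample"}]}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for finding in find_affected(lock):
        print(finding)
```

Pass the path to a project's composer.lock as the first argument to scan it instead of the constructed sample.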






