Laravel-Lang Packages Poisoned for Malware Delivery
Published within a 15-minute window, the malicious tags introduced backdoors to exfiltrate CI secrets.
Four popular Composer packages maintained by the Laravel-Lang organization were poisoned with malware after hackers rewrote all their Git tags, security researchers warn.
The affected packages, namely laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions, are third-party localization libraries used by Laravel applications.
The Laravel-Lang supply chain attack started on May 22. During a 15-minute window, the attackers published malicious version tags across three of the packages, StepSecurity says. By 00:00 UTC, May 23, all four packages had been poisoned.
Source: https://www.securityweek.com/laravel-lang-packages-poisoned-for-malware-delivery/
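A lock file check for the tag rewriting described above, as an added example that is not from the article or the Laravel-Lang project: it compares an earlier `composer.lock` with the current one and flags any of the four named packages whose version string now resolves to a different commit. The lock contents, version numbers and commit hashes are constructed samples, and the function names are hypothetical.

```python
import json

# The four packages named in the article.
AFFECTED = {"laravel-lang/lang", "laravel-lang/http-statuses",
            "laravel-lang/attributes", "laravel-lang/actions"}

def locked_refs(lock_text):
    """Map affected package name -> (version, commit) from composer.lock text."""
    refs = {}
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            name = pkg.get("name", "").lower()
            if name in AFFECTED:
                commit = (pkg.get("source") or {}).get("reference")
                refs[name] = (pkg.get("version"), commit)
    return refs

def find_retagged(baseline_text, current_text):
    """Compare two lock files and report changes to the affected packages."""
    old, new = locked_refs(baseline_text), locked_refs(current_text)
    findings = []
    for name, (version, commit) in sorted(new.items()):
        if name not in old:
            findings.append((name, version, "new-dependency"))
        elif old[name][0] != version:
            findings.append((name, version, "version-changed"))
        elif old[name][1] != commit:
            # Same version string, different commit: the tag was moved.
            findings.append((name, version, "retagged"))
    return findings

def _lock(entries):
    """Build a minimal composer.lock document (constructed sample data)."""
    pkgs = [{"name": n, "version": v, "source": {"type": "git", "reference": c}}
            for n, v, c in entries]
    return json.dumps({"packages": pkgs, "packages-dev": []})

# Constructed samples: versions and 40-character hashes are placeholders.
BASELINE = _lock([("laravel-lang/lang", "1.0.0", "a" * 40),
                  ("laravel-lang/http-statuses", "1.0.0", "b" * 40),
                  ("laravel-lang/attributes", "1.0.0", "c" * 40)])
CURRENT = _lock([("laravel-lang/lang", "1.0.0", "d" * 40),
                 ("laravel-lang/http-statuses", "1.0.0", "b" * 40),
                 ("laravel-lang/attributes", "2.0.0", "e" * 40),
                 ("laravel-lang/actions", "1.0.0", "f" * 40)])

if __name__ == "__main__":
    for name, version, status in find_retagged(BASELINE, CURRENT):
        print(f"{status:16} {name} {version}")
```

A `retagged` result means the tag moved after the baseline lock file was written; `version-changed` and `new-dependency` entries still need their commits reviewed by hand.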
