incident
Laravel-Lang PHP Supply Chain Attack Delivers Credential Stealer via 233 Malicious Packagist VersionsLaravel-Lang Supply Chain Attack
Four Laravel-Lang PHP localization packages were compromised in a supply chain attack, publishing 233 malicious versions on Packagist. The attacker exploited GitHub's tag system to point to a malicious fork, delivering a custom credential stealer targeting cloud keys, CI/CD tokens, and browser passwords. The attack window was May 22-23, 2026, and affected systems should be considered fully compromised.