Four popular Composer packages maintained by the Laravel-Lang organization were poisoned with malware after hackers rewrote all their Git tags, security researchers warn.
The affected packages, namely laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions, are third-party localization libraries used by Laravel applications.
The Laravel-Lang supply chain attack started on May 22. During a 15-minute window, the attackers published malicious version tags across three of the packages, StepSecurity says. By 00:00 UTC, May 23, all four packages had been poisoned.
“The timing and pattern of the newly published tags point to a broader compromise of the Laravel Lang organization’s release process, rather than a single malicious package version,” Socket notes.
According to the supply chain security firm, the malicious tags were published across over 700 historical versions of the four packages, potentially impacting all applications that fetched updates for them or installed them fresh.
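The practical consequence of rewriting existing tags is that a version string you already had pinned can silently start resolving to a different commit. The following script is an added example, not code from the report, from Socket, StepSecurity or the Laravel-Lang project: it snapshots the `source.reference` commit recorded in a trusted `composer.lock` for the four packages named above, then flags any entry in a later lock file where the same version now points at a different commit, or where a version appears that the baseline never saw. The lock contents, version numbers and commit hashes are constructed placeholders; the function names `snapshot` and `audit_lock` are my own.

```python
"""Audit composer.lock entries for the Laravel-Lang packages named in the report.

Constructed example, not code from the report or from the Laravel-Lang project.
Assumption: a tag rewrite shows up as the same package version resolving to a
different source commit, so each installed version's reference is compared
against a baseline captured from a known-good lock file.
"""
import json

# Package names taken from the report above.
AFFECTED = frozenset({
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
})


def snapshot(lock_json: str, names=AFFECTED) -> dict:
    """Record {package: {version: reference}} for the named packages.

    Run this against a lock file you trust (one installed before the
    tag rewrite) to build the baseline that audit_lock() compares against."""
    lock = json.loads(lock_json)
    out = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") in names:
                ref = (pkg.get("source") or {}).get("reference")
                out.setdefault(pkg["name"], {})[pkg.get("version")] = ref
    return out


def audit_lock(lock_json: str, baseline: dict, names=AFFECTED) -> list:
    """Return (package, version, reason) for every named package whose version
    now points at a different commit than the baseline, or whose version has
    no baseline entry at all (consistent with a newly published tag)."""
    findings = []
    for name, versions in snapshot(lock_json, names).items():
        for version, ref in versions.items():
            known = baseline.get(name, {}).get(version)
            if known is None:
                findings.append((name, version, "version absent from baseline"))
            elif ref != known:
                findings.append((name, version, f"reference changed {known} -> {ref}"))
    return findings


# Constructed lock files; versions and commit references are placeholders.
GOOD_LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/lang", "version": "15.1.0",
     "source": {"type": "git", "reference": "1" * 40}},
    {"name": "laravel-lang/attributes", "version": "2.10.0",
     "source": {"type": "git", "reference": "2" * 40}},
    {"name": "symfony/console", "version": "7.0.0",
     "source": {"type": "git", "reference": "3" * 40}},
], "packages-dev": []})

CURRENT_LOCK = json.dumps({"packages": [
    # same version string, but the tag now resolves to a different commit
    {"name": "laravel-lang/lang", "version": "15.1.0",
     "source": {"type": "git", "reference": "f" * 40}},
    # unchanged entry
    {"name": "laravel-lang/attributes", "version": "2.10.0",
     "source": {"type": "git", "reference": "2" * 40}},
    # a version the baseline never saw
    {"name": "laravel-lang/actions", "version": "1.8.0",
     "source": {"type": "git", "reference": "4" * 40}},
    # unrelated package, ignored by the audit
    {"name": "symfony/console", "version": "7.0.0",
     "source": {"type": "git", "reference": "3" * 40}},
], "packages-dev": []})

BASELINE = snapshot(GOOD_LOCK)


if __name__ == "__main__":
    for name, version, reason in audit_lock(CURRENT_LOCK, BASELINE):
        print(f"{name} {version}: {reason}")
```

The check relies on `composer.lock` recording the resolved git commit under `source.reference` even when the package was installed from a dist archive, which is why a rewritten tag is visible as a changed hash for an unchanged version string. The baseline should come from a lock file committed before May 22, not from whatever is currently installed, since a fresh install after the rewrite would simply record the malicious commits as normal.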