Researchers at Socket and Aikido Security have confirmed a live supply chain attack on the Laravel-Lang organisation, as reported by The Hacker News on 23 May. More than 700 historical versions across four widely-used Laravel-Lang packages (laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions) were re-tagged with a credential-stealing backdoor. The malicious code runs automatically the next time anyone installs or updates the package via Composer.
The blast radius is wider than it sounds. Laravel-Lang is a localisation library, so it is bundled into hundreds of Australian-built PHP apps: booking systems, donor portals, member sites, client dashboards, e-commerce back-ends. Once installed, the dropper pulls a 5,900-line PHP stealer that grabs AWS, Azure and Google Cloud keys, Kubernetes tokens, .env files, SSH keys, browser passwords and crypto wallets, then deletes itself. If you're a hospitality venue, NFP or wealth firm running anything on Laravel, the developer laptop that ran Composer and the production server it deploys to are both in scope: each holds credentials that reach the personal information covered by the Privacy Act's Notifiable Data Breaches scheme.
What to do today: ask whoever maintains your PHP applications to (1) check composer.lock for any laravel-lang/* packages, in both the packages and packages-dev sections, (2) hold off on composer install and composer update until the malicious tags have been pulled and the lock file is pinned to releases confirmed safe, (3) rotate every credential that the build server, or any developer machine that ran Composer in the last week, could reach, including cloud keys, deploy keys and .env secrets, and (4) block outbound traffic to flipboxstudio.info at the firewall and keep the firewall logs, since a connection attempt to that domain is the clearest sign the dropper ran. Because the stealer deletes itself, not finding it on disk is no evidence that a machine is clean. If you don't have a developer on call, ring your hosting provider and ask them to check.
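A script for step (1), added here as an example rather than anything from the advisory or from the Laravel-Lang project. It reads composer.lock (JSON with "packages" and "packages-dev" arrays) and lists every laravel-lang/* entry with the version and the commit reference Composer resolved when the lock was written. The embedded sample lock is constructed for the demonstration, and its version numbers and hashes are placeholders, not real affected or safe releases.

```python
"""List every laravel-lang/* package pinned in a composer.lock.

composer.lock entries carry the resolved version plus "source"/"dist" blocks
whose "reference" is the commit Composer resolved at lock time.
"""
import json
import sys

AFFECTED_PREFIX = "laravel-lang/"   # vendor namespace named in the advisory

# Constructed sample lock (not a real project's file), trimmed to the fields
# this check reads. Versions and hashes are placeholders.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.9.0",
         "source": {"type": "git", "reference": "1111111111111111111111111111111111111111"},
         "dist": {"type": "zip",
                  "url": "https://api.github.com/repos/laravel/framework/zipball/1111111111111111111111111111111111111111"}},
        {"name": "laravel-lang/lang", "version": "15.3.1",
         "source": {"type": "git", "reference": "2222222222222222222222222222222222222222"},
         "dist": {"type": "zip",
                  "url": "https://api.github.com/repos/Laravel-Lang/lang/zipball/2222222222222222222222222222222222222222"}},
    ],
    "packages-dev": [
        {"name": "laravel-lang/attributes", "version": "2.10.0",
         "source": {"type": "git", "reference": "3333333333333333333333333333333333333333"},
         "dist": {"type": "zip",
                  "url": "https://api.github.com/repos/Laravel-Lang/attributes/zipball/3333333333333333333333333333333333333333"}},
    ],
})


def find_laravel_lang(lock_text):
    """Return one record per laravel-lang/* entry, from both package sections."""
    lock = json.loads(lock_text)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if not name.lower().startswith(AFFECTED_PREFIX):
                continue
            hits.append({
                "name": name,
                "version": pkg.get("version", "?"),
                "section": section,
                # Commit Composer resolved when the lock was written. If the
                # upstream tag was re-pointed later, the reference now served
                # for this same version string will differ from this one.
                "reference": pkg.get("source", {}).get("reference")
                             or pkg.get("dist", {}).get("reference", ""),
                "dist_url": pkg.get("dist", {}).get("url", ""),
            })
    return hits


def report(lock_text):
    """Print a human-readable summary and return the hit list for further action."""
    hits = find_laravel_lang(lock_text)
    if not hits:
        print("no laravel-lang/* packages in this lock file")
        return hits
    print(f"{len(hits)} laravel-lang/* package(s) pinned; verify each against the advisory:")
    for h in hits:
        print(f"  {h['name']} {h['version']} ({h['section']}) "
              f"ref={h['reference'][:12]} dist={h['dist_url']}")
    return hits


if __name__ == "__main__":
    # Usage: python check_lock.py /path/to/composer.lock   (no argument runs the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report(fh.read())
    else:
        report(SAMPLE_LOCK)
```

The recorded reference is the useful part: a re-tagged release keeps its version string but points at a different commit, so comparing the lock's reference with the commit the tag currently resolves to upstream tells you whether the version your project pinned has been moved out from under it.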
If you’re not sure what’s actually running under the bonnet of your website or business apps, that’s the bigger issue worth fixing this week. Our cybersecurity team can audit your software supply chain — what’s installed, where it came from, and what would happen if any of it went rogue.
