
Laravel-Lang Packages Poisoned with Malware


United States-based security researchers reported that four popular Laravel-Lang Composer packages were surreptitiously poisoned with malware after attackers manipulated Git tags to redirect users to malicious code, according to a SecurityWeek article published Monday. The affected PHP localization libraries are laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions, which are widely used by Laravel applications.

Investigators from StepSecurity, Socket, and Aikido Security said the attack began on May 22, when attackers rewrote version tags across hundreds of historical releases to point to attacker-controlled commits in a fork, without altering the official GitHub repositories. By 00:00 UTC on May 23, all four packages had been poisoned, meaning both new installations and routine updates could have pulled in the compromised versions.

United States security analysts said the malicious tags introduced a file named src/helpers.php that posed as a normal Laravel localization helper, but instead fingerprinted systems and contacted the command-and-control domain flipboxstudio[.]info to download and run a PHP-based credential stealer. Researchers reported that the malware targeted a wide range of secrets and configuration data on Windows, Linux, and macOS systems, including cloud keys for Amazon Web Services, Google Cloud Platform, and Microsoft Azure, as well as Docker and Kubernetes configurations, HashiCorp Vault tokens, SSH private keys, browser-stored credentials, password manager data, cryptocurrency wallets, communication tools, VPN configurations, CI/CD secrets, .env files, and other sensitive local application files.

Security experts advised organizations and individual users to block the affected packages, treat any systems that installed the compromised versions as potentially breached, and rotate exposed credentials and tokens across cloud infrastructure, development environments, and source-control platforms.

Prepared by Jonathan Pierce and reviewed by editorial team.

Timeline of Events

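  • May 22: Attackers begin rewriting Git tags
  • May 22: Malicious releases appear within 15 minutes
  • Before 00:00 UTC, May 23: All four Laravel-Lang packages are poisoned
  • Late May 2024: Researchers detect large-scale tag manipulation
  • Late May 2024: More than 700 historical versions are maliciously re-tagged
  • Late May 2024: Aikido confirms there were no commits to the official repositories
  • Late May 2024: Socket links the compromise to the release process
  • Monday: SecurityWeek publishes the coordinated research findings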

Why This Matters to You

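Your Laravel applications may be at risk. The poisoned packages can steal your sensitive data, from cloud keys to SSH private keys. If you have installed or updated these packages since May 22, your system may have been compromised. Check your Laravel applications immediately.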
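One way to run that check, as an added example that is not code from SecurityWeek or the researchers cited: the Python script below compares a composer.lock saved before May 22 with the current one and flags any of the four packages whose version string is unchanged but whose locked commit reference moved, which is how a rewritten tag appears on the consumer side. It also reports src/helpers.php in the vendor tree. The function names, sample locks and commit ids are constructed, and treating the presence of src/helpers.php as an indicator is an assumption based on the report's description.

```python
import json
from pathlib import Path

# The four packages named in the report.
AFFECTED = {"laravel-lang/lang", "laravel-lang/http-statuses",
            "laravel-lang/attributes", "laravel-lang/actions"}

def locked_refs(lock_text):
    """Map affected package name -> (version, commit reference) from composer.lock JSON."""
    lock = json.loads(lock_text)
    refs = {}
    for pkg in (lock.get("packages") or []) + (lock.get("packages-dev") or []):
        if pkg.get("name") in AFFECTED:
            src = pkg.get("source") or pkg.get("dist") or {}
            refs[pkg["name"]] = (pkg.get("version"), src.get("reference"))
    return refs

def audit(old_lock_text, new_lock_text, vendor_dir=None):
    """Return a sorted list of (package, finding) tuples for the affected packages."""
    old, new = locked_refs(old_lock_text), locked_refs(new_lock_text)
    findings = []
    for name, (version, ref) in new.items():
        if name in old and old[name][0] == version and old[name][1] != ref:
            # Same version string, different commit: the tag was moved.
            findings.append((name, f"tag {version} moved: {old[name][1]} -> {ref}"))
        elif name not in old or old[name][0] != version:
            # No baseline for this version, so the commit needs manual review.
            findings.append((name, f"resolved to {version} at {ref}: verify commit"))
        if vendor_dir and (Path(vendor_dir) / name / "src" / "helpers.php").is_file():
            # Assumption from the report: the malicious tags introduced this file.
            findings.append((name, "src/helpers.php present in vendor tree"))
    return sorted(findings)

# Constructed sample locks (commit ids are placeholders, not real indicators).
OLD_LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/lang", "version": "1.0.0", "source": {"reference": "aaaa111"}},
    {"name": "laravel-lang/actions", "version": "1.0.0", "source": {"reference": "bbbb222"}},
    {"name": "example/other", "version": "2.0.0", "source": {"reference": "cccc333"}},
]})
NEW_LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/lang", "version": "1.0.0", "source": {"reference": "dddd444"}},
    {"name": "laravel-lang/actions", "version": "1.0.0", "source": {"reference": "bbbb222"}},
    {"name": "example/other", "version": "2.0.0", "source": {"reference": "eeee555"}},
]})

if __name__ == "__main__":
    for name, finding in audit(OLD_LOCK, NEW_LOCK):
        print(f"{name}: {finding}")
```

The older lock can be taken from version control, for example with `git show <commit>:composer.lock`.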

The Bottom Line

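This malware attack is a wake-up call. It shows that attackers can exploit even widely used software packages. Always stay vigilant about updates and installations. If you have used these Laravel packages, change your credentials and block the affected packages. If you know someone who uses Laravel, it is worth forwarding.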

Who Benefited

Not specified in the source.

Who Impacted

Not specified in the source.
