Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Rewritten to Steal CI Secrets
On May 22, 2026, an attacker with push access to the Laravel-Lang GitHub organization rewrote git tags across multiple Composer packages to distribute malicious payloads that exfiltrate CI secrets. The attack affected laravel-lang/http-statuses, laravel-lang/actions, and laravel-lang/attributes, targeting developers who ran composer update or fresh installations.
- Disclosed: May 22, 2026
- Last updated: June 7, 2026
- Blast radius: Multiple popular Composer packages in the Laravel-Lang organization; any developer running composer update or a fresh install of an affected package
- Ecosystems: Composer (PHP)
- Attack vectors: Account takeover (push access to the Laravel-Lang GitHub organization); existing git tags rewritten to point at malicious commits
- Affected entities:
  - laravel-lang/http-statuses
  - laravel-lang/actions
  - laravel-lang/attributes
On May 22, 2026, an attacker who had compromised the Laravel-Lang GitHub organization used push access to rewrite git tags across multiple popular Composer packages within a 15-minute window. Because existing tags were moved rather than new releases published, the compromised packages (laravel-lang/http-statuses, laravel-lang/actions, and laravel-lang/attributes) served a malicious payload under version numbers that consumers already trusted. The payload was built to steal CI secrets.
The payload exfiltrated the stolen CI secrets to a typosquatted, attacker-controlled domain. Any developer running composer update, or installing an affected package without a committed composer.lock, pulled the compromised commit automatically: Composer resolves a version constraint to the commit the matching tag points at, and the tag now pointed at the attacker's commit. A project that ran composer install against a lockfile written before the rewrite fetched the commit hash recorded in that lockfile, not the moved tag.
StepSecurity confirmed end-to-end exploitation in an isolated runner environment and filed security issues across all affected repositories. The incident shows the risk concentrated in high-trust package maintainer accounts: one compromised credential with push access was enough to retarget every published version and reach thousands of downstream consumers without a single new release appearing.
Remediation
- Revoke and regenerate any CI secrets (API keys, tokens, credentials) that were readable by a job that installed or updated an affected package after the tags were rewritten; treat every secret the runner could access as exposed, not only those a workflow used explicitly
- Audit CI/CD workflow runs and logs for installs of the affected packages in the exposure window and for outbound connections to the typosquatted attacker domain named in the incident report
- Check committed composer.lock files: the lockfile pins each package to a commit hash, so composer install reproduces that commit while composer update, or an install without a lockfile, re-resolves the tag and pulls whatever it points at now. Compare each pinned reference against the commit the tag currently resolves to
- Update to patched versions of laravel-lang/http-statuses, laravel-lang/actions, and laravel-lang/attributes once released
- For the Laravel-Lang organization: enforce two-factor authentication, review who holds push access, and use GitHub tag protection or repository rulesets so existing tags cannot be moved or deleted
- Review git history and tags across all Laravel-Lang repositories for other unauthorized changes; a moved tag does not show up in a branch log and is only visible by comparing the commit a tag points at now with the commit it pointed at before
- Sign commits and tags and verify the signatures in CI; a signature nobody verifies detects nothing, while an attacker who holds the maintainer's account but not the signing key produces tags that fail verification
- Monitor for any connections to the typosquatted attacker domain mentioned in the incident report
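The lockfile and tag-review steps above can be scripted from the consuming project's side. The following is an added example written for this entry; it is not tooling from Laravel-Lang, StepSecurity, or Composer. It compares the commit hash composer.lock pins for each package in an organization against the commit the package's tag currently points at, using the output of git ls-remote --tags. The lockfile fragment, repository URLs and all commit hashes below are constructed placeholders, not the real Laravel-Lang commits. Annotated tags are handled: ls-remote lists them once as the tag object and once peeled (refs/tags/X^{}) to the commit, and the lockfile records the commit, so the peeled line is the one that counts.

```python
"""Flag Composer packages whose git tag no longer points at the commit pinned in composer.lock."""
import json
from typing import Dict, List, Optional

# Placeholder 40-hex "commit hashes" (constructed, not real Laravel-Lang commits).
ACTIONS_TAG_OBJECT = "1" * 40   # annotated tag object for v1.5.0
ACTIONS_COMMIT = "a" * 40       # commit v1.5.0 pointed at when the lockfile was written
ATTRIBUTES_OLD = "b" * 40       # commit pinned in the lockfile for v2.0.0
ATTRIBUTES_NEW = "2" * 40       # commit the rewritten v2.0.0 tag points at now
HTTP_STATUSES_OLD = "c" * 40    # pinned commit for v3.1.0, which no longer exists upstream
HTTP_STATUSES_V300 = "3" * 40

# Constructed repository URLs matching the lockfile's source.url fields.
ACTIONS_URL = "https://github.com/Laravel-Lang/actions.git"
ATTRIBUTES_URL = "https://github.com/Laravel-Lang/attributes.git"
HTTP_STATUSES_URL = "https://github.com/Laravel-Lang/http-statuses.git"


def _pkg(name: str, version: str, url: str, ref: str) -> dict:
    """Build a minimal composer.lock package entry (only the fields this check reads)."""
    return {"name": name, "version": version,
            "source": {"type": "git", "url": url, "reference": ref}}


# Constructed composer.lock fragment.
SAMPLE_LOCK = json.dumps({
    "packages": [
        _pkg("laravel-lang/actions", "v1.5.0", ACTIONS_URL, ACTIONS_COMMIT),
        _pkg("laravel-lang/attributes", "v2.0.0", ATTRIBUTES_URL, ATTRIBUTES_OLD),
        _pkg("laravel-lang/http-statuses", "v3.1.0", HTTP_STATUSES_URL, HTTP_STATUSES_OLD),
        _pkg("symfony/console", "v7.0.0", "https://github.com/symfony/console.git", "d" * 40),
    ],
    "packages-dev": [],
})

# Constructed `git ls-remote --tags <url>` output per remote; in real use, replace with
# subprocess.run(["git", "ls-remote", "--tags", url], capture_output=True, text=True).stdout
SAMPLE_REMOTES: Dict[str, str] = {
    # annotated tag: tag-object line, then the peeled ^{} line carrying the commit
    ACTIONS_URL: f"{ACTIONS_TAG_OBJECT}\trefs/tags/v1.5.0\n{ACTIONS_COMMIT}\trefs/tags/v1.5.0^{{}}\n",
    # lightweight tag rewritten to a different commit
    ATTRIBUTES_URL: f"{ATTRIBUTES_NEW}\trefs/tags/v2.0.0\n",
    # v3.1.0 deleted upstream; only an older tag remains
    HTTP_STATUSES_URL: f"{HTTP_STATUSES_V300}\trefs/tags/v3.0.0\n",
}


def parse_ls_remote(output: str) -> Dict[str, str]:
    """Map tag name -> commit hash, letting peeled (^{}) entries override tag objects."""
    tags: Dict[str, str] = {}
    peeled: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or "\t" not in line:
            continue
        sha, ref = line.split("\t", 1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha
        else:
            tags[name] = sha
    tags.update(peeled)
    return tags


def find_moved_tags(lock_json: str, remotes: Dict[str, str], org_prefix: str) -> List[dict]:
    """Compare each pinned reference for packages under org_prefix with the live tag.

    status: ok (tag still points at the pinned commit), moved (tag points elsewhere),
    missing (tag no longer advertised), unpinned (no git source recorded in the lock).
    """
    lock = json.loads(lock_json)
    findings: List[dict] = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if not pkg["name"].startswith(org_prefix):
            continue
        src = pkg.get("source") or {}
        pinned: Optional[str] = src.get("reference")
        url: Optional[str] = src.get("url")
        version = pkg["version"]
        current: Optional[str] = None
        if not pinned or not url:
            status = "unpinned"
        else:
            tags = parse_ls_remote(remotes.get(url, ""))
            # composer.lock keeps the tag's own name; tolerate a missing/extra "v" prefix
            candidates = [version, version[1:] if version.startswith("v") else "v" + version]
            current = next((tags[c] for c in candidates if c in tags), None)
            status = "missing" if current is None else ("ok" if current == pinned else "moved")
        findings.append({"name": pkg["name"], "version": version,
                         "pinned": pinned, "current": current, "status": status})
    return findings


if __name__ == "__main__":
    for f in find_moved_tags(SAMPLE_LOCK, SAMPLE_REMOTES, "laravel-lang/"):
        cur = (f["current"] or "-")[:12]
        print(f"{f['status']:8} {f['name']} {f['version']} pinned={(f['pinned'] or '-')[:12]} current={cur}")
```

A "moved" result is evidence, not a verdict: the next step is to diff the pinned commit against the commit the tag now points at and read what changed. "missing" is equally worth attention, since deleting a tag is one way an attacker cleans up after moving it. Packages recorded with a dist archive but no git source come back as "unpinned" and need a different check.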
Cite this entry
"Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Rewritten to Steal CI Secrets." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed May 22, 2026; last updated June 7, 2026. https://supplychainattack.org/incident/laravel-lang-supply-chain-attack-every-tag-across-multiple-composer-packages-rew-h0akan
Related incidents
Six Accounts, One Actor: Inside the prt-scan Supply Chain Campaign
A coordinated supply chain campaign dubbed "prt-scan" involved a single attacker controlling six GitHub accounts to exploit the pull_request_target GitHub Actions trigger. The campaign represents a follow-up to the earlier hackerbot-claw campaign, targeting CI/CD workflows with AI-powered attack methods.
- Tags: prt-scan; Other; Malicious commit; Account takeover. Status: contained; severity: critical
xygeni-action Compromised: C2 Reverse Shell Backdoor Injected via Tag Poisoning
The official Xygeni GitHub Action (xygeni-action) was compromised on March 3, 2026, via stolen maintainer credentials. An attacker injected a C2 reverse shell backdoor and moved the mutable v5 tag to the malicious commit, silently affecting all workflows referencing @v5. The v5 tag remained poisoned as of March 9, 2026.
- Tags: Other; Account takeover; Malicious commit. Status: contained; severity: critical
Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled After Supply Chain Attack Targeting AI Coding Agents
On June 5, 2026, the Miasma worm campaign compromised Microsoft's Azure GitHub organizations by pushing a malicious commit to the Azure/durabletask repository using a compromised contributor account. GitHub disabled 73 repositories across four Microsoft organizations after configuration files were planted to harvest credentials when developers opened repositories in AI coding agents like Claude Code, Gemini CLI, Cursor, or VS Code.
- Tags: Miasma; AI agents & skills; Malicious commit; Account takeover. Status: active; severity: high
Axios NPM Distribution Compromised in Supply Chain Attack
A compromised axios maintainer account led to malicious npm releases affecting projects with active dependencies on the package. The incident involved unauthorized releases propagated through the npm distribution network.
- Tags: UNC1069; npm; Account takeover; Malicious commit