Vulnerability DatabaseMSC-2026-5762
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
MSC-2026-5762
Published:June 01, 2026
Updated:June 01, 2026
On May 22, 2026, attackers carried out a supply chain attack against three popular Laravel-Lang Composer packages (laravel-lang/lang, laravel-lang/attributes, and laravel-lang/http-statuses) by abusing GitHub's tag system to point 233 version tags at commits in malicious forks rather than the legitimate repos. The injected src/helpers.php dropper auto-loaded via Composer, fingerprinted the host, and pulled down a ~5,900-line PHP credential stealer that harvested cloud credentials (AWS/GCP/Azure), SSH keys, browser passwords, crypto wallets, VPN configs, and chat tokens before encrypting, exfiltrating, and self-destructing. Packagist removed the malicious versions and temporarily delisted the
Related Resources (4)
https://www.aikido.dev/blog/supply-chain-attack-targets-laravel-lang-packages-with-credential-stealer
https://github.com/Laravel-Lang/attributes/blob/d59561727927117e65b35f0183cae131baad19fe/src/helpers.php
https://github.com/Laravel-Lang/lang/commit/a5ea2e8fa92ccf29cdb1d2dadbeb27722b2bff37
https://github.com/Laravel-Lang/common/issues/257
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH