โ ๏ธ Fake #Laravel packages on #Packagist deploy a cross-platform #RAT on Windows, macOS & Linux โ researchers at Socket flagged 3 malicious #PHP packages disguised as Laravel utilities #cybersecurity #supplychain #opensource #infosec
๐ฆ Malicious packages identified:
โข nhattuanbl/lara-helper (37 downloads)
โข nhattuanbl/simple-queue (29 downloads)
โข nhattuanbl/lara-swagger (49 downloads)
๐งต ๐
๐งฉ lara-swagger itself is clean but lists lara-helper as a #Composer dependency โ silently pulling in the RAT during installation
๐ The payload in helper.php uses heavy obfuscation: control flow manipulation, encoded domain names, randomized variable/function identifiers to bypass static analysis
๐ Once loaded, the RAT connects to C2 server helper.leuleu[.]net:2096, sends system reconnaissance data and awaits commands โ full remote access granted to the attacker
๐ป Supported RAT commands: ping (heartbeat every 60s), info (system recon), cmd, powershell, run (background shell), screenshot, download, upload, stop
๐ก๏ธ Shell execution probes disable_functions and picks first available method from: popen, proc_open, exec, shell_exec, system, passthru โ resilient against common #PHP hardening
๐ C2 connection retries every 15 seconds in a persistent loop โ even if C2 is currently offline, the RAT keeps trying
๐ญ Threat actor also published 3 clean packages (lara-media, snooze, syslog) to build credibility before deploying malicious ones โ classic supply chain deception
๐ Impact: Full remote shell access, arbitrary file read/write, harvesting of .env contents including database credentials & API keys โ RAT runs at app boot with same permissions as the web app
โ If you installed lara-helper or simple-queue: assume compromise, remove packages immediately, rotate ALL secrets, audit outbound traffic to C2 server
https://thehackernews.com/2026/03/fake-laravel-packages-on-packagist.html
michabbb