Security researchers have found malicious packages posing as Laravel developer tools on Packagist, the default package repository for PHP's Composer dependency manager. The packages present themselves as useful development utilities but install malware on the developer's machine. Because Composer resolves dependencies from Packagist by default and Packagist is used across the PHP ecosystem, a single poisoned package can reach many projects. The malware runs on Windows, macOS, and Linux, making it a cross-platform threat.

Researchers at Socket identified the malicious packages during their investigation. The attackers designed them to look like ordinary Laravel utilities so developers would install them without suspicion. Once installed, the packages quietly deploy a Remote Access Trojan (RAT) on the system, giving the attacker remote control of the infected machine.

Researchers tied three packages to the campaign: nhattuanbl/lara-helper, nhattuanbl/simple-queue, and nhattuanbl/lara-swagger. The first two contain the malicious code directly. The third carries no malware of its own but declares lara-helper as a dependency, so Composer installs the RAT alongside it. A developer who only asked for lara-swagger can therefore end up with the malicious package without ever naming it in composer.json.
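Because the third package pulls the RAT in transitively, checking composer.json alone is not enough; the lock file records every package Composer actually resolved. The script below, added here as an example and not part of Socket's report or tooling, indexes a composer.lock, flags the three package names, and walks the reverse-dependency graph so you can see which top-level dependency introduced each one. The embedded lock excerpt is constructed for the example, and "acme/api-docs" is a made-up package standing in for any legitimate-looking dependency that happens to require lara-swagger.

```python
import json
import sys

# Packages that Socket's report ties to the campaign: the two carrying the RAT
# and the one that pulls lara-helper in as a dependency.
BLOCKLIST = {
    "nhattuanbl/lara-helper",
    "nhattuanbl/simple-queue",
    "nhattuanbl/lara-swagger",
}

# Constructed composer.lock excerpt for the example. "acme/api-docs" is a made-up
# package standing in for any dependency that requires lara-swagger; it is not a
# real Packagist package.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0",
         "require": {"php": "^8.2"}},
        {"name": "acme/api-docs", "version": "1.2.0",
         "require": {"nhattuanbl/lara-swagger": "^1.0"}},
        {"name": "nhattuanbl/lara-swagger", "version": "1.0.3",
         "require": {"nhattuanbl/lara-helper": "*"}},
        {"name": "nhattuanbl/lara-helper", "version": "1.0.1", "require": {}},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "11.0.0", "require": {}},
    ],
})


def load_packages(lock_text):
    """Index every locked package (prod and dev) by name."""
    lock = json.loads(lock_text)
    pkgs = {}
    for section in ("packages", "packages-dev"):
        for p in lock.get(section, []):
            pkgs[p["name"]] = p
    return pkgs


def build_reverse_deps(pkgs):
    """Map each package to the set of locked packages that require it."""
    rev = {name: set() for name in pkgs}
    for name, p in pkgs.items():
        for dep in p.get("require", {}):
            if dep in pkgs:          # skip platform requirements such as "php"
                rev[dep].add(name)
    return rev


def find_blocklisted(lock_text, blocklist=BLOCKLIST):
    """Return {flagged_package: [flagged, requirer, requirer's requirer, ...]}.

    The chain walks up the reverse-dependency graph so the output shows which
    top-level dependency introduced the package, even when composer.json never
    names it.
    """
    pkgs = load_packages(lock_text)
    rev = build_reverse_deps(pkgs)
    findings = {}
    for name in pkgs:
        if name not in blocklist:
            continue
        chain, seen, cur = [name], {name}, name
        while rev[cur]:
            parent = sorted(rev[cur])[0]   # one requirer, chosen deterministically
            if parent in seen:             # guard against dependency cycles
                break
            chain.append(parent)
            seen.add(parent)
            cur = parent
        findings[name] = chain
    return findings


if __name__ == "__main__":
    # Usage: python check_lock.py [path/to/composer.lock]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    hits = find_blocklisted(text)
    for pkg, chain in hits.items():
        via = " <- ".join(chain[1:]) or "composer.json"
        print(f"FLAGGED {pkg}: pulled in via {via}")
    sys.exit(1 if hits else 0)
```

Run against the sample, the script reports lara-helper as reachable through lara-swagger and then acme/api-docs, which is exactly the path a developer would not see from composer.json. In a real project, `composer why nhattuanbl/lara-helper` answers the same question from the command line; the script is useful when you want to fail a CI job on a list of names across many repositories.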

The malicious code lives in a file named helper.php in the package's source directory. The attackers layered several obfuscation techniques over it: encoded command strings, convoluted control flow, and randomly generated variable names. Together these make the code's purpose hard to recognise in an ordinary code review and harder to match with simple string signatures.

After installation, the malware attempts to connect to an attacker-controlled command-and-control (C2) server using PHP's built-in network functions. Once the connection is established, the infected system sends basic information about itself and then waits for instructions from the attacker.

The RAT supports several commands on the compromised system: running shell commands, collecting system information, and keeping the channel alive with periodic heartbeat signals. It can also run PowerShell commands on Windows hosts, execute tasks in the background, and capture screenshots. Taken together, these capabilities give the attacker ongoing monitoring and control of the victim's machine.

The malware can also exfiltrate files from the infected computer and drop new files onto it, so attackers can steal sensitive data or stage additional tooling. To keep command execution working even where some functions are disabled (for example through PHP's disable_functions setting), the malware tries several PHP execution functions in turn: exec, system, popen, and passthru. This fallback makes the attack more reliable across different server environments.
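The traits described above, an eval over a decoded string, generated identifier names, and a chain of exec/system/popen/passthru attempts guarded by function_exists, are cheap to look for even when the payload itself is obfuscated. The scanner below is an added example written for this page, not Socket's detection logic, and the PHP it scans is a constructed sample that imitates those traits; it is not the real helper.php. The heuristics and their thresholds are the author's own choices.

```python
import os
import re
import sys

# Execution primitives the report says the RAT tries in turn, plus two more
# that a fallback chain commonly includes.
EXEC_FUNCS = ("exec", "system", "popen", "passthru", "shell_exec", "proc_open")
# Decoders typically wrapped around an eval()'d payload.
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13", "hex2bin")

# Constructed sample imitating the described traits; not the actual malware.
SUSPICIOUS_PHP = r'''<?php
function _a9f3c1($x) { return base64_decode(strrev($x)); }
$_k8Q2vT = _a9f3c1("==QZ...");
eval(gzinflate(base64_decode($_k8Q2vT)));
function _r($c) {
    if (function_exists('exec')) { exec($c, $o); return implode("\n", $o); }
    if (function_exists('system')) { ob_start(); system($c); return ob_get_clean(); }
    if (function_exists('popen')) { $h = popen($c, 'r'); $o = stream_get_contents($h); pclose($h); return $o; }
    if (function_exists('passthru')) { ob_start(); passthru($c); return ob_get_clean(); }
}
'''

# Constructed benign sample: ordinary application code with no such traits.
BENIGN_PHP = r'''<?php
namespace App\Support;
function slugify(string $title): string {
    $slug = strtolower(trim($title));
    return preg_replace('/[^a-z0-9]+/', '-', $slug);
}
'''

VAR_RE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
FUNC_DEF_RE = re.compile(r'\bfunction\s+([A-Za-z_][A-Za-z0-9_]*)')


def looks_random(name):
    """Crude test for generated identifiers: digits sandwiched between letters
    in a name of five or more characters (e.g. _k8Q2vT). Names with a trailing
    number such as sha256 or var2 are deliberately not flagged."""
    body = name.lstrip("_")
    return len(body) >= 5 and re.search(r"[A-Za-z]\d+[A-Za-z]", body) is not None


def scan_php(source):
    """Return a list of indicator strings found in one PHP source file."""
    indicators = []

    # Several different execution primitives in one file suggests a fallback chain.
    exec_hits = [f for f in EXEC_FUNCS if re.search(rf"\b{f}\s*\(", source)]
    if len(exec_hits) >= 3:
        indicators.append("exec-fallback-chain:" + ",".join(exec_hits))

    # Probing whether exec-type functions are disabled before calling them.
    probe = r"\bfunction_exists\s*\(\s*['\"](?:" + "|".join(EXEC_FUNCS) + r")['\"]"
    if re.search(probe, source):
        indicators.append("probes-disabled-exec-functions")

    # eval() combined with a decoder is the classic encoded-payload pattern.
    if re.search(r"\beval\s*\(", source) and any(
        re.search(rf"\b{d}\s*\(", source) for d in DECODERS
    ):
        indicators.append("eval-of-decoded-payload")

    names = set(VAR_RE.findall(source)) | set(FUNC_DEF_RE.findall(source))
    random_names = sorted(n for n in names if looks_random(n))
    if random_names:
        indicators.append("generated-identifiers:" + ",".join(random_names))

    return indicators


def scan_tree(root):
    """Scan every .php file under root; yield (path, indicators) for hits."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".php"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_php(fh.read())
                if found:
                    yield path, found


if __name__ == "__main__":
    # Usage: python scan_vendor.py vendor/   (no argument: scan the two samples)
    if len(sys.argv) > 1:
        for path, found in scan_tree(sys.argv[1]):
            print(path, "->", "; ".join(found))
    else:
        for label, src in (("suspicious", SUSPICIOUS_PHP), ("benign", BENIGN_PHP)):
            print(label, "->", scan_php(src) or "no indicators")
```

Treat the output as a triage list rather than a verdict: legitimate process-wrapper libraries can reference more than one execution function, and a single indicator on its own is weak. The combination that matters here is all three at once, a decoded eval, a function_exists-guarded exec chain, and machine-looking names, in a package that has no business running shell commands.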

Researchers also noticed that the same account had published other packages that appear clean: nhattuanbl/lara-media, nhattuanbl/snooze, and nhattuanbl/syslog. Socket's analysts suspect these were published to build a track record before the malicious ones were released. Any project that resolved one of the three malicious packages should remove it, treat the machine that ran the install as compromised, and rotate credentials that were reachable from it. The incident underlines the growing risk of software supply chain attacks against open-source package registries.

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news