502 Tags Rewritten in 90 Minutes
On May 22, 2026 at 22:32 UTC, an attacker with push access to the Laravel-Lang GitHub organization began rewriting every existing version tag across four widely used PHP localization packages: laravel-lang/lang (the flagship, with 502 tags), laravel-lang/attributes, laravel-lang/http-statuses, and laravel-lang/actions. By 00:00 UTC — 88 minutes later — every historical tag across all four packages pointed to malicious code.
The technique is devastatingly simple. Git tags are mutable references. Rewriting a tag does not change the version number — it changes what code that version number points to. Every developer or CI/CD pipeline that ran composer update or performed a fresh install after 22:32 UTC received the backdoored code under a version number they already trusted.
The Payload: Autoload Credential Theft
The malicious commits added src/helpers.php to the Composer autoload.files map. In PHP's Composer ecosystem, autoload files execute automatically when any application includes vendor/autoload.php — which every Laravel and Symfony application does on startup. The moment the application boots, the malware runs.
The payload exfiltrates cloud provider keys (AWS, GCP, Azure), infrastructure tokens, developer secrets, browser-stored passwords, and cryptocurrency wallets. It is designed to run silently — no errors, no warnings, no visible behavior change. The application functions normally while its environment is being harvested.
The PHP Supply Chain Enters the Chat
Until Laravel-Lang, the supply chain worm conversation was dominated by npm (Shai-Hulud, Miasma, IronWorm) and PyPI (Hades). Composer — PHP's package manager — was considered lower risk because its ecosystem is smaller and its packages are typically maintained by known organizations. Laravel-Lang was maintained by a known organization. The attacker had push access.
Git tag rewriting is not specific to Composer. The same technique works against any package manager that resolves versions via git tags — including Go modules. The Laravel-Lang attack is a proof of concept that applies to every language ecosystem that trusts git references. Version pinning, the standard defense against supply chain attacks, is defeated when the version itself is rewritten.
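As an added defender-side example (not from the article and not Laravel-Lang's own tooling), the Python below compares two composer.lock snapshots for the two traces the attack described above leaves in a lockfile: a package whose version string is unchanged while the commit reference Composer pinned under source.reference moved, and a package that gained an autoload.files entry. The lock fragments, version number and commit hashes are constructed placeholders; only the src/helpers.php path comes from the article.

```python
import json

# Constructed composer.lock fragments (placeholder hashes and version, not real
# Laravel-Lang data). The second snapshot keeps the same version string but
# points at a new commit and gains an autoload "files" entry, the two signals
# a rewritten tag and an injected src/helpers.php leave behind.
REF_OLD, REF_NEW = "a" * 40, "b" * 40
LOCK_BEFORE = json.dumps({"packages": [{
    "name": "laravel-lang/lang", "version": "1.0.0",
    "source": {"type": "git", "url": "https://github.com/Laravel-Lang/lang.git",
               "reference": REF_OLD},
    "autoload": {"psr-4": {"Example\\": "src/"}}}], "packages-dev": []})
LOCK_AFTER = json.dumps({"packages": [{
    "name": "laravel-lang/lang", "version": "1.0.0",
    "source": {"type": "git", "url": "https://github.com/Laravel-Lang/lang.git",
               "reference": REF_NEW},
    "autoload": {"psr-4": {"Example\\": "src/"},
                 "files": ["src/helpers.php"]}}], "packages-dev": []})

def _packages(lock_text):
    """Index every prod and dev package of a composer.lock by name."""
    lock = json.loads(lock_text)
    return {p["name"]: p for p in lock.get("packages", []) + lock.get("packages-dev", [])}

def _reference(pkg):
    """Commit hash the lockfile pinned (source first, dist as fallback)."""
    return (pkg.get("source") or pkg.get("dist") or {}).get("reference")

def diff_lock(before_text, after_text):
    """Return suspicious changes between two composer.lock snapshots:
    an unchanged version whose commit moved (what a rewritten tag looks
    like) and any newly added autoload.files entry (runs on every boot)."""
    before, after = _packages(before_text), _packages(after_text)
    findings = []
    for name, new in after.items():
        old = before.get(name)
        if old is None:
            continue  # brand-new dependency; review it separately
        if old.get("version") == new.get("version") and _reference(old) != _reference(new):
            findings.append({"package": name, "signal": "same version, new commit",
                             "old": _reference(old), "new": _reference(new)})
        added = set(new.get("autoload", {}).get("files", [])) - \
            set(old.get("autoload", {}).get("files", []))
        if added:
            findings.append({"package": name, "signal": "new autoload files",
                             "files": sorted(added)})
    return findings
```

Run it against the committed composer.lock and the one produced by composer update before merging the result; a "same version, new commit" finding on a package you did not intend to change deserves a look at the upstream tag before the build proceeds.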
Framework Exposure
Laravel is the most widely deployed PHP framework, powering millions of applications. The laravel-lang packages provide translation files for 120+ languages — they are a standard dependency for any internationalized Laravel application. The 5,561 backdoored repositories represent a fraction of the total Laravel ecosystem exposure.
WordPress sites — running on PHP but not using Composer — were not affected by this specific attack. But WordPress's plugin supply chain has its own trust problems: plugins installed from the WordPress.org directory have no provenance verification, no lockfile integrity, and no audit trail for ownership transfers. The attack vector is different. The architectural vulnerability — trusting third-party code with production access — is identical.