Executive Summary
Laravel-Lang packages were compromised through rewritten Git tags, causing Composer installs that trusted historical version tags to resolve to malicious commits. StepSecurity confirmed four affected repositories and specific tag rewrite windows beginning on 2026-05-22, while Socket reported broader Laravel-Lang impact across roughly 700+ historical package versions StepSecurity opens in a new tab Socket opens in a new tab.
The malicious commits added src/helpers.php and registered it through Composer autoload.files, so execution occurred when a PHP application loaded vendor/autoload.php. Hosts or CI runners that installed affected tags during the exposure window should be treated as potentially compromised because the payload fetched second-stage code, dropped temporary loaders under /tmp, and targeted local secrets and CI/cloud credentials StepSecurity opens in a new tab Socket opens in a new tab.
Maintainers closed the four public incident issues as fixed on 2026-05-23, and Packagist currently exposes post-incident releases for the affected packages. That restoration does not retroactively make cached malicious artifacts or lockfiles safe; defenders must compare locked source SHAs and rebuild dependency caches GitHub incident issue opens in a new tab Packagist metadata opens in a new tab.