Technical Analysis: The Laravel-Lang 'Ghost Tag' Supply Chain Attack
May 25, 2026 | Application Security | 2 Min. Lesedauer
On May 22, 2026, the Laravel-Lang GitHub organization was targeted in a sophisticated supply chain attack. Unlike typical attacks that involve malicious pull requests or direct commits to a primary branch, this incident utilized "Ghost Injection" via GitHub tag manipulation to distribute a credential-stealing framework. This incident is part of the broader "Mini Shai-Hulud" campaign identified by Wiz Research.
Affected Packages
The attack compromised the release process for several major repositories. Attackers manipulated 233 version tags, effectively poisoning over 700 historical versions.
| Repository | Impact Description |
|---|---|
| Main localization repository containing core language strings. |
| Translation files for HTTP status codes and headers. |
| Localized validation attributes and field names. |
| Translations for common Laravel application actions. |
Chain of Events
| Time (UTC) | Phase | Event Detail |
|---|---|---|
May 22, 23:41 | Initial Access | Attackers gain access to organization-level credentials or automation tokens. |
May 22, 23:45 | Tag Rewriting | Automated script updates tags to point to a malicious fork hosted on an attacker-controlled account. |
May 22, 23:55 | Payload Injection | Malicious |
May 23, 01:00 | Execution | Users running |
May 23, 08:30 | Detection | |
May 23, 10:15 | Containment | Packagist unlists packages; maintainers delete malicious tags and rotate secrets. |
Technical Payload Analysis
The attack followed a two-stage delivery model, starting with a lightweight dropper followed by a full-featured exfiltration engine.
Stage 1: The Dropper & Fingerprinting
Host Fingerprinting: Generates a unique ID based on architecture, hostname, and path.
Persistence: Creates a
.lockfile in/tmp/to prevent redundant stage-2 downloads.Callback: Initiates encrypted connection to
flipboxstudio[.]infoC2 server.
Stage 2: The 'Mini Shai-Hulud' Stealer
The second stage consists of a ~5,900 line PHP script with specialized modules for data theft:
| Target Category | Specific Assets Stolen |
|---|---|
Cloud Providers | AWS, GCP, Azure, DigitalOcean, Vercel, and Netlify tokens. |
Infrastructure | Kubernetes config files, Docker tokens, and HashiCorp Vault secrets. |
Developer Credentials | SSH private keys, |
Local Storage | Saved passwords and cookies from 17 Chromium-based browsers. |
Indicators of Compromise (IOCs)
| Type | Indicator / Value |
|---|---|
C2 Domain |
|
File Pattern |
|
System Artifact |
|
Network | Outbound HTTP/S traffic to non-standard ports on the C2 IP. |
Remediation Steps
Credential Rotation: Rotate all secrets (AWS, DB, API) reachable from affected environments.
Lock File Audit: Verify
composer.lockhashes against known-good commits from the official organization.Cleanup: Delete the vendor directory and run
composer installfrom a clean state.Rebuild: Re-deploy cloud instances and CI/CD runners if the malicious code was executed.
Defend Your Supply Chain
Supply chain attacks can hit even the most trusted ecosystems. CellWall SiteWall monitors third-party script behavior in real-time, blocking unauthorized data exfiltration and detecting malicious runtime modifications before they reach your customers.
