Embedded Malicious Code Affecting laravel-lang/http-statuses package, versions >=0.0.0


Severity: critical (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-PHP-LARAVELLANGHTTPSTATUSES-16801060
  • Published: 23 May 2026
  • Disclosed: 22 May 2026
  • Credit: Ilyas Makari

Introduced: 22 May 2026

Type: Malicious (new); CVE: not available; CWE-506

How to fix?

Avoid using laravel-lang/http-statuses altogether.

Overview

Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a remote code execution backdoor and an advanced credential stealer. A malicious actor remapped historical tags onto malicious commits, retroactively compromising over 700 versions of some laravel-lang packages. The malicious commits introduced a src/helpers.php file and registered it under autoload.files in composer.json, so the code executes automatically during normal application runtime whenever Composer's autoloader runs.
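Because the payload rides on Composer's autoload.files mechanism, one defender check is to list every installed package that registers autoload files and flag laravel-lang packages whose list includes a helpers.php. The script below is an added example, not Snyk's or the laravel-lang project's code; it reads the Composer 1 (plain list) or Composer 2 ("packages" key) layout of vendor/composer/installed.json, and the installed.json content embedded here is constructed. A hit is a prompt for manual review of that file, not proof of compromise on its own.

```python
"""Audit vendor/composer/installed.json for packages that register autoload
'files' entries (included on every autoloader run) and flag laravel-lang
packages whose entries include a helpers.php."""
import json

# Constructed sample of vendor/composer/installed.json (Composer 2 layout);
# package versions are placeholders, not real release numbers.
SAMPLE_INSTALLED_JSON = json.dumps({
    "packages": [
        {"name": "laravel-lang/http-statuses", "version": "0.0.0",
         "autoload": {"psr-4": {"LaravelLang\\HttpStatuses\\": "src"},
                      "files": ["src/helpers.php"]}},
        {"name": "symfony/polyfill-mbstring", "version": "0.0.0",
         "autoload": {"psr-4": {"Symfony\\Polyfill\\Mbstring\\": ""},
                      "files": ["bootstrap.php"]}},
        {"name": "laravel-lang/locales", "version": "0.0.0",
         "autoload": {"psr-4": {"LaravelLang\\Locales\\": "src"}}},
    ]
})


def installed_packages(installed_json_text):
    """Return the package list from installed.json (Composer 1 list or Composer 2 dict)."""
    data = json.loads(installed_json_text)
    return data.get("packages", []) if isinstance(data, dict) else data


def autoload_files(installed_json_text):
    """Map each package name to the files Composer includes on every autoload."""
    result = {}
    for pkg in installed_packages(installed_json_text):
        files = pkg.get("autoload", {}).get("files", [])
        if files:
            result[pkg["name"]] = list(files)
    return result


def suspicious_packages(installed_json_text, vendor_prefix="laravel-lang/",
                        marker="helpers.php"):
    """Flag packages under vendor_prefix whose autoload files include marker."""
    return sorted(name for name, files in autoload_files(installed_json_text).items()
                  if name.startswith(vendor_prefix)
                  and any(f.rsplit("/", 1)[-1] == marker for f in files))


if __name__ == "__main__":
    for name, files in autoload_files(SAMPLE_INSTALLED_JSON).items():
        print(f"{name}: {files}")
    print("review:", suspicious_packages(SAMPLE_INSTALLED_JSON))
```

Run it against a real tree with `open("vendor/composer/installed.json").read()` in place of the sample; Composer 1 installations produce a bare list, which installed_packages also accepts.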

Note: The repeated reassignment of tags can cause confusion about which installed versions are affected. We recommend reviewing our blog for indicators of compromise and remediation suggestions.

Changelog

2026-06-24 Update: As part of their incident response, the maintainers have reverted the compromised version tags to non-malicious commits, re-introducing those on packagist.org.

2026-06-23: All tagged versions of the affected packages have been removed from packagist.org, leaving only branch references that link to the maintainer's code.

RAT Behavior

The initial payload dynamically constructs its command-and-control hostname to evade static analysis and fetches a second-stage payload from an external server. This second stage is a comprehensive, cross-platform credential-harvesting framework designed to systematically steal secrets from cloud infrastructure (AWS, Kubernetes, Azure), SSH keys, browser login data, cryptocurrency wallets, and CI/CD tokens. The stolen data is then encrypted and exfiltrated, after which the malware deletes itself to limit forensic evidence.

Additional Information:

  • This attack targets historical versions of the packages, meaning you could be compromised even if you haven't updated to a "new" version recently.
  • The malware creates a unique per-host marker in the system's temporary directory to ensure the payload only triggers once per machine, allowing it to remain stealthy.
