What happened
Security researchers have uncovered malicious PHP packages on the Packagist repository that masquerade as helpful Laravel utilities but install a persistent remote access trojan (RAT) when included as dependencies.
Who is affected
Developers and organizations using Laravel who have installed nhattuanbl/lara-helper, nhattuanbl/simple-queue, or nhattuanbl/lara-swagger in their applications are at risk, as these packages either contain or pull in the RAT payload.
Why CISOs should care
This incident is a software supply chain compromise in which a trusted package repository is used to deliver malware. A successful install gives attackers full remote control over affected hosts, access to environment variables (including credentials), and persistence across platforms (Windows, macOS, Linux), posing a severe operational and data security risk.
3 practical actions
- Audit dependencies: Immediately scan Laravel projects for the identified malicious packages and any transitive dependencies that may pull them in, removing them from codebases and build pipelines.
- Assume compromise & remediate: For systems that installed the packages, treat them as compromised; rotate all secrets (API keys, database credentials, .env variables) and review network logs for outbound connections to suspicious command-and-control domains.
- Improve supply chain controls: Enforce strict package vetting in CI/CD workflows, avoid unpinned dev-master dependencies in production, and integrate automated security scanning tools to catch malicious or obfuscated code before it reaches production.
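As an added example (not from the advisory or the affected packages), the dependency audit above can be automated against a project's composer.lock: the script flags the three package names listed in this advisory whether they were installed directly or transitively, traces which installed package's "require" pulled a bad one in, and lists anything resolved from an unpinned dev branch. The sample lock file and the package name acme/example-app are constructed for illustration.

```python
import json

# Package names are those named in the advisory; everything else is constructed.
MALICIOUS_PACKAGES = {
    "nhattuanbl/lara-helper",
    "nhattuanbl/simple-queue",
    "nhattuanbl/lara-swagger",
}

def audit_lock(lock_text):
    """Audit a composer.lock (JSON text) and report:
      malicious    - installed packages on the advisory's list, with version
      pulled_in_by - which installed package's "require" pulls each bad one in
      unpinned     - packages resolved from a dev branch (e.g. dev-master)
    Both "packages" and "packages-dev" are walked, so transitive installs count.
    """
    lock = json.loads(lock_text)
    report = {"malicious": [], "pulled_in_by": {}, "unpinned": []}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name, version = pkg.get("name", ""), pkg.get("version", "")
            if name in MALICIOUS_PACKAGES:
                report["malicious"].append((name, version))
            elif version.startswith("dev-"):
                report["unpinned"].append((name, version))
            # Trace the dependency that causes a transitive pull-in.
            for dep in pkg.get("require", {}):
                if dep in MALICIOUS_PACKAGES:
                    report["pulled_in_by"].setdefault(dep, []).append(name)
    return report

# Constructed sample lock file; "acme/example-app" is a hypothetical package.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0", "require": {}},
        {"name": "acme/example-app", "version": "dev-main",
         "require": {"nhattuanbl/lara-helper": "dev-master"}},
        {"name": "nhattuanbl/lara-helper", "version": "dev-master", "require": {}},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    # For a real project: audit_lock(open("composer.lock").read())
    for kind, items in audit_lock(SAMPLE_LOCK).items():
        print(kind, items)
```

Running it across every composer.lock in a monorepo or build pipeline gives a quick inventory of which applications need the "assume compromise" remediation step.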
