Malicious Laravel Packages on Packagist Deploy Cross-Platform RAT Targeting PHP Developers
Three malicious Packagist packages disguised as Laravel utilities deploy a fully featured PHP remote access trojan on Windows, macOS, and Linux — running in the same process as the web application with access to database credentials, API keys, and .env secrets.
Cybersecurity researchers have flagged three malicious packages on Packagist — PHP's primary package repository — that masqueraded as Laravel utility libraries while deploying a fully featured cross-platform remote access trojan (RAT) capable of compromising Windows, macOS, and Linux development environments.
The Malicious Packages
The three packages — nhattuanbl/lara-helper (37 downloads), nhattuanbl/simple-queue (29 downloads), and nhattuanbl/lara-swagger (49 downloads) — were published by the same author. One package was completely clean and served as a credibility builder, while two carried an identical malicious payload buried inside a file named src/helper.php. The packages presented themselves as common Laravel utilities — a helper library, a queue manager, and a Swagger documentation generator — the types of packages that developers frequently install without extensive code review.
How the RAT Works
Once loaded, the payload connects to a command-and-control server at helper[.]leuleu[.]net:2096, sends system reconnaissance data (hostname, OS, PHP version, environment variables), and waits for commands. Because activation happens at application boot via Laravel's service provider mechanism or through class autoloading, the RAT runs in the same process as the web application — with the same filesystem permissions and access to environment variables, including database credentials, API keys, and .env contents.
Capabilities and Impact
Socket's analysis identifies the payload as a fully featured backdoor with an encrypted C2 channel, remote shell execution, file upload and download, and screen capture capabilities. The attack is particularly insidious because PHP developers routinely install Composer packages as part of their development workflow, and Packagist does not perform automated security scanning of uploaded packages. Developers are advised to audit their Composer dependencies, remove any packages from the nhattuanbl author, and rotate credentials if any of the affected packages were installed in their projects.
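The two activation paths named above (Laravel package auto-discovery and Composer autoloading) and the advice to audit dependencies translate into a small, repeatable check. The script below is an added example, not code from Socket or from the article: it parses a composer.lock, flags any package from the named author for removal, lists every package that hooks application boot (via `extra.laravel.providers` or `autoload.files`, which Composer includes on every request) for review, and searches file contents for the C2 host so a scan of vendor/ can confirm an infection. The composer.lock excerpt, the `acme/widgets` package, the provider class names and the file contents are constructed sample data; a real audit would read the project's own lock file and vendor directory.

```python
"""Audit a Composer project for the indicators in the article (added example, not the original's code)."""
import json
from typing import Dict, List

# Indicators taken from the article: the publishing account whose packages should be
# removed, and the C2 host (defanged in the article as helper[.]leuleu[.]net; written
# undefanged here so it matches what would actually appear in a payload file).
BLOCKED_VENDORS = {"nhattuanbl"}
C2_HOST = "helper.leuleu.net"

# Constructed composer.lock excerpt: a framework package with no boot hooks, a
# hypothetical benign package that registers a provider, and a package from the
# blocked author that both registers a provider and autoloads a helper file.
SAMPLE_COMPOSER_LOCK = r"""
{
  "packages": [
    {
      "name": "laravel/framework",
      "version": "v11.0.0",
      "autoload": {"classmap": ["src/"]}
    },
    {
      "name": "acme/widgets",
      "version": "2.1.0",
      "autoload": {"classmap": ["src/"]},
      "extra": {"laravel": {"providers": ["Acme\\Widgets\\WidgetServiceProvider"]}}
    },
    {
      "name": "nhattuanbl/lara-helper",
      "version": "1.0.0",
      "autoload": {"classmap": ["src/"], "files": ["src/helper.php"]},
      "extra": {"laravel": {"providers": ["Nhattuanbl\\LaraHelper\\HelperServiceProvider"]}}
    }
  ],
  "packages-dev": []
}
"""


def audit_composer_lock(lock_json: str, blocked_vendors=BLOCKED_VENDORS) -> List[dict]:
    """Flag packages from a blocked vendor (severity "remove") and packages that hook
    application boot (severity "review"): Laravel auto-discovered service providers
    and Composer autoload.files, the two activation paths the article describes."""
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            vendor = name.split("/", 1)[0]
            reasons = []
            if vendor in blocked_vendors:
                reasons.append("vendor on blocklist")
            providers = pkg.get("extra", {}).get("laravel", {}).get("providers", [])
            if providers:
                reasons.append("auto-discovered service providers: " + ", ".join(providers))
            files = pkg.get("autoload", {}).get("files", [])
            if files:
                reasons.append("autoload.files included on every request: " + ", ".join(files))
            if reasons:
                findings.append({
                    "package": name,
                    "version": pkg.get("version", "?"),
                    "section": section,
                    "severity": "remove" if vendor in blocked_vendors else "review",
                    "reasons": reasons,
                })
    return findings


# Constructed stand-ins for vendor/ file contents (in practice, read them from disk).
SAMPLE_VENDOR_FILES = {
    "vendor/nhattuanbl/lara-helper/src/helper.php":
        "<?php // constructed stand-in; the real payload contacts helper.leuleu.net:2096",
    "vendor/acme/widgets/src/WidgetServiceProvider.php":
        "<?php namespace Acme\\Widgets; class WidgetServiceProvider {}",
}


def find_c2_references(sources: Dict[str, str], host: str = C2_HOST) -> List[str]:
    """Return the paths whose contents mention the C2 host, defanged or not."""
    defanged = host.replace(".", "[.]")
    return sorted(path for path, text in sources.items() if host in text or defanged in text)


if __name__ == "__main__":
    for f in audit_composer_lock(SAMPLE_COMPOSER_LOCK):
        print(f"[{f['severity']}] {f['package']} {f['version']}: " + "; ".join(f["reasons"]))
    for path in find_c2_references(SAMPLE_VENDOR_FILES):
        print(f"[remove] C2 host referenced in {path}")
```

Packages flagged "review" are not necessarily malicious; auto-discovery is how legitimate Laravel packages register themselves. The value of listing them is that every entry executes at boot in the web process, so each one should be a dependency you recognise and have read. Anything marked "remove", or any file matching the C2 host, is the signal to delete the package, then rotate the database credentials, API keys and other .env secrets that process could read.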