
Cybersecurity researchers have discovered malicious Laravel packages on Packagist that secretly install a Remote Access Trojan (RAT) capable of infecting Windows, macOS, and Linux systems. These packages appear to be helpful Laravel utilities but are actually designed to give attackers remote control over compromised servers.
The malicious packages include:
- nhattuanbl/lara-helper
- nhattuanbl/simple-queue
- nhattuanbl/lara-swagger
Security researchers from Socket reported that the package lara-swagger does not contain malicious code directly, but it installs lara-helper as a dependency through Composer, which then deploys the RAT. Despite the discovery, these packages remained available on Packagist at the time of the report.
Obfuscated Code Used to Hide Malware
Both lara-helper and simple-queue contain a PHP file named src/helper.php that hides malicious functionality using several obfuscation techniques. These include control flow obfuscation, encoded domain names, encoded command strings, randomized function names, and hidden file paths to avoid detection during static analysis.
Once the malicious code runs, it connects to a command-and-control (C2) server at helper.leuleu[.]net:2096. The infected system sends reconnaissance data to the attacker and waits for further instructions, effectively giving the threat actor full remote access to the compromised host.
RAT Capabilities and Commands
The malware communicates with the C2 server using TCP connections via PHP’s stream_socket_client() function. It supports several commands that allow attackers to control the system remotely, including:
- ping – send heartbeat every 60 seconds
- info – collect system information
- cmd – execute shell commands
- powershell – run PowerShell commands
- run – execute commands in the background
- screenshot – capture screen images
- download – retrieve files from the system
- upload – upload files and grant execution permissions
- stop – terminate the connection
To ensure command execution works even on hardened PHP environments, the RAT checks available functions and uses the first working method from popen, proc_open, exec, shell_exec, system, or passthru.
Persistent Backdoor Risk
Although the command server is currently inactive, the malware continuously attempts to reconnect every 15 seconds, creating a persistent security risk for affected systems.
Security experts recommend that any organization that installed these packages should assume system compromise, remove the packages immediately, rotate credentials such as database passwords and API keys, and monitor outbound network traffic for connections to the known C2 server.
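Two of those checks, the dependency audit (including the lara-swagger to lara-helper pull-in described above) and the egress watch for the reported C2 host, as an added example that is not part of the original report; the composer.lock document and the key=value egress records it runs on are constructed for the example.

```python
import json

# Package names from the report above; lara-swagger is clean itself but
# pulls lara-helper in as a Composer dependency.
MALICIOUS = {"nhattuanbl/lara-helper", "nhattuanbl/simple-queue"}
DROPPER = {"nhattuanbl/lara-swagger"}
C2_HOST = "helper.leuleu.net"  # reported C2 host, contacted on TCP port 2096


def audit_lock(lock_text):
    """Flag the packages above in a composer.lock and record who requires them."""
    lock = json.loads(lock_text)
    findings = {"malicious": [], "dropper": [], "required_by": {}}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "")
        if name in MALICIOUS:
            findings["malicious"].append(name)
        elif name in DROPPER:
            findings["dropper"].append(name)
        # Record transitive pull-ins (the lara-swagger -> lara-helper case).
        for dep in pkg.get("require", {}):
            if dep in MALICIOUS:
                findings["required_by"].setdefault(dep, []).append(name)
    return findings


def flag_c2_connections(log_lines):
    """Return egress records whose destination is the reported C2 host.

    The key=value record format is constructed for this example."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if fields.get("dst") == C2_HOST:
            hits.append(line)
    return hits


# Constructed sample inputs: a lock file where lara-swagger drags in
# lara-helper, and three egress records, two of which reach the C2 host.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "require": {}},
    {"name": "nhattuanbl/lara-swagger", "require": {"nhattuanbl/lara-helper": "*"}},
    {"name": "nhattuanbl/lara-helper", "require": {}},
], "packages-dev": []})
SAMPLE_EGRESS = [
    "ts=1 src=10.0.0.5 dst=api.github.com dport=443 proto=tcp",
    "ts=2 src=10.0.0.5 dst=helper.leuleu.net dport=2096 proto=tcp",
    "ts=3 src=10.0.0.5 dst=helper.leuleu.net dport=2096 proto=tcp",
]
```

A hit from `flag_c2_connections` on a host that also shows the lock-file findings is the "assume compromise" case above; a clean lock file with no egress hits is only evidence for the packages Composer recorded, not for anything installed by other means.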
Attackers Published Legitimate Packages to Build Trust
Researchers also found that the same developer published several other packages that appear legitimate, including:
- nhattuanbl/lara-media
- nhattuanbl/snooze
- nhattuanbl/syslog
These clean packages were likely released to build credibility and trick developers into installing the malicious ones.
Because the RAT runs during application startup or class autoloading, it operates within the same process as the Laravel application. This means attackers can access sensitive information such as database credentials, API keys, environment variables, and application files.
Developers are advised to carefully review dependencies from third-party sources and regularly audit installed packages to prevent supply chain attacks.
Source: https://thehackernews.com/2026/03/fake-laravel-packages-on-packagist.html
