Laravel-Lang Packages Poisoned for Malware Delivery

Monday, May 25, 2026 at 10:41 AM UTC·Source: SecurityWeek

Updated: Monday, May 25, 2026 at 11:00 AM UTC

Executive Summary

Published within a 15-minute window, the malicious tags introduced backdoors to exfiltrate CI secrets. The post Laravel-Lang Packages Poisoned for Malware Delivery appeared first on SecurityWeek .

Analysis

Published within a 15-minute window, the malicious tags introduced backdoors to exfiltrate CI secrets. The post Laravel-Lang Packages Poisoned for Malware Delivery appeared first on SecurityWeek .

Source Attribution

Originally published by SecurityWeek on May 25, 2026.

Related Threats

MEDIUMSupply ChainNEW

TeamPCP Supply Chain Campaign: Activity Through 2026-05-24, (Mon, May 25th)

TeamPCP now operates across three package ecosystems in parallel, it reached GitHub&&#x23;x26;&#x23;39;s own internal codebase, it trojanized an officially Microsoft-published Python SDK, and it appears to have open-sourced its own framework on GitHub.

51m agoSANS ISC

LOWSupply Chain

As AI speeds coding, CVE Lite CLI keeps security deliberately AI-free

As AI coding assistants accelerate software development, one OWASP-backed open-source project is arguing that dependency security tooling still arrives too late to be truly useful. CVE Lite CLI , a JavaScript and TypeScript dependency vulnerability scanner focused on local lockfile analysis, is positioning itself around a simple idea. Developers should see dependency risks while they are still wri

2h agoCSO Online

LOWSupply Chain

Over 5,500 GitHub Repositories Infected in ‘Megalodon’ Supply Chain Attack

Fake automated commits injected GitHub Actions workflows containing payloads to steal credentials, CI secrets, keys, and tokens. The post Over 5,500 GitHub Repositories Infected in ‘Megalodon’ Supply Chain Attack appeared first on SecurityWeek .

6h agoSecurityWeek