On May 22, 2026, an attacker with push access to the Laravel-Lang GitHub organization compromised three popular Composer packages by rewriting every git tag in a 15-minute window. This allowed malicious payloads to be executed upon installation, targeting CI secrets. The affected packages include `laravel-lang/http-statuses`, `laravel-lang/actions`, and `laravel-lang/attributes`.
The attack leveraged Composer's autoload functionality to execute hidden PHP code that exfiltrates sensitive environment data to a typosquatted domain. All existing tags across these packages were modified, leaving no safe versions. Recovery steps include auditing affected systems, revoking access, and cleaning up compromised environments.
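For the audit step, a rewritten tag shows up in `composer.lock` as the same version string pinned to a different `source.reference` commit. The script below is an added example, not code from the Laravel-Lang project or the original report: it compares a lock file from before the incident with the current one and lists the three affected packages. The sample lock data, version, commit placeholders and file path are constructed, and treating `autoload.files` entries as the thing to review is an assumption, since the page only says the payload ran through Composer's autoloader.

```python
import json

# Package names from the incident summary above.
AFFECTED = {
    "laravel-lang/http-statuses",
    "laravel-lang/actions",
    "laravel-lang/attributes",
}

def locked_packages(lock_text):
    """Map package name -> (version, source commit, autoload 'files' list)."""
    lock = json.loads(lock_text)
    out = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        ref = (pkg.get("source") or {}).get("reference")
        files = (pkg.get("autoload") or {}).get("files", [])
        out[pkg["name"]] = (pkg.get("version"), ref, files)
    return out

def audit(old_lock_text, new_lock_text):
    """Findings for affected packages in the new lock, compared with the old."""
    old, new = locked_packages(old_lock_text), locked_packages(new_lock_text)
    findings = []
    for name in sorted(AFFECTED.intersection(new)):
        version, ref, files = new[name]
        findings.append((name, "present", f"{version} @ {ref}"))
        old_version, old_ref, _ = old.get(name, (None, None, []))
        if old_version == version and old_ref != ref:  # same tag, new commit
            findings.append((name, "tag-moved", f"{old_ref} -> {ref}"))
        if files:  # assumption: always-included files deserve manual review
            findings.append((name, "autoload-files", ", ".join(files)))
    return findings

# Constructed sample data: placeholder version, commits and path, not incident values.
def _sample_lock(ref, files):
    pkg = {"name": "laravel-lang/actions", "version": "1.0.0",
           "source": {"type": "git", "reference": ref}}
    if files:
        pkg["autoload"] = {"files": files}
    other = {"name": "example/unrelated", "version": "2.0.0"}
    return json.dumps({"packages": [pkg, other], "packages-dev": []})

OLD_LOCK = _sample_lock("PLACEHOLDER_OLD_COMMIT", [])
NEW_LOCK = _sample_lock("PLACEHOLDER_NEW_COMMIT", ["src/helpers.php"])

if __name__ == "__main__":
    for finding in audit(OLD_LOCK, NEW_LOCK):
        print(*finding, sep="\t")
```

Take the old lock file from version control history dated before the incident window, so that its pinned commits predate the tag rewrite.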