thehackernews.com 3/4/2026, 10:00:13 AM

Laravel Packages Deliver Cross-Platform RAT via Packagist

Primary source: socket.dev

Cybersecurity researchers have flagged malicious Packagist PHP packages masquerading as Laravel utilities that act as a conduit for a cross-platform remote access trojan (RAT) usable on Windows, macOS and Linux. The packages cited are nhattuanbl/lara-helper (37 downloads), nhattuanbl/simple-queue (29 downloads) and nhattuanbl/lara-swagger (49 downloads). According to Socket, lara-swagger does not embed malicious code itself but lists lara-helper as a Composer dependency, causing the RAT to be installed.

The trojan’s PHP file, src/helper[.]php, uses obfuscation techniques and randomised identifiers to hinder static analysis, and once loaded, connects to a C2 server at helper.leuleu[.]net:2096 to exfiltrate system information and accept commands. The RAT’s command set includes ping, info, cmd, powershell, run, screenshot, download, upload and stop, and it is configured to retry the connection every 15 seconds in a persistent loop.

Although the C2 server is currently non-responsive, the campaign remains active, with three additional libraries published to build credibility for the malicious ones. The guidance from researchers emphasises removing the packages, rotating secrets, and auditing outbound traffic to the C2 server.
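For the removal step, the following is an added example, not code from Socket or the article: it reads a `composer.lock` and reports the three packages named above plus any package that requires them, since lara-swagger is harmful only through its dependency on lara-helper. It assumes the standard `packages` / `packages-dev` lock layout; the sample lock, its version strings and `acme/api-docs` are constructed.

```python
import json

# Package names reported on this page; lara-swagger only pulls in lara-helper.
FLAGGED = {"nhattuanbl/lara-helper", "nhattuanbl/simple-queue", "nhattuanbl/lara-swagger"}

def audit_lock(lock_text):
    """Map package name -> reason for flagged packages and anything that depends on them."""
    lock = json.loads(lock_text)
    entries = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    requires = {e["name"].lower(): {d.lower() for d in e.get("require", {})} for e in entries}
    findings = {name: "flagged package" for name in requires if name in FLAGGED}
    changed = True
    while changed:  # walk upward until no new dependents are found
        changed = False
        for name, deps in requires.items():
            hit = sorted(deps & (FLAGGED | set(findings)))
            if hit and name not in findings:
                findings[name] = "requires " + ", ".join(hit)
                changed = True
    return findings

# Constructed composer.lock fragment: versions and acme/api-docs are made up.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v0.0.0", "require": {"php": "^8.2"}},
        {"name": "nhattuanbl/lara-helper", "version": "0.0.0"},
        {"name": "nhattuanbl/lara-swagger", "version": "0.0.0",
         "require": {"nhattuanbl/lara-helper": "*"}},
    ],
    "packages-dev": [
        {"name": "acme/api-docs", "version": "0.0.0",
         "require": {"nhattuanbl/lara-swagger": "*"}},
    ],
})

if __name__ == "__main__":
    for pkg, reason in sorted(audit_lock(SAMPLE_LOCK).items()):
        print(f"{pkg}: {reason}")
```

To check a real project, pass the contents of its `composer.lock` to `audit_lock` instead of `SAMPLE_LOCK`.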


Article by CyberSIXT