Fake Laravel Packages on Packagist Deploy RAT on Windows, macOS, and Linux

Security Reporter

Malicious PHP packages masquerading as Laravel utilities have been discovered on Packagist, deploying a cross-platform RAT that compromises Windows, macOS, and Linux systems through sophisticated obfuscation techniques.

Cybersecurity researchers have uncovered a sophisticated supply chain attack targeting Laravel developers through malicious packages on Packagist, the official PHP package registry. The attack involves three deceptive packages that deploy a cross-platform remote access trojan (RAT) capable of compromising systems across Windows, macOS, and Linux environments.

The Malicious Packages

The identified packages are:

  • nhattuanbl/lara-helper (37 Downloads)
  • nhattuanbl/simple-queue (29 Downloads)
  • nhattuanbl/lara-swagger (49 Downloads)

According to security researcher Kush Pandya, the "nhattuanbl/lara-swagger" package doesn't contain malicious code directly but lists "nhattuanbl/lara-helper" as a Composer dependency, creating a dependency chain that installs the RAT. All three packages remain available for download from Packagist.

Sophisticated Obfuscation Techniques

The malicious payload employs multiple layers of obfuscation to evade detection:

  • Control flow obfuscation to complicate static analysis
  • Encoding of domain names, command names, and file paths
  • Randomized identifiers for variables and function names
  • A PHP file named "src/helper.php" containing the core malicious functionality

RAT Capabilities and Command Structure

Once installed, the RAT establishes communication with a command-and-control (C2) server at helper.leuleu[.]net:2096 using PHP's stream_socket_client() over TCP. The malware performs system reconnaissance and waits for commands, providing attackers with full remote access to compromised hosts.

Supported commands include:

  • ping: Sends automatic heartbeat every 60 seconds
  • info: Transmits system reconnaissance data to C2
  • cmd: Executes shell commands
  • powershell: Runs PowerShell commands
  • run: Executes shell commands in background
  • screenshot: Captures screen using imagegrabscreen()
  • download: Reads files from disk
  • upload: Writes files to disk with full permissions
  • stop: Closes socket and exits

Resilience Against Security Measures

The RAT demonstrates sophisticated evasion capabilities by probing PHP's disable_functions configuration and selecting the first available execution method from: popen, proc_open, exec, shell_exec, system, and passthru. This approach makes it resilient to common PHP hardening configurations.

Persistence and Risk Factors

Although the C2 server is currently non-responsive, the RAT retries the connection every 15 seconds in a persistent loop, so an installed copy remains a live risk should the server come back online. The malware activates during application boot through service providers or class autoloads, running in the same process as the web application with identical filesystem permissions and environment variables.

This includes access to:

  • Database credentials
  • API keys
  • .env file contents
  • Application secrets

Threat Actor's Credibility-Building Strategy

In addition to the three malicious packages, the threat actor has published three clean libraries: "nhattuanbl/lara-media," "nhattuanbl/snooze," and "nhattuanbl/syslog." This strategy appears designed to build credibility and trick developers into installing the malicious packages.

Mitigation and Response

Users who have installed any of these packages should take immediate action:

  1. Assume system compromise
  2. Remove the malicious packages immediately
  3. Rotate all secrets accessible from the application environment
  4. Audit outbound traffic to the C2 server
  5. Monitor for suspicious activity
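To support steps 1 and 2 across many projects, the following scanner reads a composer.lock and flags the three packages named above as well as any package whose `require` block pulls in the payload package (the lara-swagger dependency chain). This is an added example, not code from the Socket report; the lock-file content is constructed for illustration, while the package names come from the article.

```python
"""Flag the malicious nhattuanbl packages in a composer.lock (added example)."""
import json

# Packages the article identifies as malicious. lara-swagger carries no payload
# itself but lists lara-helper as a Composer dependency.
MALICIOUS_PACKAGES = {
    "nhattuanbl/lara-helper",
    "nhattuanbl/simple-queue",
    "nhattuanbl/lara-swagger",
}
RAT_PAYLOAD_PACKAGE = "nhattuanbl/lara-helper"


def scan_composer_lock(lock_text: str) -> list[dict]:
    """Return one finding per installed package that is itself malicious
    or that depends on the RAT payload package, with the reasons for the flag."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            requires = pkg.get("require") or {}
            reasons = []
            if name in MALICIOUS_PACKAGES:
                reasons.append("known malicious package")
            if RAT_PAYLOAD_PACKAGE in requires:
                # Dependency-chain case: flag anything that drags the payload in,
                # even a package not on the known-bad list.
                reasons.append(f"depends on {RAT_PAYLOAD_PACKAGE}")
            if reasons:
                findings.append({"package": name, "section": section, "reasons": reasons})
    return findings


# Constructed sample: a project that installed lara-swagger, which Composer
# resolved by also installing lara-helper.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0", "require": {"php": "^8.2"}},
        {"name": "nhattuanbl/lara-swagger", "version": "1.0.0",
         "require": {"nhattuanbl/lara-helper": "*"}},
        {"name": "nhattuanbl/lara-helper", "version": "1.0.0", "require": {}},
    ],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "11.0.0"}],
})

if __name__ == "__main__":
    for f in scan_composer_lock(SAMPLE_LOCK):
        print(f"{f['section']}: {f['package']} ({'; '.join(f['reasons'])})")
```

Run it against each project's composer.lock; any finding means the host should be treated as compromised and the secret rotation in step 3 carried out.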

Broader Implications

This attack highlights the ongoing risks in open-source supply chains and the sophistication of modern malware campaigns. The cross-platform nature of the RAT, combined with its persistence mechanisms and comprehensive access capabilities, makes it particularly dangerous for development environments and production systems alike.

The incident serves as a reminder for developers to:

  • Carefully vet third-party dependencies
  • Monitor package registries for suspicious activity
  • Implement robust security scanning in CI/CD pipelines
  • Maintain regular security audits of application dependencies

Source: Socket Security Report
