Cybersecurity researchers have discovered malicious PHP packages on the Packagist registry that pose as legitimate Laravel utilities to infect systems with a cross-platform remote access trojan. These packages, specifically targeting Windows, macOS, and Linux, allow attackers to execute commands, steal files, and maintain persistent access to the compromised server.
Among the packages named are lara-helper and simple-queue, which carry the hidden malicious code. Other packages in the set look clean, which builds developer trust, but they declare the malicious components as dependencies, so installing an apparently harmless package pulls the payload into the project. Once installed, the code runs automatically and is obfuscated to evade static analysis tools.
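The dependency trick above is visible in a project's composer.lock: a clean-looking package lists the malicious one under "require", and the payload gets executed because it registers a Composer "files" autoload (which vendor/autoload.php runs unconditionally on every boot). The following triage script is an added example, not code from the article or from Packagist; the lockfile is constructed sample data and the "acme" vendor prefix is hypothetical, since the article gives only the short names lara-helper and simple-queue. Matching on the short name is therefore an assumption that will also flag unrelated packages with the same name.

```python
"""Triage helper: flag watch-listed packages in a composer.lock and show
which packages register Composer 'files' autoloads or pull a watch-listed
package in as a dependency. Added example, not from the original article.
The lockfile below is constructed; the vendor name 'acme' is hypothetical."""
import json

# Short package names reported as malicious (vendor prefix unknown).
WATCHLIST = {"lara-helper", "simple-queue"}

# Constructed composer.lock fragment, trimmed to the fields that matter.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0",
         "autoload": {"psr-4": {"Illuminate\\": "src/Illuminate/"}}},
        # looks harmless but drags the second package in and runs a file on boot
        {"name": "acme/lara-helper", "version": "1.0.3",
         "require": {"acme/simple-queue": "^1.0"},
         "autoload": {"files": ["src/bootstrap.php"]}},
        {"name": "acme/simple-queue", "version": "1.2.0",
         "autoload": {"psr-4": {"Acme\\Queue\\": "src/"},
                      "files": ["src/init.php"]}},
    ],
    "packages-dev": [],
})


def audit_lock(lock_json: str, watchlist=WATCHLIST) -> dict:
    """Return {package_name: [reasons]} for every package that is on the
    watchlist, registers a 'files' autoload (code executed on every request
    regardless of whether the class is ever used), or requires a
    watch-listed package."""
    lock = json.loads(lock_json)
    packages = lock.get("packages", []) + lock.get("packages-dev", [])
    findings = {}
    for pkg in packages:
        name = pkg["name"]
        short = name.split("/")[-1]
        reasons = []
        if short in watchlist:
            reasons.append("name on watchlist")
        files = pkg.get("autoload", {}).get("files", [])
        if files:
            reasons.append("files autoload: " + ", ".join(files))
        for dep in pkg.get("require", {}):
            if dep.split("/")[-1] in watchlist:
                reasons.append("pulls in watch-listed dependency " + dep)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_lock(SAMPLE_LOCK).items():
        print(name + ": " + "; ".join(reasons))
```

Run it against the real composer.lock of any Laravel project that may have pulled these packages in. A "files" autoload is not malicious by itself (many legitimate helper packages use it), but it is the mechanism that lets a package execute code at boot without anyone calling it, so every entry in that list deserves a read.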
The primary payload opens a connection to a command-and-control server and sends detailed reconnaissance data about the host. It communicates over a dedicated port and runs in a loop, retrying the connection every fifteen seconds if the link drops, so a temporary network interruption does not cost the attacker access; because the code runs again whenever the application boots, a server restart does not either.
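A fixed fifteen-second retry is a strong network signal. The script below, an added example rather than anything from the article, groups outbound connection records by source, destination and port and flags series whose inter-arrival times cluster around one period. The log format, hosts and destination port are constructed; the article states only that the RAT reconnects every fifteen seconds on a dedicated port.

```python
"""Beacon detection over outbound connection records. Added example, not
from the article. The record format, addresses and port are constructed."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed records: "<ISO timestamp> <process> <src> <dst> <dport>".
# 203.0.113.7:8443 stands in for the C2; 198.51.100.20:443 is ordinary traffic.
SAMPLE_LOG = """\
2024-05-02T10:00:00Z php-fpm 10.0.0.5 203.0.113.7 8443
2024-05-02T10:00:03Z php-fpm 10.0.0.5 198.51.100.20 443
2024-05-02T10:00:15Z php-fpm 10.0.0.5 203.0.113.7 8443
2024-05-02T10:00:30Z php-fpm 10.0.0.5 203.0.113.7 8443
2024-05-02T10:00:41Z php-fpm 10.0.0.5 198.51.100.20 443
2024-05-02T10:00:45Z php-fpm 10.0.0.5 203.0.113.7 8443
2024-05-02T10:01:00Z php-fpm 10.0.0.5 203.0.113.7 8443
2024-05-02T10:01:16Z php-fpm 10.0.0.5 203.0.113.7 8443
2024-05-02T10:02:09Z php-fpm 10.0.0.5 198.51.100.20 443
"""


def parse(log: str):
    """Parse the constructed format into (time, process, src, dst, dport)."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, proc, src, dst, dport = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((t, proc, src, dst, int(dport)))
    return records


def find_beacons(records, min_conns=5, jitter=2.0, min_regular=0.8):
    """Return {(src, dst, dport): period_seconds} for every connection series
    with at least min_conns attempts whose gaps mostly (min_regular fraction)
    fall within +/- jitter seconds of the median gap."""
    series = defaultdict(list)
    for t, _proc, src, dst, dport in records:
        series[(src, dst, dport)].append(t)
    beacons = {}
    for key, times in series.items():
        if len(times) < min_conns:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(deltas)
        regular = sum(1 for d in deltas if abs(d - period) <= jitter)
        if regular / len(deltas) >= min_regular:
            beacons[key] = period
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), period in find_beacons(parse(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:{dport} beacons every {period:.0f}s")
```

One caveat: while the session is up, a persistent connection produces a single long-lived flow, not a stream of connection events. The retry loop becomes visible when the link is broken, which means that blocking the destination at the egress firewall turns the trojan into a very regular source of failed connection attempts, exactly the pattern this check looks for.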
Once connected, the operator can run shell commands, execute PowerShell scripts, capture screenshots of the host, upload new files (written with full read and write permissions) and download data directly from disk. To cope with hardened servers, the trojan probes the available PHP command-execution functions and uses whichever one has not been disabled, so a partial disable_functions list does not stop it.
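The defensive counterpart to that probing is to make sure no execution primitive is left enabled. The check below is an added example, not from the article: it parses the disable_functions directive from php.ini text and lists the process-spawning functions that remain callable. The primitive list is the standard set of PHP functions that run a command or spawn a process, not one the article enumerates.

```python
"""Check a php.ini disable_functions value against the PHP functions that
run a shell command or spawn a process. Added example, not from the article."""

# PHP functions that execute commands or spawn processes.
EXEC_PRIMITIVES = (
    "exec", "shell_exec", "system", "passthru",
    "popen", "proc_open", "pcntl_exec",
)


def parse_ini_value(ini_text: str, key: str = "disable_functions") -> set:
    """Return the set of names from the last uncommented `key = ...` line.
    php.ini semantics: ';' starts a comment, later assignments win, and
    function names are case-insensitive."""
    value = ""
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        k, v = (s.strip() for s in line.split("=", 1))
        if k.lower() == key:
            value = v.strip().strip('"')
    return {f.strip().lower() for f in value.split(",") if f.strip()}


def enabled_primitives(ini_text: str) -> list:
    """Execution primitives still callable under this configuration."""
    disabled = parse_ini_value(ini_text)
    return [f for f in EXEC_PRIMITIVES if f not in disabled]


# Constructed configurations: a common partial list and a complete one.
WEAK_INI = """
; only the obvious names disabled: passthru/popen/proc_open still work
disable_functions = exec,shell_exec,system
"""

HARDENED_INI = """
disable_functions = "exec,shell_exec,system,passthru,popen,proc_open,pcntl_exec"
"""

if __name__ == "__main__":
    print("weak   ->", enabled_primitives(WEAK_INI))
    print("hardened ->", enabled_primitives(HARDENED_INI))
```

Two things to keep in mind when applying this. disable_functions is a system-level directive (PHP_INI_SYSTEM), so code running inside the application cannot re-enable anything with ini_set; and since PHP 8.0 a disabled function is treated as undefined, which is precisely why a probe of the kind the article describes works: it simply tries each name until one exists. The flip side is operational: Laravel's own tooling and the Symfony Process component rely on proc_open, so test queue workers, the scheduler and any code that shells out before deploying the hardened list.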
Because the malicious code is triggered during the normal application boot or class autoloading, it runs with the privileges of the web application process itself. That gives the attacker immediate access to environment variables, database credentials, API keys and any other secret the application can read, including a cached configuration file if one has been generated. The trojan effectively shares the filesystem and process space of the legitimate software, so nothing the application can reach is out of its reach.
Anyone who installed these packages should treat the environment as fully compromised: remove the malicious libraries and anything that depended on them, audit outbound network traffic for signs of exfiltration, and rotate every password and secret the application could access. Because the trojan gives the attacker interactive access, removing the package alone is not sufficient if that access has already been used to plant additional backdoors; rebuilding from known-good sources is the safer course.
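The rotation step in the two paragraphs above is easy to under-scope, because everything in a Laravel .env file was readable by the compromised process. The script below is an added example, not from the article or from Laravel: it parses a .env file with the usual quoting rules and splits secret-like keys into those that hold a value (rotate) and those left empty (confirm nothing else supplies them). The sample file is constructed and the key-name patterns are an assumption about what counts as a secret; adjust them to your project.

```python
"""Build a rotation inventory from a Laravel .env file. Added example, not
from the article. The sample .env is constructed; the key-name pattern is an
assumption about which variables hold credentials."""
import re

# Variables whose names end in one of these are treated as credentials.
SECRET_KEY_RE = re.compile(r"(KEY|SECRET|PASSWORD|TOKEN|DSN)$", re.IGNORECASE)

# Constructed .env; none of these values are real credentials.
SAMPLE_ENV = """\
APP_NAME=Laravel
APP_ENV=production
APP_KEY=base64:Q09OU1RSVUNURURfRVhBTVBMRV9OT1RfUkVBTA==
# database
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PASSWORD="s3cr3t pass"   # quoted value with a trailing comment
AWS_SECRET_ACCESS_KEY=EXAMPLEKEYNOTREAL
STRIPE_SECRET='sk_test_constructed'
MAIL_PASSWORD=
SESSION_DRIVER=redis
"""


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines: '#' lines are comments, single or double
    quotes delimit values that may contain spaces, and an unquoted value
    ends at ' #' (trailing comment)."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        if value[:1] in ("'", '"'):
            quote = value[0]
            end = value.find(quote, 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            value = value.split(" #", 1)[0].strip()
        env[key] = value
    return env


def rotation_inventory(env: dict):
    """Return (rotate, empty): secret-like keys with a value, and secret-like
    keys that are present but empty."""
    rotate, empty = [], []
    for key, value in env.items():
        if SECRET_KEY_RE.search(key):
            (rotate if value else empty).append(key)
    return rotate, empty


if __name__ == "__main__":
    rotate, empty = rotation_inventory(parse_env(SAMPLE_ENV))
    print("rotate:", ", ".join(rotate))
    print("empty (verify):", ", ".join(empty))
```

Rotating APP_KEY deserves its own plan: Laravel uses it for encrypted values and signed cookies, so changing it invalidates existing encrypted data and active sessions, which is usually desirable during an incident but must be expected. Also regenerate any cached configuration after rotating, since the cache holds the old values in plaintext, and rotate credentials the file merely points to (the database user behind DB_HOST, for instance) at the service that issued them, not just in .env.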
Source: Fake Laravel Packages On Packagist Deploy RAT Across Windows, macOS, And Linux