Fake Laravel Packages on Packagist Deploy RAT on Windows, macOS, and Linux

Staff Editor 2026-03-04
Fake Laravel Packages on Packagist Deploy RAT on Windows, macOS, and Linux

Fake Laravel Packages on Packagist Deploy RAT on Windows, macOS, and Linux

https://thehackernews.com/2026/03/fake-laravel-packages-on-packagist.html

Publish Date: 2026-03-04 04:37:00

Source Domain: thehackernews.com

Ravie LakshmananMar 04, 2026Threat Intelligence / Application Security

Cybersecurity researchers have flagged malicious Packagist PHP packages masquerading as Laravel utilities that act as a conduit for a cross-platform remote access trojan (RAT) that’s functional on Windows, macOS, and Linux systems.

The names of the packages are listed below –

  • nhattuanbl/lara-helper (37 Downloads)
  • nhattuanbl/simple-queue (29 Downloads)
  • nhattuanbl/lara-swagger (49 Downloads)

According to Socket, the package “nhattuanbl/lara-swagger” does not directly embed malicious code, lists “nhattuanbl/lara-helper” as a Composer dependency, causing it to install the RAT. The packages are still available for download from the PHP package registry.

Both lara-helper and simple-queue have been found to contain a PHP file named “src/helper.php,” which employs a number of tricks to complicate static analysis by making use of techniques like control flow obfuscation, encoding domain names, command names, and file paths, and randomized identifiers for variable and function names. 

“Once loaded, the payload connects to a C2 server at helper.leuleu[.]net:2096, sends system reconnaissance data, and waits for commands — giving the operator full remote access to the host,” security researcher Kush Pandya said.

This includes sending system information and parsing commands received from the C2 server for subsequent execution on the compromised host. The communication occurs over TCP using PHP’s stream_socket_client(). The list of supported commands is below –

  • ping, to send a heartbeat automatically every 60 seconds
  • info, to send system reconnaissance data to the C2 server
  • cmd, to run a shell command
  • powershell, to run a PowerShell command
  • run, to run a shell command in the background
  • screenshot, to capture the screen using imagegrabscreen()
  • download, to read a file from disk
  • upload, to a file on disk and grant it read, write, and execute permissions to all users
  • stop, to the socket, and…

Source

More Stories

Project Glasswing: Key cybersecurity agencies set to get access to Anthropic’s Mythos | Business News

Project Glasswing: Key cybersecurity agencies set to get access to Anthropic’s Mythos | Business News

Staff Editor 2026-06-06
Did Insight’s New AI Cybersecurity Service and Credit Tweaks Just Reframe Insight Enterprises’ (NSIT) Growth Story?

Did Insight’s New AI Cybersecurity Service and Credit Tweaks Just Reframe Insight Enterprises’ (NSIT) Growth Story?

Staff Editor 2026-06-06
OpenAI Introduces Lockdown Mode To Combat AI Data Exfiltration Risks Amid Growing Prompt Injection Threats

OpenAI Introduces Lockdown Mode To Combat AI Data Exfiltration Risks Amid Growing Prompt Injection Threats

Staff Editor 2026-06-06

Terms and Conditions - Privacy Policy