Malicious Laravel Packagist Packages Deploy Cross-Platform RAT
- [01] Immediate impact: Developers installing malicious Laravel-themed PHP packages are infected with a remote access trojan capable of compromising multiple operating systems.
- [02] Affected systems: Systems running PHP environments that have downloaded nhattuanbl/lara-helper, nhattuanbl/simple-queue, or nhattuanbl/lara-swagger packages.
- [03] Remediation: Organizations must immediately audit composer.lock files for these specific packages and remove them from all development and production environments.
The PHP ecosystem is currently facing a targeted Supply Chain Attack involving malicious packages uploaded to Packagist, the primary repository for PHP libraries. According to The Hacker News, researchers have flagged several packages masquerading as legitimate Laravel utilities. These packages are designed to deliver a C2-linked remote access trojan (RAT) capable of infecting Windows, macOS, and Linux environments.
The packages identified include:
- nhattuanbl/lara-helper
- nhattuanbl/simple-queue
- nhattuanbl/lara-swagger
While the download counts remain relatively low, the cross-platform nature of the payload indicates a sophisticated level of development. This attack highlights the persistent risk of typosquatting and brand impersonation within the developer toolchain.
Malicious Laravel package analysis and detection
Attackers often leverage the popularity of the Laravel framework to distribute malware. In this instance, the uploader “nhattuanbl” utilized naming conventions that mimic common community-driven helper libraries. When a developer adds one of these packages to their project, the installation process triggers a malicious script. This script acts as a downloader for a cross-platform RAT.
The TTP observed involves the use of PHP installation hooks within the composer.json file. This allows the malware to execute automatically upon installation without requiring the developer to call any specific functions from the library. Once active, the RAT establishes a connection to a remote server to receive instructions, exfiltrate data, or deploy additional stages of malware.
Security teams should prioritize Packagist PHP package malware detection by auditing their composer.lock files for any references to the “nhattuanbl” namespace. The cross-platform capabilities of this specific threat mean that even SOC analysts monitoring non-Windows environments must remain vigilant. The malicious packages were designed to be functional across different kernels, making them a versatile tool for gaining initial access to diverse infrastructure.
Technical Impact Across Operating Systems
The ability of a single malicious package to compromise Windows, macOS, and Linux systems is a significant development in PHP-based supply chain threats. Most PHP malware historically targeted Linux servers to build botnets or install web shells. However, this campaign specifically targets the developer’s workstation. By gaining access to a developer’s machine, attackers can perform Lateral Movement within a corporate network, steal source code, or access cloud credentials stored in environment files.
Implementing cross-platform RAT mitigation for PHP requires a multi-layered approach. Because the malware executes at the user level, it may bypass traditional server-side security controls. Analysts should look for unusual outbound connections from the php or composer processes, which may indicate C2 communication. Monitoring for the execution of encoded shell commands or the creation of hidden directories in the user’s home folder is also recommended.
Actionable Recommendations
To defend against these threats, organizations should implement the following IoC monitoring and prevention strategies:
- Dependency Auditing: Run `composer audit` regularly to identify known vulnerable or malicious packages. Note that new Supply Chain Attack vectors may not be immediately flagged in public databases.
- Namespace Validation: Restrict the use of third-party packages to known, trusted maintainers. Avoid packages from unknown accounts with low download counts and no linked GitHub repository.
- EDR Configuration: Ensure that EDR solutions are configured to monitor the behavior of development tools. Suspicious child processes spawned by Composer should trigger immediate alerts for the SOC.
- Code Review: Manually inspect the `composer.json` and source code of new, low-reputation packages before integrating them into the codebase. Look specifically for `scripts`, `post-install-cmd`, or `pre-install-cmd` entries.
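As an added example (not code from the article or from any of the packages it names), a small Python audit that applies the dependency-auditing and code-review checks above to constructed input: it lists every package in a `composer.lock` whose vendor prefix is on a watch list, and extracts the install-time `scripts` entries from a package's `composer.json`. It also flags a package declaring `"type": "composer-plugin"`, since that is the mechanism by which a dependency's own PHP is loaded and run by Composer during installation. The sample lock and manifest, the versions, and the `example/hypothetical-helper` name are all constructed.

```python
import json

# Constructed composer.lock fragment (not from the article); the nhattuanbl
# package names are the ones the advisory lists, versions are invented.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "laravel/framework", "version": "v11.0.0"},
                 {"name": "nhattuanbl/lara-helper", "version": "1.0.2"}],
    "packages-dev": [{"name": "nhattuanbl/lara-swagger", "version": "0.3.0"}],
})

# Constructed composer.json of a hypothetical low-reputation package that
# declares the install-time scripts entries the article says to look for.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example/hypothetical-helper", "type": "composer-plugin",
    "scripts": {"pre-install-cmd": "php -r \"echo 'hi';\"",
                "post-install-cmd": ["@php vendor/bin/setup", "php setup.php"],
                "test": "phpunit"},
})

# Composer script events that run automatically during install/update,
# i.e. without the developer calling anything from the library.
INSTALL_HOOKS = {
    "pre-install-cmd", "post-install-cmd", "pre-update-cmd", "post-update-cmd",
    "pre-autoload-dump", "post-autoload-dump", "pre-package-install",
    "post-package-install", "pre-package-update", "post-package-update",
}

def audit_lock(lock_text, namespaces):
    """Return (name, version) for each locked package whose vendor is in namespaces."""
    lock = json.loads(lock_text)
    hits = []
    for section in ("packages", "packages-dev"):  # dev dependencies count too
        for pkg in lock.get(section, []):
            vendor = pkg["name"].split("/", 1)[0]
            if vendor in namespaces:
                hits.append((pkg["name"], pkg.get("version", "?")))
    return hits

def find_install_hooks(manifest_text):
    """Return {event: [commands]} for auto-run scripts; also flag Composer plugins."""
    manifest = json.loads(manifest_text)
    hooks = {}
    for event, cmds in manifest.get("scripts", {}).items():
        if event in INSTALL_HOOKS:
            hooks[event] = cmds if isinstance(cmds, list) else [cmds]
    if manifest.get("type") == "composer-plugin":
        # a plugin's own PHP code is loaded and executed by Composer itself
        hooks["composer-plugin"] = [manifest.get("name", "?")]
    return hooks
```

Point `audit_lock` at a real lock file's contents and the `{"nhattuanbl"}` namespace to reproduce the audit the article recommends; run `find_install_hooks` over each `vendor/*/*/composer.json` to triage new dependencies.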
By maintaining a Zero Trust posture regarding third-party dependencies, organizations can significantly reduce the risk of successful supply chain compromise.