Malicious Laravel Packages on Packagist Deliver RAT Across Windows, macOS, and Linux

Cybersecurity researchers have uncovered malicious PHP packages on Packagist that impersonate legitimate Laravel utilities while secretly deploying a cross-platform remote access trojan (RAT) capable of running on Windows, macOS, and Linux systems.

The packages, published under the vendor namespace nhattuanbl, include:

  • nhattuanbl/lara-helper
  • nhattuanbl/simple-queue
  • nhattuanbl/lara-swagger

According to findings from Socket, the lara-swagger package contains no malicious code itself. Instead, it declares lara-helper as a Composer dependency, so installing lara-swagger pulls the embedded RAT in transitively.

Despite their malicious nature, the packages remained available on Packagist at the time of disclosure.
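Because the RAT can arrive as a transitive dependency rather than a package a developer asked for, checking composer.json alone is not enough. The following is an added example (not Socket's tooling or anything from the nhattuanbl packages) that scans a composer.lock for the package names in this report and, for each hit, walks the reverse dependency graph to show what pulled it in. The composer.lock fragment embedded below is constructed for the demo; the package names and the lara-swagger to lara-helper dependency come from the report.

```python
"""Scan a composer.lock for the packages named in the report, including
packages pulled in transitively (lara-swagger -> lara-helper).

Added example, not Socket's or the package author's code. The
composer.lock content below is constructed for the demo; the package
names and the lara-swagger -> lara-helper dependency come from the report.
"""
import json

# Indicators from the report: packages carrying the RAT in src/helper.php
RAT_PACKAGES = {"nhattuanbl/lara-helper", "nhattuanbl/simple-queue"}
# Package that declares a RAT package as a dependency
DEPENDENT_PACKAGES = {"nhattuanbl/lara-swagger"}

# Constructed composer.lock fragment (real lock files carry more fields).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v10.48.0",
         "require": {"php": "^8.1"}},
        {"name": "nhattuanbl/lara-swagger", "version": "1.0.2",
         "require": {"nhattuanbl/lara-helper": "*"}},
        {"name": "nhattuanbl/lara-helper", "version": "1.0.5",
         "require": {}},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "10.5.0", "require": {}},
    ],
})


def load_packages(lock_text):
    """Return {package name: set of names it directly requires} for both
    the production and the dev sections of the lock file."""
    lock = json.loads(lock_text)
    graph = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            graph[pkg["name"]] = set(pkg.get("require", {}))
    return graph


def reverse_deps(graph, target):
    """Every installed package that requires target, directly or through
    a chain of other packages."""
    found, frontier = set(), {target}
    while frontier:
        current = frontier.pop()
        for name, reqs in graph.items():
            if current in reqs and name not in found:
                found.add(name)
                frontier.add(name)
    return found


def scan_lock(lock_text):
    """Return {flagged package: sorted list of packages that pull it in}.
    An empty list means no installed package requires it, so it must be
    listed in the project's own composer.json."""
    graph = load_packages(lock_text)
    hits = {}
    for name in graph:
        if name in RAT_PACKAGES or name in DEPENDENT_PACKAGES:
            hits[name] = sorted(reverse_deps(graph, name))
    return hits


if __name__ == "__main__":
    for pkg, via in scan_lock(SAMPLE_LOCK).items():
        print(f"{pkg}: pulled in via {via or 'the root composer.json'}")
```

Run it against the real composer.lock of every Laravel project you deploy; a hit on lara-helper with lara-swagger in its reverse-dependency list is exactly the chain the report describes.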

Obfuscation Techniques to Evade Detection

Both lara-helper and simple-queue include a PHP file located at src/helper.php that contains heavily obfuscated code.

The malware uses multiple evasion techniques, including:

  • Control flow obfuscation
  • Encoded domain names, file paths, and command strings
  • Randomized variable and function identifiers

These tactics complicate static code analysis and help the payload avoid detection during casual inspection.

Remote Access Trojan Functionality

Once executed, the malware connects to a command-and-control (C2) server at helper.leuleu[.]net on TCP port 2096 using PHP's stream_socket_client().

After establishing communication, it transmits system reconnaissance data and waits for instructions, effectively granting the operator full remote control over the infected host.

Supported commands include:

  • ping, sends a heartbeat every 60 seconds
  • info, collects system reconnaissance details
  • cmd, executes a shell command
  • powershell, runs a PowerShell command
  • run, executes background shell commands
  • screenshot, captures the screen via imagegrabscreen
  • download, reads files from disk
  • upload, writes files to disk and assigns read, write, and execute permissions to all users
  • stop, terminates the socket connection

For command execution, the RAT reads PHP's disable_functions configuration and selects the first execution primitive that is still enabled, trying popen, proc_open, exec, shell_exec, system, and passthru in that order. This fallback defeats partial hardening: unless disable_functions lists all six, the RAT still finds a working primitive.
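To see what that fallback means for a given php.ini, here is an added example (not the malware's code) that parses a disable_functions value and reports which of the six primitives survive, in the order the report says the RAT probes them. The two ini values are constructed for the demo.

```python
"""Check whether a PHP disable_functions value blocks every execution
primitive the RAT falls back through (popen, proc_open, exec, shell_exec,
system, passthru). Added example, not the malware's code.

The probe order is the one described in the report; the ini values below
are constructed for the demo.
"""

# Order in which the report says the RAT looks for a working primitive
FALLBACK_ORDER = ("popen", "proc_open", "exec", "shell_exec",
                  "system", "passthru")


def parse_disable_functions(value):
    """Split a disable_functions ini value into a set of names.
    Entries are comma-separated; stray whitespace is tolerated. Names are
    lowercased here because PHP registers function names in lowercase."""
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def first_usable_primitive(disabled):
    """The primitive the RAT's fallback logic would land on, or None when
    all six are disabled."""
    for fn in FALLBACK_ORDER:
        if fn not in disabled:
            return fn
    return None


def audit(ini_value):
    """Report the primitives a disable_functions setting leaves enabled."""
    disabled = parse_disable_functions(ini_value)
    remaining = [fn for fn in FALLBACK_ORDER if fn not in disabled]
    return {"remaining": remaining,
            "rat_would_use": first_usable_primitive(disabled)}


# Constructed settings: a common partial list versus a complete one
PARTIAL = "exec,shell_exec,system, passthru"
COMPLETE = "exec,shell_exec,system,passthru,popen,proc_open,pcntl_exec"

if __name__ == "__main__":
    for label, value in (("partial", PARTIAL), ("complete", COMPLETE)):
        print(label, audit(value))
```

Note what disable_functions does and does not buy you here: a complete list removes the cmd, powershell, and run commands, but stream_socket_client() and the ordinary file functions behind download and upload are not execution primitives and stay available, so the RAT still connects out and still reads and writes files. Treat the setting as damage limitation, not as a substitute for removing the package.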

Although the C2 server was unresponsive at the time of analysis, the malware retries the connection every 15 seconds in a persistent loop, so any host still running the package will reconnect as soon as the server comes back online.

Supply Chain Tactics to Build Trust

In addition to the malicious packages, the threat actor also published several clean libraries:

  • nhattuanbl/lara-media
  • nhattuanbl/snooze
  • nhattuanbl/syslog

Researchers believe these legitimate packages were intended to establish credibility within the developer community and increase trust before introducing the malicious components.

Security Impact on Laravel Applications

Any Laravel application that installed lara-helper or simple-queue should be treated as compromised. Because the RAT is loaded during application boot (through a service provider or Composer's autoload mechanism), it runs inside the web application's own process, with that process's privileges.

This grants the attacker access to:

  • Database credentials
  • API keys
  • Environment variables stored in .env files
  • Full filesystem permissions available to the web process

Security experts advise affected users to:

  • Immediately remove the malicious packages, along with lara-swagger, which depends on lara-helper
  • Rotate all secrets and credentials accessible from the application
  • Audit outbound traffic for connections to helper.leuleu[.]net on TCP port 2096
  • Conduct a full security review of the affected environment
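The traffic audit has two useful signals in this report: the published C2 destination, and the 15-second reconnect loop the RAT falls into while the server stays silent. The following is an added example (not Socket's tooling) that hunts for both in outbound connection logs. The key=value log format and every line in the sample are constructed for the demo and stand in for a hypothetical egress firewall; the domain, port, and retry interval come from the report.

```python
"""Hunt outbound connection logs for the C2 described in the report:
helper.leuleu[.]net on TCP 2096, plus the 15-second reconnect cadence the
RAT shows when the server does not answer.

Added example, not Socket's tooling. The key=value log format and every
line below are constructed for the demo (a hypothetical egress firewall);
the domain, port and retry interval come from the report.
"""
import re
import statistics
from collections import defaultdict

C2_HOST = "helper.leuleu.net"   # report gives it defanged as helper.leuleu[.]net
C2_PORT = 2096
RETRY_SECONDS = 15              # reconnect interval described in the report
TOLERANCE = 2                   # seconds of jitter tolerated around the cadence
MIN_ATTEMPTS = 3                # fewer attempts than this is not a cadence

FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample: one web host retrying the C2 every 15 s, one host
# retrying an unrelated destination on the same cadence, and normal traffic.
SAMPLE_LOG = """\
ts=1718000000 src=10.0.1.20 dst=helper.leuleu.net dport=2096 proto=tcp
ts=1718000003 src=10.0.1.21 dst=api.example.org dport=443 proto=tcp
ts=1718000015 src=10.0.1.20 dst=helper.leuleu.net dport=2096 proto=tcp
ts=1718000030 src=10.0.1.20 dst=helper.leuleu.net dport=2096 proto=tcp
ts=1718000031 src=10.0.1.21 dst=api.example.org dport=443 proto=tcp
ts=1718000045 src=10.0.1.20 dst=helper.leuleu.net dport=2096 proto=tcp
ts=1718000050 src=10.0.1.22 dst=203.0.113.9 dport=2096 proto=tcp
ts=1718000065 src=10.0.1.22 dst=203.0.113.9 dport=2096 proto=tcp
ts=1718000081 src=10.0.1.22 dst=203.0.113.9 dport=2096 proto=tcp
"""


def parse_line(line):
    """Turn one key=value record into a dict; ts and dport become ints and
    the destination is lowercased with any defanging brackets removed, so a
    pasted IOC still matches."""
    rec = dict(FIELD.findall(line))
    rec["ts"] = int(rec["ts"])
    rec["dport"] = int(rec["dport"])
    rec["dst"] = rec["dst"].lower().replace("[.]", ".")
    return rec


def ioc_hits(records):
    """Records that match the published C2 domain and port exactly."""
    return [r for r in records if r["dst"] == C2_HOST and r["dport"] == C2_PORT]


def beacon_candidates(records):
    """(src, dst, dport) flows whose median gap between attempts sits on
    the retry cadence. Destination-agnostic on purpose: it also catches a
    re-pointed C2 that the published indicator would miss."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    hits = []
    for key, times in flows.items():
        times.sort()
        if len(times) < MIN_ATTEMPTS:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if abs(statistics.median(gaps) - RETRY_SECONDS) <= TOLERANCE:
            hits.append(key)
    return sorted(hits)


def hunt(log_text):
    """Return the source hosts that hit the published IOC and the flows
    that look like the RAT's reconnect loop."""
    records = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    return {
        "ioc_hits": sorted({r["src"] for r in ioc_hits(records)}),
        "beaconing": beacon_candidates(records),
    }


if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

The cadence check is the part worth keeping after the indicator goes stale: a web server that opens a fresh TCP connection to the same destination every 15 seconds and never gets an answer is behaving like this RAT whatever the hostname is, and that is what to escalate for a full review of the host.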

The incident underscores the growing risks within open source software supply chains, where malicious dependencies can silently introduce persistent remote access into production systems.
