
Malicious Packagist Packages Disguised as Laravel Utilities Deploy Encrypted RAT
A sophisticated supply chain attack targets PHP developers. Discover how malicious Packagist packages disguised as Laravel utilities install a cross-platform RAT, granting attackers full remote access.
The integrity of the open-source software supply chain is under constant assault. Recently, cybersecurity researchers have identified a sophisticated campaign distributing a cross-platform Remote Access Trojan (RAT) via compromised Composer dependencies. This attack highlights the critical need for vigilance when integrating third-party libraries into enterprise applications.
Researchers at Socket have detailed how malicious Packagist packages disguised as Laravel utilities are being used to compromise Windows, macOS, and Linux systems.
1. The Threat Profile: Deceptive Packages
The threat actor, tracked as nhattuanbl, published several packages to the PHP package registry. To build credibility, they initially released clean libraries before introducing the malicious ones. The key packages involved in this campaign are:
- nhattuanbl/lara-helper (contains the RAT payload)
- nhattuanbl/simple-queue (contains the RAT payload)
- nhattuanbl/lara-swagger (clean code, but acts as a vector)
The most insidious aspect of this attack is the dependency chain vector. The package lara-swagger contains no malicious code itself. However, its composer.json file explicitly requires nhattuanbl/lara-helper at dev-master. Installing the seemingly benign lara-swagger silently pulls the RAT into the victim's environment, bypassing superficial security reviews.
2. Technical Deep Dive: Obfuscation and Execution
The malicious payload resides in a file deceptively named src/helper.php. This file employs three layered techniques to thwart static analysis:
- Goto Spaghetti Logic: Control flow is aggressively fractured into hundreds of labeled jumps, destroying readable top-to-bottom execution paths.
- String Encoding: Vital indicators like domain names and commands are encoded using hex and octal escape sequences.
- Randomized Identifiers: Variables and functions utilize randomly generated names, further confusing analysts and automated scanners.
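A triage heuristic for the three obfuscation traits listed above, written as an added example (not code from the write-up or from Socket): it counts goto jumps per line, hex/octal escape sequences inside string literals, and random-looking identifiers in a PHP source file. The PHP sample is constructed for the demonstration and is not the real payload; its escaped literal decodes to the harmless string "http".

```python
import math
import re

# Constructed PHP snippet (not the real payload) showing the three traits the
# write-up describes: goto-fractured control flow, hex/octal-escaped strings
# and random-looking identifiers. The escaped literal decodes to "http".
SAMPLE_PHP = r'''<?php
goto xQ9fK; aB3zR: $vT7mP = "\x68\x74\x74\160"; goto hN2wL;
xQ9fK: function kZ8yD($q) { return $q; } goto aB3zR;
hN2wL: echo kZ8yD($vT7mP);
'''

GOTO_RE = re.compile(r'\bgoto\s+[A-Za-z_]\w*\s*;')
ESCAPE_RE = re.compile(r'\\x[0-9A-Fa-f]{2}|\\[0-7]{3}')       # "\x68" or "\160"
IDENT_RE = re.compile(r'(?:\$|function\s+)([A-Za-z_]\w*)')   # $var / function name


def entropy(s):
    """Shannon entropy of a string in bits per character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def obfuscation_score(php_src):
    """Count the three obfuscation signals; high values warrant manual review."""
    lines = max(1, php_src.count("\n"))
    gotos = len(GOTO_RE.findall(php_src))
    escapes = len(ESCAPE_RE.findall(php_src))
    idents = set(IDENT_RE.findall(php_src)) - {"this"}
    # Mixed-case identifiers with high character entropy look machine-generated.
    random_like = [
        i for i in idents
        if len(i) >= 5 and re.search(r'[a-z][A-Z0-9]|[A-Z0-9][a-z]', i) and entropy(i) > 2.0
    ]
    return {"goto_per_line": gotos / lines, "escapes": escapes, "random_idents": len(random_like)}
```

Thresholds are a starting point: hand-written code rarely has more than a handful of gotos or escaped literals per file, so any non-zero goto rate combined with escapes is worth opening the file.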
Activation Mechanisms
The payload is designed to execute seamlessly without requiring manual intervention from the developer. In lara-helper, it leverages Laravel's service provider auto-discovery, running the malicious code on every application boot. In simple-queue, the include sits at file scope, so the payload runs the moment PHP's autoloader loads the class file (even for a simple type-hint check).
Upon execution, it spawns a detached background process and creates a temporary lock file to prevent multiple instances, allowing normal application execution to continue unnoticed.
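A lock-file audit covering both the dependency-chain vector from section 1 and the auto-discovery activation path described above, added here as an example (not code from the write-up, from Socket, or from Composer): it walks a composer.lock, traces each transitive package back to the direct dependency that pulled it in, flags dev-* branch pins, and lists packages that declare Laravel auto-discovered providers. The lock excerpt is constructed; only the package names come from the article.

```python
import json

# Constructed composer.lock excerpt (not the real packages' metadata). It mirrors the
# chain described in the write-up: a clean package whose composer.json requires the
# payload package at dev-master, and a payload package registering a Laravel provider.
LOCK_JSON = r'''{
  "packages": [
    {"name": "nhattuanbl/lara-swagger", "version": "1.0.2",
     "require": {"php": ">=8.0", "nhattuanbl/lara-helper": "dev-master"}},
    {"name": "nhattuanbl/lara-helper", "version": "dev-master",
     "require": {"php": ">=8.0"},
     "extra": {"laravel": {"providers": ["Nhattuanbl\\LaraHelper\\ServiceProvider"]}}},
    {"name": "example/logger", "version": "2.1.0", "require": {"php": ">=8.0"}}
  ]
}'''


def audit_lock(lock_text, root_requires):
    """Return [(package, [reasons])] for packages worth a manual look.

    root_requires: names listed directly in the project's own composer.json.
    Flags transitive packages (with the chain that pulled them in), dev-* branch
    pins, and packages Laravel will auto-discover and boot on every request.
    """
    lock = json.loads(lock_text)
    pkgs = {p["name"]: p for p in lock.get("packages", [])}
    parents = {}  # dependency -> [(requiring package, constraint)]
    for p in pkgs.values():
        for dep, constraint in p.get("require", {}).items():
            if dep in pkgs:
                parents.setdefault(dep, []).append((p["name"], constraint))
    findings = []
    for name, p in pkgs.items():
        reasons = []
        if name not in root_requires:
            chain, cur = [], name
            while cur in parents and cur not in root_requires and cur not in chain:
                chain.append(cur)
                cur = parents[cur][0][0]
            if chain:
                reasons.append("transitive via " + " <- ".join(chain[1:] + [cur]))
        pins = [c for _, c in parents.get(name, [])] + [str(p.get("version", ""))]
        if any(c.startswith("dev-") for c in pins):
            reasons.append("dev-* branch pin (unreviewed moving target)")
        providers = p.get("extra", {}).get("laravel", {}).get("providers", [])
        if providers:
            reasons.append("Laravel auto-discovery providers: " + ", ".join(providers))
        if reasons:
            findings.append((name, reasons))
    return findings
```

In a real project, pass the keys of the `require` block of composer.json as `root_requires` and read composer.lock from disk.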
3. C2 Communication and Capabilities
The RAT connects to a Command and Control (C2) server over raw TCP. To evade detection, all traffic is encrypted using AES-128-CTR with a hardcoded key. It persistently attempts to connect, retrying every 15 seconds if it fails.
The RAT boasts extensive capabilities, receiving JSON-formatted commands from the C2 server to execute actions such as:
| Command | Functionality |
|---|---|
| info | Transmits system reconnaissance data (OS, hostname, UID, permissions). |
| cmd / powershell | Executes arbitrary shell or PowerShell commands. |
| screenshot | Captures the screen using PHP's imagegrabscreen(). |
| upload / download | Reads or writes files to disk, modifying permissions as needed. |
Crucially, the RAT dynamically probes PHP's disable_functions directive and cycles through execution functions (popen, proc_open, exec, shell_exec, system, passthru) until it finds an available method, making it highly resilient to common server hardening configurations.
4. Business Impact and Remediation
The impact of installing these packages is severe. Because the RAT runs within the context of the web application, the attacker gains full access to the environment variables, including highly sensitive data such as database credentials, API keys, and .env file contents. They possess persistent remote shell access across Windows, macOS, and Linux platforms.
Immediate Actions for Affected Organizations:
- Assume Compromise: Treat any host that installed these packages as fully compromised.
- Rotate Secrets: Immediately rotate all credentials accessible from the application environment.
- Remove Packages: Uninstall the malicious dependencies and delete the helper.php payload.
- Audit Traffic: Review outbound network logs for connections to the C2 domain (helper.leuleu[.]net:2096).
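For the traffic audit step above, an added example (not from the write-up or from Socket) that scans connection logs for the published C2 indicator: it re-fangs the defanged domain, flags lines matching the domain or port 2096, and notes whether flagged connections to the same destination recur at roughly the 15-second retry interval described in section 3. The log lines and IP addresses are constructed for the demonstration.

```python
# Constructed sample log lines (Zeek conn.log-style, tab-separated:
# ts, uid, orig_h, orig_p, resp_h, resp_p, proto, resolved name). The IPs are
# from documentation ranges and are not real indicators.
SAMPLE_LOGS = """\
1700000001.1\tC1\t10.0.0.5\t51000\t203.0.113.10\t443\ttcp\tupdates.example.com
1700000002.2\tC2\t10.0.0.5\t51002\t198.51.100.7\t2096\ttcp\thelper.leuleu.net
1700000017.3\tC3\t10.0.0.5\t51003\t198.51.100.7\t2096\ttcp\t-
1700000032.4\tC4\t10.0.0.9\t51004\t203.0.113.20\t80\ttcp\twww.example.org
"""
IOC_DOMAIN = "helper.leuleu[.]net"   # defanged, exactly as published in the write-up
IOC_PORT = 2096
RETRY_SECONDS = 15                   # the RAT's reconnect interval per the write-up


def refang(domain):
    """Turn a defanged indicator back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


def find_c2_hits(log_text, domain, port):
    """Return (hits, beacons): flagged connections and, per destination IP,
    whether consecutive hits are spaced about RETRY_SECONDS apart."""
    target = refang(domain)
    hits = []
    for line in log_text.splitlines():
        f = line.split("\t")
        if len(f) < 8:
            continue
        ts, resp_p, name = float(f[0]), int(f[5]), f[7].lower()
        reasons = []
        if name == target:
            reasons.append("domain")
        if resp_p == port:
            reasons.append("port")
        if reasons:
            hits.append({"ts": ts, "src": f[2], "dst": f[4], "reasons": reasons})
    by_dst = {}
    for h in hits:
        by_dst.setdefault(h["dst"], []).append(h["ts"])
    beacons = {
        dst: any(abs((b - a) - RETRY_SECONDS) <= 2 for a, b in zip(t, t[1:]))
        for dst, t in by_dst.items()
    }
    return hits, beacons
```

A port-only match (a line whose name column is "-" because no DNS answer was logged) is still worth chasing, since the RAT speaks raw TCP and the destination may be reached by IP.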
Secure Your Software Supply Chain
This attack underscores the dangers of transitive dependencies and the risks of using dev-master versions in production environments. Traditional vulnerability scanners often miss obfuscated, logic-based malware embedded deep within dependency trees.
At Adayptus Consulting, we integrate robust DevSecOps practices to safeguard your software development lifecycle. From advanced static and dynamic analysis to architectural security reviews, we help you build resilient applications.
Adayptus Threat Intelligence
Strategic Intelligence Division
Adayptus Consulting is a premier provider of enterprise cybersecurity solutions, specializing in Managed SOC, Penetration Testing, and GRC strategy. Our intelligence division regularly publishes research to help CISOs navigate the evolving threat landscape.