Laravel Lang packages hijacked to deploy credential-stealing malware

Published on May 23, 2026

A supply chain attack targeting the Laravel Lang localization packages has exposed developers to a sophisticated credential-stealing malware campaign after attackers abused GitHub version tags to distribute malicious code through Composer packages. [...]

Continue reading on website
Other news

npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks

May 23, 2026
GitHub has rolled out new controls for npm to improve the security of the software supply chain, giving maintainers the ability to explicitly approve a release prior to the packages becoming publicly available for installation.Called staged publishing, the feature is now generally available on npm. It mandates that a human maintainer pass a two-factor authentication (2FA) challenge to approve