Laravel-Lang Packages Poisoned to Exfiltrate CI Secrets

Attackers published malicious tags to Laravel-Lang packages within a compressed 15-minute window, injecting backdoors designed to exfiltrate CI secrets from any pipeline that consumed the affected versions.

The rapid publication window appears intended to slip past monitoring that looks for gradual, suspicious changes. Any CI/CD environment that pulled a Laravel-Lang update during the affected period should be treated as compromised: rotate all secrets, tokens, and credentials accessible from those pipelines immediately.