Malicious Laravel Packages On Packagist Deploy Cross Platform Remote Access Trojan


Cybersecurity researchers have identified several malicious PHP packages hosted on Packagist that impersonate legitimate Laravel utilities and secretly deploy a cross-platform remote access trojan (RAT) capable of running on Windows, macOS, and Linux systems. The discovery highlights the ongoing risk within open source ecosystems where attackers disguise harmful code as useful development tools. According to the researchers, the packages were designed to look like legitimate Laravel helpers but instead function as a backdoor that grants remote control of any system that installs them.

The malicious packages identified are nhattuanbl/lara-helper, nhattuanbl/simple-queue, and nhattuanbl/lara-swagger. Download statistics show that lara-helper had been downloaded 37 times, simple-queue 29 times, and lara-swagger 49 times at the time the activity was documented. Researchers from Socket reported that the lara-swagger package does not itself contain malicious code. Instead, it declares lara-helper as a Composer dependency, so installing lara-swagger pulls in the remote access trojan as a transitive dependency. At the time the issue was reported, all three packages were still available for download from the Packagist PHP package registry, leaving developers who unknowingly integrated the libraries into their applications exposed.

Analysis revealed that both lara-helper and simple-queue contain a suspicious PHP file named src/helper.php. The file uses several techniques designed to complicate detection and static analysis, including control flow obfuscation, encoded domain names, hidden command names, concealed file paths, and randomly generated identifiers for variables and functions. According to security researcher Kush Pandya, once the malicious payload becomes active it connects to a command and control server at helper.leuleu[.]net on port 2096. After establishing the connection, the malware sends system reconnaissance information and waits for instructions from the remote operator, effectively granting full remote access to the compromised host.

The remote access trojan communicates with its command infrastructure over TCP connections opened with PHP's stream_socket_client function. Once connected, the malware can execute a range of commands issued by the attacker: collect system information, run shell commands, execute PowerShell instructions, capture screenshots, download files from the system, upload new files with full permissions, and run background processes. The malware also includes a heartbeat that signals the command server every 60 seconds to confirm that the infected system is still active. For command execution, the trojan reads the PHP disable_functions configuration and automatically selects whichever execution function is still available among popen, proc_open, exec, shell_exec, system, and passthru. Researchers noted that this fallback design keeps the malware effective in environments that apply the usual PHP hardening, because blocking only some of those functions leaves the others available.
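The fallback described above only works when disable_functions is incomplete. The following added example (written for this article, not code from Socket or from the packages) parses a php.ini-style fragment, reports which of the six execution functions a PHP process could still call, and emits a directive that closes all of them. The WEAK_INI sample is a constructed, hypothetical configuration.

```python
"""Check whether a php.ini disable_functions value closes every command-execution
primitive that the helper.php RAT is reported to fall back through."""

# The six execution functions named in the Socket analysis, in the order the article lists them.
EXEC_PRIMITIVES = ("popen", "proc_open", "exec", "shell_exec", "system", "passthru")


def parse_disable_functions(ini_text: str) -> set[str]:
    """Return the set of function names disabled by the first active
    disable_functions directive in php.ini-style text (';' comment lines are ignored)."""
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "disable_functions":
            value = value.split(";", 1)[0]          # drop a trailing comment
            value = value.strip().strip('"')
            return {f.strip().lower() for f in value.split(",") if f.strip()}
    return set()


def remaining_exec_primitives(ini_text: str) -> list[str]:
    """Execution primitives a PHP process under this configuration could still call."""
    disabled = parse_disable_functions(ini_text)
    return [f for f in EXEC_PRIMITIVES if f not in disabled]


def hardened_directive(ini_text: str) -> str:
    """Build a disable_functions directive that keeps everything already disabled
    and adds every execution primitive that was left open."""
    merged = parse_disable_functions(ini_text) | set(EXEC_PRIMITIVES)
    return "disable_functions = " + ",".join(sorted(merged))


# Constructed sample: a hypothetical "hardened" php.ini that disables only three of the
# six functions. Not taken from any real deployment.
WEAK_INI = """
; Hardening fragment
expose_php = Off
disable_functions = exec,shell_exec,system
"""

if __name__ == "__main__":
    print("Still callable:", remaining_exec_primitives(WEAK_INI))
    print(hardened_directive(WEAK_INI))
```

Closing all six functions removes every shell fallback the article names, but the RAT's socket connection and its file upload and download commands do not depend on them, so this is a containment measure and not a substitute for removing the packages.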

Although the command server linked to the malware was not responding at the time of the report, the RAT keeps trying to reconnect every 15 seconds in a persistent loop. This behavior leaves infected systems exposed should the command infrastructure come back online. Security researchers warn that developers who installed any of these packages should assume their systems may have been compromised. They recommend removing the packages immediately, rotating every credential reachable from the application environment, and monitoring outbound network traffic for connection attempts to the command server.
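Two of the checks recommended above, as an added example that is not part of the original article or of Socket's tooling: the first looks up the three reported package names in a composer.lock file (which records transitive dependencies, so lara-helper appears even when only lara-swagger was required), and the second searches an outbound connection log for attempts to the reported C2 endpoint and flags hosts whose attempts recur at the 15-second reconnect cadence. The lock fragment, the log format ("epoch_ts src_host dst_host dst_port proto"), the host names and the version strings are all constructed for the example.

```python
"""Audit a project for the nhattuanbl packages and look for the RAT's reconnect beacon."""
import json
import re
import statistics

# Package names and C2 endpoint as reported by Socket. The article writes the domain
# defanged as helper.leuleu[.]net; the log matcher needs the real hostname string.
MALICIOUS_PACKAGES = {"nhattuanbl/lara-helper", "nhattuanbl/simple-queue", "nhattuanbl/lara-swagger"}
C2_HOST = "helper.leuleu.net"
C2_PORT = 2096
RECONNECT_INTERVAL_S = 15   # reported reconnect loop while the C2 is unreachable


def find_malicious_in_lock(lock_text: str) -> list[str]:
    """Return 'name version' for every reported malicious package in composer.lock,
    checking both the runtime and dev sections."""
    lock = json.loads(lock_text)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") in MALICIOUS_PACKAGES:
                hits.append(f"{pkg['name']} {pkg.get('version', '?')}")
    return sorted(hits)


# Constructed log format: epoch timestamp, source host, destination host, destination port, protocol.
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<proto>\w+)")


def c2_attempts(log_text: str) -> dict[str, list[float]]:
    """Map each source host to the timestamps of its TCP connection attempts to the C2."""
    attempts: dict[str, list[float]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m["proto"].lower() != "tcp":
            continue
        if m["dst"] == C2_HOST and int(m["dport"]) == C2_PORT:
            attempts.setdefault(m["src"], []).append(float(m["ts"]))
    return attempts


def beaconing_hosts(log_text: str, tolerance_s: float = 2.0) -> list[str]:
    """Hosts whose C2 attempts recur at roughly the 15-second reconnect cadence.
    At least three attempts are needed so two intervals can be compared."""
    flagged = []
    for host, ts in c2_attempts(log_text).items():
        ts.sort()
        if len(ts) < 3:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if abs(statistics.median(gaps) - RECONNECT_INTERVAL_S) <= tolerance_s:
            flagged.append(host)
    return sorted(flagged)


# Constructed composer.lock fragment: the project required only lara-swagger, which
# pulled lara-helper in transitively. Version strings are illustrative.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "nhattuanbl/lara-swagger", "version": "1.0.0"},
        {"name": "nhattuanbl/lara-helper", "version": "1.0.0"},
    ],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "11.0.0"}],
})

# Constructed outbound connection log. web-01 shows the 15-second reconnect loop;
# web-02 made one ordinary HTTPS call and a single attempt to the C2.
SAMPLE_LOG = """
1700000000 web-01 helper.leuleu.net 2096 tcp
1700000015 web-01 helper.leuleu.net 2096 tcp
1700000030 web-01 helper.leuleu.net 2096 tcp
1700000045 web-01 helper.leuleu.net 2096 tcp
1700000003 web-02 packagist.org 443 tcp
1700000020 web-02 helper.leuleu.net 2096 tcp
"""

if __name__ == "__main__":
    print("Malicious packages in lock:", find_malicious_in_lock(SAMPLE_LOCK))
    print("Hosts beaconing to C2:", beaconing_hosts(SAMPLE_LOG))
    print("All hosts that touched C2:", sorted(c2_attempts(SAMPLE_LOG)))
```

Any host that contacted the C2 at all belongs on the remediation list; the cadence check only separates the persistent reconnect loop from a one-off connection, and it will miss a host whose outbound traffic to port 2096 was blocked before it was logged.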

Investigators also found that the threat actor behind the malicious libraries had uploaded additional packages to Packagist, including nhattuanbl/lara-media, nhattuanbl/snooze, and nhattuanbl/syslog. These packages appear to be clean and likely served to build credibility for the developer account before the malicious code was distributed. Researchers noted that any Laravel application that installed lara-helper or simple-queue is effectively running a persistent remote access trojan inside the same process as the web application. Because the malware runs with the same filesystem permissions and environment variables as the application itself, attackers could read sensitive data such as database credentials, API keys, and other configuration stored in environment files.
