A sophisticated supply chain attack has been discovered targeting the PHP developer community via Packagist, the official package repository for PHP and Laravel projects. A threat actor known as “nhattuanbl” published several malicious packages disguised as legitimate Laravel utility libraries. These packages deployed a fully functional PHP Remote Access Trojan (RAT), enabling attackers to gain silent and persistent control over compromised systems.
The attack, identified by Socket.dev analysts, leveraged a cunning strategy of blending in with legitimate software. The threat actor released six packages between June and December 2024 under the same author name. While three were clean, two packages, `nhattuanbl/lara-helper` and `nhattuanbl/simple-queue`, contained an identical malicious payload hidden within a file named `src/helper.php`. A third package, `nhattuanbl/lara-swagger`, acted as a carrier, silently incorporating `nhattuanbl/lara-helper` as a hard dependency, thereby smuggling a harmful payload into a seemingly innocuous setup.
Malicious Packages Deploy PHP RAT via Packagist
The discovered malicious packages allowed a remote access trojan to be distributed throughout the PHP ecosystem. Once installed, the payload attempts to establish a connection to a command-and-control (C2) server located at `helper[.]leuleu[.]net` on port 2096. Upon successful connection, it transmits a comprehensive system profile to the attacker and awaits further instructions. This grants the operator complete remote control over the compromised host, a significant threat to web applications and their underlying infrastructure.
Researchers have submitted takedown requests to the Packagist team, though the malicious packages remained accessible at the time of this report. The implications of this campaign are far-reaching, as any Laravel application that incorporated these packages now harbors a persistent RAT operating within the same process as the web application. This provides direct access to sensitive information such as environment variables, database credentials, and API keys stored in `.env` files.
The threat is cross-platform, functioning effectively on Windows, macOS, and Linux systems, demonstrating a wide potential reach. Even if the C2 server becomes unavailable, the threat persists. The RAT is configured to retry its connection every 15 seconds indefinitely, allowing attackers to redirect it to a new host at any time without altering the malicious code itself. The RAT-bearing packages operate silently in the background from the moment the infected application starts.
Inside the Infection Mechanism and Impact
The infection mechanism is designed for maximum stealth. The malicious file, `helper.php`, is obfuscated to prevent easy detection. It is delivered as a single, continuous line of code following the opening `
The activation process varies depending on the specific infected package installed. In `nhattuanbl/lara-helper`, a Laravel service provider is registered via Composer’s auto-discovery, causing the `helper.php` file to load on every application boot. For `nhattuanbl/simple-queue`, the malicious include resides at the file scope level, meaning the payload executes as soon as PHP’s autoloader resolves the class. This can occur through a type-hint or a simple `class_exists()` check.
Once triggered, the RAT spawns a detached background process of itself, passing a `helper` argument. The parent process then resumes normal execution, ensuring the application exhibits no visible signs of infection. A lock file is utilized to prevent duplicate instances, with an expiration period of 15 minutes. Communication between the RAT and its C2 server is encrypted using AES-128-CTR, secured by a hardcoded 16-byte key (`esCAmxUoJkIjTV0n`) embedded within the payload. The C2 server can issue JSON commands to the RAT, instructing it to execute shell commands, capture screenshots, upload or download files, and exfiltrate system reconnaissance data, including hostname, OS version, user privileges, and a unique machine ID.
Any development team that has installed `nhattuanbl/lara-helper`, `nhattuanbl/simple-queue`, or `nhattuanbl/lara-swagger` should assume the affected host is fully compromised. It is imperative to immediately rotate all secrets accessible from the application environment, including database passwords, API keys, and `.env` values. Furthermore, the malicious packages and the `helper.php` file must be removed. A thorough audit of files with `chmod 0777` permissions is recommended, and the lock file located at `{sys_get_temp_dir}/wvIjjnDMRaomchPprDBzzVSpzh61RCar.lock` should be deleted.
Teams should also review outbound network traffic for connections to `helper[.]leuleu[.]net:2096`. Auditing transitive dependencies and avoiding the use of `dev-master` constraints in production environments is crucial, as these constraints bypass version pinning entirely and can introduce unexpected vulnerabilities. Future monitoring will focus on the response from Packagist and the potential emergence of similar supply chain attacks targeting the open-source software ecosystem.
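As an added defender-side example (not code from the Socket.dev report or from any of the packages), a small Python audit that applies the remediation checks above to a project's `composer.json` and `composer.lock`: it flags the three named packages (reporting `lara-helper` arriving transitively via `lara-swagger`), any `dev-` branch constraints (generalising the `dev-master` point to all moving-branch constraints), and the RAT's lock file in the temp directory. The sample manifests are constructed for the demonstration.

```python
import json
import os
import tempfile

# Package names and lock-file name are the indicators reported in the article.
MALICIOUS = {"nhattuanbl/lara-helper", "nhattuanbl/simple-queue", "nhattuanbl/lara-swagger"}
RAT_LOCK_FILE = "wvIjjnDMRaomchPprDBzzVSpzh61RCar.lock"

# Constructed sample manifests (not from a real project): lara-swagger on dev-master pulls in lara-helper.
SAMPLE_COMPOSER_JSON = json.dumps({"require": {
    "php": "^8.2", "laravel/framework": "^11.0", "nhattuanbl/lara-swagger": "dev-master"}})
SAMPLE_COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v11.0.0", "require": {"php": "^8.2"}},
    {"name": "nhattuanbl/lara-swagger", "version": "dev-master",
     "require": {"nhattuanbl/lara-helper": "dev-master"}},
    {"name": "nhattuanbl/lara-helper", "version": "dev-master", "require": {}}]})

def find_malicious(lock_text):
    """Map each malicious package in composer.lock to the locked packages that require it,
    so a transitive pull (lara-swagger -> lara-helper) is reported, not just direct installs."""
    lock = json.loads(lock_text)
    pkgs = lock.get("packages", []) + lock.get("packages-dev", [])
    hits = {}
    for p in pkgs:
        if p["name"] in MALICIOUS:
            hits[p["name"]] = sorted(q["name"] for q in pkgs if p["name"] in q.get("require", {}))
    return hits

def find_branch_constraints(composer_text):
    """Return (package, constraint) pairs that track a moving branch (dev-master, dev-main, ...)
    instead of a pinned version; the article's dev-master warning generalised to any dev- branch."""
    manifest = json.loads(composer_text)
    return sorted((name, c) for section in ("require", "require-dev")
                  for name, c in manifest.get(section, {}).items() if c.startswith("dev-"))

def rat_lock_file_present(tmp_dir=None):
    """The RAT's lock lives in PHP's sys_get_temp_dir(); tempfile.gettempdir() is the closest equivalent."""
    return os.path.exists(os.path.join(tmp_dir or tempfile.gettempdir(), RAT_LOCK_FILE))

def audit(composer_text, lock_text, tmp_dir=None):
    """Run all three checks and return the findings; an empty list means nothing was flagged."""
    findings = []
    for pkg, via in find_malicious(lock_text).items():
        how = "required by " + ", ".join(via) if via else "not required by another locked package"
        findings.append(f"malicious package {pkg} ({how})")
    for name, constraint in find_branch_constraints(composer_text):
        findings.append(f"unpinned branch constraint {name}: {constraint}")
    if rat_lock_file_present(tmp_dir):
        findings.append(f"RAT lock file present: {RAT_LOCK_FILE}")
    return findings
```

Pass `tmp_dir` explicitly on hosts where PHP's `sys_get_temp_dir()` differs from the system default (for example when `sys_temp_dir` is set in `php.ini`).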