Fake Laravel Packages on Packagist Deploy Cross-Platform RAT

By alex2404

Six PHP packages published on Packagist under the publisher name “nhattuanbl” have been identified as part of a coordinated supply chain attack, three of which deploy a cross-platform remote access trojan (RAT) capable of running on Windows, macOS, and Linux. The malicious packages masquerade as Laravel utilities so that they blend into legitimate development workflows.

Researchers at Socket discovered the campaign, led by security researcher Kush Pandya. The packages “nhattuanbl/lara-swagger,” “nhattuanbl/lara-helper,” and “nhattuanbl/simple-queue” form the attack chain, while three additional packages — “nhattuanbl/lara-media,” “nhattuanbl/snooze,” and “nhattuanbl/syslog” — appear clean and were likely published to build credibility before directing developers toward the harmful ones.

How the Attack Works

The entry point is subtle. The package “nhattuanbl/lara-swagger” contains no malicious code itself, but it lists “nhattuanbl/lara-helper” as a Composer dependency, so installing it pulls in the trojan automatically. Both lara-helper and simple-queue contain a PHP file at “src/helper.php” that uses several techniques to resist static analysis, including control flow obfuscation, encoded domain names and file paths, and randomized variable and function names.

Once loaded, the payload connects to a command-and-control server at helper.leuleu[.]net:2096 over TCP using PHP’s stream_socket_client(). It then transmits system reconnaissance data and waits for operator instructions. If the C2 server is unreachable, the RAT retries the connection every 15 seconds in a persistent loop.

“For shell execution, the RAT probes disable_functions and picks the first available method from: popen, proc_open, exec, shell_exec, system, passthru,” Pandya noted. “This makes it resilient to common PHP hardening configurations.”

Scope of Access

The RAT activates at application boot through a service provider, or via class autoloading in the case of simple-queue. Either way, it runs inside the same process as the web application, inheriting the same filesystem permissions and environment variables. That means database credentials, API keys, and the contents of .env files are all exposed.

Socket described the full extent of the risk plainly: “The threat actor has full remote shell access, can read and write arbitrary files, and receives an ongoing system profile for each connected host.” The C2 server is currently non-responsive, but the package registry has not removed the libraries, and all packages remain available for download.

What Affected Developers Should Do

Developers who installed any of the malicious packages should treat the affected environment as compromised. Recommended steps include:

  • Removing the packages immediately
  • Rotating all secrets accessible from the application environment
  • Auditing outbound network traffic for connections to helper.leuleu[.]net:2096
  • Reviewing filesystem changes made during the period the package was active
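To make the behaviour described under “How the Attack Works” and the audit steps above concrete, here is an added triage script (written for this article, not code from Socket or the packages) that checks a composer.lock for the six named packages, applies a heuristic for the traits attributed to src/helper.php, and filters log lines for the reported C2 endpoint. The package names and indicators come from the article; the sample lock file, PHP fixture and log lines are constructed.

```python
import json
import re

# Names and indicators are the ones reported in the article; everything else
# (sample lock file, PHP fixture, log lines) is constructed for this example.
MALICIOUS = {"nhattuanbl/lara-swagger", "nhattuanbl/lara-helper", "nhattuanbl/simple-queue"}
SAME_PUBLISHER = {"nhattuanbl/lara-media", "nhattuanbl/snooze", "nhattuanbl/syslog"}
# C2 host (plain or defanged form) followed by its port somewhere on the same line.
C2_RE = re.compile(r"helper\.leuleu(?:\[\.\]|\.)net\b.*\b2096\b")

# Traits the article attributes to src/helper.php: a raw TCP client, a probe
# of disable_functions, and a fallback list of shell-execution functions.
SOCKET_RE = re.compile(r"\bstream_socket_client\s*\(")
PROBE_RE = re.compile(r"disable_functions")
EXEC_RE = re.compile(r"\b(popen|proc_open|exec|shell_exec|system|passthru)\b")

def audit_lock(lock_text):
    """Return (malicious, same_publisher) package names present in a composer.lock."""
    data = json.loads(lock_text)
    names = {p["name"] for key in ("packages", "packages-dev") for p in data.get(key, [])}
    return sorted(names & MALICIOUS), sorted(names & SAME_PUBLISHER)

def source_looks_like_rat(php_source):
    """Heuristic: all three traits together in one file warrants manual review."""
    if not (SOCKET_RE.search(php_source) and PROBE_RE.search(php_source)):
        return False
    return len(set(EXEC_RE.findall(php_source))) >= 3

def c2_connections(log_lines):
    """Keep log lines that mention the reported C2 host together with its port."""
    return [ln for ln in log_lines if C2_RE.search(ln)]

SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework"}, {"name": "nhattuanbl/lara-swagger"},
    {"name": "nhattuanbl/lara-helper"}, {"name": "nhattuanbl/snooze"}]})
SAMPLE_PHP = """<?php
$off = explode(',', ini_get('disable_functions'));
foreach (['popen', 'proc_open', 'exec', 'shell_exec', 'system', 'passthru'] as $f) {}
$s = stream_socket_client('tcp://example.invalid:2096');
"""
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z proxy allow dst=api.example.com dport=443",
    "2024-01-01T10:00:15Z fw out dst=helper.leuleu.net dport=2096 proto=tcp",
    "2024-01-01T10:00:30Z fw out dst=helper.leuleu.net dport=443 proto=tcp",
]

if __name__ == "__main__":
    print("composer.lock:", audit_lock(SAMPLE_LOCK))
    print("helper.php-like fixture flagged:", source_looks_like_rat(SAMPLE_PHP))
    print("C2 log lines:", c2_connections(SAMPLE_LOG))
```

The source heuristic only flags files for review; confirm any hit by hand, since legitimate code can use the same functions.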

The campaign illustrates a recurring tactic in open-source supply chain attacks: using a mix of clean and malicious packages under the same publisher identity to manufacture trust before the payload is triggered.


This article is a curated summary based on third-party sources.
