Fake Laravel Packages on Packagist Deploy RAT on Windows, macOS, and Linux
Source: The Hacker News
Cybersecurity researchers have flagged malicious Packagist PHP packages masquerading as Laravel utilities that act as a conduit for a cross‑platform remote access trojan (RAT) functional on Windows, macOS, and Linux systems.

Packages
The malicious packages are published under the user nhattuanbl on Packagist:
- nhattuanbl/lara-helper (37 downloads)
- nhattuanbl/simple-queue (29 downloads)
- nhattuanbl/lara-swagger (49 downloads): this package does not contain malicious code itself, but it lists nhattuanbl/lara-helper as a Composer dependency, so installing it pulls the RAT in as well.
All three packages remain available for download from the PHP package registry.

RAT Functionality
Both lara-helper and simple-queue contain a PHP file src/helper.php that employs several obfuscation techniques (control‑flow obfuscation, encoded domain names, randomized identifiers, etc.) to hinder static analysis.
Once loaded, the payload:
- Connects to a C2 server at helper.leuleu[.]net:2096 over TCP using PHP's stream_socket_client().
- Sends system reconnaissance data.
- Waits for commands, giving the operator full remote access to the host.
Supported Commands
| Command | Description |
|---|---|
| ping | Sends a heartbeat automatically every 60 seconds |
| info | Sends system reconnaissance data to the C2 server |
| cmd | Executes a shell command |
| powershell | Executes a PowerShell command |
| run | Executes a shell command in the background |
| screenshot | Captures the screen using imagegrabscreen() |
| download | Reads a file from disk and returns its contents |
| upload | Writes a file to disk and grants read/write/execute permissions to all users |
| stop | Closes the socket and exits |
For command execution, the RAT reads disable_functions and uses the first function that is still enabled, in this order: popen, proc_open, exec, shell_exec, system, passthru. Because a typical hardening configuration disables only some of these six, the RAT usually still finds a working primitive; blocking it requires disabling all of them.

The C2 server is currently non‑responsive, but the RAT is configured to retry the connection every 15 seconds in a persistent loop, posing a continuous security risk.
Mitigation
- Assume compromise if any of the listed packages have been installed.
- Remove the malicious packages from your project (composer remove nhattuanbl/lara-helper nhattuanbl/simple-queue). If nhattuanbl/lara-swagger is installed, remove it as well, since it re-installs lara-helper as a dependency.
- Rotate all secrets accessible from the application environment (e.g., database credentials, API keys, .env values).
- Audit outbound traffic for connections to helper.leuleu[.]net (port 2096).
- Review your codebase for the presence of src/helper.php or suspicious obfuscated PHP files.
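As an added triage example (not code from the advisory, and not the threat actor's code), the Python below checks the artefacts the mitigation steps ask about and the hardening gap described under command execution: it scans a composer.lock for the indicated package names, lists which of the six execution primitives a given php.ini disable_functions value still leaves available to the RAT, and flags a PHP source file for the behaviours the advisory describes (raw TCP client, imagegrabscreen(), the disable_functions probe, world-writable permissions on uploaded files). The sample composer.lock and PHP stub are constructed for the example; the version strings and the regex patterns are assumptions, not signatures taken from the real packages.

```python
import json
import re

# Indicators of compromise taken from the advisory above.
MALICIOUS_PACKAGES = {"nhattuanbl/lara-helper", "nhattuanbl/simple-queue"}
DEPENDENCY_CARRIER = "nhattuanbl/lara-swagger"  # clean itself, but depends on lara-helper
C2_HOST = "helper.leuleu.net"
C2_PORT = 2096

# Execution primitives the RAT probes, in the order the advisory lists them.
EXEC_PRIMITIVES = ["popen", "proc_open", "exec", "shell_exec", "system", "passthru"]

# Behavioural markers of the helper.php payload as described in the advisory.
# These patterns are assumptions for this example; a hit is a reason to look
# closer, not a verdict, since legitimate code may use some of these calls too.
PHP_INDICATORS = {
    r"stream_socket_client\s*\(": "raw TCP client (C2 channel)",
    r"imagegrabscreen\s*\(": "screen capture",
    r"ini_get\s*\(\s*['\"]disable_functions['\"]": "probes disable_functions for a usable exec primitive",
    r"chmod\s*\([^)]*0?777": "world read/write/execute on dropped files",
}


def scan_composer_lock(lock_text: str) -> list:
    """Return (package, version, reason) for every indicator hit in a composer.lock."""
    data = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            name = pkg.get("name", "")
            version = pkg.get("version", "?")
            if name in MALICIOUS_PACKAGES:
                findings.append((name, version, "ships the RAT in src/helper.php"))
            elif name == DEPENDENCY_CARRIER:
                findings.append((name, version, "pulls in nhattuanbl/lara-helper as a dependency"))
    return findings


def remaining_exec_primitives(disable_functions: str) -> list:
    """Given a php.ini disable_functions value, list the primitives the RAT could still fall back to."""
    disabled = {f.strip() for f in disable_functions.split(",") if f.strip()}
    return [f for f in EXEC_PRIMITIVES if f not in disabled]


def scan_php_source(src: str) -> list:
    """Return the description of every behavioural marker found in a PHP source string."""
    return [desc for pattern, desc in PHP_INDICATORS.items() if re.search(pattern, src)]


def is_c2_connection(host: str, port: int) -> bool:
    """Match a (host, port) pair from a connection or DNS log against the C2 indicator."""
    return host.rstrip(".").lower() == C2_HOST and port == C2_PORT


# Constructed sample inputs (not real project files): a composer.lock that pulled the
# carrier package in, and a stub mimicking the behaviours attributed to helper.php.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "nhattuanbl/lara-swagger", "version": "1.0.0"},
        {"name": "nhattuanbl/lara-helper", "version": "1.0.0"},
    ],
    "packages-dev": [],
})

SAMPLE_PHP = r"""<?php
$d = ini_get('disable_functions');
$s = stream_socket_client("tcp://" . $h . ":2096", $errno, $errstr, 10);
$img = imagegrabscreen();
chmod($path, 0777);
"""

# A hardening line that blocks only the obvious names still leaves two primitives for the RAT.
WEAK_DISABLE_FUNCTIONS = "exec,shell_exec,system,passthru"
FULL_DISABLE_FUNCTIONS = ",".join(EXEC_PRIMITIVES)

if __name__ == "__main__":
    for name, version, reason in scan_composer_lock(SAMPLE_LOCK):
        print(f"[composer.lock] {name} {version}: {reason}")
    print("[php.ini] weak config leaves:", remaining_exec_primitives(WEAK_DISABLE_FUNCTIONS))
    print("[php.ini] full config leaves:", remaining_exec_primitives(FULL_DISABLE_FUNCTIONS))
    for marker in scan_php_source(SAMPLE_PHP):
        print("[helper.php]", marker)
    print("[netflow] C2 match:", is_c2_connection("helper.leuleu.net", 2096))
```

Run it against a real project by replacing SAMPLE_LOCK with the contents of composer.lock, SAMPLE_PHP with each vendor/ file under review, and WEAK_DISABLE_FUNCTIONS with the output of `php -r 'echo ini_get("disable_functions");'`. The weak line mirrors the gap the advisory points at: popen and proc_open are often left enabled, and the RAT tries those first.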
Additional Packages from the Same Author
The threat actor also published three clean libraries, likely to build credibility:
- nhattuanbl/lara-media
- nhattuanbl/snooze
- nhattuanbl/syslog
These packages do not contain malicious code but should be scrutinized before use, given the actor’s history.