Security Alert: Fake Laravel Packages Infect Systems With Cross-Platform RAT

Security researchers have uncovered several malicious packages on Packagist, the PHP package registry, that pose as Laravel development utilities but install a remote access trojan (RAT).

The packages were built to look like legitimate utilities for Laravel developers. Once installed, they deploy malware that gives the attacker remote control of the host, with support for Windows, macOS, and Linux.

The following packages have been identified as part of the campaign:

  • nhattuanbl/lara-helper
  • nhattuanbl/simple-queue
  • nhattuanbl/lara-swagger

Although lara-swagger itself contains no malicious code, it declares lara-helper as a dependency, so Composer installs lara-helper automatically alongside it and the RAT is deployed just as if lara-helper had been required directly.

Despite the discovery, the packages were still accessible through the Packagist registry at the time of reporting.
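The dependency chain described above is easiest to catch in composer.lock, which records every installed package together with what it requires. The following Python check is an added example, not code from the report or from the packages' author: it reads a lockfile, flags the three package names listed above, and for each hit names the lockfile packages that require it, so lara-helper shows up as pulled in by lara-swagger. The lockfile excerpt embedded in it is constructed for the demonstration.

```python
"""Check a Composer lockfile for the packages named in this campaign.

Added example, not code from the original report or the packages' author.
SAMPLE_LOCK is a constructed composer.lock excerpt showing the transitive
case: the project requires only lara-swagger, which pulls in lara-helper.
"""
import json
from typing import Dict, List, Set

# Package names taken from the report. lara-swagger is clean by itself
# but is flagged because it requires lara-helper.
MALICIOUS = {
    "nhattuanbl/lara-helper",
    "nhattuanbl/simple-queue",
    "nhattuanbl/lara-swagger",
}

# Constructed lockfile: only the fields this check reads are present.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0", "require": {}},
        {"name": "nhattuanbl/lara-swagger", "version": "1.0.0",
         "require": {"nhattuanbl/lara-helper": "^1.0"}},
        {"name": "nhattuanbl/lara-helper", "version": "1.0.0", "require": {}},
    ],
    "packages-dev": [],
})


def load_packages(lock_text: str) -> Dict[str, dict]:
    """Return {name: lockfile entry} for both prod and dev packages."""
    data = json.loads(lock_text)
    pkgs: Dict[str, dict] = {}
    for section in ("packages", "packages-dev"):
        for entry in data.get(section, []):
            pkgs[entry["name"]] = entry
    return pkgs


def find_malicious(lock_text: str, iocs: Set[str] = MALICIOUS) -> Dict[str, List[str]]:
    """Map each flagged package to the lockfile packages that require it.

    An empty list means nothing else in the lockfile requires it (the
    project asked for it directly); a non-empty list names the packages
    that pulled it in, e.g. lara-helper -> ['nhattuanbl/lara-swagger'].
    """
    pkgs = load_packages(lock_text)
    hits: Dict[str, List[str]] = {}
    for name in pkgs:
        if name in iocs:
            parents = [p for p, e in pkgs.items() if name in e.get("require", {})]
            hits[name] = sorted(parents)
    return hits


if __name__ == "__main__":
    for name, parents in find_malicious(SAMPLE_LOCK).items():
        via = f" (pulled in by {', '.join(parents)})" if parents else ""
        print(f"FLAGGED {name}{via}")
```

Run it against a real project by replacing SAMPLE_LOCK with the contents of composer.lock. A clean lockfile is not a clean bill of health: a host on which one of these packages was installed and later removed still had the RAT deployed at install time and, as the report says, should be treated as potentially compromised.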


Obfuscation Techniques Used to Hide Malware

Researchers analyzing the packages found that both lara-helper and simple-queue include a suspicious PHP file located at:

src/helper.php

This file contains heavily obfuscated code designed to avoid detection during security analysis.

Several techniques were used to hide the malicious functionality, including:

  • Control flow obfuscation to confuse code analysis
  • Encoded domain names and file paths
  • Hidden command instructions
  • Randomized names for variables and functions

These techniques make it difficult for automated scanners and developers to immediately recognize the malware embedded in the packages.


Malware Connects to Command-and-Control Server

Once the malicious code is executed, it connects to a remote command-and-control (C2) server located at:

helper.leuleu[.]net:2096

On connecting, the malware collects system details from the infected machine and sends them to the operator; it then waits for commands.

Communication between the compromised system and the attacker runs over a plain TCP socket opened with PHP’s stream_socket_client() function.


Capabilities of the Remote Access Trojan

The RAT supports several commands that allow attackers to control infected systems remotely.

These commands include the ability to:

  • Send periodic heartbeat signals to the attacker
  • Collect system information from the infected device
  • Execute shell commands
  • Run PowerShell commands
  • Launch commands in the background
  • Capture screenshots from the infected machine
  • Download files from the system
  • Upload files and grant full permissions
  • Terminate the connection

To ensure reliability, the malware checks which PHP functions are available on the system and selects whichever command-execution method is permitted. It can use functions such as:

  • exec
  • system
  • shell_exec
  • passthru
  • proc_open
  • popen

This fallback lets the RAT keep working on hosts where only some of these functions are blocked, for example by a php.ini disable_functions list that names exec and system but leaves passthru or proc_open enabled.
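The function-probing behaviour has a direct defensive counterpart: checking which of those six functions a deployment actually leaves enabled. The Python snippet below is an added example, not code from the report or the packages. It parses a php.ini disable_functions value and reports which exec-family functions a fallback loop like the one described would still find callable; the weak and hardened settings it compares are constructed, the probe order is an assumption, and the check applies to any PHP host, not only Laravel.

```python
"""Report which shell-execution functions a php.ini disable_functions
value leaves enabled.

Added example, not code from the report or the packages. It mirrors the
RAT's probe (try each exec-family function, use the first one that is
callable) from the defender's side. WEAK and HARDENED are constructed
settings for comparison.
"""
from typing import List, Optional, Set

# The six functions the report says the RAT can fall back between. The
# order a fallback loop tries them in is an assumption for this example.
EXEC_FAMILY = ("exec", "system", "shell_exec", "passthru", "proc_open", "popen")


def parse_disable_functions(value: str) -> Set[str]:
    """Parse a php.ini disable_functions value ('a,b, c') into a set of names."""
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def enabled_exec_functions(disable_functions: str) -> List[str]:
    """Exec-family functions NOT covered by the given disable_functions value."""
    disabled = parse_disable_functions(disable_functions)
    return [name for name in EXEC_FAMILY if name not in disabled]


def first_usable(disable_functions: str) -> Optional[str]:
    """The function a fallback loop would settle on, or None if all six are disabled."""
    remaining = enabled_exec_functions(disable_functions)
    return remaining[0] if remaining else None


# Constructed settings: a common partial list versus full coverage.
WEAK = "exec,system,shell_exec"      # passthru, proc_open, popen still callable
HARDENED = ",".join(EXEC_FAMILY)     # all six blocked; PHP-level file access remains


if __name__ == "__main__":
    for label, setting in (("weak", WEAK), ("hardened", HARDENED)):
        left = enabled_exec_functions(setting)
        print(f"{label}: still enabled = {left or 'none'}; loop would use {first_usable(setting)}")
```

Feed it the live value from `php -r 'echo ini_get("disable_functions");'` run under the same SAPI as the application rather than the ini file on disk, since per-SAPI and per-directory configuration can differ. Disabling all six only removes shell execution; the RAT is still PHP code running inside the application and can read .env, configuration files and anything else the web user can.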


Persistent Connection Attempts Increase Risk

If the command-and-control server is unreachable, the malware retries the connection every 15 seconds rather than giving up.

This persistent connection loop allows the malware to remain active on infected machines and reconnect if the attacker’s server becomes available again.

Because of this behavior, any system that installed the affected packages should be treated as potentially compromised.
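A reconnect loop with a fixed period leaves a recognisable pattern in connection logs. The Python detector below is an added example, not part of the report: it groups outbound connections by source, destination and port and flags any flow whose consecutive gaps all sit within a tolerance of 15 seconds. The log lines and addresses are constructed, and the parser assumes a simple "timestamp src dst dport" layout; adapt parse_log() for Zeek conn.log, firewall or proxy logs.

```python
"""Flag fixed-interval outbound connections (beaconing) in a connection log.

Added example; not code from the report or the packages. Log lines are
constructed: 'timestamp src dst dport', one connection per line.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

EPOCH = datetime(1970, 1, 1)

# Constructed log: a short benign burst to TCP/443 and a 15 s reconnect
# loop (with a little jitter) to TCP/2096, the port named in the report.
# Addresses are documentation ranges, not real indicators.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 203.0.113.7 443
2024-05-01T10:00:01Z 10.0.0.5 203.0.113.7 443
2024-05-01T10:00:00Z 10.0.0.5 198.51.100.9 2096
2024-05-01T10:00:15Z 10.0.0.5 198.51.100.9 2096
2024-05-01T10:00:30Z 10.0.0.5 198.51.100.9 2096
2024-05-01T10:00:46Z 10.0.0.5 198.51.100.9 2096
2024-05-01T10:01:00Z 10.0.0.5 198.51.100.9 2096
2024-05-01T10:00:09Z 10.0.0.5 203.0.113.7 443
"""


def parse_log(text):
    """Group connection times (seconds since epoch, UTC) by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        t = (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ") - EPOCH).total_seconds()
        flows[(src, dst, int(dport))].append(t)
    return flows


def find_beacons(text, period=15.0, tolerance=2.0, min_hits=4):
    """Return {flow: observed_period} for flows that look like a fixed-period loop.

    A flow qualifies when it has at least `min_hits` connections and every
    gap between consecutive connections is within `tolerance` seconds of
    `period`. The value is the median gap, rounded to 0.1 s.
    """
    beacons = {}
    for key, times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            beacons[key] = round(median(gaps), 1)
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), observed in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dport} reconnects roughly every {observed}s")
```

The 15 second cadence is what the report describes for retries while the C2 is unreachable, so it is most visible as repeated connection attempts to port 2096, for example after the domain has been sinkholed or blocked at the egress firewall. Any jitter the operator adds will defeat a fixed-tolerance check; the destination helper.leuleu[.]net itself (DNS lookups and TCP/2096) is the stronger indicator.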


Additional Packages Used to Build Trust

Researchers also discovered that the same developer account uploaded several other packages to Packagist that appear harmless.

These include:

  • nhattuanbl/lara-media
  • nhattuanbl/snooze
  • nhattuanbl/syslog

These clean packages may have been published intentionally to create credibility and make the malicious libraries appear trustworthy.


Laravel Applications at Risk

Any Laravel project that installed lara-helper or simple-queue may already be running the RAT in the same process as the web application.

Because the malware executes within the application environment, attackers may gain access to sensitive data including:

  • database credentials
  • API keys
  • application configuration files
  • environment variables stored in .env files

This level of access allows attackers to manipulate files, execute commands, and monitor system activity on compromised servers.


What Developers Should Do Immediately

Developers and organizations who may have installed these packages should take immediate action:

  • Remove the malicious packages, including lara-swagger (which pulls in lara-helper), from composer.json, composer.lock and vendor/
  • Rotate all exposed credentials and API keys
  • Review application logs and server activity
  • Block and monitor outbound connections to helper.leuleu[.]net on TCP port 2096, and check DNS logs for lookups of that domain
  • Audit systems for signs of unauthorized access

Taking these steps can help limit potential damage and prevent attackers from maintaining access to compromised environments.