Laravel-Lang Composer tag-rewrite Supply Chain Attack
ID: 5f41aec1-da90-58f1-80f1-1943c38fd506
STIX ID: report--5f41aec1-da90-58f1-80f1-1943c38fd506
Feed Name: Security Boulevard
A tag-rewrite supply-chain attack (2026-05-22 into 2026-05-23) targeted four Laravel-Lang Composer packages (laravel-lang/lang, attributes, http-statuses, actions), adding an autoload.files entry and a src/helpers.php file that executes when vendor/autoload.php is loaded. The helpers.php dropper fetches a stage-two PHP credential stealer from https://flipboxstudio.info/payload. The stealer harvests cloud metadata, Kubernetes tokens, Vault/Jenkins secrets, local process data, and developer credentials, XOR-encrypts the exfiltrated data, and posts it to https://flipboxstudio.info/exfil. The report provides IOCs, analysis, and mitigation steps: block the domain, audit lockfiles and pin them to known-good SHAs, remove the artifacts, and rotate credentials.
