
Malicious Packagist PHP Packages

Cybersecurity analysts have identified malicious PHP packages on Packagist that impersonate legitimate Laravel helper libraries while covertly deploying a cross-platform Remote Access Trojan (RAT). The malware runs on Windows, macOS, and Linux, so any host that installed the packages is at risk regardless of platform.

The identified packages include:

  • nhattuanbl/lara-helper (37 downloads)
  • nhattuanbl/simple-queue (29 downloads)
  • nhattuanbl/lara-swagger (49 downloads)

Although nhattuanbl/lara-swagger does not itself contain malicious code, it lists nhattuanbl/lara-helper as a Composer dependency, so installing it pulls in the embedded RAT. Despite public disclosure, these packages remain accessible in the repository and should be removed immediately from any affected environment.

Obfuscation Tactics Conceal Malicious Intent

Detailed code analysis shows that both lara-helper and simple-queue contain a file named src/helper.php engineered to evade detection. The malware incorporates advanced obfuscation strategies, including control flow manipulation, encoded domain names and command strings, concealed file paths, and randomized variable and function identifiers.

These techniques significantly complicate static analysis and help the malicious payload bypass conventional code review and automated security scanning tools.

Command-and-Control Infrastructure Enables Full Host Takeover

Once executed, the RAT establishes a connection to a command-and-control (C2) server at helper.leuleu.net on port 2096. It transmits system reconnaissance data and enters a persistent listening state, awaiting further instructions. Communication occurs over TCP using PHP’s stream_socket_client() function.

The backdoor supports a broad range of operator-issued commands, enabling full system control. Capabilities include:

  • Automated heartbeat signals every 60 seconds via ping.
  • Transmission of system profiling data through info.
  • Shell command execution (cmd).
  • PowerShell command execution (powershell).
  • Background command execution (run).
  • Screen capture using imagegrabscreen() (screenshot). That function exists only in Windows builds of PHP, so this capability is Windows-only even though the rest of the RAT is cross-platform.
  • File exfiltration (download).
  • Arbitrary file upload, with the written file made readable, writable, and executable by all users (upload).
  • Connection termination and exit (stop).

To maximize reliability, the RAT reads the PHP disable_functions setting and uses the first of popen, proc_open, exec, shell_exec, system, and passthru that is still callable. Hardening that disables only one or two of these (disabling exec and system alone is a common pattern) therefore does not stop command execution; all six have to be disabled together. Note also that disable_functions does nothing against the C2 socket or the file download and upload commands, which need no shell.
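The following is an added example, not code from the packages or from the original analysis. It reproduces the fallback selection described above so you can see, on a given PHP install, which primitive the RAT would end up with. The candidate list and its order are taken from the write-up; the function and variable names are the example's own.

```php
<?php
declare(strict_types=1);

// Added example: reproduces the RAT's fallback selection so the effect of a
// given disable_functions value can be checked. Not the malware's code.

/**
 * Return the names in $candidates that this PHP process can still call:
 * defined at runtime and absent from disable_functions.
 *
 * Both checks are made because PHP 8 removes disabled functions from the
 * function table (function_exists() returns false), while PHP 7 keeps the
 * definition and only blocks the call.
 */
function callableExecFunctions(array $candidates): array
{
    $disabled = array_flip(array_filter(array_map(
        'trim',
        explode(',', (string) ini_get('disable_functions'))
    )));

    $usable = [];
    foreach ($candidates as $fn) {
        if (function_exists($fn) && !isset($disabled[$fn])) {
            $usable[] = $fn;
        }
    }
    return $usable;
}

// The six methods reported for the RAT, in the order it tries them.
$ratCandidates = ['popen', 'proc_open', 'exec', 'shell_exec', 'system', 'passthru'];

$usable = callableExecFunctions($ratCandidates);
echo 'disable_functions = "' . ini_get('disable_functions') . "\"\n";
if ($usable === []) {
    echo "No candidate is callable: the cmd, powershell and run handlers would fail here.\n";
} else {
    echo 'RAT would pick: ' . $usable[0]
        . ' (callable: ' . implode(', ', $usable) . ")\n";
}
```

Run it twice to see the difference between partial and complete hardening: `php -d disable_functions=exec,system check.php` still reports popen as callable, while `php -d disable_functions=popen,proc_open,exec,shell_exec,system,passthru check.php` reports none. The CLI can read a different php.ini than php-fpm or mod_php, so verify the setting under the SAPI that actually serves the application, not only from the command line.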

Persistent Reconnection Mechanism Increases Risk

Although the identified C2 server is currently unresponsive, the malware is programmed to retry connections every 15 seconds in a continuous loop. This persistence mechanism ensures that compromised systems remain exposed should the attacker restore server availability.

Any Laravel application that installed lara-helper or simple-queue, or lara-swagger, which pulls lara-helper in, is effectively running with an embedded RAT. The threat actor gains remote shell access, the ability to read and modify arbitrary files, and continuous visibility into system-level details for each infected host.

Execution Context Amplifies Impact

Activation occurs automatically during application boot: lara-helper registers a service provider, and simple-queue triggers through class autoloading. No application code has to call either package; with Laravel's package auto-discovery, a provider declared in the package's composer.json is registered at boot without any edit to the application's own configuration. As a result, the RAT executes within the same process as the web application, inheriting identical filesystem permissions and environment variables.

This execution context grants the attacker access to sensitive assets such as database credentials, API keys, and contents of the .env file. The compromise therefore extends beyond system-level control to full exposure of application secrets and infrastructure access.

Credibility-Building Strategy Through Clean Packages

Further investigation reveals that the same publisher released additional packages - nhattuanbl/lara-media, nhattuanbl/snooze, and nhattuanbl/syslog - which do not contain malicious code. These appear to serve as reputation-building artifacts designed to increase trust and encourage adoption of the weaponized packages.

Immediate Mitigation and Response Measures

Organizations that installed any of the malicious packages should presume compromise. Required response actions include immediate removal of the affected libraries from composer.json, composer.lock, and the vendor directory (checking composer.lock for lara-swagger as well, since it pulls lara-helper in transitively), rotation of all credentials accessible from the application environment, including everything in .env, and a thorough audit of outbound network traffic for attempted connections to the identified C2 infrastructure.
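As an added example that is not part of the original write-up or of any Composer tooling, the script below scans a composer.lock for the packages named in this entry and reports which installed package declares each as a dependency, so a transitive pull-in (lara-swagger requiring lara-helper) is flagged along with direct installs. The lock-file content embedded at the bottom is constructed for the demonstration, with made-up versions; the function and constant names are the example's own.

```php
<?php
declare(strict_types=1);

// Added example: composer.lock triage for the packages named in this entry.
// Not part of the original analysis and not a Composer feature.

const FLAGGED_PACKAGES = [
    'nhattuanbl/lara-helper',
    'nhattuanbl/simple-queue',
    'nhattuanbl/lara-swagger',   // clean itself, but requires lara-helper
];

/**
 * @return array<string, list<string>>  flagged package => installed packages
 *         whose "require" map lists it. An empty list means nothing in the
 *         lock file requires it, so it was added directly (see composer.json).
 */
function findFlaggedPackages(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $installed = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);

    // Pass 1: which flagged packages are installed at all.
    $hits = [];
    foreach ($installed as $pkg) {
        $name = strtolower((string) ($pkg['name'] ?? ''));
        if (in_array($name, FLAGGED_PACKAGES, true)) {
            $hits[$name] = [];
        }
    }

    // Pass 2: which installed packages pull each flagged one in.
    foreach ($installed as $pkg) {
        foreach (array_keys($pkg['require'] ?? []) as $dep) {
            $dep = strtolower((string) $dep);
            if (isset($hits[$dep])) {
                $hits[$dep][] = (string) $pkg['name'];
            }
        }
    }
    return $hits;
}

// Constructed composer.lock fragment containing only the fields the scan reads.
// Replace with file_get_contents('composer.lock') to run against a real project.
$sampleLock = json_encode([
    'packages' => [
        ['name' => 'laravel/framework', 'version' => 'v11.0.0',
         'require' => ['php' => '^8.2']],
        ['name' => 'nhattuanbl/lara-swagger', 'version' => '1.0.0',
         'require' => ['php' => '^8.1', 'nhattuanbl/lara-helper' => '*']],
        ['name' => 'nhattuanbl/lara-helper', 'version' => '1.0.0',
         'require' => ['php' => '^8.1']],
    ],
    'packages-dev' => [],
], JSON_THROW_ON_ERROR);

$hits = findFlaggedPackages($sampleLock);
if ($hits === []) {
    echo "No flagged packages in composer.lock\n";
}
foreach ($hits as $name => $requiredBy) {
    $via = $requiredBy === []
        ? 'direct install (see composer.json)'
        : 'required by ' . implode(', ', $requiredBy);
    echo "FLAGGED {$name}: {$via}\n";
}
```

On the constructed input this prints one line for lara-swagger as a direct install and one for lara-helper as required by lara-swagger. On a live checkout, `composer why nhattuanbl/lara-helper` gives the same dependency chain, but the lock-file scan also works on a copy pulled from a host you no longer trust to run Composer on. Whatever the result, also confirm that no vendor/nhattuanbl directory remains after removal, since a stale vendor tree keeps the src/helper.php payload on disk.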

Failure to respond decisively may leave systems vulnerable to renewed attacker access if the command-and-control infrastructure becomes operational again.
