
Malicious Packagist Packages Disguised as Laravel Utilities Deploy Encrypted RAT

Blog post from Socket

Post Details

Author: Kush Pandya
Word Count: 1,593
Language: English
Summary

Socket's Threat Research Team has discovered a remote access trojan (RAT) embedded in several PHP packages on Packagist, published by a threat actor associated with the email [email protected]. Two of the packages, nhattuanbl/lara-helper and nhattuanbl/simple-queue, contain an identical malicious payload in a file named helper.php; a third, nhattuanbl/lara-swagger, pulls the RAT in indirectly by depending on lara-helper. Once activated, the RAT connects to a command-and-control (C2) server, sends system data, and waits for instructions, giving the operator full remote access to the affected host. The payload is obfuscated to resist detection and is triggered on application boot or class autoload, so it affects Windows, macOS, and Linux systems alike. The same actor also publishes clean packages under similar names, which may lend the malicious ones an appearance of legitimacy, and the infection can persist because the RAT keeps retrying its connection to the C2 server. Socket recommends treating affected hosts as compromised, rotating secrets, and scrutinizing transitive dependencies for risks of this kind, which its monitoring tools are designed to flag.