Fake Laravel Packages on Packagist Deploy RAT on Windows, macOS, and Linux  Ravie Lakshmanan  Mar 04, 2026 Threat Intelligence / Application Security Cybersecurity researchers have flagged malicious Packagist PHP packages masquerading as Laravel utilities that act as a conduit for a cross-platform remote access trojan (RAT) that's functional on Windows, macOS, and Linux systems. The names of the packages are listed below - nhattuanbl/lara-helper (37 Downloads) nhattuanbl/simple-queue (29 Downloads) nhattuanbl/lara-swagger (49 Downloads) According to Socket, the package "nhattuanbl/lara-swagger" does not directly embed malicious code, lists "nhattuanbl/lara-helper" as a Composer dependency , causing it to install the RAT. The packages are still available for download from the PHP package registry. Both lara-helper and simple-queue have been found to contain a PHP file named "src/helper.php," which employs a number of tricks to complicate static analysis by making use of techniques like control flow obfuscation, encoding domain names, command names, and file paths, and randomized identifiers for variable and function names. "Once loaded, the payload connects to a C2 server at helper.leuleu[.]net:2096, sends system reconnaissance data, and waits for commands -- giving the operator full remote access to the host," security researcher Kush Pandya said. This includes sending system information and parsing commands received from the C2 server for subsequent execution on the compromised host. The communication occurs over TCP using PHP's stream_socket_client() . The list of supported commands is below - ping , to send a heartbeat automatically every 60 seconds info , to send system reconnaissance data to the C2 server cmd , to run a shell command powershell , to run a PowerShell command run , to run a shell command in the background screenshot , to capture the screen using imagegrabscreen() download , to read a file from disk upload , to a file on disk and grant it read, write, and execute permissions to all users stop , to the socket, and exit "For shell execution, the RAT probes disable_functions and picks the first available method from: popen, proc_open, exec, shell_exec, system, passthru," Pandya said. 'This makes it resilient to common PHP hardening configurations." While the C2 server is currently non-responsive, the RAT is configured such that it retries the connection every 15 seconds in a persistent loop, making it a security risk. Users who have installed the packages are advised to assume compromise, remove them, rotate all secrets accessible from the application environment, and audit outbound traffic to the C2 server. Besides the aforementioned three packages, the threat actor behind the operation has published three other libraries ("nhattuanbl/lara-media," "nhattuanbl/snooze," and "nhattuanbl/syslog") that are clean, likely in an effort to build credibility and trick users into installing the malicious ones. "Any Laravel application that installed lara-helper or simple-queue is running a persistent RAT. The threat actor has full remote shell access, can read and write arbitrary files, and receives an ongoing system profile for each connected host," Socket said. "Because activation happens at application boot (via service provider) or class autoloads (via simple-queue), the RAT runs in the same process as the web application with the same filesystem permissions and environment variables, including database credentials, API keys, and .env contents." Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post. SHARE      Tweet  Share  Share  Share   Share on Facebook  Share on Twitter  Share on Linkedin  Share on Reddit  Share on Hacker News  Share on Email  Share on WhatsApp Share on Facebook Messenger  Share on Telegram SHARE  Application Security , cybersecurity , Laravel , Malware , Open Source Security , Packagist , PHP , Remote Access Trojan , supply chain attack , Threat Intelligence Trending News Researchers Show Copilot and Grok Can Be Abused as Malware C2 Proxies ⚡ Weekly Recap: Double-Tap Skimmers, PromptSpy AI, 30Tbps DDoS, Docker Malware and More ThreatsDay Bulletin: Kali Linux + Claude, Chrome Crash Traps, WinRAR Flaws, LockBit and 15+ Stories Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration Anthropic Says Chinese AI Firms Used 16 Million Claude Queries to Copy Model Anthropic Launches Claude Code Security for AI-Powered Vulnerability Scanning AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT Malware Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024 Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody Identity Prioritization isn't a Backlog Problem - It's a Risk Math Problem How Exposed Endpoints Increase Risk Across LLM Infrastructure Popular Resources 100+ Domains Multiply Attack Risk 6× - Download the CTEM Divide Research Boost SOC Efficiency with AI-Guided Triage — Download Investigator Overview Silent Residency Is the New Threat Model — Download the Red Report Exposed Cloud Training Apps Are Letting Hackers In — Download the Research