Four widely used Laravel Lang Composer packages were compromised via a GitHub tag-rewriting attack that silently redirected up to 700 historical version references to malicious credential-stealing code. Version pinning via composer.lock provides no protection against this technique. Any developer or CI/CD environment that installed these packages before Packagist remediation on 2026-05-23 should be treated as fully compromised and all reachable credentials rotated immediately.