Attackers compromised the Laravel-Lang GitHub organization between May 22 and 23, 2026, injecting malicious code into 700+ version tags across four widely used PHP packages. Any PHP application that pulled these packages will execute the embedded payload on startup through Composer autoloading, exfiltrating cloud credentials, CI/CD tokens, cryptocurrency wallets, browser passwords, and SSH keys to an attacker-controlled server. No CVE has been assigned, and no clean patch exists from the maintainers. Remediation requires pinning to confirmed pre-compromise commits and treating all credentials on affected systems as compromised.
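
The pinning check described above, as an added example (not code from the Laravel-Lang maintainers or from this advisory): it reads a `composer.lock` and compares each resolved commit reference against an allowlist you have confirmed yourself. The `laravel-lang/` vendor prefix is an assumption, and the package names and SHAs in the sample are constructed placeholders.

```python
import json

# Assumption: affected packages sit under the "laravel-lang/" Composer vendor.
VENDOR_PREFIX = "laravel-lang/"

def audit_lock(lock_text, trusted_refs):
    """Report a pin status for every laravel-lang package in a composer.lock.
    trusted_refs: package name -> set of commit SHAs confirmed pre-compromise.
    Version strings are reported but never trusted: the tags were altered."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            name = pkg.get("name", "").lower()
            if not name.startswith(VENDOR_PREFIX):
                continue
            src = (pkg.get("source") or {}).get("reference")
            dist = (pkg.get("dist") or {}).get("reference")
            if not (src or dist):
                status = "NO_REFERENCE"      # cannot tell what was installed
            elif src and dist and src != dist:
                status = "REF_MISMATCH"      # git ref and archive ref disagree
            elif (src or dist) in trusted_refs.get(name, set()):
                status = "PINNED_OK"
            else:
                status = "UNVERIFIED"        # treat host credentials as exposed
            findings.append({"package": name, "section": section,
                             "version": pkg.get("version"),
                             "ref": src or dist, "status": status})
    return findings

# Constructed sample: package names and SHAs are placeholders, not real values.
def _pkg(name, version, src, dist):
    return {"name": name, "version": version,
            "source": {"reference": src}, "dist": {"reference": dist}}

SAMPLE_LOCK = json.dumps({
    "packages": [_pkg("laravel-lang/pkg-one", "1.2.3", "a" * 40, "a" * 40),
                 _pkg("laravel-lang/pkg-two", "2.0.0", "b" * 40, "b" * 40),
                 _pkg("other/lib", "3.1.0", "e" * 40, "e" * 40)],
    "packages-dev": [_pkg("laravel-lang/pkg-three", "dev-main", "c" * 40, "d" * 40)],
})
TRUSTED = {"laravel-lang/pkg-one": {"a" * 40}}  # fill from your own review

if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK, TRUSTED):
        print(f["status"], f["package"], f["version"], f["ref"])
```

Anything other than `PINNED_OK` means the lock file does not prove a pre-compromise commit was installed, so the host falls under the credential-rotation guidance above.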