Packagist packages hid malicious package.json scripts, enabling Linux binary execution during installs and workflows.
Laravel-Lang compromise tagged 700+ versions on May 22–23, 2026, triggering PHP stealers that exfiltrate credentials.
Some results have been hidden because they may be inaccessible to you
Show inaccessible results