On May 22, 2026, a supply chain attack was detected targeting the Laravel-Lang packages, which involved the injection of credential-stealing code into three popular repositories. The attacker cleverly deployed malicious version tags that pointed to a fork containing the hazardous code without committing it to the official repositories. This approach exploited GitHub's functionality allowing version tags to be linked to different commits, enabling the execution of malicious code via Composer's autoloader feature.