A large-scale cyber campaign targeting Laravel Livewire applications has been uncovered, with attackers exploiting a critical remote code execution (RCE) flaw to steal sensitive credentials from thousands of systems worldwide.
Security researchers at Imperva first observed the activity on May 24, 2026, when their Cloud Web Application Firewall blocked suspicious deserialization attacks that were later linked to active exploitation of CVE-2025-54068.
The vulnerability affects Laravel Livewire v3 versions up to 3.6.3 and stems from improper validation during the framework’s hydration process.
When the application state is restored from user input, the framework fails to verify data integrity before deserialization. This flaw allows unauthenticated attackers to inject malicious serialized PHP objects, ultimately enabling arbitrary command execution on vulnerable servers.
Analysis of captured attack traffic shows that attackers leveraged PHPGGC gadget chains to construct payloads that execute remote shell commands.
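A defender-side way to spot the traffic class described above is to look, in captured Livewire update requests, for the header of a serialized PHP object (`O:<len>:"<class>":<n>:{`) inside the component snapshot, since a legitimate snapshot carries plain JSON data, not serialized objects. The following detector is an added example, not Imperva's tooling or code from the Livewire project; it assumes Livewire v3's update endpoint is `/livewire/update`, and the JSON access-log format and the sample records are constructed for the example (a harmless `stdClass` stands in for a real gadget payload):

```python
import json
import re
from dataclasses import dataclass, field

# Assumption: Livewire v3 components post their state updates to this path.
LIVEWIRE_UPDATE_PATH = "/livewire/update"

# Header of a PHP serialized object, e.g. O:8:"stdClass":1:{ ... }
# Livewire bodies carry the snapshot as a JSON string nested inside JSON, so the
# quotes may arrive escaped one or more times; \\* absorbs those escaping backslashes.
PHP_OBJECT_RE = re.compile(r'O:\d+:\\*"([A-Za-z0-9_\\]+?)\\*":\d+:\{')


@dataclass
class Finding:
    line_no: int
    client_ip: str
    class_names: list = field(default_factory=list)


def extract_php_classes(body: str) -> list:
    """Return the class names of every serialized-object header found in a request body."""
    names = []
    for m in PHP_OBJECT_RE.finditer(body):
        # Collapse runs of escaping backslashes so a namespaced name reads as App\Foo.
        names.append(re.sub(r"\\+", r"\\", m.group(1)))
    return names


def scan_log(lines) -> list:
    """Flag Livewire update requests whose body contains serialized PHP objects.

    `lines` are JSON access-log records with client_ip, method, path and body
    fields (a constructed format for this example)."""
    findings = []
    for n, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not one of our JSON records; skip it
        if entry.get("path") != LIVEWIRE_UPDATE_PATH:
            continue
        classes = extract_php_classes(entry.get("body") or "")
        if classes:
            findings.append(Finding(n, entry.get("client_ip", "?"), classes))
    return findings


def _record(ip, path, snapshot_data):
    """Build one constructed log line shaped like a Livewire update request."""
    body = json.dumps({"components": [{"snapshot": json.dumps({"data": snapshot_data}), "updates": {}}]})
    return json.dumps({"client_ip": ip, "method": "POST", "path": path, "body": body})


# Constructed sample log: one benign update, one update carrying a serialized object
# (a harmless stdClass stands in for a real gadget), and an unrelated GET.
SAMPLE_LOG = [
    _record("198.51.100.7", LIVEWIRE_UPDATE_PATH, {"count": 1}),
    _record("203.0.113.10", LIVEWIRE_UPDATE_PATH, {"count": 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'}),
    json.dumps({"client_ip": "192.0.2.5", "method": "GET", "path": "/", "body": ""}),
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} sent serialized object(s) {f.class_names}")
```

The class names reported by `extract_php_classes` are the useful triage field: a match on anything other than the application's own data types in a snapshot is a strong signal of a deserialization attempt, and the source IP can then be correlated with outbound connections from the web host, which is where the campaign's second stage (script download and exfiltration) would show up.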
Laravel Livewire Apps Compromised
In observed cases, compromised systems were instructed to download a malicious Bash script from a command-and-control server and execute it silently in the background.
This script, identified as “shoc.enz,” is a credential-harvesting tool designed to locate and extract sensitive configuration data from Laravel environments.
Once deployed, the malware scans the entire file system for .env files, which store critical application secrets such as database credentials, API keys, and encryption values.

It extracts key fields including database hostnames, usernames, passwords, and application keys, then stages and compresses the data before exfiltrating it through multiple channels. To evade detection, the script removes traces of its activity after execution.
According to researchers at Imperva, attackers used a multi-channel exfiltration setup involving an FTP server, the Telegram API, and the cloud storage platform GoFile.
The FTP server alone contained thousands of stolen files, including over 1,850 full database dumps. In total, credentials from 6,167 unique applications were recovered, spanning sectors such as e-commerce, healthcare, finance, education, and government.
Further analysis revealed the scale of the breach. Among the stolen data were more than 14,000 valid database passwords, 188 live Stripe payment keys, 381 AWS credentials, and thousands of OAuth secrets and SMTP credentials.

Many of these belonged to production environments, significantly increasing the risk of follow-on attacks such as financial fraud, data theft, and account takeover. Attribution indicators suggest the campaign is linked to an Indonesian-origin threat actor.
Evidence includes Indonesian-language comments embedded in the malware, infrastructure associated with the Asia/Jakarta timezone, and connections to a Telegram account linked to the operation.
The domain hosting the malicious payload masqueraded as a legitimate anti-bot service, adding to the deception. The attack campaign appears to rely on indiscriminate internet-wide scanning to identify vulnerable Laravel deployments.
Targets spanned a wide range of industries and geographic regions, with no clear preference for either private enterprises or public-sector organizations. Even widely used open-source Laravel applications were found among the victims.
Security experts warn that this campaign demonstrates how a single unpatched vulnerability can enable mass-scale credential harvesting. Organizations using Laravel Livewire are strongly advised to upgrade to version 3.6.4 or later to mitigate the flaw.
Additionally, restricting outbound connections, monitoring unusual API traffic, and rotating compromised credentials are critical steps to reduce risk and prevent further exploitation.
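The first of those steps, confirming whether a deployment is on an affected release, can be checked from the application's `composer.lock`, which records the exact installed version of every package. The audit below is an added example and not code from Imperva or the Livewire project; it uses the affected range stated above (Livewire 3.x up to 3.6.3, fixed in 3.6.4), reads only the `packages`/`packages-dev` sections and the `name`/`version` fields of a composer.lock, and the sample lock file is constructed for the example:

```python
import json
import re

VULNERABLE_PACKAGE = "livewire/livewire"
FIXED_VERSION = (3, 6, 4)  # first patched release named in the article


def parse_version(version: str):
    """Turn a composer tag such as 'v3.6.3' into (3, 6, 3); None for non-numeric tags like 'dev-main'."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version or "")
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version: str):
    """True for a 3.x release below 3.6.4, False otherwise, None when the tag cannot be parsed.

    Pre-release suffixes (e.g. 3.6.4-beta.1) are judged on their numeric part only,
    which is a simplification of this example."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed[0] == 3 and parsed < FIXED_VERSION


def audit_composer_lock(lock_text: str) -> list:
    """Return (section, version, affected) for every livewire/livewire entry in a composer.lock."""
    lock = json.loads(lock_text)
    results = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == VULNERABLE_PACKAGE:
                version = pkg.get("version", "")
                results.append((section, version, is_affected(version)))
    return results


# Constructed composer.lock excerpt (only the fields the audit reads).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.30.0"},
        {"name": "livewire/livewire", "version": "v3.6.3"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "11.4.3"},
    ],
})

if __name__ == "__main__":
    for section, version, affected in audit_composer_lock(SAMPLE_LOCK):
        status = {
            True: "AFFECTED - upgrade to 3.6.4 or later",
            False: "ok",
            None: "unparsed tag, check manually",
        }[affected]
        print(f"{section}: {VULNERABLE_PACKAGE} {version}: {status}")
```

Against a real deployment, pass the contents of the project's `composer.lock` to `audit_composer_lock`. A `None` result (a `dev-*` or branch alias tag) means the installed commit has to be compared with the fix by hand; an affected result on a host that has been internet-facing should be treated as a trigger for the credential-rotation step, not just the upgrade, since the campaign's goal is the `.env` contents rather than persistence on the server.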