Type
Campaign
Actors
Pub. date
July 16, 2026
Initial access
1-day vulnerability
Impact
Data exfiltration
Observed techniques
Targeted technologies
Status
Finalized
Last edited
Jul 16, 2026 1:52 PM
A large-scale credential theft campaign exploiting CVE-2025-54068, a critical unauthenticated remote code execution vulnerability in Laravel Livewire v3. Attackers used PHP deserialization to execute a Bash-based credential stealer that harvested sensitive application secrets from vulnerable servers. Analysis of the attackers' recovered infrastructure revealed credentials stolen from 6,167 applications, including thousands of production database credentials, cloud credentials, API keys, and more than 1,850 database dumps, demonstrating that the stolen credentials were actively used following initial compromise. Attribution indicators suggest the campaign was conducted by a likely Indonesian-origin threat actor.