
Add policy: detect compromised Laravel-Lang Composer packages#46121

Draft
fleetdm-bot wants to merge 1 commit into main from fleet/5263407d5869

Conversation

@fleetdm-bot
Contributor

Context

On May 22, 2026, Socket and Aikido disclosed a supply chain attack against the Laravel-Lang ecosystem — 233 package versions across 700 GitHub repositories were backdoored with credential-stealing malware delivered via Composer's autoloader. Affected packages: laravel-lang/lang, laravel-lang/attributes, laravel-lang/http-statuses, laravel-lang/actions.

An ad-hoc live query confirmed no current hits across responding hosts, but ~72 workstations were offline at scan time. This PR adds a continuous Fleet policy so any host that pulls a compromised package (now or later) is flagged automatically.

Changes

  • New policy lib/all/policies/laravel-lang-supply-chain-compromised-packages.yml — fails when vendor/laravel-lang/*/composer.json is found under common project locations on macOS, Linux, or Windows.
  • Wired into fleets/workstations.yml and fleets/servers.yml.

Detection logic

Uses the osquery file table with path LIKE patterns covering:

  • macOS: /Users/%/.../vendor/laravel-lang/%/composer.json (up to 4 levels deep)
  • Linux: /home/%, /var/www/%, /opt/%, /srv/% paths
  • Windows: C:\Users\%\...\vendor\laravel-lang\%\composer.json

Policy passes when the query returns zero rows.
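As an added example (not the policy file in this PR), this is the osquery query shape such a Fleet policy would use for the detection described above; the exact parent directories and the depth covered per platform are assumptions drawn from the list above. Two points worth keeping in mind when reading it: in osquery's `file` table a single `%` matches exactly one path component (`%%` would recurse, at far higher cost), so each depth is enumerated explicitly; and Fleet treats a returned row as a pass, so the file lookup sits inside NOT EXISTS and a hit yields zero rows, failing the policy.

```sql
-- Added example, not the PR's own policy file. Fleet policy query for
-- hosts with a laravel-lang package installed under a project vendor dir.
-- osquery `file` table: one `%` = one path component, so depth is explicit.
-- Fleet: a returned row means "pass", hence the NOT EXISTS wrapper.
SELECT 1
WHERE NOT EXISTS (
  SELECT 1 FROM file
  WHERE
    -- macOS: projects one to four levels below a user's home directory
       path LIKE '/Users/%/%/vendor/laravel-lang/%/composer.json'
    OR path LIKE '/Users/%/%/%/vendor/laravel-lang/%/composer.json'
    OR path LIKE '/Users/%/%/%/%/vendor/laravel-lang/%/composer.json'
    OR path LIKE '/Users/%/%/%/%/%/vendor/laravel-lang/%/composer.json'
    -- Linux: home directories and common web/app roots (depths assumed)
    OR path LIKE '/home/%/%/vendor/laravel-lang/%/composer.json'
    OR path LIKE '/home/%/%/%/vendor/laravel-lang/%/composer.json'
    OR path LIKE '/var/www/%/vendor/laravel-lang/%/composer.json'
    OR path LIKE '/var/www/%/%/vendor/laravel-lang/%/composer.json'
    OR path LIKE '/opt/%/vendor/laravel-lang/%/composer.json'
    OR path LIKE '/opt/%/%/vendor/laravel-lang/%/composer.json'
    OR path LIKE '/srv/%/vendor/laravel-lang/%/composer.json'
    OR path LIKE '/srv/%/%/vendor/laravel-lang/%/composer.json'
    -- Windows: projects one to three levels below a user profile (assumed)
    OR path LIKE 'C:\Users\%\%\vendor\laravel-lang\%\composer.json'
    OR path LIKE 'C:\Users\%\%\%\vendor\laravel-lang\%\composer.json'
    OR path LIKE 'C:\Users\%\%\%\%\vendor\laravel-lang\%\composer.json'
);
```

Because the inner lookup returns the matching `path`, running it on its own (without the NOT EXISTS wrapper) as a live query lists the exact project directories to clean up in the resolution steps.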

Resolution (if failing)

  1. Identify the affected project and remove vendor/laravel-lang/* directories.
  2. Pin a known-good version in composer.json and composer.lock, then composer install.
  3. Rotate everything the malware targets: cloud provider credentials, K8s SA tokens, Vault tokens, CI/CD secrets, GitHub/GitLab tokens, SSH keys, database credentials, and Laravel APP_KEY.
  4. Rebuild affected containers, hosts, and CI runners from known-good images.
