# Malware Attack! Probably from plugins vendor


pseudo sluice
#

Recently I've faced a malware attack on a couple of my websites developed using Filament v3 and Livewire.

My website has no file upload feature on the frontend, but I see so many PHP files inside the public folders, even in the root of the project.

After digging deeper, I found no hole in the application and am doubting the vendor. The applications are not the same: one is ecommerce (virtual product) and the other is a URL shortener.

I am sharing the package list and installed versions as well.

pseudo sluice
#

ecommerce:

"php": "^8.2",
"artesaos/seotools": "^1.3",
"awcodes/filament-curator": "^3.5",
"awcodes/filament-tiptap-editor": "^3.0",
"awcodes/overlook": "^2.2",
"bezhansalleh/filament-shield": "^3.2",
"datlechin/filament-menu-builder": "^0.6.0",
"davidhsianturi/blade-bootstrap-icons": "^1.5",
"digimax/dot-env-editor": "^1.2",
"filament/filament": "^3.2",
"filament/spatie-laravel-tags-plugin": "^3.2",
"flowframe/laravel-trend": "^0.2.0",
"gehrisandro/tailwind-merge-laravel": "^1.2",
"irazasyed/telegram-bot-sdk": "^3.14",
"laravel-notification-channels/fcm": "^4.3",
"laravel-notification-channels/telegram": "^5.0",
"laravel/breeze": "^2.0",
"laravel/framework": "^11.0",
"laravel/octane": "^2.8",
"laravel/tinker": "^2.9",
"livewire/livewire": "^3.4",
"livewire/volt": "^1.0",
"marvinosswald/filament-input-select-affix": "^0.2.0",
"masmerise/livewire-toaster": "^2.2",
"php-imap/php-imap": "^5.0",
"secondnetwork/blade-tabler-icons": "^3.24",
"spatie/laravel-backup": "^9.2",
"spatie/laravel-google-fonts": "^1.4",
"spatie/laravel-image-optimizer": "^1.8",
"spatie/laravel-sitemap": "^7.3",
"spiral/roadrunner-cli": "^2.6.0",
"spiral/roadrunner-http": "^3.3.0",
"squirephp/countries-en": "^3.5",
"squirephp/currencies-en": "^3.5",
"wire-elements/modal": "^2.0"

stable oasis
#

What's the actual LW version of those apps? composer show livewire/livewire | grep version

#

It might be related to that old CVE in Livewire
#💫┊announcements message

pseudo sluice
#

I am thinking the same, let me check the version

#

@stable oasis LW v3.6.1

stable oasis
#

You should update your sites, wipe your server or reset all credentials.

pseudo sluice
#

Yeah, I am going to do it.
