For Context: This answer was written before any more information on the incident was available. At the time, it was uncertain whether this was a common configuration issue, a vulnerability in Laravel itself or a commonly used module.
It is impossible for us to tell what could be the cause of this exploitation. There are several possibilities, such as a zero-day exploit in Laravel itself or a related module, or a widespread configuration issue.
Here are some steps you can take:
1. Take your App Offline. NOW!
Your application is compromised and so an attacker can do as they wish on your server. That includes stealing all your data, compromising all your user data and generally endangering your users.
Take the application offline. NOW!
2. Inform your Users
Inform your users that a security incident occurred and that it is possible, likely even, that user data was stolen. If some of your users are affected by GDPR, you may need to file a Notification of a personal data breach to the supervisory authority.
3. Contact a Professional Forensics Specialist
I know that this step will sting financially, but depending on your setup, contacting a forensics specialist may be a way to find out how they gained entry, what they did and the full extent of the damage.
At any rate, you need to find the source of the breach before you put the application back online. It's as if a fuse burned out - just replacing it won't fix the underlying problem. If you just replace the fuse and turn on the power again, the next fuse will burn out again immediately.
4. Fix the Vulnerability
Depending on the nature of the vulnerability, this could be done through an update, through a configuration change or any number of ways. The important part is that just removing the web shell won't fix the issue! That web shell got there for a reason, so before that reason is addressed, don't put the server back online.
5. Wipe your Server Clean
That means a full reinstall from a known-good backup, then applying all the necessary fixes before re-deploying your application.
Yes, it sucks, but it's the only way to be sure. Attempting to "doctor around" will likely result in an attacker having continued access to your server. Remember: They tricked you once - there is no reason to assume they can't trick you again.