A malicious artifact has been identified in the widely used intercom/intercom-php Packagist package (version 5.0.2), confirming that the ongoing Mini Shai-Hulud supply chain campaign has expanded beyond npm into the PHP ecosystem and making it one of the most significant cross-ecosystem software supply chain attacks of 2026.
On April 30, 2026, AI Scanner flagged intercom/intercom-php@5.0.2 as known malware after detecting a maliciously modified artifact on Packagist. The threat actor altered the package twice within minutes: the first modification pointed version 5.0.2 to commit e8a812c5ea7d8c7ed642b0d82754ced6a99025b0 at 20:51:09 UTC, and a second change at 20:53:12 UTC redirected it to e69bf4b3e84e7951a7b4ded8fee8822c57630cf8. AI Scanner detected the malicious code just 14 minutes after release and reported the artifact to Packagist, which swiftly removed it.
Intercom PHP Package Hijack
The compromise spans three major package ecosystems. A local installation of pyannote-audio introduced a compromised lightning package as a transitive dependency, triggering the PyPI-to-npm chain that first corrupted intercom-client@7.0.4 and subsequently led to the Packagist artifact for intercom/intercom-php@5.0.2.
This cross-ecosystem propagation model is consistent with how Mini Shai-Hulud has operated throughout its documented history. intercom/intercom-php is a widely deployed PHP SDK with over 20.7 million lifetime installs, approximately 285,000 installs in the last 30 days, and an estimated 12,700 daily installs across all versions, roughly 700 of which target version 5.0.2 specifically. The package is integral to customer messaging integrations in Laravel applications, SaaS back-ends, and enterprise CI/CD pipelines, making it a prime target for credential-harvesting operations.
This scale indicates that the compromised 5.0.2 artifact had direct exposure to high-value developer machines and automated build environments for a very short window before removal.
How the Attack Works
The malicious artifact weaponizes Composer’s plugin system for install-time execution, a technique that bypasses conventional security controls by triggering malicious code during composer install or composer update, before any application code is ever imported.
The attack chain works as follows:
- The tampered `composer.json` reclassifies the package as `composer-plugin` and registers `Intercom\ComposerPlugin` as the plugin entry point
- The plugin class at `src/composerPlugin.php` subscribes to the `post-install-cmd` and `post-update-cmd` hooks
- On trigger, it resolves the package path and executes `setup-intercom.sh`
- The shell script downloads Bun 1.3.13 from GitHub Releases, selecting the correct Linux or macOS binary
- Bun then executes the 11.7 MB obfuscated payload: `router_runtime.js`
This mirrors the npm attack pattern, where intercom-client@7.0.4 used a malicious preinstall hook to execute the same style of Bun-based router_runtime.js payload. The only difference is the delivery vehicle: npm’s preinstall hook is replaced by Composer’s plugin API.
Credential Theft and Exfiltration Capabilities
Static analysis of router_runtime.js reveals a comprehensive credential and secrets harvester. The payload targets an extensive range of sensitive assets across developer environments:
- Identity & VCS tokens: GitHub CLI tokens, npm tokens, Git credentials, SSH private keys
- Cloud platforms: AWS credentials (IAM, SSM Parameter Store, Secrets Manager, STS), Azure credentials and Key Vault, GCP credentials and Secret Manager
- Container & orchestration: Docker credentials, Kubernetes config, service account tokens
- Secrets management: HashiCorp Vault tokens
- Application secrets: `.env` files, `.npmrc`, `.pypirc`, shell history, `wp-config.php`
Stolen data is encrypted using AES-256-GCM, with the AES key wrapped using RSA-OAEP/SHA-256, then exfiltrated to the primary hardcoded C2 endpoint: https://zero[.]masscan[.]cloud:443/v1/telemetry.
If direct exfiltration fails, the malware falls back to GitHub-based exfiltration using any stolen GitHub tokens, creating repositories with the description “A Mini Shai-Hulud has Appeared”.
Supply Chain Propagation Logic
One of the most dangerous aspects of this payload is its self-propagating architecture. Using stolen npm tokens, the malware can silently modify and republish npm packages, injecting install-time scripts.
It also writes payload files into repository paths, including .claude/router_runtime.js, .vscode/setup.mjs, and .vscode/tasks.json, paths that blend into normal developer tooling directories.
Commit messages are designed to evade detection, using innocuous strings like chore: update dependencies, paired with spoofed author metadata such as claude <claude@users.noreply.github.com> to mimic legitimate automation workflows.
This self-replicating behavior closely mirrors the broader Shai-Hulud worm model, which has previously propagated malicious code across hundreds of npm packages simultaneously.
Organizations should hunt for the following artifacts across developer machines and CI/CD runners:
| Category | Indicator |
|---|---|
| Package hash (zip) | 66664a49edbcee0ed0d8365839707916e92d3aa06e7f26f33c9dcc58e5fc1ef3 |
| router_runtime.js SHA256 | 50212a875643520353df158196b9b3be4595094125ad8d2d2c48bdd9cb04ce1f |
| C2 endpoint | zero[.]masscan[.]cloud:443/v1/telemetry |
| Suspicious string | Running Intercom setup script... |
| Propagation marker | A Mini Shai-Hulud has Appeared |
| Suspicious path | .claude/router_runtime.js, .vscode/setup.mjs |
| Lock file artifact | /tmp/tmp.987654321.lock |
Remediation
Any organization that installed or updated intercom/intercom-php@5.0.2 should treat the affected environment as potentially compromised and take the following steps immediately:
- Audit all environments for the installation of `intercom/intercom-php@5.0.2` via `composer show` or Composer lock file review
- Check Composer logs for the execution of `setup-intercom.sh` or strings like `Running Intercom setup script`
- Remove the malicious artifact and reinstall from a verified, known-good source
- Rotate all exposed credentials, prioritizing GitHub tokens, npm tokens, SSH keys, AWS/Azure/GCP credentials, Kubernetes tokens, Vault tokens, and Docker credentials
- Audit GitHub repositories for unauthorized commits, new `.github/workflows/` files, `.claude/` or `.vscode/` payload files, and suspicious public repository activity
- Review npm packages controlled by affected maintainers for unauthorized publish events or injected preinstall scripts
The Mini Shai-Hulud campaign’s expansion into Packagist marks a critical shift: this threat actor is no longer constrained to a single ecosystem. With confirmed compromises across PyPI, npm, and Packagist in a single coordinated chain, it demonstrates a mature operational model capable of exploiting ecosystem trust boundaries.
The use of Packagist’s mutable tag system, where Git tags can be force-updated without changing version numbers, is a particularly stealthy technique that exposes a structural vulnerability in how PHP’s dependency ecosystem handles package integrity.
Security teams should treat this as a signal: supply chain attacks will increasingly target multi-ecosystem environments simultaneously, leveraging transitive dependencies to bridge between PyPI, npm, and Packagist in ways that are difficult to trace and even harder to contain, Socket said.
FAQ
Q1: What is the Mini Shai-Hulud campaign?
Mini Shai-Hulud is an ongoing software supply chain attack campaign that uses Bun-based, obfuscated JavaScript payloads to steal developer credentials and CI/CD secrets across npm, PyPI, and Packagist ecosystems.
Q2: Does importing intercom/intercom-php in application code trigger the malware?
No, the malicious payload executes at install or update time via Composer’s plugin system, meaning exposure occurs even if the PHP library is never imported or called in application code.
Q3: How did Packagist allow a version to be silently replaced without changing the version number?
Packagist mirrors Git tags from upstream repositories, and Git tags are mutable; they can be force-pushed to point to a different commit, effectively replacing a version’s contents without incrementing the version string.
Q4: What should developers do if they have installed intercom/intercom-php@5.0.2?
Immediately remove the package, rotate all credentials accessible on the affected machine or CI runner, audit GitHub repositories for unauthorized changes, and review npm packages under the same maintainer for suspicious publish activity.