intercom-php - isotope¹³

Incident Summary

Intercom PHP SDK Compromise (Mini Shai-Hulud)

The Mini Shai-Hulud campaign expanded into the PHP ecosystem by compromising the official intercom/intercom-php package on Packagist. Attackers compromised a maintainer account to overwrite existing legitimate versions. The malicious code was converted into a Composer plugin to execute automatically during installation, downloading the Bun runtime to execute an obfuscated payload that exfiltrated GitHub tokens, SSH keys, cloud credentials, and .env files to zero.masscan.cloud.

Date: 2026-04-30
Category: Open Source
Target Surface: Distribution
Insertion Phase: distribution
Impact: Credential theft
Cause: Compromised Account/Credentials

What Was Affected

Package intercom-php

LanguagePHP

ComponentLibrary

Artifact typesource archive

Domain typepackage host

Domain packagist.org

Repository github.com/intercom/intercom-php

Compromised Versions

5.0.2

Incident Context

Motive: Credential Theft
Attribution: Third Party
Transitive: No
User Impact: 0
Observed Duration: 0 days

External References

semgrep.dev/blog/2026/malicious-intercom-php-package-spreads-mini-shai-hulud-attack-to-packagist-via-composer-plugin

Source Data

Source record: oss/intercom-php/meta.yaml