
Socket found a malicious Intercom PHP package on Packagist using Composer plugin execution to steal credentials and spread across ecosystems.

Published:

30 April 2026 at 21:31:43

Alert date:

30 April 2026 at 23:01:48

Source:

socket.dev


Supply Chain & Dependencies, Ransomware & Malware, Data Breach & Exfiltration

Mini Shai-Hulud campaign expanded from npm to PHP ecosystem, compromising Intercom's PHP package on Packagist. The malicious intercom/intercom-php@5.0.2 uses Composer plugin execution to download Bun runtime and execute obfuscated JavaScript payload for credential theft. Attack targets GitHub tokens, AWS/Azure/GCP credentials, SSH keys, and CI/CD secrets. Payload includes supply chain propagation capabilities and encrypted exfiltration via zero.masscan.cloud. Same operational pattern as previous npm compromise but adapted for PHP/Composer ecosystem. Socket detected malicious code 14 minutes after release.

Technical details

The malicious intercom/intercom-php@5.0.2 package uses Composer plugin execution to download the Bun JavaScript runtime and execute an obfuscated credential-stealing payload. The package type was changed to 'composer-plugin' with a composer-plugin-api requirement, registering Intercom\\ComposerPlugin as the entry point. The plugin subscribes to the post-install-cmd and post-update-cmd events and executes setup-intercom.sh, which downloads Bun 1.3.13 and runs router_runtime.js, an 11.7 MB obfuscated JavaScript payload. The payload steals credentials from the GitHub CLI, npm, SSH keys, AWS/Azure/GCP credentials, Docker, Kubernetes, Vault tokens, .env files, and more. It encrypts the stolen data with AES-256-GCM, wrapping the key with RSA-OAEP/SHA-256, before exfiltration to https://zero.masscan.cloud:443/v1/telemetry, with GitHub repositories as a fallback channel.

Mitigation steps:

Audit all environments for installation of intercom/intercom-php@5.0.2
Review Composer logs for execution of setup-intercom.sh or messages such as 'Running Intercom setup script'
Check whether Composer plugin execution was allowed for intercom/intercom-php
Remove the malicious artifact and reinstall only from a known-good source
Rotate credentials that may have been present on affected developer machines or CI runners, prioritizing: GitHub tokens, npm tokens, SSH keys, AWS/Azure/GCP credentials, Kubernetes tokens, Vault tokens, Docker registry credentials, application secrets in .env files
Review GitHub repositories for unauthorized commits, new workflow files, .claude/ or .vscode/ payload files, and suspicious public repositories
Review npm packages controlled by affected maintainers for unauthorized releases or install-time script changes
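The first three mitigation steps can be scripted. The following Python is an added example, not code from the advisory or from Socket or Intercom: it checks a composer.lock for the flagged release and for any package that registers itself as a Composer plugin, checks whether composer.json's config.allow-plugins would let that plugin run (Composer 2.2+ only executes plugins allowed there), and scans Composer output for the log markers quoted above. The sample lock file, composer.json and log lines are constructed for the example.

```python
import json
from fnmatch import fnmatch

# Deny-list built from this advisory (package, version); extend as needed.
MALICIOUS_PACKAGES = {("intercom/intercom-php", "5.0.2")}
# Log fragments the advisory cites as evidence that the setup script ran.
LOG_MARKERS = ("Running Intercom setup script", "Intercom setup complete", "setup-intercom.sh")

def audit_lock(lock_json):
    """Flag deny-listed packages and any package of type 'composer-plugin'."""
    lock = json.loads(lock_json)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "?")
        version = pkg.get("version", "").lstrip("v")  # lock files often pin "v5.0.2"
        if (name, version) in MALICIOUS_PACKAGES:
            findings.append(f"{name}@{version}: known malicious release")
        if pkg.get("type") == "composer-plugin":
            cls = pkg.get("extra", {}).get("class", "?")  # install-time entry point
            findings.append(f"{name}@{version}: composer-plugin, entry class {cls}")
    return findings

def plugin_allowed(composer_json, package):
    """True if config.allow-plugins lets Composer run this plugin's code.
    Accepts the blanket `true`, an exact name, or a wildcard such as 'vendor/*'."""
    allow = json.loads(composer_json).get("config", {}).get("allow-plugins", {})
    if allow is True:
        return True
    if not isinstance(allow, dict):
        return False
    return any(v is True and fnmatch(package, pattern) for pattern, v in allow.items())

def scan_log(lines):
    """Return Composer output lines that match the advisory's log markers."""
    return [line for line in lines if any(m in line for m in LOG_MARKERS)]

# Constructed sample inputs modelled on the advisory; not real captured files.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "intercom/intercom-php", "version": "v5.0.2", "type": "composer-plugin",
     "extra": {"class": "Intercom\\ComposerPlugin"}},
    {"name": "guzzlehttp/guzzle", "version": "7.9.2", "type": "library"}]})
SAMPLE_COMPOSER = '{"config": {"allow-plugins": {"intercom/*": true}}}'
SAMPLE_LOG = ["Generating autoload files", "Running Intercom setup script...",
              "Intercom setup complete."]

if __name__ == "__main__":
    print("\n".join(audit_lock(SAMPLE_LOCK)))
    print("plugin allowed:", plugin_allowed(SAMPLE_COMPOSER, "intercom/intercom-php"))
    print("log hits:", scan_log(SAMPLE_LOG))
```

Run it against the real composer.lock, composer.json and saved `composer install` output of each project or CI runner; any finding on the first two checks means the plugin could have executed and the credential rotation step applies.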

Affected products:

intercom/intercom-php version 5.0.2
intercom-client version 7.0.4
PHP/Composer ecosystem
npm ecosystem

IOCs:

intercom/intercom-php v.5.0.2, composer.json, setup-intercom.sh, router_runtime.js, src/composerPlugin.php, 66664a49edbcee0ed0d8365839707916e92d3aa06e7f26f33c9dcc58e5fc1ef3, 907aec5b1288057a3e0885226918b6930a62a0f348ce23de026a683238c7903e, 50212a875643520353df158196b9b3be4595094125ad8d2d2c48bdd9cb04ce1f, 832a976d1a8d54e296e8479aedbd89fa24baa02b8409a78bf06d4d03340881bd, b084743bd16043461e68b604dde80a8b386b405eae6f66c1103fb4fd6831d4a7, zero[.]masscan[.]cloud, https://zero[.]masscan[.]cloud:443/v1/telemetry, Running Intercom setup script..., Intercom setup complete., Intercom\\ComposerPlugin, A Mini Shai-Hulud has Appeared, EveryBoiWeBuildIsAWormyBoi, Exiting as russian language detected!, chore: update dependencies, claude@users.noreply.github.com, package-updated.tgz, /tmp/tmp.987654321.lock, .claude/router_runtime.js, .claude/setup.mjs, .claude/settings.json, .vscode/setup.mjs, .vscode/tasks.json, results/results-*.json

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
