Severity: Critical
CVSS Score: 9.3
### Impact

On April 30, 2026, a malicious commit was pushed to the intercom/intercom-php repository and tagged as version 5.0.2, using a compromised service account (github-management-service). This occurred as part of the same supply chain attack that affected intercom-client on npm.

The malicious version contained a Composer plugin that acted as a dropper, downloading the Bun JavaScript runtime (version 1.3.13) and executing an obfuscated credential-harvesting payload. The payload targeted cloud provider credentials (AWS, GCP, Azure), environment variables, .env files, SSH keys, local configuration files, and CI/CD secrets.

The malicious tag was live between approximately 20:53 UTC and 22:37 UTC on April 30, 2026, before being identified and reverted to a clean commit. This compromise is part of the "Mini Shai-Hulud" supply chain campaign tracked by Wiz and Socket.

To check if a consuming project is affected, run: `composer show intercom/intercom-php --version`. If the project installed or updated between 20:53 and 22:37 UTC on April 30, it may have received the malicious version. The malicious commit hash was `e69bf4b3`. The clean commit is `9371eba9`. Check `composer.lock` to verify which version the consuming project is using.

### Patches

Version 5.0.1 and all prior versions are unaffected. The 5.0.2 tag has been reverted to a clean commit. Downgrade to 5.0.1 or run `composer clear-cache` and reinstall to get the clean 5.0.2.

### Workarounds

If a project installed version 5.0.2 during the affected window, treat all credentials accessible from that environment as compromised and rotate them. Clear the Composer cache with `composer clear-cache` and check `composer.lock` for the commit hash to confirm whether you have the malicious or clean version.

### Resources

- https://www.intercomstatus.com/us-hosting/incidents/01KQFN6VS6ARP1XBR1K1SBYY59
- https://www.wiz.io/blog/mini-shai-hulud-supply-chain-sap-npm
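Because both the malicious and the clean state of the repository carry the same version string (5.0.2), the version number alone cannot tell the two apart; the commit reference recorded in `composer.lock` can. The following script, an added example that is not part of the advisory or of the intercom-php project, reads a `composer.lock`, finds the `intercom/intercom-php` entry in `packages` or `packages-dev`, and classifies it by the `source`/`dist` reference using the two commit prefixes named above. The lock file contents below are constructed samples; the full 40-character hashes in them are placeholders built from the advisory's short prefixes, not the real commit ids.

```python
import json
import sys

PACKAGE = "intercom/intercom-php"
# Short commit prefixes as published in the advisory.
MALICIOUS_REF_PREFIX = "e69bf4b3"
CLEAN_REF_PREFIX = "9371eba9"
AFFECTED_VERSION = (5, 0, 2)


def parse_version(version: str):
    """Turn 'v5.0.2' / '5.0.1' into a comparable tuple; None for dev-* or odd strings."""
    try:
        return tuple(int(part) for part in version.lstrip("v").split("."))
    except ValueError:
        return None


def find_package(lock: dict, name: str):
    """Return the lock entry for `name` from packages or packages-dev, or None."""
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == name:
                return pkg
    return None


def classify_lock(lock_text: str) -> str:
    """Classify a composer.lock as one of:
    'not-installed', 'unaffected', 'malicious', 'clean', 'unknown'."""
    pkg = find_package(json.loads(lock_text), PACKAGE)
    if pkg is None:
        return "not-installed"

    # Composer records the resolved git commit under source.reference and
    # usually repeats it under dist.reference; check both.
    refs = set()
    for key in ("source", "dist"):
        ref = (pkg.get(key) or {}).get("reference")
        if ref:
            refs.add(ref.lower())

    # The commit is the ground truth: a malicious reference is bad whatever
    # the version string says.
    if any(r.startswith(MALICIOUS_REF_PREFIX) for r in refs):
        return "malicious"

    version = parse_version(pkg.get("version", ""))
    if version is None:
        return "unknown"            # dev branch or unparsable version
    if version < AFFECTED_VERSION:
        return "unaffected"         # 5.0.1 and earlier per the advisory
    if version == AFFECTED_VERSION and any(r.startswith(CLEAN_REF_PREFIX) for r in refs):
        return "clean"
    return "unknown"                # 5.0.2 with an unrecognised reference


def _lock(version: str, reference: str) -> str:
    """Build a minimal constructed composer.lock for the samples below."""
    return json.dumps({
        "packages": [{
            "name": PACKAGE,
            "version": version,
            "source": {"type": "git", "reference": reference},
            "dist": {"type": "zip", "reference": reference},
        }],
        "packages-dev": [],
    })


# Constructed samples; the 40-char hashes are placeholders padded from the prefixes.
MALICIOUS_LOCK = _lock("v5.0.2", MALICIOUS_REF_PREFIX + "0" * 32)
CLEAN_LOCK = _lock("v5.0.2", CLEAN_REF_PREFIX + "0" * 32)
OLD_LOCK = _lock("v5.0.1", "placeholder" + "0" * 29)
EMPTY_LOCK = json.dumps({"packages": [], "packages-dev": []})


if __name__ == "__main__":
    # Usage: python check_intercom_lock.py path/to/composer.lock
    path = sys.argv[1] if len(sys.argv) > 1 else "composer.lock"
    with open(path, encoding="utf-8") as fh:
        print(f"{path}: {classify_lock(fh.read())}")
```

A result of `malicious` means the environment should be handled as described under Workarounds (rotate every credential it could reach); `unknown` on a 5.0.2 entry means the reference matches neither published commit and should be compared by hand against the repository before the install is trusted.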