Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise
Essential information
- Published: 01/05/2026 10:50
- Modified: 04/05/2026 14:30
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: credential theft intercom mini shai-hulud packagist compromise supply chain attack
- Tags: 2026-05-01 credential-theft intercom mini shai hulud packagist compromise supply chain attack
- Related entities: 7 indicators, 7 observables, 1 malware, 2 others
Description
A malicious artifact of version 5.0.2 of the widely used intercom/intercom-php package was discovered on Packagist, representing an expansion of the Mini Shai-Hulud supply chain attack from npm into the PHP ecosystem. The compromised package exploits Composer plugin execution to download the Bun runtime and execute an obfuscated credential-stealing payload during installation. The malicious code harvests sensitive credentials, including GitHub tokens, cloud provider credentials, SSH keys, Kubernetes tokens, and HashiCorp Vault secrets, from developer machines and CI/CD environments. Stolen data is encrypted using AES-256-GCM and exfiltrated to attacker-controlled infrastructure. The payload also contains propagation logic to modify GitHub repositories and npm packages using stolen credentials. With approximately 12,700 daily installs, the compromised artifact potentially reached numerous high-value development environments before removal.
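A defender-side check for the exposure described above, as an added example that is not part of the original report: it scans a parsed `composer.lock` for the reported package version and, going beyond the single package, lists every plugin-type package that `config.allow-plugins` in `composer.json` lets Composer execute. The sample lock data, the `example/installer-plugin` package and the function names are constructed for illustration; the first-match rule evaluation is an assumption about how Composer applies `allow-plugins`.

```python
import json
from fnmatch import fnmatchcase

# Package and version named in the report; compared after stripping a leading "v".
AFFECTED = {("intercom/intercom-php", "5.0.2")}

def audit_lock(lock):
    """Scan a parsed composer.lock for the reported version and for plugin-type packages."""
    affected, plugins = [], []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            name = pkg.get("name", "").lower()
            version = pkg.get("version", "").lstrip("vV")
            if (name, version) in AFFECTED:
                affected.append(f"{name}@{version}")
            # Packages of type "composer-plugin" run code inside Composer itself.
            if pkg.get("type") == "composer-plugin":
                plugins.append(name)
    return {"affected": sorted(affected), "plugins": sorted(plugins)}

def executable_plugins(plugins, composer_json):
    """Return the plugins that config.allow-plugins in composer.json permits to run."""
    allow = (composer_json.get("config") or {}).get("allow-plugins", {})
    if isinstance(allow, bool):          # true = every plugin runs, false = none
        return sorted(plugins) if allow else []
    permitted = []
    for name in plugins:
        for pattern, ok in allow.items():
            # Assumption: the first matching rule decides, wildcards as in "vendor/*".
            if fnmatchcase(name, pattern.lower()):
                if ok:
                    permitted.append(name)
                break
    return sorted(permitted)

# Constructed sample data, not taken from a real project.
SAMPLE_LOCK = json.loads("""{
  "packages": [
    {"name": "intercom/intercom-php", "version": "v5.0.2", "type": "library"},
    {"name": "example/installer-plugin", "version": "1.4.0", "type": "composer-plugin"}
  ],
  "packages-dev": []
}""")
SAMPLE_COMPOSER_JSON = {"config": {"allow-plugins": {"example/*": True}}}

if __name__ == "__main__":
    report = audit_lock(SAMPLE_LOCK)
    print("affected:", report["affected"])
    print("plugins allowed to run:", executable_plugins(report["plugins"], SAMPLE_COMPOSER_JSON))
```

A version match only shows that the lock file pins the reported release; whether the installed artifact was the malicious one still has to be established from the vendor directory and install logs.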