216.73.217.80

Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise

· Published 01/05/2026 10:50 · Modified 04/05/2026 14:30

Export JSON

Essential information

Published
01/05/2026 10:50
Modified
04/05/2026 14:30
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
credential theft intercom mini shai-hulud packagist compromise supply chain attack
Tags
2026-05-01 credential-theft intercom mini shai hulud packagist compromise supply chain attack
Related entities
7 indicators, 7 observables, 1 malware, 2 others

Description

A malicious artifact of the widely-used /-php package version 5.0.2 was discovered on Packagist, representing an expansion of the from npm into the PHP ecosystem. The compromised package exploits Composer plugin execution to download Bun runtime and execute an obfuscated credential-stealing payload during installation. The malicious code harvests sensitive credentials including GitHub tokens, cloud provider credentials, SSH keys, Kubernetes tokens, and HashiCorp Vault secrets from developer machines and CI/CD environments. Stolen data is encrypted using AES-256-GCM and exfiltrated to attacker-controlled infrastructure. The payload also contains propagation logic to modify GitHub repositories and npm packages using stolen credentials. With approximately 12,700 daily installs, the compromised artifact potentially reached numerous high-value development environments before removal.

External references