{
  "name": "Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise",
  "slug": "mini-shai-hulud-spreads-to-packagist-malicious-intercom-php-package-follows-npm-compromise",
  "description": "A malicious artifact of the widely-used intercom/intercom-php package version 5.0.2 was discovered on Packagist, representing an expansion of the Mini Shai-Hulud supply chain attack from npm into the PHP ecosystem. The compromised package exploits Composer plugin execution to download Bun runtime and execute an obfuscated credential-stealing payload during installation. The malicious code harvests sensitive credentials including GitHub tokens, cloud provider credentials, SSH keys, Kubernetes tokens, and HashiCorp Vault secrets from developer machines and CI/CD environments. Stolen data is encrypted using AES-256-GCM and exfiltrated to attacker-controlled infrastructure. The payload also contains propagation logic to modify GitHub repositories and npm packages using stolen credentials. With approximately 12,700 daily installs, the compromised artifact potentially reached numerous high-value development environments before removal.",
  "published": "2026-05-01T08:50:53.821000+00:00",
  "created_at": "2026-05-04T14:30:17.971000+00:00",
  "modified_at": "2026-05-04T12:30:18+00:00",
  "created_at_opencti": "2026-05-04T14:30:17.971000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "credential theft",
    "intercom",
    "mini shai-hulud",
    "packagist compromise",
    "supply chain attack"
  ],
  "tags": [
    "2026-05-01",
    "credential-theft",
    "intercom",
    "mini shai hulud",
    "packagist compromise",
    "supply chain attack"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "7bed10c0-d737-4680-aab9-bc9502085b6e",
        "name": "907aec5b1288057a3e0885226918b6930a62a0f348ce23de026a683238c7903e"
      },
      {
        "id": "0c808e75-01a4-4871-9b93-f2877fef638a",
        "name": "832a976d1a8d54e296e8479aedbd89fa24baa02b8409a78bf06d4d03340881bd"
      },
      {
        "id": "d5764cc4-79c2-4837-93d9-02888220afe2",
        "name": "66664a49edbcee0ed0d8365839707916e92d3aa06e7f26f33c9dcc58e5fc1ef3"
      },
      {
        "id": "b4d17218-7194-4e65-8259-61f099995fb5",
        "name": "https://zero.masscan.cloud:443/v1/telemetry"
      },
      {
        "id": "1d4928df-0bec-4b2d-bc17-2685bb836b31",
        "name": "50212a875643520353df158196b9b3be4595094125ad8d2d2c48bdd9cb04ce1f"
      },
      {
        "id": "e79e0f83-7daf-4a93-95ef-e85031f4ace6",
        "name": "b084743bd16043461e68b604dde80a8b386b405eae6f66c1103fb4fd6831d4a7"
      },
      {
        "id": "5f11dbaf-6566-4d1c-8a18-65451168f593",
        "name": "zero.masscan.cloud"
      }
    ],
    "malware": [
      {
        "id": "31dd38d0-b2c6-49c2-86db-6c2f90fcbe4a",
        "name": "router_runtime.js",
        "slug": "router_runtimejs"
      }
    ],
    "observables": [
      {
        "id": "e0680e9a-fef6-4452-956e-d6088e87a2a3",
        "name": "zero.masscan.cloud"
      },
      {
        "id": "8a8c889d-24bb-4e88-b987-8c4440d99747",
        "name": "https://zero.masscan.cloud:443/v1/telemetry"
      },
      {
        "id": "",
        "name": "907aec5b1288057a3e0885226918b6930a62a0f348ce23de026a683238c7903e"
      },
      {
        "id": "",
        "name": "832a976d1a8d54e296e8479aedbd89fa24baa02b8409a78bf06d4d03340881bd"
      },
      {
        "id": "",
        "name": "66664a49edbcee0ed0d8365839707916e92d3aa06e7f26f33c9dcc58e5fc1ef3"
      },
      {
        "id": "",
        "name": "50212a875643520353df158196b9b3be4595094125ad8d2d2c48bdd9cb04ce1f"
      },
      {
        "id": "",
        "name": "b084743bd16043461e68b604dde80a8b386b405eae6f66c1103fb4fd6831d4a7"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "zero.masscan.cloud"
      }
    ]
  },
  "external_refs": [
    {
      "id": "7d930414-d457-4d1e-8eff-7bd14fa2f6bb",
      "standard_id": "external-reference--468131a6-141d-56ec-955c-e882e2bfb96b",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://socket.dev/blog/mini-shai-hulud-packagist-malicious-intercom-php-package-compromise",
      "hash": null,
      "external_id": null,
      "created": "2026-05-04T14:30:17.906Z",
      "modified": "2026-05-04T14:30:17.906Z",
      "createdById": null
    },
    {
      "id": "73c35473-4f02-4322-8df5-d10aeec012cf",
      "standard_id": "external-reference--f82555b9-46f4-57ac-9a5a-e7379ad9b9f7",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/69f4696df292a40fd0caa46d",
      "hash": null,
      "external_id": "69f4696df292a40fd0caa46d",
      "created": "2026-05-04T14:30:17.844Z",
      "modified": "2026-05-04T14:30:17.844Z",
      "createdById": null
    }
  ]
}