{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/mini-shai-hulud/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Mini Shai-Hulud"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["intercom-php"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","github"],"_cs_type":"threat","_cs_vendors":["Intercom","GitHub"],"content_html":"\u003cp\u003eOn April 30, 2026, the intercom/intercom-php repository on GitHub was subject to a supply chain attack. A compromised service account, \u003ccode\u003egithub-management-service\u003c/code\u003e, was used to push a malicious commit tagged as version 5.0.2. This attack is part of the broader \u0026ldquo;Mini Shai-Hulud\u0026rdquo; campaign, which also targeted the \u003ccode\u003eintercom-client\u003c/code\u003e package on npm. The malicious version of \u003ccode\u003eintercom-php\u003c/code\u003e included a Composer plugin designed to act as a dropper. It downloaded the Bun JavaScript runtime (version 1.3.13) and executed an obfuscated credential-harvesting payload. The malicious tag was live for approximately 1 hour and 44 minutes, between 20:53 UTC and 22:37 UTC on April 30, 2026, before being identified and reverted. This incident highlights the risk of supply chain attacks targeting widely-used packages and the potential for significant credential compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA compromised service account (\u003ccode\u003egithub-management-service\u003c/code\u003e) pushes a malicious commit to the \u003ccode\u003eintercom/intercom-php\u003c/code\u003e repository.\u003c/li\u003e\n\u003cli\u003eThe malicious commit is tagged as version 5.0.2 and published to GitHub.\u003c/li\u003e\n\u003cli\u003eDevelopers using \u003ccode\u003eintercom-php\u003c/code\u003e may inadvertently install the malicious version via \u003ccode\u003ecomposer update\u003c/code\u003e or \u003ccode\u003ecomposer install\u003c/code\u003e if performed during the compromised window.\u003c/li\u003e\n\u003cli\u003eThe Composer plugin within the malicious package is executed during the installation process.\u003c/li\u003e\n\u003cli\u003eThe plugin downloads the Bun JavaScript runtime (version 1.3.13) to the affected system.\u003c/li\u003e\n\u003cli\u003eThe Bun runtime executes an obfuscated JavaScript payload.\u003c/li\u003e\n\u003cli\u003eThe JavaScript payload attempts to harvest credentials, including cloud provider credentials (AWS, GCP, Azure), environment variables, .env files, SSH keys, local configuration files, and CI/CD secrets.\u003c/li\u003e\n\u003cli\u003eThe harvested credentials could then be exfiltrated by the attacker for unauthorized access to cloud resources and sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack directly compromised the \u003ccode\u003eintercom-php\u003c/code\u003e package, potentially affecting any project that installed or updated to version 5.0.2 between 20:53 UTC and 22:37 UTC on April 30, 2026. Successful exploitation leads to the theft of sensitive credentials, including those for major cloud providers (AWS, GCP, Azure), potentially granting attackers access to critical infrastructure and sensitive data. Even a short window of exposure can lead to widespread compromise if a large number of projects pull the malicious package.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately check if your projects installed \u003ccode\u003eintercom/intercom-php\u003c/code\u003e version 5.0.2 between 20:53 and 22:37 UTC on April 30, 2026, using \u003ccode\u003ecomposer show intercom/intercom-php --version\u003c/code\u003e as indicated in the overview.\u003c/li\u003e\n\u003cli\u003eIf the project installed the malicious version, treat all credentials accessible from that environment as compromised and rotate them, as mentioned in the Workarounds section.\u003c/li\u003e\n\u003cli\u003eClear the Composer cache using \u003ccode\u003ecomposer clear-cache\u003c/code\u003e to prevent further installations of the malicious package, as recommended in the Patches section.\u003c/li\u003e\n\u003cli\u003eVerify the commit hash in your \u003ccode\u003ecomposer.lock\u003c/code\u003e file against the malicious hash \u003ccode\u003ee69bf4b3\u003c/code\u003e and the clean hash \u003ccode\u003e9371eba9\u003c/code\u003e, as suggested in the Overview and Workarounds sections.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Bun Execution\u003c/code\u003e to identify instances where the Bun JavaScript runtime is executed, potentially indicating malicious activity from the dropper.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to effectively utilize the \u003ccode\u003eDetect Bun Execution\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T12:00:00Z","date_published":"2026-05-08T12:00:00Z","id":"/briefs/2026-05-intercom-php-supply-chain/","summary":"A malicious commit tagged as version 5.0.2 was pushed to the intercom/intercom-php repository on GitHub, containing a Composer plugin that downloaded the Bun JavaScript runtime and executed an obfuscated credential-harvesting payload, targeting cloud provider credentials, environment variables, SSH keys, and CI/CD secrets.","title":"Compromised intercom-php Package on GitHub","url":"https://feed.craftedsignal.io/briefs/2026-05-intercom-php-supply-chain/"}],"language":"en","title":"CraftedSignal Threat Feed — Mini Shai-Hulud","version":"https://jsonfeed.org/version/1.1"}