Attack Chain

1. A compromised service account (github-management-service) pushes a malicious commit to the intercom/intercom-php repository.
2. The malicious commit is tagged as version 5.0.2 and published to GitHub.
3. Developers using intercom-php may inadvertently install the malicious version via composer update or composer install if performed during the compromised window.
4. The Composer plugin within the malicious package is executed during the installation process.
5. The plugin downloads the Bun JavaScript runtime (version 1.3.13) to the affected system.
6. The Bun runtime executes an obfuscated JavaScript payload.
7. The JavaScript payload attempts to harvest credentials, including cloud provider credentials (AWS, GCP, Azure), environment variables, .env files, SSH keys, local configuration files, and CI/CD secrets.
8. The harvested credentials could then be exfiltrated by the attacker for unauthorized access to cloud resources and sensitive data.

Impact

This supply chain attack directly compromised the intercom-php package, potentially affecting any project that installed or updated to version 5.0.2 between 20:53 UTC and 22:37 UTC on April 30, 2026. Successful exploitation leads to the theft of sensitive credentials, including those for major cloud providers (AWS, GCP, Azure), potentially granting attackers access to critical infrastructure and sensitive data. Even a short window of exposure can lead to widespread compromise if a large number of projects pull the malicious package.

Recommendation

• Immediately check if your projects installed intercom/intercom-php version 5.0.2 between 20:53 and 22:37 UTC on April 30, 2026, using composer show intercom/intercom-php --version as indicated in the overview.
• If the project installed the malicious version, treat all credentials accessible from that environment as compromised and rotate them, as mentioned in the Workarounds section.
• Clear the Composer cache using composer clear-cache to prevent further installations of the malicious package, as recommended in the Patches section.
• Verify the commit hash in your composer.lock file against the malicious hash e69bf4b3 and the clean hash 9371eba9, as suggested in the Overview and Workarounds sections.
• Deploy the Sigma rule Detect Bun Execution to identify instances where the Bun JavaScript runtime is executed, potentially indicating malicious activity from the dropper.
• Enable process creation logging with command-line arguments to effectively utilize the Detect Bun Execution Sigma rule.