{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/intercom/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Mini Shai-Hulud"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["intercom-php"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","github"],"_cs_type":"threat","_cs_vendors":["Intercom","GitHub"],"content_html":"\u003cp\u003eOn April 30, 2026, the intercom/intercom-php repository on GitHub was subject to a supply chain attack. A compromised service account, \u003ccode\u003egithub-management-service\u003c/code\u003e, was used to push a malicious commit tagged as version 5.0.2. This attack is part of the broader \u0026ldquo;Mini Shai-Hulud\u0026rdquo; campaign, which also targeted the \u003ccode\u003eintercom-client\u003c/code\u003e package on npm. The malicious version of \u003ccode\u003eintercom-php\u003c/code\u003e included a Composer plugin designed to act as a dropper. It downloaded the Bun JavaScript runtime (version 1.3.13) and executed an obfuscated credential-harvesting payload. The malicious tag was live for approximately 1 hour and 44 minutes, between 20:53 UTC and 22:37 UTC on April 30, 2026, before being identified and reverted. This incident highlights the risk of supply chain attacks targeting widely-used packages and the potential for significant credential compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA compromised service account (\u003ccode\u003egithub-management-service\u003c/code\u003e) pushes a malicious commit to the \u003ccode\u003eintercom/intercom-php\u003c/code\u003e repository.\u003c/li\u003e\n\u003cli\u003eThe malicious commit is tagged as version 5.0.2 and published to GitHub.\u003c/li\u003e\n\u003cli\u003eDevelopers using \u003ccode\u003eintercom-php\u003c/code\u003e may inadvertently install the malicious version via \u003ccode\u003ecomposer update\u003c/code\u003e or \u003ccode\u003ecomposer install\u003c/code\u003e if performed during the compromised window.\u003c/li\u003e\n\u003cli\u003eThe Composer plugin within the malicious package is executed during the installation process.\u003c/li\u003e\n\u003cli\u003eThe plugin downloads the Bun JavaScript runtime (version 1.3.13) to the affected system.\u003c/li\u003e\n\u003cli\u003eThe Bun runtime executes an obfuscated JavaScript payload.\u003c/li\u003e\n\u003cli\u003eThe JavaScript payload attempts to harvest credentials, including cloud provider credentials (AWS, GCP, Azure), environment variables, .env files, SSH keys, local configuration files, and CI/CD secrets.\u003c/li\u003e\n\u003cli\u003eThe harvested credentials could then be exfiltrated by the attacker for unauthorized access to cloud resources and sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack directly compromised the \u003ccode\u003eintercom-php\u003c/code\u003e package, potentially affecting any project that installed or updated to version 5.0.2 between 20:53 UTC and 22:37 UTC on April 30, 2026. Successful exploitation leads to the theft of sensitive credentials, including those for major cloud providers (AWS, GCP, Azure), potentially granting attackers access to critical infrastructure and sensitive data. Even a short window of exposure can lead to widespread compromise if a large number of projects pull the malicious package.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately check if your projects installed \u003ccode\u003eintercom/intercom-php\u003c/code\u003e version 5.0.2 between 20:53 and 22:37 UTC on April 30, 2026, using \u003ccode\u003ecomposer show intercom/intercom-php --version\u003c/code\u003e as indicated in the overview.\u003c/li\u003e\n\u003cli\u003eIf the project installed the malicious version, treat all credentials accessible from that environment as compromised and rotate them, as mentioned in the Workarounds section.\u003c/li\u003e\n\u003cli\u003eClear the Composer cache using \u003ccode\u003ecomposer clear-cache\u003c/code\u003e to prevent further installations of the malicious package, as recommended in the Patches section.\u003c/li\u003e\n\u003cli\u003eVerify the commit hash in your \u003ccode\u003ecomposer.lock\u003c/code\u003e file against the malicious hash \u003ccode\u003ee69bf4b3\u003c/code\u003e and the clean hash \u003ccode\u003e9371eba9\u003c/code\u003e, as suggested in the Overview and Workarounds sections.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Bun Execution\u003c/code\u003e to identify instances where the Bun JavaScript runtime is executed, potentially indicating malicious activity from the dropper.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to effectively utilize the \u003ccode\u003eDetect Bun Execution\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T12:00:00Z","date_published":"2026-05-08T12:00:00Z","id":"/briefs/2026-05-intercom-php-supply-chain/","summary":"A malicious commit tagged as version 5.0.2 was pushed to the intercom/intercom-php repository on GitHub, containing a Composer plugin that downloaded the Bun JavaScript runtime and executed an obfuscated credential-harvesting payload, targeting cloud provider credentials, environment variables, SSH keys, and CI/CD secrets.","title":"Compromised intercom-php Package on GitHub","url":"https://feed.craftedsignal.io/briefs/2026-05-intercom-php-supply-chain/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["intercom-client (= 7.0.4)","AWS","GCP","Azure","github.com","npm"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","npm"],"_cs_type":"advisory","_cs_vendors":["npm","GitHub","Amazon","Google","Microsoft","Intercom"],"content_html":"\u003cp\u003eOn April 30, 2026, version 7.0.4 of the intercom-client npm package was published using a compromised developer account. This version was not created through Intercom\u0026rsquo;s official build pipeline. The malicious package contained an obfuscated JavaScript payload that was designed to execute upon installation via a \u003ccode\u003epreinstall\u003c/code\u003e hook. This payload was designed to harvest sensitive credentials from the environment in which it was running, including cloud provider credentials (AWS, GCP, and Azure), environment variables, \u003ccode\u003e.env\u003c/code\u003e files, GitHub and npm tokens, SSH keys, local configuration files, and cloud metadata service credentials. The stolen credentials were then exfiltrated to attacker-controlled GitHub repositories. The compromised package was available on npm for approximately 2 hours, between 15:00 and 17:00 UTC. This incident is part of the \u0026ldquo;Mini Shai-Hulud\u0026rdquo; supply chain campaign, as tracked by Wiz and Socket. Developers are advised to check their projects for the presence of version 7.0.4 using \u003ccode\u003enpm list intercom-client\u003c/code\u003e and rotate credentials if found.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a developer account with publishing privileges for the intercom-client npm package.\u003c/li\u003e\n\u003cli\u003eThe attacker publishes a malicious version of the intercom-client package (version 7.0.4) to npm.\u003c/li\u003e\n\u003cli\u003eThe malicious package includes an obfuscated JavaScript payload within a \u003ccode\u003epreinstall\u003c/code\u003e hook.\u003c/li\u003e\n\u003cli\u003eWhen a developer installs the compromised package using \u003ccode\u003enpm install intercom-client\u003c/code\u003e, the \u003ccode\u003epreinstall\u003c/code\u003e script automatically executes.\u003c/li\u003e\n\u003cli\u003eThe obfuscated JavaScript payload harvests credentials from the environment, including cloud provider credentials (AWS, GCP, Azure), environment variables, .env files, GitHub and npm tokens, SSH keys, local configuration files, and cloud metadata service credentials.\u003c/li\u003e\n\u003cli\u003eThe harvested data is exfiltrated to attacker-controlled GitHub repositories.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the stolen credentials, potentially allowing them to compromise cloud infrastructure, source code repositories, and other sensitive resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the intercom-client npm package resulted in the potential theft of sensitive credentials, including cloud provider credentials, API keys, and SSH keys. The impact could include unauthorized access to cloud infrastructure, source code repositories, and other sensitive resources. This attack affects any developer or organization that installed version 7.0.4 of the intercom-client package between 15:00 and 17:00 UTC on April 30, 2026. The long-term consequences depend on the extent to which the stolen credentials are used to further compromise systems and data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDowngrade the intercom-client package to version 7.0.3 or earlier to avoid the compromised version, as mentioned in the \u003ca href=\"#patches\"\u003ePatches\u003c/a\u003e section.\u003c/li\u003e\n\u003cli\u003eImmediately rotate all credentials (cloud provider credentials, environment variables, API keys, SSH keys) accessible from any environment where version 7.0.4 was installed, as recommended in the \u003ca href=\"#workarounds\"\u003eWorkarounds\u003c/a\u003e section.\u003c/li\u003e\n\u003cli\u003eReview CI/CD build logs for any \u003ccode\u003enpm install\u003c/code\u003e commands that resolved to version 7.0.4 between 15:00 and 17:00 UTC on April 30, 2026, to identify potentially affected systems, as described in the \u003ca href=\"#workarounds\"\u003eWorkarounds\u003c/a\u003e section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious npm Preinstall Script\u0026rdquo; to identify potentially malicious npm package installations based on unusual script execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T12:00:00Z","date_published":"2026-05-08T12:00:00Z","id":"/briefs/2026-05-npm-intercom-client-compromise/","summary":"A compromised version (7.0.4) of the intercom-client npm package was published using a compromised developer account, containing obfuscated JavaScript that executed during installation to harvest and exfiltrate credentials from the environment, as part of the 'Mini Shai-Hulud' supply chain campaign.","title":"Compromised intercom-client npm Package Exfiltrates Credentials","url":"https://feed.craftedsignal.io/briefs/2026-05-npm-intercom-client-compromise/"}],"language":"en","title":"CraftedSignal Threat Feed — Intercom","version":"https://jsonfeed.org/version/1.1"}