https://feed.craftedsignal.io/vendors/intercom/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 08 May 2026 12:00:00 +0000https://feed.craftedsignal.io/briefs/2026-05-intercom-php-supply-chain/Fri, 08 May 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-intercom-php-supply-chain/A malicious commit tagged as version 5.0.2 was pushed to the intercom/intercom-php repository on GitHub, containing a Composer plugin that downloaded the Bun JavaScript runtime and executed an obfuscated credential-harvesting payload, targeting cloud provider credentials, environment variables, SSH keys, and CI/CD secrets.On April 30, 2026, the intercom/intercom-php repository on GitHub was subject to a supply chain attack. A compromised service account, github-management-service, was used to push a malicious commit tagged as version 5.0.2. This attack is part of the broader “Mini Shai-Hulud” campaign, which also targeted the intercom-client package on npm. The malicious version of intercom-php included a Composer plugin designed to act as a dropper. It downloaded the Bun JavaScript runtime (version 1.3.13) and executed an obfuscated credential-harvesting payload. The malicious tag was live for approximately 1 hour and 44 minutes, between 20:53 UTC and 22:37 UTC on April 30, 2026, before being identified and reverted. This incident highlights the risk of supply chain attacks targeting widely-used packages and the potential for significant credential compromise.

Attack Chain

1. A compromised service account (github-management-service) pushes a malicious commit to the intercom/intercom-php repository.
2. The malicious commit is tagged as version 5.0.2 and published to GitHub.
3. Developers using intercom-php may inadvertently install the malicious version via composer update or composer install if performed during the compromised window.
4. The Composer plugin within the malicious package is executed during the installation process.
5. The plugin downloads the Bun JavaScript runtime (version 1.3.13) to the affected system.
6. The Bun runtime executes an obfuscated JavaScript payload.
7. The JavaScript payload attempts to harvest credentials, including cloud provider credentials (AWS, GCP, Azure), environment variables, .env files, SSH keys, local configuration files, and CI/CD secrets.
8. The harvested credentials could then be exfiltrated by the attacker for unauthorized access to cloud resources and sensitive data.

Impact

This supply chain attack directly compromised the intercom-php package, potentially affecting any project that installed or updated to version 5.0.2 between 20:53 UTC and 22:37 UTC on April 30, 2026. Successful exploitation leads to the theft of sensitive credentials, including those for major cloud providers (AWS, GCP, Azure), potentially granting attackers access to critical infrastructure and sensitive data. Even a short window of exposure can lead to widespread compromise if a large number of projects pull the malicious package.

Recommendation

• Immediately check if your projects installed intercom/intercom-php version 5.0.2 between 20:53 and 22:37 UTC on April 30, 2026, using composer show intercom/intercom-php --version as indicated in the overview.
• If the project installed the malicious version, treat all credentials accessible from that environment as compromised and rotate them, as mentioned in the Workarounds section.
• Clear the Composer cache using composer clear-cache to prevent further installations of the malicious package, as recommended in the Patches section.
• Verify the commit hash in your composer.lock file against the malicious hash e69bf4b3 and the clean hash 9371eba9, as suggested in the Overview and Workarounds sections.
• Deploy the Sigma rule Detect Bun Execution to identify instances where the Bun JavaScript runtime is executed, potentially indicating malicious activity from the dropper.
• Enable process creation logging with command-line arguments to effectively utilize the Detect Bun Execution Sigma rule.

]]>criticalthreatsupply-chaincredential-theftgithubhttps://feed.craftedsignal.io/briefs/2026-05-npm-intercom-client-compromise/Fri, 08 May 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-npm-intercom-client-compromise/A compromised version (7.0.4) of the intercom-client npm package was published using a compromised developer account, containing obfuscated JavaScript that executed during installation to harvest and exfiltrate credentials from the environment, as part of the 'Mini Shai-Hulud' supply chain campaign.On April 30, 2026, version 7.0.4 of the intercom-client npm package was published using a compromised developer account. This version was not created through Intercom’s official build pipeline. The malicious package contained an obfuscated JavaScript payload that was designed to execute upon installation via a preinstall hook. This payload was designed to harvest sensitive credentials from the environment in which it was running, including cloud provider credentials (AWS, GCP, and Azure), environment variables, .env files, GitHub and npm tokens, SSH keys, local configuration files, and cloud metadata service credentials. The stolen credentials were then exfiltrated to attacker-controlled GitHub repositories. The compromised package was available on npm for approximately 2 hours, between 15:00 and 17:00 UTC. This incident is part of the “Mini Shai-Hulud” supply chain campaign, as tracked by Wiz and Socket. Developers are advised to check their projects for the presence of version 7.0.4 using npm list intercom-client and rotate credentials if found.

Attack Chain

1. The attacker compromises a developer account with publishing privileges for the intercom-client npm package.
2. The attacker publishes a malicious version of the intercom-client package (version 7.0.4) to npm.
3. The malicious package includes an obfuscated JavaScript payload within a preinstall hook.
4. When a developer installs the compromised package using npm install intercom-client, the preinstall script automatically executes.
5. The obfuscated JavaScript payload harvests credentials from the environment, including cloud provider credentials (AWS, GCP, Azure), environment variables, .env files, GitHub and npm tokens, SSH keys, local configuration files, and cloud metadata service credentials.
6. The harvested data is exfiltrated to attacker-controlled GitHub repositories.
7. The attacker gains access to the stolen credentials, potentially allowing them to compromise cloud infrastructure, source code repositories, and other sensitive resources.

Impact

The compromise of the intercom-client npm package resulted in the potential theft of sensitive credentials, including cloud provider credentials, API keys, and SSH keys. The impact could include unauthorized access to cloud infrastructure, source code repositories, and other sensitive resources. This attack affects any developer or organization that installed version 7.0.4 of the intercom-client package between 15:00 and 17:00 UTC on April 30, 2026. The long-term consequences depend on the extent to which the stolen credentials are used to further compromise systems and data.

Recommendation

• Downgrade the intercom-client package to version 7.0.3 or earlier to avoid the compromised version, as mentioned in the Patches section.
• Immediately rotate all credentials (cloud provider credentials, environment variables, API keys, SSH keys) accessible from any environment where version 7.0.4 was installed, as recommended in the Workarounds section.
• Review CI/CD build logs for any npm install commands that resolved to version 7.0.4 between 15:00 and 17:00 UTC on April 30, 2026, to identify potentially affected systems, as described in the Workarounds section.
• Deploy the Sigma rule “Detect Suspicious npm Preinstall Script” to identify potentially malicious npm package installations based on unusual script execution.

]]>criticaladvisorysupply-chaincredential-theftnpm