Mini Shai-Hulud in Intercom Package Spreads to Packagist Using Composer Plugin


intercom/intercom-php 5.0.2 was compromised and converted into a Composer plugin that exfiltrates credentials at install time, extending the Mini Shai-Hulud campaign to PHP.

Original article: Semgrep

After compromising Lightning on PyPI earlier today, the same attackers compromised the intercom/intercom-php package version 5.0.2 on Packagist by overwriting the existing version with malicious code that converts it into a Composer plugin. The malicious plugin executes during package installation, downloading the Bun JavaScript runtime and running an obfuscated credential-stealing payload. This represents an expansion of the Mini Shai-Hulud campaign from npm to the PHP ecosystem, using Composer's plugin system for install-time execution.

Excerpt limited to ~120 words for fair-use compliance. The full article is at Semgrep.
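
An added example, not from the Semgrep article or the Intercom package: a Python check over a parsed `composer.lock` and `composer.json` that flags the release named above and every package of type `composer-plugin`, which is the install-time execution path the excerpt describes. The sample data and the `acme/*` package names are constructed, and the sketch assumes the lock file records the compromised release with the plugin type.

```python
import json
from fnmatch import fnmatch

# The release named in the article as compromised.
KNOWN_BAD = {("intercom/intercom-php", "5.0.2")}

def plugin_allowed(name, allow):
    """Mirror composer.json config.allow-plugins: a bool, or a map of name/glob -> bool."""
    if isinstance(allow, bool):
        return allow
    for pattern, value in (allow or {}).items():
        if fnmatch(name, pattern.lower()):
            return bool(value)
    return False

def audit(lock, composer_json):
    """Return sorted (severity, package, reason) findings for parsed lock/manifest data."""
    allow = composer_json.get("config", {}).get("allow-plugins", {})
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "").lower()
            version = pkg.get("version", "").lstrip("v")
            if (name, version) in KNOWN_BAD:
                findings.append(("critical", name, f"version {version} is the compromised release"))
            if pkg.get("type") == "composer-plugin":
                if plugin_allowed(name, allow):
                    findings.append(("review", name, "plugin is allowed to run code at install time"))
                else:
                    findings.append(("warn", name, "plugin type but not listed in allow-plugins"))
    return sorted(findings)

# Constructed sample data, not taken from a real project.
SAMPLE_LOCK = json.loads("""{
  "packages": [
    {"name": "intercom/intercom-php", "version": "5.0.2", "type": "composer-plugin"},
    {"name": "acme/http-client", "version": "v2.1.0", "type": "library"}
  ],
  "packages-dev": [
    {"name": "acme/installer", "version": "1.4.0", "type": "composer-plugin"}
  ]
}""")
SAMPLE_MANIFEST = {"config": {"allow-plugins": {"acme/*": True}}}

if __name__ == "__main__":
    for severity, name, reason in audit(SAMPLE_LOCK, SAMPLE_MANIFEST):
        print(f"[{severity}] {name}: {reason}")
```

To run it against a real project, pass `json.load()` of the project's `composer.lock` and `composer.json` to `audit()`. A `warn` finding on a package that used to be a plain library is the signal to investigate.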
