GHSA-gr3r-crp5-qrrm: Compromised tag of intercom-php published via GitHub

On April 30, 2026, a malicious commit was pushed to the intercom/intercom-php repository and tagged as version 5.0.2, using a compromised service account (github-management-service). This occurred as part of the same supply chain attack that affected intercom-client on npm.

The malicious version contained a Composer plugin that acted as a dropper, downloading the Bun JavaScript runtime (version 1.3.13) and executing an obfuscated credential-harvesting payload. The payload targeted cloud provider credentials (AWS, GCP, Azure), environment variables, .env files, SSH keys, local configuration files, and CI/CD secrets.

The malicious tag was live between approximately 20:53 UTC and 22:37 UTC on April 30, 2026, before being identified and reverted to a clean commit.

This compromise is part of the “Mini Shai-Hulud” supply chain campaign tracked by Wiz and Socket.

To check if a consuming project is affected, run: composer show intercom/intercom-php --version. If the project installed or updated between 20:53 and 22:37 UTC on April 30, it may have received the malicious version. The malicious commit hash was e69bf4b3. The clean commit is 9371eba9. Check composer.lock to verify which version the consuming project is using.