Severity: critical

Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise

The Mini Shai-Hulud supply chain attack campaign has expanded into the PHP ecosystem by compromising the widely used intercom/intercom-php package on Packagist. The malicious artifact abuses Composer plugin execution to download the Bun runtime and execute an obfuscated JavaScript payload designed to harvest and exfiltrate sensitive credentials from developer environments and CI/CD pipelines.

Sensitivity: Immediate · Confidence: high · Analyzed: 2026-05-01
Actors: Mini Shai-Hulud
Source: Socket


What Happened

Attackers compromised a popular software building block called 'intercom/intercom-php' by sneaking malicious code into version 5.0.2. Software developers, servers, and automated building systems that downloaded or updated to this specific version are affected. The malicious code secretly steals highly sensitive passwords, cloud access keys, and source code tokens, which could allow attackers to breach company networks and spread the infection further. Organizations must immediately check if they use this version, remove it, and change any passwords or access keys that were stored on the affected computers.

Key Takeaways

  • The Mini Shai-Hulud campaign has expanded to the PHP ecosystem via a compromised Packagist package (intercom/intercom-php@5.0.2).
  • The malicious package abuses Composer's plugin system to execute a shell script during installation.
  • The script downloads the Bun runtime and executes an obfuscated JavaScript payload (router_runtime.js) to harvest and exfiltrate developer and CI/CD secrets.
  • The root cause traces back to a compromised PyPI package (lightning via pyannote-audio), which led to an npm compromise, and subsequently this PHP package.
  • The malware can propagate by abusing stolen npm tokens and GitHub credentials to modify and republish other packages.

Affected Systems

  • PHP projects, Laravel applications, and backend services installing intercom/intercom-php@5.0.2
  • CI/CD pipelines and build runners
  • Developer workstations

Attack Chain

The attack begins when a developer or CI/CD pipeline installs or updates the compromised intercom/intercom-php@5.0.2 package. During installation, a malicious Composer plugin executes setup-intercom.sh, which downloads the Bun JavaScript runtime. Bun then executes an obfuscated JavaScript payload (router_runtime.js) that harvests credentials from environment variables, AWS, GCP, Kubernetes, Vault, and other secret managers. The stolen data is encrypted using AES-256-GCM and exfiltrated to zero.masscan.cloud or via GitHub repositories, while the malware attempts to propagate by abusing stolen npm and GitHub tokens.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.) but lists file hashes, network indicators, and strings for threat hunting.

Detection Engineering Assessment

EDR Visibility: High. EDR solutions should easily detect a PHP process (Composer) spawning a shell script that downloads a binary (Bun) and executes a JavaScript file, which then reads sensitive files and makes external network connections.

Network Visibility: Medium. Network monitoring can detect connections to the hardcoded exfiltration domain (zero.masscan.cloud) and downloads of the Bun runtime from GitHub Releases, though exfiltration via the GitHub API may blend with legitimate traffic.

Detection Difficulty: Moderate. While the initial execution via a Composer plugin might blend in with normal package installations, the subsequent behavior (downloading Bun, executing obfuscated JS, accessing multiple secret stores) is highly anomalous.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • File Creation (Sysmon Event ID 11)
  • Network Connections (Sysmon Event ID 3)
  • Composer execution logs

Hunting Hypotheses

| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for Composer processes (php) spawning shell scripts (sh/bash) that subsequently download and execute the Bun runtime. | Process creation logs (EDR/Sysmon) | Execution | Low |
| Search for network connections to zero.masscan.cloud originating from developer workstations or CI/CD build nodes. | DNS/Network connection logs | Exfiltration | Low |
| Identify unexpected creation of hidden directories like .claude/ or .vscode/ containing JavaScript files (router_runtime.js, setup.mjs) within project repositories. | File creation logs | Persistence | Medium |
| Monitor for processes executing with the __DAEMONIZED flag or detached spawns originating from package manager installations. | Process creation logs | Execution | Medium |
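The four hunting hypotheses above, expressed as detection logic over a constructed set of Sysmon-style events. This is an added example and not code from the original report or from Socket; the event field names are assumptions modelled on Sysmon Event IDs 1 (process creation), 3 (network connection) and 11 (file creation), and the sample events are constructed, not real telemetry. The indicators (the exfiltration domain, the payload paths under .claude/ and .vscode/, the __DAEMONIZED flag) are the ones listed on this page.

```python
"""Hunting logic for the Mini Shai-Hulud Composer chain (added example)."""
from dataclasses import dataclass

# Indicators taken from the report
EXFIL_DOMAIN = "zero.masscan.cloud"
PAYLOAD_PATHS = (".claude/router_runtime.js", ".claude/setup.mjs",
                 ".claude/settings.json", ".vscode/setup.mjs", ".vscode/tasks.json")
SHELLS = {"sh", "bash", "dash", "zsh"}


@dataclass
class Event:
    """Minimal Sysmon-like event (assumed schema, not Sysmon's real field names)."""
    event_id: int          # 1 = process create, 3 = network connect, 11 = file create
    pid: int
    ppid: int = 0
    image: str = ""        # executable basename (event 1)
    cmdline: str = ""      # full command line (event 1)
    dest_host: str = ""    # destination hostname (event 3)
    target_file: str = ""  # created file path (event 11)


def hunt(events):
    """Return (hypothesis, pid, detail) tuples for every event matching a hypothesis."""
    findings = []
    by_pid = {e.pid: e for e in events if e.event_id == 1}

    def ancestry(e):
        # Walk parent links to build [image, parent image, grandparent image, ...]
        chain, cur, seen = [], e, set()
        while cur is not None and cur.pid not in seen:
            seen.add(cur.pid)
            chain.append(cur.image)
            cur = by_pid.get(cur.ppid)
        return chain

    for e in events:
        if e.event_id == 1:
            chain = ancestry(e)
            # H1: Bun executed beneath a shell that was itself spawned under php (Composer)
            if e.image == "bun" and "php" in chain and any(s in chain for s in SHELLS):
                findings.append(("H1_composer_shell_bun", e.pid, " <- ".join(chain)))
            # H4: daemonization flag on a process descended from the package install
            if "__DAEMONIZED" in e.cmdline and ("php" in chain or "bun" in chain):
                findings.append(("H4_daemonized_flag", e.pid, e.cmdline))
        elif e.event_id == 3 and e.dest_host.lower().rstrip(".") == EXFIL_DOMAIN:
            # H2: any connection to the hardcoded exfiltration domain
            findings.append(("H2_exfil_domain", e.pid, e.dest_host))
        elif e.event_id == 11:
            # H3: payload files written into a repository's .claude/ or .vscode/ directory
            path = e.target_file.replace("\\", "/")
            if any(path.endswith(p) for p in PAYLOAD_PATHS):
                findings.append(("H3_payload_file", e.pid, e.target_file))
    return findings


# Constructed sample telemetry: one malicious install chain plus benign noise
SAMPLE_EVENTS = [
    Event(1, 100, 1, "php", "php composer.phar install"),
    Event(1, 101, 100, "sh", "sh setup-intercom.sh"),
    Event(1, 102, 101, "curl", "curl -L <bun-release-url>"),      # placeholder URL
    Event(1, 103, 101, "bun", "bun .claude/router_runtime.js"),
    Event(1, 104, 103, "bun", "bun .claude/router_runtime.js __DAEMONIZED"),
    Event(3, 103, dest_host="zero.masscan.cloud"),
    Event(11, 101, target_file="/srv/app/.claude/router_runtime.js"),
    Event(1, 200, 1, "php", "php artisan serve"),                  # benign
    Event(1, 201, 200, "sh", "sh -c ls"),                          # benign
    Event(3, 200, dest_host="api.example.invalid"),                # benign
]

if __name__ == "__main__":
    for hypothesis, pid, detail in hunt(SAMPLE_EVENTS):
        print(f"{hypothesis:24} pid={pid} {detail}")
```

The ancestry walk matters more than any single image name: a shell under php is routine in Laravel and Artisan workflows, and Bun on its own is a legitimate runtime, so the rule fires only on the combination the report describes. In a real deployment the same predicates map onto a SIEM query joining process-creation rows on parent PID.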

Control Gaps

  • Lack of immutability in Packagist allowing force-updated Git tags to replace package contents
  • Unrestricted Composer plugin execution during package installation

Key Behavioral Indicators

  • Composer executing setup-intercom.sh
  • Bun runtime downloaded during PHP package installation
  • Creation of router_runtime.js
  • Commits by claude@users.noreply.github.com or leeFengHuo

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Audit all environments for the installation of intercom/intercom-php@5.0.2.
  • Remove the malicious artifact and reinstall only from a known-good source.
  • Rotate all potentially exposed credentials (GitHub, npm, SSH, AWS, GCP, Kubernetes, Vault, Docker, .env secrets).

Infrastructure Hardening

  • Restrict or disable Composer plugin execution globally unless explicitly required and verified.
  • Implement egress filtering on CI/CD nodes to block unauthorized outbound connections (e.g., to zero.masscan.cloud).
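A project-level audit that covers the Immediate Mitigation and Infrastructure Hardening items above, written as an added example (not code from the report, from Socket or from Composer). It reads composer.lock for the affected intercom/intercom-php 5.0.2 release, checks the tree for the payload paths listed under Additional IOCs, and inspects the `config.allow-plugins` setting in composer.json, which is the documented Composer 2.2+ mechanism for restricting plugin execution. The project it audits is a constructed fixture written to a temporary directory; the file contents follow Composer's lock and config schema but are otherwise invented.

```python
"""Audit a PHP project for the affected release and unrestricted plugin execution (added example)."""
import json
import os
import tempfile

# Affected release from the report; lock files may carry a leading "v" on the version
AFFECTED = {"intercom/intercom-php": {"5.0.2"}}
PAYLOAD_PATHS = (".claude/router_runtime.js", ".claude/setup.mjs", ".claude/settings.json",
                 ".vscode/setup.mjs", ".vscode/tasks.json")


def audit_project(root):
    """Return a list of human-readable findings for the project rooted at `root`."""
    findings = []

    lock = os.path.join(root, "composer.lock")
    if os.path.isfile(lock):
        with open(lock) as fh:
            data = json.load(fh)
        for section in ("packages", "packages-dev"):
            for pkg in data.get(section, []):
                ver = str(pkg.get("version", "")).lstrip("v")
                if ver in AFFECTED.get(pkg.get("name"), set()):
                    findings.append(f"locked affected release {pkg['name']}@{ver} ({section})")

    cj = os.path.join(root, "composer.json")
    if os.path.isfile(cj):
        with open(cj) as fh:
            cfg = json.load(fh).get("config", {})
        allow = cfg.get("allow-plugins")
        if allow is True:
            findings.append("config.allow-plugins is true: every plugin may run on install")
        elif allow is None:
            findings.append("config.allow-plugins not set: plugin policy is not pinned")
        elif isinstance(allow, dict):
            # Wildcard entries (documented Composer syntax) allow plugins nobody has reviewed
            for name, ok in allow.items():
                if ok and "*" in name:
                    findings.append(f"config.allow-plugins wildcard '{name}' allows unreviewed plugins")

    for rel in PAYLOAD_PATHS:
        if os.path.exists(os.path.join(root, rel)):
            findings.append(f"payload artifact present: {rel}")
    return findings


def write_demo_project(root, version="v5.0.2", allow_plugins=True, with_payload=True):
    """Constructed fixture resembling an affected project (not a real capture)."""
    lock = {"packages": [{"name": "intercom/intercom-php", "version": version},
                         {"name": "monolog/monolog", "version": "3.5.0"}],
            "packages-dev": []}
    with open(os.path.join(root, "composer.lock"), "w") as fh:
        json.dump(lock, fh)
    with open(os.path.join(root, "composer.json"), "w") as fh:
        json.dump({"require": {"intercom/intercom-php": "^5.0"},
                   "config": {"allow-plugins": allow_plugins}}, fh)
    if with_payload:
        os.makedirs(os.path.join(root, ".claude"), exist_ok=True)
        open(os.path.join(root, ".claude", "router_runtime.js"), "w").close()


def run_demo():
    """Audit one affected fixture and one clean one; returns both finding lists."""
    with tempfile.TemporaryDirectory() as bad, tempfile.TemporaryDirectory() as good:
        write_demo_project(bad)
        write_demo_project(good, version="v5.0.1", allow_plugins={"vendor/approved-plugin": True},
                           with_payload=False)
        return audit_project(bad), audit_project(good)


if __name__ == "__main__":
    affected, clean = run_demo()
    print("affected project:", *affected, sep="\n  ")
    print("clean project:", clean or "no findings")
```

The audit is a first pass, not proof of absence: a runner that installed 5.0.2 and has since updated will show a clean lock file, so the credential rotation in the Immediate Mitigation list should be driven by install history (CI logs, Composer cache) rather than by the lock file alone. Pinning `allow-plugins` to an explicit allowlist of vendor/package names is the hardening the page recommends; a blanket `true` is what let the malicious plugin run.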

User Protection

  • Review developer workstations for suspicious files in .claude/ or .vscode/ directories.
  • Enforce strict least-privilege access for developer tokens and cloud credentials.

Security Awareness

  • Educate developers on the risks of supply chain attacks and the importance of verifying package integrity.
  • Train teams to monitor for unexpected installation scripts or plugin executions during dependency updates.

MITRE ATT&CK Mapping

  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1059.007 - Command and Scripting Interpreter: JavaScript
  • T1552.001 - Unsecured Credentials: Credentials In Files
  • T1552.004 - Unsecured Credentials: Private Keys
  • T1552.007 - Unsecured Credentials: Cloud Instance Metadata API
  • T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1140 - Deobfuscate/Decode Files or Information
  • T1573.002 - Encrypted Channel: Asymmetric Cryptography

Additional IOCs

  • Domains:
    • zero[.]masscan[.]cloud - Exfiltration domain
  • Urls:
    • hxxps://zero[.]masscan[.]cloud:443/v1/telemetry - Exfiltration URL
  • File Hashes:
    • 907aec5b1288057a3e0885226918b6930a62a0f348ce23de026a683238c7903e (SHA256) - composer.json
    • b084743bd16043461e68b604dde80a8b386b405eae6f66c1103fb4fd6831d4a7 (SHA256) - src/composerPlugin.php
  • File Paths:
    • /tmp/tmp.987654321.lock - Suspicious lock file path
    • .claude/router_runtime.js - Payload file written to repository path
    • .claude/setup.mjs - Payload file written to repository path
    • .claude/settings.json - Payload file written to repository path
    • .vscode/setup.mjs - Payload file written to repository path
    • .vscode/tasks.json - Payload file written to repository path
    • results/results-*.json - Suspicious results file path
    • package-updated.tgz - Suspicious package tarball path
  • Other:
    • e8a812c5ea7d8c7ed642b0d82754ced6a99025b0 - Git commit hash used in force-update
    • e69bf4b3e84e7951a7b4ded8fee8822c57630cf8 - Git commit hash used in force-update
    • leeFengHuo - Spoofed GitHub author metadata
    • claude@users.noreply.github.com - Spoofed GitHub author email
    • A Mini Shai-Hulud has Appeared - GitHub repository description string
    • EveryBoiWeBuildIsAWormyBoi - String for threat hunting
    • Exiting as russian language detected! - String for threat hunting
    • __DAEMONIZED - Daemonization flag used for stealth/persistence