WeSearch

Mini Shai-Hulud in Intercom Package Spreads to Packagist Using Composer Plugin

·3 min read · 0 reactions · 0 comments · 2 views
Mini Shai-Hulud in Intercom Package Spreads to Packagist Using Composer Plugin

intercom/intercom-php 5.0.2 was compromised and converted into a Composer plugin that exfiltrates credentials at install time, extending the Mini Shai-Hulud campaign to PHP.

Original article
Semgrep
Read full at Semgrep →
Opening excerpt (first ~120 words) tap to expand

After compromising Lightning on PyPi earlier today, the same attackers compromised the intercom/intercom-php package version 5.0.2 on Packagist by overwriting the existing version with malicious code that converts it into a Composer plugin. The malicious plugin executes during package installation, downloading Bun JavaScript runtime and running an obfuscated credential-stealing payload. This represents an expansion of the Mini Shai-Hulud campaign from npm to the PHP ecosystem, using Composer's plugin system for install-time execution.

Excerpt limited to ~120 words for fair-use compliance. The full article is at Semgrep.

Anonymous · no account needed
Share 𝕏 Facebook Reddit LinkedIn Threads WhatsApp Bluesky Mastodon Email

Discussion

0 comments

More from Semgrep

Shai-Hulud Themed Malware Found in the PyTorch Lightning AI Training Library
Semgrep·6
Trump nominates Fox News doctor to be the next surgeon general
Ars Technica - All content·6
How bots could help revive democracy
International homepage·5
Zelenskyy’s push for EU membership strains ties with allies
International homepage·6
Dwayne ‘The Rock’ Johnson pulled over by police in Hollywood following co-star’s Walk of Fame ceremony
New York Post·5
PwC will drop cover for weight-loss drugs from employee health plans
International homepage·7