Security researchers at Socket have identified a major expansion of the “Mini Shai-Hulud” supply chain campaign, which has now breached the PHP ecosystem via the Packagist repository. The attack targets the widely used intercom/intercom-php package—a library with over 20.7 million lifetime installs—indicating a high-risk exposure for developer environments and CI/CD pipelines.
This discovery reveals a complex attack chain crossing three major software ecosystems: a local compromise in PyPI (lightning) led to an npm breach (intercom-client), which ultimately allowed the threat actor to poison the PHP package artifact.
Unlike the npm variant that used preinstall hooks, the malicious PHP artifact (version 5.0.2) exploits the Composer plugin system to achieve install-time execution. The attacker modified the composer.json file to convert the standard SDK into a “composer-plugin,” allowing it to run scripts as soon as a developer runs composer install or update.
As the Socket report details, “This is not normal behavior for a PHP SDK. A legitimate Intercom PHP API client has no reason to become a Composer plugin, run a shell script during install/update, download a JavaScript runtime, and execute an 11.7 MB obfuscated JavaScript payload”.
Once the Composer plugin is triggered, it executes setup-intercom.sh, which downloads the Bun JavaScript runtime to launch a heavily obfuscated payload named router_runtime.js. This payload is a surgical tool designed for mass credential theft and further propagation.
The malware specifically hunts for:
- Cloud & Infrastructure: AWS, Azure, and GCP credentials, plus Kubernetes service account tokens.
- Developer Secrets: GitHub CLI tokens, npm tokens, SSH private keys, and Docker registry credentials.
- Environment Files: .env files, shell history, and application configs like wp-config.php.
To evade detection, the malware utilizes daemonization—running in the background as a detached process—and exfiltrates stolen data via an encrypted tunnel to zero[.]masscan[.]cloud.
The “Mini Shai-Hulud” campaign is designed to be self-sustaining. The payload includes logic to use stolen GitHub credentials to create new repositories or modify existing ones. It often hides its presence by committing files into hidden directories like .claude/ or .vscode/ using spoofed metadata:
- Commit Message: chore: update dependencies
- Author: claude <claude@users.noreply.github.com>
This allows the malware to blend into legitimate developer workflows while it spreads to new targets.
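The spoofed commit metadata above is something a defender can hunt for directly in repository history. The following scanner is an added example (editorial code, not Socket's detection logic or anything from the campaign); it parses the output of a custom `git log` format that is an assumed convention, and it flags a commit when the author is the spoofed noreply identity or when a "chore: update dependencies" message writes only into `.claude/` or `.vscode/`, while leaving a genuine dependency bump that touches `composer.json`/`composer.lock` alone. The sample log and the commit hashes in it are constructed.

```python
"""Scan git history for commits matching the "Mini Shai-Hulud" propagation
pattern: a spoofed author, a dependency-update message, and files dropped
into hidden tool directories. Added example; not Socket's detection logic."""
from dataclasses import dataclass, field

SPOOFED_AUTHOR = "claude@users.noreply.github.com"   # from the advisory
SPOOFED_SUBJECT = "chore: update dependencies"        # from the advisory
HIDDEN_DIRS = (".claude/", ".vscode/")                 # from the advisory

# Constructed sample of:  git log --format='COMMIT %H|%ae|%s' --name-only
# (hashes are placeholders). Three commits: a normal fix, a spoofed payload drop,
# and a genuine dependency bump that must NOT be flagged.
SAMPLE_LOG = """COMMIT 1111111111111111111111111111111111111111|dev@example.com|Fix null check in webhook handler

src/Webhook.php
COMMIT 2222222222222222222222222222222222222222|claude@users.noreply.github.com|chore: update dependencies

.claude/settings.json
.vscode/launch.json
COMMIT 3333333333333333333333333333333333333333|dev@example.com|chore: update dependencies

composer.json
composer.lock
"""


@dataclass
class Commit:
    sha: str
    email: str
    subject: str
    files: list = field(default_factory=list)


def parse_git_log(text):
    """Parse the custom --format/--name-only output above into Commit records.
    Each 'COMMIT ' line starts a record; following non-blank lines are paths."""
    commits = []
    for line in text.splitlines():
        if line.startswith("COMMIT "):
            sha, email, subject = line[len("COMMIT "):].split("|", 2)
            commits.append(Commit(sha, email, subject))
        elif line.strip() and commits:
            commits[-1].files.append(line.strip())
    return commits


def suspicious_reasons(c):
    """Return the reasons a commit looks like the spoofed propagation commit."""
    reasons = []
    hidden = [f for f in c.files if f.startswith(HIDDEN_DIRS)]
    if c.email.lower() == SPOOFED_AUTHOR:
        reasons.append("author is the spoofed noreply identity")
    if hidden and c.subject.strip().lower() == SPOOFED_SUBJECT:
        # A real dependency bump touches manifests/lock files, not editor config.
        reasons.append("dependency-update message but writes " + ", ".join(hidden))
    return reasons


def find_suspicious(log_text):
    """Map sha -> reasons for every commit that triggers at least one rule."""
    return {c.sha: r for c in parse_git_log(log_text) if (r := suspicious_reasons(c))}


if __name__ == "__main__":
    for sha, reasons in find_suspicious(SAMPLE_LOG).items():
        print(sha[:12], "; ".join(reasons))
```

To run it against a real repository, produce the log with `git log --format='COMMIT %H|%ae|%s' --name-only` and pass the text to `find_suspicious`; the `split("|", 2)` keeps a subject line intact even if it contains a pipe character.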
Socket’s AI scanner detected the malicious code just 14 minutes after its release, and the artifact has since been removed from Packagist. However, any organization that performed a build using intercom/intercom-php@5.0.2 on April 30, 2026, must treat its environment as compromised.
Recommended Actions:
- Audit: Search for the installation of version 5.0.2 in all environments.
- Cleanse: Remove the malicious artifact and reinstall from a verified, known-good source.
- Rotate: Immediately rotate all cloud credentials (AWS/Azure/GCP), GitHub/npm tokens, and SSH keys that were present on the host.
- Review: Check repositories for unauthorized commits or hidden payload files in .claude or .vscode folders.
Because this malware executes at the time of installation, your system is exposed even if your application never actually calls the Intercom library.
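Composer only runs the `scripts` section of the root package, which is why a dependency that wants install-time execution has to declare itself a `composer-plugin`, as the hijacked SDK did. The following audit script is an added example (editorial code, not Socket's scanner or Intercom's SDK) covering the Composer plugin mechanism described earlier and the "Audit" step above: it reads a project's `composer.json` and `composer.lock`, flags the known-bad `intercom/intercom-php` 5.0.2 artifact, reports any lock-file package of type `composer-plugin` that is not on an expected list, and warns when `config.allow-plugins` is set to `true`, which lets every plugin dependency load without a prompt. The sample manifests embedded in it are constructed and are not the real malicious files.

```python
"""Audit a Composer project for the intercom/intercom-php 5.0.2 artifact and for
dependencies that have been turned into install-time plugins.
Added example: editorial code, not Socket's scanner or Intercom's SDK."""
import json
import os
from fnmatch import fnmatch

# The known-bad artifact named in the advisory (name, version).
KNOWN_BAD = {("intercom/intercom-php", "5.0.2")}

# Constructed sample root composer.json. "allow-plugins": true tells Composer to
# load every dependency that declares itself a plugin, so a hijacked package
# runs code on composer install/update without any further prompt.
ROOT_COMPOSER_JSON = """{
  "require": {"intercom/intercom-php": "^5.0", "composer/installers": "^2.2"},
  "config": {"allow-plugins": true}
}"""

# Constructed sample composer.lock (NOT the real malicious manifest): a plugin
# the project expects, and an SDK that should be a plain "library" but has
# been switched to "composer-plugin" as the advisory describes.
COMPOSER_LOCK = """{
  "packages": [
    {"name": "composer/installers", "version": "v2.2.0", "type": "composer-plugin"},
    {"name": "intercom/intercom-php", "version": "5.0.2", "type": "composer-plugin",
     "require": {"composer-plugin-api": "^2.0"}}
  ],
  "packages-dev": []
}"""


def plugin_is_allowed(name, allow):
    """Mirror Composer's config.allow-plugins: true/false, or a map of
    package-name patterns (fnmatch style) to booleans."""
    if allow is True:
        return True
    if not isinstance(allow, dict):
        return False
    return any(ok for pat, ok in allow.items() if fnmatch(name, pat))


def audit(root_json_text, lock_text, expected_plugins=()):
    """Return a list of (package-or-'config', finding) tuples."""
    root = json.loads(root_json_text)
    lock = json.loads(lock_text)
    allow = root.get("config", {}).get("allow-plugins", False)
    findings = []
    if allow is True:
        findings.append(("config", "allow-plugins is true: any plugin dependency may run code at install time"))
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "")
        version = pkg.get("version", "").lstrip("v")  # lock files mix "v2.2.0" and "5.0.2"
        if (name, version) in KNOWN_BAD:
            findings.append((name, f"known malicious artifact {version}; rebuild and rotate credentials"))
        if pkg.get("type") == "composer-plugin" and name not in expected_plugins:
            state = "loaded" if plugin_is_allowed(name, allow) else "blocked by allow-plugins"
            findings.append((name, f"unexpected composer-plugin ({state})"))
    return findings


def audit_project(project_dir, expected_plugins=()):
    """Run audit() on the composer.json/composer.lock found in project_dir."""
    with open(os.path.join(project_dir, "composer.json"), encoding="utf-8") as f:
        root = f.read()
    with open(os.path.join(project_dir, "composer.lock"), encoding="utf-8") as f:
        lock = f.read()
    return audit(root, lock, expected_plugins)


if __name__ == "__main__":
    for subject, finding in audit(ROOT_COMPOSER_JSON, COMPOSER_LOCK, {"composer/installers"}):
        print(f"{subject}: {finding}")
```

Run `audit_project` over each checkout and CI workspace with the set of plugins the project legitimately uses as `expected_plugins`; a `composer-plugin` that shows up outside that set, or an `allow-plugins: true` setting in the root manifest, is worth investigating even when the version is not the one named in this advisory.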