
Mini Shai-Hulud reaches Packagist: the intercom/intercom-php compromise explained

On April 30, 2026, the Mini Shai-Hulud campaign moved beyond npm and into Packagist. Attackers replaced the contents of intercom/intercom-php@5.0.2, Intercom's official PHP client (over 20.7 million lifetime installs), with a credential-stealing payload that executed at install time, before any application code ever called the library. PHP teams, Laravel applications, and continuous integration (CI) pipelines that updated to that version may need to treat affected environments as compromised.
How the attack worked
The attack exploited two properties of Packagist that most PHP developers have little reason to question.
Packagist versions are not immutable. The registry mirrors tags from upstream Git repositories, and those tags can be force-updated to point at a different commit. The attacker force-pushed a malicious commit behind the existing 5.0.2 tag, replacing a known-good release without changing its version number. Any developer or CI system that ran composer install or composer update after 20:53 UTC on April 30 received the compromised artifact, even with an explicit version pin.
The malicious composer.json then declared intercom/intercom-php a Composer plugin and subscribed it to the post-install-cmd and post-update-cmd hooks, so Composer ran attacker-controlled code as a normal part of installation; no application ever had to import the library. The plugin executed a shell script that downloaded Bun 1.3.13 from GitHub Releases and ran an 11.7 MB obfuscated JavaScript payload, router_runtime.js, as a background daemon. A legitimate PHP SDK has no business doing any of that.
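The two properties above (a tag re-pointed behind an unchanged version number, and a dependency that turns itself into a Composer plugin hooked into install/update events) both leave traces in composer.lock. The audit below is an added example, not code from the article or from Cloudsmith or Intercom; the lock excerpt, commit hashes and plugin class name are constructed, and the "known-good" references are assumed to have been recorded from a previously reviewed lock file.

```python
import json

# Constructed sample composer.lock excerpt (not real data). The second entry
# mimics the pattern described above: a library whose composer.json now declares
# it a Composer plugin and subscribes it to the install/update hooks.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "monolog/monolog", "version": "3.5.0", "type": "library",
     "source": {"type": "git", "reference": "1111111111111111111111111111111111111111"}},
    {"name": "intercom/intercom-php", "version": "5.0.2", "type": "composer-plugin",
     "source": {"type": "git", "reference": "2222222222222222222222222222222222222222"},
     "extra": {"class": "Constructed\\ExamplePlugin"},
     "scripts": {"post-install-cmd": ["sh install.sh"], "post-update-cmd": ["sh install.sh"]}},
]})

# Composer lifecycle events that fire on every install/update; code subscribed
# here runs before any application code touches the library.
INSTALL_HOOKS = {"pre-install-cmd", "post-install-cmd", "pre-update-cmd",
                 "post-update-cmd", "pre-autoload-dump", "post-autoload-dump"}

def audit_lock(lock_json, allowed_plugins, pinned_refs):
    """Return (package, reason) findings for a composer.lock document.

    allowed_plugins: names of composer-plugin packages you expect to load.
    pinned_refs: {package name: git commit} taken from a known-good lock file;
    a re-pointed tag shows up as a changed reference even though the version
    string (here 5.0.2) is unchanged.
    """
    findings = []
    for pkg in json.loads(lock_json).get("packages", []):
        name = pkg["name"]
        if pkg.get("type") == "composer-plugin" and name not in allowed_plugins:
            findings.append((name, "unexpected composer-plugin"))
        hooks = INSTALL_HOOKS & set(pkg.get("scripts", {}))
        if hooks:
            findings.append((name, "install hooks: " + ", ".join(sorted(hooks))))
        ref = pkg.get("source", {}).get("reference")
        expected = pinned_refs.get(name)
        if expected and ref != expected:
            findings.append((name, f"commit changed {expected[:7]} -> {(ref or '?')[:7]}"))
    return findings

if __name__ == "__main__":
    known_good = {"intercom/intercom-php": "3333333333333333333333333333333333333333"}
    for name, reason in audit_lock(SAMPLE_LOCK, allowed_plugins=set(), pinned_refs=known_good):
        print(f"{name}: {reason}")
```

Composer 2.2 and later also refuses to load plugins that are not listed under config.allow-plugins in the root composer.json, so an explicit allowlist there stops an unexpected plugin from executing at all, independently of this audit.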
What the payload does
router_runtime.js harvests credentials broadly: GitHub CLI tokens, npm tokens, SSH private keys, cloud credentials across AWS, Azure, and Google Cloud Platform (GCP), Docker registry credentials, Kubernetes configuration, HashiCorp Vault tokens, and .env files. It also queries cloud secret-management services directly, e.g., AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, and Kubernetes Secrets.
The payload encrypts stolen data with AES-256-GCM before exfiltrating it to a hardcoded endpoint at zero[.]masscan[.]cloud. If that channel fails, it falls back to GitHub-based exfiltration using any GitHub credentials it has already harvested.
It also carries supply chain propagation logic. Stolen npm tokens let it republish modified packages with injected install-time scripts. It writes payload files into GitHub repositories using commit messages like chore: update dependencies, designed to disappear into normal developer workflows.
How Cloudsmith protects against this
The Mini Shai-Hulud Packagist attack follows the same pattern as the axios npm attack from March: a trusted package, a payload injected silently at install time, and a detection window too narrow for teams pulling directly from public registries to rely on.
Cloudsmith sits between your teams and public registries, applying security controls before packages reach build environments or developer machines. Age-based (cooldown) policies would have caught the compromised 5.0.2 artifact the moment it was published, keeping it out of every build until it cleared a configured minimum age. According to Cloudsmith's internal data, in 2025 99% of malicious npm packages were officially confirmed as malicious within 72 hours. A cooldown policy buys exactly that kind of margin.
Cloudsmith continuously ingests threat intelligence from OSV.dev and the OpenSSF Malicious Packages project. Continuous package enrichment matches cached packages against known malicious identifiers. A positive match triggers security policies, which automatically take whatever action the user has defined (block, quarantine, tag, and so on) without manual triage. Routing all Composer requests through Cloudsmith as an upstream proxy also gives your team a full audit trail of which package versions entered your artifact store and when. Those are the first questions you need to answer when scoping an incident like this.
If you want to understand how these controls apply to your current Packagist and Composer setup, talk to Cloudsmith.