CVE Reports

Originally published at cvereports.com

GHSA-GR3R-CRP5-QRRM: Supply Chain Compromise in intercom-php via Malicious Composer Plugin

Vulnerability ID: GHSA-GR3R-CRP5-QRRM
CVSS Score: 10.0
Published: 2026-05-07

The intercom/intercom-php package on Packagist was the target of a supply chain compromise attributed to the TeamPCP threat actor group. The attackers published a malicious release, version 5.0.2, that uses a Composer plugin to run arbitrary code during installation and exfiltrates environment variables and other sensitive credentials to an external command-and-control server. Because the payload runs inside Composer's plugin lifecycle, a single composer install or composer update that resolved to 5.0.2 was sufficient; the application never had to call the library.

TL;DR

A malicious version (5.0.2) of intercom/intercom-php was published from a compromised GitHub tag. It carries a malicious Composer plugin that executes automatically during installation and exfiltrates local secrets and environment variables. Every organization that installed this version should treat all credentials reachable from the installing host as exposed and rotate them immediately.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-506 (Embedded Malicious Code) / CWE-912 (Hidden Functionality)
  • Attack Vector: Supply Chain / Malicious Package
  • CVSS Score: 10.0 (Critical)
  • Execution Context: Composer Plugin Lifecycle (code runs during composer install or composer update, before the application itself is ever executed)
  • Primary Impact: Credential Exfiltration
  • Exploit Status: Active Exploitation (Remediated; the malicious version has been removed from Packagist)

Affected Systems

  • Packagist PHP Ecosystem
  • Composer Package Manager Runtime
  • Developer Workstations
  • CI/CD Pipelines
  • intercom/intercom-php: 5.0.2 (the only affected release; it has been removed from the registry and no patched release is named, so pin a verified version other than 5.0.2)

Mitigation Strategies

  • Strict Dependency Pinning and Lockfile Enforcement (commit composer.lock and run composer install, never composer update, in CI so a new upstream release cannot enter a build unreviewed)
  • Explicit Composer Plugin Allowlist (Composer 2.2 and later only run plugins approved under config.allow-plugins; list the plugins you trust by name and never set it to true or "*": true, which removes that gate; pass --no-plugins where no plugin is needed)
  • Comprehensive Credential Rotation
  • Network Egress Filtering for CI/CD Runners (install-time exfiltration needs an outbound connection; restrict runners to the registries they actually need)
  • Enforcement of Two-Factor Authentication (2FA) for Maintainers

Remediation Steps:

  1. Audit all projects for intercom/intercom-php 5.0.2. Check composer.lock rather than only composer.json: a constraint such as ^5.0 is satisfied by 5.0.2, so only the lock file shows which release was actually resolved. On installed trees, composer show intercom/intercom-php reports the installed version.
  2. Pin the package to a verified version other than 5.0.2 and regenerate the lock file.
  3. Identify every system (developer laptops, build servers, CI runners) on which composer install or composer update ran while 5.0.2 was in the dependency tree. Because the code executes during installation, hosts that never ran the application are still affected.
  4. Rotate all credentials, API keys, database passwords and cloud tokens that were present in the environment variables or local files of those systems; Composer's own auth.json and any .env files in the working tree are typical examples of local files within reach of an install-time payload.
  5. Review access logs for cloud infrastructure and internal services for unauthorized access originating after the time of potential compromise.
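The audit the steps above describe, as an added shell example that is not from the advisory, cvereports.com or the intercom-php project: it scans a composer.lock for the malicious release, classifies the project's config.allow-plugins setting (the Composer control that decides whether a dependency's plugin may run at install time) and prints the follow-up actions. The package name and version come from the advisory; the sample composer.json and composer.lock the script writes are constructed for the demonstration, and the script assumes Composer's pretty-printed one-key-per-line JSON and POSIX awk/grep rather than jq.

```shell
#!/usr/bin/env bash
# Added audit script (not part of the advisory or of intercom-php). Scans a
# project's composer.lock for the malicious intercom/intercom-php 5.0.2 release
# and checks whether composer.json lets any plugin run unconditionally.
# Assumes Composer's pretty-printed JSON (one key per line) and POSIX tools only.

AFFECTED_PKG="intercom/intercom-php"
AFFECTED_VER="5.0.2"

# find_affected LOCKFILE
# Prints "name version" for every locked copy of $AFFECTED_PKG. Each entry in
# "packages" and "packages-dev" lists "name" before "version"; a leading "v" is
# stripped so a tag-style "v5.0.2" compares equal to "5.0.2".
# Returns 0 if the malicious version is locked, 1 if not, 2 if unreadable.
find_affected() {
  lockfile="${1:-composer.lock}"
  [ -r "$lockfile" ] || { echo "no readable lock file at $lockfile" >&2; return 2; }
  awk -v pkg="$AFFECTED_PKG" -v bad="$AFFECTED_VER" '
    /"name":/    { gsub(/[",]/, "", $2); name = $2 }
    /"version":/ {
      gsub(/[",]/, "", $2); sub(/^v/, "", $2)
      if (name == pkg) { print name, $2; if ($2 == bad) found = 1 }
      name = ""
    }
    END { exit (found ? 0 : 1) }
  ' "$lockfile"
}

# plugin_policy COMPOSER_JSON
# Classifies config.allow-plugins: "permissive" if it is true or holds a
# "*": true wildcard (any dependency may run code at install time),
# "allowlist" if named packages are listed, "unset" if absent.
# Returns 0 only for an explicit allowlist.
plugin_policy() {
  cfg="${1:-composer.json}"
  [ -r "$cfg" ] || { echo "unset"; return 1; }
  if grep -Eq '"allow-plugins"[[:space:]]*:[[:space:]]*true' "$cfg"; then
    echo "permissive"; return 1
  fi
  if awk '/"allow-plugins"/ { inblk = 1 }
          inblk && /"\*"[[:space:]]*:[[:space:]]*true/ { found = 1 }
          inblk && /}/ { inblk = 0 }
          END { exit (found ? 0 : 1) }' "$cfg"; then
    echo "permissive"; return 1
  fi
  if grep -q '"allow-plugins"' "$cfg"; then echo "allowlist"; return 0; fi
  echo "unset"; return 1
}

# audit_project DIR
# Runs both checks and prints the follow-up the advisory calls for.
# Returns 0 when nothing needs action, 1 otherwise.
audit_project() {
  dir="${1:-.}"
  status=0
  if find_affected "$dir/composer.lock"; then
    echo "!! $AFFECTED_PKG $AFFECTED_VER is locked in $dir: treat every host that ran"
    echo "   composer install/update against it as compromised; rotate its credentials."
    status=1
  fi
  case "$(plugin_policy "$dir/composer.json")" in
    permissive)
      echo "!! allow-plugins is permissive; name each trusted plugin instead, e.g."
      echo "   composer config --no-plugins allow-plugins.vendor/plugin true"
      status=1 ;;
    unset)
      echo "-- allow-plugins is not set; add an explicit allowlist (or use --no-plugins in CI)."
      status=1 ;;
  esac
  return $status
}

# make_sample_project DIR
# Writes a constructed composer.json and composer.lock (sample data for this
# example, not real project files) so the audit can be demonstrated offline.
make_sample_project() {
  cat > "$1/composer.json" <<'EOF'
{
    "config": {
        "allow-plugins": true
    }
}
EOF
  cat > "$1/composer.lock" <<'EOF'
{
    "packages": [
        {
            "name": "guzzlehttp/guzzle",
            "version": "7.8.1"
        },
        {
            "name": "intercom/intercom-php",
            "version": "v5.0.2"
        }
    ]
}
EOF
}

# Demonstration on the constructed sample project.
tmp="$(mktemp -d)"
make_sample_project "$tmp"
audit_project "$tmp" || echo "audit of $tmp: action required"
rm -rf "$tmp"
```

Run it from a project directory, or call audit_project with a path: a non-zero exit means either the malicious release is locked or plugin execution is not restricted to a named allowlist. The suggested composer config --no-plugins allow-plugins.vendor/plugin true form is Composer's documented way to approve one plugin without letting any plugin run while doing so.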

Read the full report for GHSA-GR3R-CRP5-QRRM on our website for more details including interactive diagrams and full exploit analysis.
