GHSA-GR3R-CRP5-QRRM

GHSA-GR3R-CRP5-QRRM is a critical-severity security vulnerability in intercom/intercom-php (composer), affecting versions = 5.0.2. No fixed version is listed yet.

Summary

Workarounds

If a project installed version 5.0.2 during the affected window, treat all credentials accessible from that environment as compromised and rotate them. Clear the Composer cache with composer clear-cache and check composer.lock for the commit hash to confirm whether you have the malicious or clean version.

Resources

Impact

On April 30, 2026, a malicious commit was pushed to the intercom/intercom-php repository and tagged as version 5.0.2, using a compromised service account (github-management-service). This occurred as part of the same supply chain attack that affected intercom-client on npm.

The malicious version contained a Composer plugin that acted as a dropper, downloading the Bun JavaScript runtime (version 1.3.13) and executing an obfuscated credential-harvesting payload. The payload targeted cloud provider credentials (AWS, GCP, Azure), environment variables, .env files, SSH keys, local configuration files, and CI/CD secrets.

The malicious tag was live between approximately 20:53 UTC and 22:37 UTC on April 30, 2026, before being identified and reverted to a clean commit.

This compromise is part of the "Mini Shai-Hulud" supply chain campaign tracked by Wiz and Socket.

To check if a consuming project is affected, run: composer show intercom/intercom-php --version. If the project installed or updated between 20:53 and 22:37 UTC on April 30, it may have received the malicious version. The malicious commit hash was e69bf4b3. The clean commit is 9371eba9. Check composer.lock to verify which version the consuming project is using.

GHSA-GR3R-CRP5-QRRM has a CVSS score of 9.3 (Critical). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.

Affected versions

intercom/intercom-php (= 5.0.2)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Version 5.0.1 and all prior versions are unaffected. The 5.0.2 tag has been reverted to a clean commit. Downgrade to 5.0.1 or run composer clear-cache and reinstall to get the clean 5.0.2.

Frequently Asked Questions

  1. What is GHSA-GR3R-CRP5-QRRM? GHSA-GR3R-CRP5-QRRM is a critical-severity security vulnerability in intercom/intercom-php (composer), affecting versions = 5.0.2. No fixed version is listed yet.
  2. How severe is GHSA-GR3R-CRP5-QRRM? GHSA-GR3R-CRP5-QRRM has a CVSS score of 9.3 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of intercom/intercom-php are affected by GHSA-GR3R-CRP5-QRRM? intercom/intercom-php (composer) versions = 5.0.2 is affected.
  4. Is there a fix for GHSA-GR3R-CRP5-QRRM? No fixed version is listed for GHSA-GR3R-CRP5-QRRM yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is GHSA-GR3R-CRP5-QRRM exploitable, and should I be worried? Whether GHSA-GR3R-CRP5-QRRM is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-GR3R-CRP5-QRRM is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

Other vulnerabilities in intercom/intercom-php

Stop the waste.
Protect your environment with Kodem.