We are continuing to investigate the malicious version of the intercom-client package.
We have now confirmed that intercom-php@v5.0.2 was also compromised, between 20:53 UTC and 22:37 UTC on 2026-04-30. A safe version of v5.0.2 has since been restored.
If you installed or updated intercom-php during this window, we recommend you:
Uninstall and reinstall the package from a clean source
Rotate any credentials (API keys, tokens, cloud credentials) that were accessible from the affected environment
We will share further details as they become available.
Monitoring
We are continuing to investigate the malicious version of the intercom-client package.
We have now confirmed that intercom-php@v5.0.2 was also compromised, between 20:53 UTC and 22:37 UTC on 2026-04-30. A safe version of v5.0.2 has since been restored.
If you installed or updated intercom-php during this window, we recommend you:
Uninstall and reinstall the package from a clean source
Rotate any credentials (API keys, tokens, cloud credentials) that were accessible from the affected environment
We will share further details as they become available.
Investigating
We are continuing to investigate the malicious version of the intercom-client package.
We have now confirmed that intercom-php@v5.0.2 was also compromised, between 20:53 UTC and 22:37 UTC on 2026-04-30. A safe version of v5.0.2 has since been restored.
If you installed or updated intercom-php during this window, we recommend you:
Uninstall and reinstall the package from a clean source
Rotate any credentials (API keys, tokens, cloud credentials) that were accessible from the affected environment
We will share further details as they become available.
Investigating
We are investigating reports that a malicious version (7.0.4) of the intercom-client npm package was briefly published earlier today.
The latest legitimate version is 7.0.3. The impact is contained to the node SDK which is used to access Intercom APIs.
If you installed intercom-client@7.0.4, we recommend:
removing the package immediately
rotating any credentials (API keys, tokens, cloud credentials) that were accessible from that environment
We are actively investigating and will share more information as it becomes available.
