
Semgrep Highlights Expanding Software Supply-Chain Attack Targeting Packagist

According to a recent LinkedIn post from Semgrep, the company’s researchers are tracking what they describe as the “Mini Shai-Hulud” supply‑chain campaign extending into the PHP ecosystem via Packagist. The post cites a compromise of intercom/intercom-php@5.0.2, allegedly leveraging the same malicious payload previously observed in npm and PyPI incidents.

The post explains that Packagist mirrors tags from upstream Git repositories, and that Git tags can be force‑updated to point to different commits, enabling an attacker to overwrite an existing version. It further notes that, instead of using an npm‑style preinstall hook, the PHP package reportedly registers as a Composer plugin, subscribes to post-install and post-update events, and then retrieves the same Bun-based payload.
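The two mechanics in the paragraph above (a moved Git tag that Packagist re-mirrors under the same version string, and a Composer plugin that hooks post-install and post-update) each leave a trace a defender can check for. The script below is an added example, not code from Semgrep or from the article. It compares two composer.lock files and flags packages whose version is unchanged but whose pinned commit reference changed, and it lists packages of type composer-plugin that composer.json's config.allow-plugins does not explicitly enable. The sample lock data, the package names acme/widget and acme/hooks, and the 40-character hashes are constructed placeholders; the wildcard matching of allow-plugins patterns is a simplification of Composer's own matching.

```python
"""Audit Composer lock files for two supply-chain signals.

1. A package whose version string is identical between two composer.lock
   snapshots but whose pinned Git commit changed. A real upgrade changes the
   version; the same version resolving to a different commit is what a
   force-updated tag looks like once the registry re-mirrors it.
2. Packages of type "composer-plugin" that config.allow-plugins in
   composer.json does not explicitly enable. Plugins can subscribe to
   post-install / post-update events, so every one should be a known choice.

All sample data below is constructed for this example.
"""
import fnmatch
import json

# Constructed placeholder commit hashes (not real references).
OLD_REF = "a" * 40
NEW_REF = "b" * 40

# Constructed composer.lock snapshots: same versions, one commit re-pinned.
OLD_LOCK = {
    "packages": [
        {"name": "acme/widget", "version": "5.0.2", "type": "library",
         "source": {"type": "git", "url": "https://example.invalid/acme/widget.git",
                    "reference": OLD_REF},
         "dist": {"type": "zip", "url": "https://example.invalid/dist/widget.zip",
                  "reference": OLD_REF}},
        {"name": "acme/hooks", "version": "1.2.0", "type": "composer-plugin",
         "source": {"type": "git", "url": "https://example.invalid/acme/hooks.git",
                    "reference": "c" * 40}},
    ],
    "packages-dev": [],
}
NEW_LOCK = json.loads(json.dumps(OLD_LOCK))  # deep copy
NEW_LOCK["packages"][0]["source"]["reference"] = NEW_REF
NEW_LOCK["packages"][0]["dist"]["reference"] = NEW_REF

# Constructed composer.json: only vendors matching the pattern may run plugins.
COMPOSER_JSON = {"config": {"allow-plugins": {"acme/trusted-*": True}}}


def load_json(path):
    """Read a composer.json or composer.lock file from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def index_packages(lock):
    """Map package name -> package record across prod and dev sections."""
    out = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            out[pkg["name"]] = pkg
    return out


def pinned_ref(pkg):
    """Commit Composer will install: prefer the dist reference, else source."""
    for key in ("dist", "source"):
        ref = (pkg.get(key) or {}).get("reference")
        if ref:
            return ref
    return None


def find_repointed_versions(old_lock, new_lock):
    """Return (name, version, old_ref, new_ref) for unchanged versions whose commit moved."""
    old, new = index_packages(old_lock), index_packages(new_lock)
    findings = []
    for name, new_pkg in new.items():
        old_pkg = old.get(name)
        if old_pkg is None or old_pkg["version"] != new_pkg["version"]:
            continue  # new dependency or a genuine version change
        old_ref, new_ref = pinned_ref(old_pkg), pinned_ref(new_pkg)
        if old_ref and new_ref and old_ref != new_ref:
            findings.append((name, new_pkg["version"], old_ref, new_ref))
    return findings


def find_unallowed_plugins(lock, composer_json):
    """Composer plugins in the lock that config.allow-plugins does not enable."""
    allow = composer_json.get("config", {}).get("allow-plugins", {})
    if allow is True:
        return []  # blanket allow: nothing to report, but worth questioning
    if allow is False:
        allow = {}
    unallowed = []
    for name, pkg in index_packages(lock).items():
        if pkg.get("type") != "composer-plugin":
            continue
        # Simplified pattern match; Composer supports "*" wildcards in keys.
        permitted = any(enabled and fnmatch.fnmatch(name, pattern)
                        for pattern, enabled in allow.items())
        if not permitted:
            unallowed.append(name)
    return sorted(unallowed)


if __name__ == "__main__":
    for name, ver, a, b in find_repointed_versions(OLD_LOCK, NEW_LOCK):
        print(f"REPOINTED {name}@{ver}: {a[:12]} -> {b[:12]}")
    for name in find_unallowed_plugins(NEW_LOCK, COMPOSER_JSON):
        print(f"PLUGIN NOT ALLOWLISTED: {name}")
```

In practice, point load_json at the committed composer.lock and the one produced by a fresh install, and treat any repointed entry as a stop-the-pipeline event until the new commit has been reviewed. Keeping config.allow-plugins as an explicit allowlist rather than true means a newly added plugin fails loudly instead of silently gaining post-install execution.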

For investors, this activity underscores Semgrep’s ongoing focus on emerging software supply‑chain threats, an area of heightened enterprise concern and spending. By publicly analyzing cross‑ecosystem attacks, the company may strengthen its positioning as a security intelligence and tooling provider, potentially supporting demand for its products among development and security teams.

The incident also highlights continued systemic risk in open‑source package registries, which could drive organizations toward vendors offering code and dependency scanning solutions. If Semgrep can convert this research exposure into customer adoption and higher contract values, the elevated awareness of such attacks could provide a tailwind for future revenue growth and reinforce its competitive stance against other application security platforms.
