According to a recent LinkedIn post from Semgrep, the company is tracking what it refers to as the “Mini Shai-Hulud” campaign, which it suggests has now affected Packagist via the intercom/intercom-php@5.0.2 package. The post indicates that this package was compromised with a payload similar to those observed in recent npm and PyPI ecosystem attacks.
The company’s LinkedIn post highlights that Packagist’s mirroring of Git tags may have enabled an attacker to overwrite an existing version by force-updating the tag. It also notes that, unlike npm’s preinstall hooks, the PHP artifact operates as a Composer plugin triggered on post-install and post-update events, which then downloads a Bun-based payload.
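The two defensive checks that follow from the mechanism described above, as an added example that is not code from Semgrep or from the post: diff two composer.lock snapshots for a package whose version string is unchanged while its Git reference moved (the signature of a force-updated tag mirrored by Packagist), and list composer-plugin packages that the project's composer.json does not explicitly allow via Composer's allow-plugins setting. The lock snapshots, commit references and the vendor/tool package are constructed sample data; only exact package names are matched in allow-plugins, not wildcard patterns.

```python
import json

# Constructed sample: a composer.lock before and after an update. The version of
# intercom/intercom-php stays 5.0.2, but the VCS reference behind that tag differs
# and the package now declares itself a composer-plugin. All hashes are made up.
LOCK_BEFORE = json.dumps({"packages": [
    {"name": "intercom/intercom-php", "version": "5.0.2", "type": "library",
     "source": {"type": "git", "reference": "aaaa000000000000000000000000000000000001"}},
    {"name": "vendor/tool", "version": "1.4.0", "type": "library",
     "source": {"type": "git", "reference": "bbbb000000000000000000000000000000000002"}},
]})
LOCK_AFTER = json.dumps({"packages": [
    {"name": "intercom/intercom-php", "version": "5.0.2", "type": "composer-plugin",
     "source": {"type": "git", "reference": "cccc000000000000000000000000000000000003"}},
    {"name": "vendor/tool", "version": "1.4.0", "type": "library",
     "source": {"type": "git", "reference": "bbbb000000000000000000000000000000000002"}},
]})
# Assumed project composer.json: only vendor/tool is approved to run as a plugin.
COMPOSER_JSON = json.dumps({"config": {"allow-plugins": {"vendor/tool": True}}})

def _index(lock_json):
    return {p["name"]: p for p in json.loads(lock_json).get("packages", [])}

def tag_overwrites(before_json, after_json):
    """Packages whose version is unchanged but whose source reference changed."""
    before, after = _index(before_json), _index(after_json)
    hits = []
    for name, pkg in after.items():
        old = before.get(name)
        if old is None or old.get("version") != pkg.get("version"):
            continue  # new package or a real version bump: not a tag overwrite
        old_ref = (old.get("source") or {}).get("reference")
        new_ref = (pkg.get("source") or {}).get("reference")
        if old_ref and new_ref and old_ref != new_ref:
            hits.append((name, pkg["version"], old_ref, new_ref))
    return hits

def unapproved_plugins(lock_json, composer_json):
    """composer-plugin packages not explicitly enabled in config.allow-plugins."""
    allow = json.loads(composer_json).get("config", {}).get("allow-plugins", {})
    if allow is True:
        return []  # project allows every plugin; nothing to flag here
    allowed = {n for n, ok in allow.items() if ok} if isinstance(allow, dict) else set()
    return sorted(name for name, p in _index(lock_json).items()
                  if p.get("type") == "composer-plugin" and name not in allowed)

if __name__ == "__main__":
    for hit in tag_overwrites(LOCK_BEFORE, LOCK_AFTER):
        print("reference changed without version bump:", hit)
    print("plugins not in allow-plugins:", unapproved_plugins(LOCK_AFTER, COMPOSER_JSON))
```

Run against a real project by loading the committed composer.lock and the freshly resolved one in place of the two constructed snapshots.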
For investors, the post suggests that Semgrep is actively researching cross-ecosystem software supply chain threats, reinforcing its position in application security and threat detection. Increased visibility around high-profile package compromises could support demand for the firm’s code security products and services, potentially strengthening its competitive standing in the DevSecOps market.
The focus on Composer and Packagist extends Semgrep’s relevance beyond JavaScript and Python, implying broader coverage of language ecosystems. This broader applicability may expand its addressable market among enterprise developers seeking unified tooling for supply chain security and vulnerability detection across multiple package managers.

