Intercom incident

[EU Hosting] Investigating: Compromised version of intercom-client npm package and intercom-php

Started: May 01, 2026, 01:24 PM UTC
Resolved: Ongoing
Duration: 2d 8h
Detected by Pingoru: May 01, 2026, 01:24 PM UTC

Affected components

Mobile Messenger, REST API

Update timeline

  1. investigating Apr 30, 2026, 04:58 PM UTC

    Status: Investigating

    We are investigating reports that a malicious version (7.0.4) of the intercom-client npm package was briefly published earlier today. The latest legitimate version is 7.0.3. The impact is contained to the node SDK which is used to access Intercom APIs.

    If you installed intercom-client@7.0.4, we recommend:

    • removing the package immediately
    • rotating any credentials (API keys, tokens, cloud credentials) that were accessible from that environment

    We are actively investigating and will share more information as it becomes available.

  2. investigating Apr 30, 2026, 11:00 PM UTC

    Status: Investigating

    We are continuing to investigate the malicious version of the intercom-client package. We have now confirmed that intercom-php@5.0.2 was also compromised, between 20:53 UTC and 22:37 UTC on 2026-04-30. A safe version of v5.0.2 has since been restored.

    If you installed or updated intercom-php during this window, we recommend you:

    • Uninstall and reinstall the package from a clean source
    • Rotate any credentials (API keys, tokens, cloud credentials) that were accessible from the affected environment

    We will share further details as they become available.

    Affected components: REST API (Degraded performance)

  3. monitoring May 01, 2026, 12:26 AM UTC

    Status: Monitoring

    We are continuing to investigate the malicious version of the intercom-client package. We have now confirmed that intercom-php@5.0.2 was also compromised, between 20:53 UTC and 22:37 UTC on 2026-04-30. A safe version of v5.0.2 has since been restored.

    If you installed or updated intercom-php during this window, we recommend you:

    • Uninstall and reinstall the package from a clean source
    • Rotate any credentials (API keys, tokens, cloud credentials) that were accessible from the affected environment

    We will share further details as they become available.

    Affected components: REST API (Degraded performance)

  4. monitoring May 01, 2026, 09:55 AM UTC

    Status: Monitoring

    Both malicious package versions (intercom-client@7.0.4 and intercom-php@5.0.2) have been removed and are no longer available for download. Safe versions have been restored.

    GitHub Security Advisories have been published for both packages, enabling automated alerts via Dependabot and npm audit.

    • https://github.com/intercom/intercom-node/security/advisories/GHSA-54pg-9963-v8vg
    • https://github.com/intercom/intercom-php/security/advisories/GHSA-gr3r-crp5-qrrm

    We have been working with Wiz and Socket.dev directly to understand and mitigate impact from this event. As a precaution, we are rotating all credentials across all affected systems.

    We have found no evidence of unauthorized access to customer data or accounts. The impact has been limited to developer tooling. We will continue with remediation and share another update when we can.

    Affected components: REST API (Degraded performance)

  5. monitoring May 01, 2026, 11:51 AM UTC

    Status: Monitoring

    As part of our investigation, we identified that the Apple Distribution Certificate used to sign our iOS SDK was potentially exposed. We have found no evidence that this certificate has been misused, but as a precaution we have revoked the certificate.

    This only affects developers who build apps that include the Intercom iOS SDK. It does not affect Intercom customers who use the Intercom product (Messenger, inbox, help center, etc.) or their end users. Apps already on the App Store are not affected.

    Specifically, this affects versions 19.5.6 and 19.5.7 of the following packages:

    - intercom-ios (https://github.com/intercom/intercom-ios)
    - intercom-ios-sp (https://github.com/intercom/intercom-ios-sp)

    If you are using either of these versions, your builds will fail until you update to a newly signed version. Instructions for resolving this will be available shortly.

    This change relates only to iOS integrations and does not affect the Intercom Android SDK, or the web Messenger.

    Affected components: Mobile Messenger (Degraded performance), REST API (Degraded performance)

  6. monitoring May 01, 2026, 01:24 PM UTC

    Status: Monitoring

    The iOS Distribution Certificate has been revoked and all impacted releases have been re-signed with a new certificate. If your builds are failing, follow the instructions here: https://github.com/intercom/intercom-ios/wiki/Codesigning-Issue to update.

    This only affects developers who build apps that include the Intercom iOS SDK versions 19.5.6 and 19.5.7. It does not affect Intercom customers who use the Intercom product, their end users, or apps already on the App Store.

    These changes relate only to iOS integrations and do not affect the Android SDK or web Messenger.

    Affected components: Mobile Messenger (Degraded performance), REST API (Degraded performance)
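
A lockfile check for the package versions named in the updates above, as an added example that is not Intercom's or Pingoru's code. The Packagist name `intercom/intercom-php` is an assumption and the sample lockfiles are constructed; intercom-php 5.0.2 is reported as "review" rather than "compromised" because the same version number was later restored as safe.

```javascript
// Added example: versions come from the incident updates; sample lockfiles are constructed.
const NPM_BAD = { name: "intercom-client", version: "7.0.4" };
// Assumption: Packagist name. 5.0.2 was restored as safe, so the version alone is ambiguous.
const PHP_REVIEW = { name: "intercom/intercom-php", version: "5.0.2" };

// package-lock.json v2/v3: flat "packages" map keyed by install path.
// v1: nested "dependencies". v2 carries both, so fall back to v1 only when needed.
function scanNpmLock(lock) {
  const hits = [];
  const check = (name, meta, path) => {
    if (name === NPM_BAD.name && meta.version === NPM_BAD.version)
      hits.push({ path, verdict: "compromised" });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages))
      check(path.split("node_modules/").pop(), meta, path);
  } else {
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta, `${trail}${name}`);
        walk(meta.dependencies, `${trail}${name} > `);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// composer.lock: "packages" and "packages-dev" arrays; tags may carry a "v" prefix.
// source.reference is the commit the tag resolved to when the lockfile was written.
function scanComposerLock(lock) {
  return [...(lock.packages || []), ...(lock["packages-dev"] || [])]
    .filter((p) => p.name === PHP_REVIEW.name &&
                   String(p.version).replace(/^v/, "") === PHP_REVIEW.version)
    .map((p) => ({ path: p.name, verdict: "review",
                   reference: p.source ? p.source.reference : null }));
}

// Constructed sample input (not real lockfiles).
const sampleNpmLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/intercom-client": { version: "7.0.3" },
  "node_modules/helper/node_modules/intercom-client": { version: "7.0.4" } } };
const sampleV1Lock = { lockfileVersion: 1, dependencies: {
  helper: { version: "2.1.0", dependencies: { "intercom-client": { version: "7.0.4" } } } } };
const sampleComposerLock = { packages: [{ name: "intercom/intercom-php", version: "v5.0.2",
  source: { type: "git", reference: "<commit-sha-from-your-lockfile>" } }] };
console.log(scanNpmLock(sampleNpmLock), scanNpmLock(sampleV1Lock), scanComposerLock(sampleComposerLock));
```

To run it against a real project, pass the parsed contents of `package-lock.json` and `composer.lock` to the two functions. A "review" result means checking whether the install or update happened between 20:53 UTC and 22:37 UTC on 2026-04-30.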
