Intercom incident
[EU Hosting] Investigating: Compromised version of intercom-client npm package and intercom-php
Intercom experienced a minor incident on June 8, 2026 affecting Mobile Messenger and REST API, lasting —. The incident has been resolved; the full update timeline is below.
Update timeline
- investigating Apr 30, 2026, 04:58 PM UTC
Status: Investigating
We are investigating reports that a malicious version (7.0.4) of the intercom-client npm package was briefly published earlier today. The latest legitimate version is 7.0.3. The impact is contained to the node SDK which is used to access Intercom APIs.
If you installed intercom-client@7.0.4, we recommend:
• removing the package immediately
• rotating any credentials (API keys, tokens, cloud credentials) that were accessible from that environment
We are actively investigating and will share more information as it becomes available.
- investigating Apr 30, 2026, 11:00 PM UTC
Status: Investigating
We are continuing to investigate the malicious version of the intercom-client package. We have now confirmed that intercom-php@5.0.2 was also compromised, between 20:53 UTC and 22:37 UTC on 2026-04-30. A safe version of v5.0.2 has since been restored.
If you installed or updated intercom-php during this window, we recommend you:
• Uninstall and reinstall the package from a clean source
• Rotate any credentials (API keys, tokens, cloud credentials) that were accessible from the affected environment
We will share further details as they become available.
Affected components: REST API (Degraded performance)
- monitoring May 01, 2026, 12:26 AM UTC
Status: Monitoring
We are continuing to investigate the malicious version of the intercom-client package. We have now confirmed that intercom-php@5.0.2 was also compromised, between 20:53 UTC and 22:37 UTC on 2026-04-30. A safe version of v5.0.2 has since been restored.
If you installed or updated intercom-php during this window, we recommend you:
• Uninstall and reinstall the package from a clean source
• Rotate any credentials (API keys, tokens, cloud credentials) that were accessible from the affected environment
We will share further details as they become available.
Affected components: REST API (Degraded performance)
- monitoring May 01, 2026, 09:55 AM UTC
Status: Monitoring
Both malicious package versions (intercom-client@7.0.4 and intercom-php@5.0.2) have been removed and are no longer available for download. Safe versions have been restored.
GitHub Security Advisories have been published for both packages, enabling automated alerts via Dependabot and npm audit.
• https://github.com/intercom/intercom-node/security/advisories/GHSA-54pg-9963-v8vg
• https://github.com/intercom/intercom-php/security/advisories/GHSA-gr3r-crp5-qrrm
We have been working with Wiz and Socket.dev directly to understand and mitigate impact from this event. As a precaution, we are rotating all credentials across all affected systems. We have found no evidence of unauthorized access to customer data or accounts. The impact has been limited to developer tooling.
We will continue with remediation and share another update when we can.
Affected components: REST API (Degraded performance)
- monitoring May 01, 2026, 11:51 AM UTC
Status: Monitoring
As part of our investigation, we identified that the Apple Distribution Certificate used to sign our iOS SDK was potentially exposed. We have found no evidence that this certificate has been misused, but as a precaution we have revoked the certificate.
This only affects developers who build apps that include the Intercom iOS SDK. It does not affect Intercom customers who use the Intercom product (Messenger, inbox, help center, etc.) or their end users. Apps already on the App Store are not affected.
Specifically, this affects versions 19.5.6 and 19.5.7 of the following packages:
• intercom-ios (https://github.com/intercom/intercom-ios)
• intercom-ios-sp (https://github.com/intercom/intercom-ios-sp)
If you are using either of these versions, your builds will fail until you update to a newly signed version. Instructions for resolving this will be available shortly.
This change relates only to iOS integrations and does not affect the Intercom Android SDK or the web Messenger.
Affected components: Mobile Messenger (Degraded performance), REST API (Degraded performance)
- monitoring May 01, 2026, 01:24 PM UTC
Status: Monitoring
The iOS Distribution Certificate has been revoked and all impacted releases have been re-signed with a new certificate. If your builds are failing, follow the instructions here: https://github.com/intercom/intercom-ios/wiki/Codesigning-Issue to update.
This only affects developers who build apps that include the Intercom iOS SDK versions 19.5.6 and 19.5.7. It does not affect Intercom customers who use the Intercom product, their end users, or apps already on the App Store. These changes relate only to iOS integrations and do not affect the Android SDK or web Messenger.
Affected components: Mobile Messenger (Degraded performance), REST API (Degraded performance)
- monitoring May 04, 2026, 11:06 AM UTC
Status: Monitoring
Investigation and remediation continue
Since our last update:
• Credential rotation across affected systems is nearing completion
• We have engaged independent external security partners to conduct a full assessment
• Additional protections against malicious packages have been deployed alongside our existing security tooling
• We continue to find no evidence of unauthorized access to customer data or Intercom accounts
The compromised package versions (intercom-client@7.0.4 and intercom-php@5.0.2) have been removed. Safe versions are available: [email protected] and [email protected].
GitHub Security Advisories with full technical details:
• intercom-client: GHSA-54pg-9963-v8vg: https://github.com/intercom/intercom-node/security/advisories/GHSA-54pg-9963-v8vg
• intercom-php: GHSA-gr3r-crp5-qrrm: https://github.com/intercom/intercom-php/security/advisories/GHSA-gr3r-crp5-qrrm
We will continue to provide updates here as our investigation progresses.
Affected components: Mobile Messenger (Operational), REST API (Operational)
- monitoring May 06, 2026, 09:01 AM UTC
Status: Monitoring
Update: Continuing investigation
Our investigation continues with support from independent external security partners. We continue to find no evidence of unauthorised access to customer data or Intercom accounts. All Intercom services remain fully operational.
You are only potentially affected if your developers installed intercom-client@7.0.4 (npm) or intercom-php@5.0.2 during the affected window on April 30. The compromised package versions (intercom-client@7.0.4 and intercom-php@5.0.2) remain removed. Safe versions: [email protected] and [email protected]. If you do not use these developer packages to interact with the Intercom REST API, you are not impacted.
We are keeping this incident open while we complete our remediation and investigation. We will update this page when we are ready to close it out.
Affected components: REST API (Operational), Mobile Messenger (Operational)
- monitoring May 18, 2026, 12:39 PM UTC
Status: Monitoring
Update: Investigation continues - no change to impact
Our investigation with independent external security partners continues. There is no evidence of unauthorized access to customer data or Intercom accounts. All Intercom services remain fully operational.
The only impact has been to the compromised packages reported previously. The compromised versions (intercom-client@7.0.4 and intercom-php@5.0.2) were removed and safe versions remain available.
Since our last update, we have completed credential rotation and continued hardening our development environment with additional security controls. We will post a final update when we are ready to close this incident.
Affected components: Mobile Messenger (Operational), REST API (Operational)
- resolved Jun 08, 2026, 11:53 AM UTC
Status: Resolved
We're closing this incident.
On April 30, 2026 an attacker published malicious versions of intercom-client (v7.0.4) and intercom-php (v5.0.2). Both were removed from distribution within hours of discovery. No evidence of unauthorized access to customer data or Intercom accounts was found.
If you installed intercom-client@7.0.4 or intercom-php@5.0.2 on April 30 and haven't already done so, we recommend rotating any credentials configured in that environment. All other versions of both packages are safe.
We kept the incident open out of an abundance of caution while we completed credential rotation, hardened our infrastructure, and monitored closely for any follow-on activity. We're now satisfied it's fully remediated.
Affected components: Mobile Messenger (Operational), REST API (Operational)
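An added example, not part of Intercom's updates or tooling: a lockfile triage for the exposure check the updates describe. The compromised and restored intercom-php releases share the number 5.0.2, so a composer.lock match is only decisive when combined with an install time inside the stated window. The function names, the suffix match on the Composer package name, and the caller-supplied `installed_at` timestamp are assumptions.

```python
import json
from datetime import datetime, timezone

NPM_NAME, NPM_BAD_VERSION = "intercom-client", "7.0.4"   # from the incident updates
PHP_NAME, PHP_VERSION = "intercom-php", "5.0.2"          # same number before and after the fix
WINDOW = (datetime(2026, 4, 30, 20, 53, tzinfo=timezone.utc),
          datetime(2026, 4, 30, 22, 37, tzinfo=timezone.utc))

def find_bad_npm(lock_text):
    """Return lockfile locations that pin intercom-client 7.0.4."""
    lock = json.loads(lock_text)
    # lockfileVersion 2/3: flat "packages" map keyed by install path.
    hits = [path for path, meta in lock.get("packages", {}).items()
            if path.split("node_modules/")[-1] == NPM_NAME
            and meta.get("version") == NPM_BAD_VERSION]
    def walk(deps, trail):  # lockfileVersion 1: nested "dependencies" tree
        for name, meta in (deps or {}).items():
            if name == NPM_NAME and meta.get("version") == NPM_BAD_VERSION:
                hits.append("/".join(trail + [name]))
            walk(meta.get("dependencies"), trail + [name])
    if "packages" not in lock:
        walk(lock.get("dependencies"), [])
    return hits

def check_intercom_php(lock_text, installed_at=None):
    """Classify a composer.lock. installed_at: timezone-aware install/update time
    taken from your own CI or deploy logs (assumption: you can recover it)."""
    lock = json.loads(lock_text)
    for pkg in (lock.get("packages") or []) + (lock.get("packages-dev") or []):
        name = pkg.get("name", "").split("/")[-1]          # ignore vendor prefix
        version = pkg.get("version", "").lstrip("v")
        if name == PHP_NAME and version == PHP_VERSION:
            if installed_at is None:
                return "review"        # version alone cannot clear or condemn
            inside = WINDOW[0] <= installed_at <= WINDOW[1]
            return "exposed" if inside else "outside-window"
    return "not-present"

# Constructed sample lockfiles, trimmed to the fields the checks read.
SAMPLE_NPM_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/intercom-client": {"version": "7.0.4"},
    "node_modules/left-pad": {"version": "1.3.0"}}})
SAMPLE_COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "intercom/intercom-php", "version": "5.0.2"}], "packages-dev": []})

if __name__ == "__main__":
    print(find_bad_npm(SAMPLE_NPM_LOCK))
    print(check_intercom_php(SAMPLE_COMPOSER_LOCK))
```

An "outside-window" result is only as reliable as the timestamp passed in; an "exposed" or npm hit means following the removal and credential-rotation steps in the updates above.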