Update: Continuing investigation
Our investigation continues with support from independent external security partners. We continue to find no evidence of unauthorised access to customer data or Intercom accounts. All Intercom services remain fully operational.
You are only potentially affected if your developers installed intercom-client@7.0.4 (npm) or intercom-php@5.0.2 during the affected window on April 30. The compromised package versions (intercom-client@7.0.4 and intercom-php@5.0.2) remain removed. Safe versions: intercom-client@7.0.3 and intercom-php@5.0.1. If you do not use these developer packages to interact with the Intercom REST API, you are not impacted.
We are keeping this incident open while we complete our remediation and investigation. We will update this page when we are ready to close it out.
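To check whether a project resolved either compromised version named above, this added example (not Intercom's code) scans the contents of a package-lock.json and a composer.lock. The Composer vendor prefix and the sample lockfiles are assumptions constructed for illustration.

```python
import json

# Versions the incident page lists as compromised.
BAD_NPM = ("intercom-client", "7.0.4")
BAD_PHP = ("intercom-php", "5.0.2")

def _norm(version):  # Composer may record a tag with a leading "v" (v5.0.2)
    return str(version or "").lstrip("vV")

def scan_package_lock(text):
    """Return lockfile entries pinning intercom-client@7.0.4."""
    lock, hits = json.loads(text), []
    name, bad = BAD_NPM
    # Lockfile v2/v3: flat "packages" map keyed by install path.
    for path, meta in lock.get("packages", {}).items():
        if path.split("node_modules/")[-1] == name and _norm(meta.get("version")) == bad:
            hits.append(path)
    # Lockfile v1: nested "dependencies" tree (skipped when "packages" exists).
    def walk(deps, trail):
        for dep, meta in (deps or {}).items():
            here = f"{trail}>{dep}" if trail else dep
            if dep == name and _norm(meta.get("version")) == bad:
                hits.append(here)
            walk(meta.get("dependencies"), here)
    if "packages" not in lock:
        walk(lock.get("dependencies"), "")
    return hits

def scan_composer_lock(text):
    """Return composer.lock entries pinning intercom-php 5.0.2."""
    lock, hits = json.loads(text), []
    name, bad = BAD_PHP
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            # Match on the last path segment; the vendor prefix is an assumption.
            if pkg.get("name", "").split("/")[-1] == name and _norm(pkg.get("version")) == bad:
                hits.append(f"{pkg['name']}@{pkg['version']}")
    return hits

# Constructed sample lockfiles (not taken from any real project).
NPM_V3 = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/intercom-client": {"version": "7.0.3"},
    "node_modules/helper/node_modules/intercom-client": {"version": "7.0.4"}}})
NPM_V1 = json.dumps({"lockfileVersion": 1, "dependencies": {
    "helper": {"version": "1.0.0", "dependencies": {"intercom-client": {"version": "7.0.4"}}}}})
COMPOSER = json.dumps({"packages": [{"name": "intercom/intercom-php", "version": "v5.0.2"}],
                       "packages-dev": [{"name": "intercom/intercom-php", "version": "5.0.1"}]})
if __name__ == "__main__":
    print(scan_package_lock(NPM_V3), scan_package_lock(NPM_V1), scan_composer_lock(COMPOSER))
```

A lockfile hit only shows that the version was resolved; whether it was fetched during the April 30 window still has to be checked against install or CI logs.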
Investigation and remediation continue
Since our last update:
• Credential rotation across affected systems is nearing completion
• We have engaged independent external security partners to conduct a full assessment
• Additional protections against malicious packages have been deployed alongside our existing security tooling
• We continue to find no evidence of unauthorized access to customer data or Intercom accounts
The compromised package versions (intercom-client@7.0.4 and intercom-php@5.0.2) have been removed. Safe versions are available: intercom-client@7.0.3 and intercom-php@5.0.1.
GitHub Security Advisories with full technical details:
- intercom-client: GHSA-54pg-9963-v8vg: https://github.com/intercom/intercom-node/security/advisories/GHSA-54pg-9963-v8vg
- intercom-php: GHSA-gr3r-crp5-qrrm: https://github.com/intercom/intercom-php/security/advisories/GHSA-gr3r-crp5-qrrm
We will continue to provide updates here as our investigation progresses.
The iOS Distribution Certificate has been revoked and all impacted releases have been re-signed with a new certificate.
If your builds are failing, follow the instructions here: https://github.com/intercom/intercom-ios/wiki/Codesigning-Issue to update.
This only affects developers who build apps that include the Intercom iOS SDK versions 19.5.6 and 19.5.7. It does not affect Intercom customers who use the Intercom product, their end users, or apps already on the App Store.
These changes relate only to iOS integrations and do not affect the Android SDK or web Messenger.
As part of our investigation, we identified that the Apple Distribution Certificate used to sign our iOS SDK was potentially exposed. We have found no evidence that this certificate has been misused, but as a precaution we have revoked the certificate.
This only affects developers who build apps that include the Intercom iOS SDK. It does not affect Intercom customers who use the Intercom product (Messenger, inbox, help center, etc.) or their end users. Apps already on the App Store are not affected.
Specifically, this affects versions 19.5.6 and 19.5.7 of the following packages:
- intercom-ios (https://github.com/intercom/intercom-ios)
- intercom-ios-sp (https://github.com/intercom/intercom-ios-sp)
If you are using either of these versions, your builds will fail until you update to a newly signed version.
Instructions for resolving this will be available shortly.
This change relates only to iOS integrations and does not affect the Intercom Android SDK or the web Messenger.
Both malicious package versions (intercom-client@7.0.4 and intercom-php@5.0.2) have been removed and are no longer available for download. Safe versions have been restored.
GitHub Security Advisories have been published for both packages, enabling automated alerts via Dependabot and npm audit.
• https://github.com/intercom/intercom-node/security/advisories/GHSA-54pg-9963-v8vg
• https://github.com/intercom/intercom-php/security/advisories/GHSA-gr3r-crp5-qrrm
We have been working with Wiz and Socket.dev directly to understand and mitigate impact from this event. As a precaution, we are rotating all credentials across all affected systems. We have found no evidence of unauthorized access to customer data or accounts. The impact has been limited to developer tooling.
We will continue with remediation and share another update when we can.
We are continuing to investigate the malicious version of the intercom-client package.
We have now confirmed that intercom-php@v5.0.2 was also compromised, between 20:53 UTC and 22:37 UTC on 2026-04-30. A safe version of v5.0.2 has since been restored.
If you installed or updated intercom-php during this window, we recommend you:
• Uninstall and reinstall the package from a clean source
• Rotate any credentials (API keys, tokens, cloud credentials) that were accessible from the affected environment
We will share further details as they become available.
We are investigating reports that a malicious version (7.0.4) of the intercom-client npm package was briefly published earlier today.
The latest legitimate version is 7.0.3. The impact is contained to the node SDK which is used to access Intercom APIs.
If you installed intercom-client@7.0.4, we recommend:
• removing the package immediately
• rotating any credentials (API keys, tokens, cloud credentials) that were accessible from that environment
We are actively investigating and will share more information as it becomes available.