intercom-client

Incident Summary

Intercom Node.js SDK Compromise (Mini Shai-Hulud)

The Mini Shai-Hulud/TeamPCP campaign compromised the official intercom-client package on npm. The malicious 7.0.4 release was published on April 30, 2026 at 14:41 UTC via a hijacked GitHub Actions OIDC publishing pipeline. It introduced a preinstall hook, a setup.mjs loader, and an 11.7 MB obfuscated router_runtime.js payload. The payload used Bun v1.3.13, daemonized itself, and harvested GitHub, npm, AWS, GCP, Azure, private-key, and generic API credentials. It exfiltrated them via GitHub private repositories under victim accounts and attempted worm-style propagation through stolen npm publishing tokens.

Date
2026-04-30
Category
Open Source
Target Surface
Package registry
Insertion Phase
CI/CD
Impact
Credential theft
Cause
CI/CD Exploit

What Was Affected

Package intercom-client
Language JavaScript
Component Library
Artifact type source archive
Domain type package host
Domain npmjs.com

Compromised Versions

Incident Context

Motive
Credential Theft
Attribution
Advanced Persistent Threat
Transitive
Yes
User Impact
361510
Observed Duration
0 days

Evidence

Compromised Artifacts

Current Artifacts and Analysis

  • npm integrity sha512:LcCAJzWI5Jkx75prg8T88aonPsExIrffcugdCDWhNv0HhmOlkA8xYqMuNHqjkgF8o9yxrs09tDub/6MWncK1Lg==
  • file:setup.mjs
  • file:router_runtime.js
  • url:https://api.github.com/user
  • url:https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/
  • url:https://registry.npmjs.org/
  • url:http://169.254.169.254
  • url:http://metadata.google.internal
  • oidc:c6068f87-840d-4993-aa1b-425530e39ee9
  • env:__DAEMONIZED
  • marker:globalThis.__decodeScrambled
  • regex:/gh[op]_[A-Za-z0-9]{36}/g
  • regex:/npm_[A-Za-z0-9]{36,}/g
  • regex:/ghs_[A-Za-z0-9]{36,}/g
  • regex:/AKIA[A-Z0-9]{16}/g
  • regex:/(AccountKey|accessKey|client_secret)/
  • regex:/-----BEGIN PRIVATE KEY-----/g

Indicators and Changes

Hashes

  • sha256:5f748fbc89cde66abefa826439c765a0081a027792e9da8d80fbf23571311622
  • sha1:1a1b1d0d89fadf7664c42ec628bac7d39a71bd50
  • sha256:fe64699649591948d6f960705caac86fe99600bf76e3eae29b4517705a58f0e2
  • sha256:5ae8b2343e97cc3b2c945ec34318b63f27fa2db1e3d8fbaa78c298aa63db52ed

External References

Source Data

Source record: oss/intercom-client/meta.yaml