Socket's AI scanner detected, and the Socket Threat Research team has confirmed, that intercom-client@7.0.4 is malicious: a fresh compromise of the npm package used for Intercom's Node.js client.
intercom-client is a widely used official SDK for Intercom’s API. While it is not among npm’s largest packages, npm package aggregators report roughly 360,000 weekly downloads, and npm lists more than 100 dependent projects. The real exposure may extend beyond direct dependents, since the package is commonly installed in backend services, developer environments, and CI/CD pipelines that integrate with Intercom’s API.
Version 7.0.4 of intercom-client contains two malicious files that were not present in the previous version, 7.0.3: setup.mjs and router_runtime.js. The earlier version was published 88 days before 7.0.4 and did not contain the same files, confirming that the malicious code was introduced in the latest release.
The package includes a preinstall hook that runs setup.mjs during installation. The script downloads and executes an unverified Bun binary from GitHub without integrity checks. The second malicious file, router_runtime.js, is an 11.7 MB heavily obfuscated JavaScript file designed to collect Kubernetes and Vault credentials from environment variables and local files. Stolen secrets are encrypted and exfiltrated through the GitHub API.
The attack closely resembles the lightning@2.6.2 PyPI attack from earlier today, as well as the TeamPCP-linked supply chain campaign we reported yesterday affecting SAP CAP and Cloud MTA npm packages. The router_runtime.js file is almost identical to the one used in the lightning attack. In these campaigns, compromised packages also introduced a preinstall script that downloaded a platform-specific Bun ZIP from GitHub Releases, extracted it, and immediately executed the extracted Bun binary on an inserted JavaScript payload. Those packages similarly used an approximately 11.7 MB obfuscated file, targeted developer and CI/CD environments, and abused GitHub infrastructure for exfiltration.
The overlap is significant because the SAP CAP campaign was linked to TeamPCP activity based on shared technical details, including distinctive payload implementation patterns, GitHub-based exfiltration, credential harvesting across developer and CI/CD environments, and similarities to prior attacks affecting Checkmarx, Bitwarden, Telnyx, LiteLLM, and Aqua Security Trivy. We are continuing to analyze whether the intercom-client compromise is part of the same campaign, a direct follow-on attack, or a copycat using similar tooling.
The malicious files were injected into the npm distribution for 7.0.4.
The compromise affects developers and CI/CD environments that installed intercom-client@7.0.4. Because the malicious behavior runs during installation, affected systems may have been exposed even if the package was never imported or used directly in application code.
We recommend that users immediately remove intercom-client@7.0.4, downgrade to a known-good version, rotate potentially exposed credentials, and review systems where the package may have been installed. Environments with Kubernetes credentials, Vault tokens, cloud credentials, or GitHub tokens should be prioritized for investigation.
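As an added example (not Socket's tooling or Intercom's code), the following Node.js script audits a package-lock.json for the compromised release, including nested installs, and lists the install-time lifecycle hooks a package declares, since that is where the malicious behaviour runs. The lockfile and package.json fragments are constructed for illustration.

```javascript
// Added example (not Socket's tooling): audit a package-lock.json (lockfileVersion 2 or 3)
// for the compromised release and list the install-time hooks a package declares.
const COMPROMISED = { "intercom-client": new Set(["7.0.4"]) };
const HOOKS = ["preinstall", "install", "postinstall"];

// Returns every node_modules path (including nested installs) that resolves to a known-bad version.
function findCompromised(lock, bad = COMPROMISED) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // "" for the root project entry
    if (bad[name] && bad[name].has(entry.version)) hits.push(`${path}@${entry.version}`);
  }
  return hits;
}

// Returns the lifecycle hooks that run at install time, i.e. before the package is ever imported.
function installHooks(pkg) {
  const scripts = pkg.scripts || {};
  return HOOKS.filter((h) => h in scripts).map((h) => ({ hook: h, command: scripts[h] }));
}

// Constructed sample lockfile fragment (not the real lockfile from any project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-service", version: "1.0.0" },
    "node_modules/intercom-client": { version: "7.0.4" },
    "node_modules/some-dep/node_modules/intercom-client": { version: "7.0.3" },
  },
};
// Constructed package.json in the shape the post describes: a preinstall hook that runs setup.mjs.
const samplePkg = { name: "intercom-client", version: "7.0.4", scripts: { preinstall: "node setup.mjs" } };

console.log(findCompromised(sampleLock)); // ["node_modules/intercom-client@7.0.4"]
console.log(installHooks(samplePkg)); // [{ hook: "preinstall", command: "node setup.mjs" }]
```

Feed it the parsed lockfile of each service or CI image where the package may have been installed; a hit means the preinstall hook ran on that host even if the SDK was never imported.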
Suspicious GitHub Activity Linked to the Compromise
Several issues were filed on the intercom-node repository reporting the compromised release. These issues were subsequently closed, redacted, and retitled to “N/A” by the GitHub user nhur. The nhur account exhibited a burst of suspicious activity on April 30, 2026, concentrated within a roughly 47-minute window. During this time, the account created three new public repositories (ghola-melange-, mentat-melange-, and powindah-sietch-*), all with similar naming patterns and the identical description "A Mini Shai-Hulud has Appeared". These repositories contained minimal content and appear to have been created via the GitHub web interface.
In parallel, the account performed write actions across 11 repositories in the intercom organization, where it had private membership and access. These actions included creating branches with names resembling Dependabot conventions but containing a typo (e.g., dependabout/github_actions/...), and pushing commits that introduced new GitHub Actions workflows (such as .github/workflows/format-check.yml) and modified existing CI configuration files. The commits used spoofed identities (e.g., "dependabot[bot]" or "claude") but lacked verified signatures.
The newly introduced workflow files were configured to access repository secrets via ${{ toJSON(secrets) }} and write them to files, which were then set up for upload as GitHub Actions artifacts. In at least one repository (intercom-node), subsequent activity shows that a GitHub Actions bot committed additional files shortly after the initial push, indicating that CI workflows were triggered and executed. These follow-on commits added files under .claude/ and .vscode/ directories. These are hallmarks of the Shai-Hulud–style supply chain worm and its later variants.
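As an added example (not Socket's own detection logic), this Node.js script flags workflow text that serialises the whole secrets context, redirects it into a file, and stages files for artifact upload, the combination described above, while leaving ordinary per-secret use alone. The workflow snippets are constructed and are not the actual files from the compromise.

```javascript
// Added example (not Socket's own detection logic): flag GitHub Actions workflow text that
// serialises the whole secrets context, writes it to a file, and stages files for artifact
// upload. Line-based by design so it runs without a YAML dependency.
const RULES = [
  { id: "secrets-dump", re: /toJSON\(\s*secrets\s*\)/i, why: "serialises every repository secret at once" },
  { id: "secrets-to-file", re: /\$\{\{[^}]*secrets[^}]*\}\}.*>\s*\S/i, why: "redirects secret values into a file" },
  { id: "artifact-upload", re: /uses:\s*actions\/upload-artifact/i, why: "uploads workspace files where they can be fetched later" },
];

// Scans one workflow file's text and returns the matching lines plus an overall severity:
// "high" when a secrets dump and an artifact upload appear together, "review" when only one does.
function auditWorkflow(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const r of RULES) {
      if (r.re.test(line)) findings.push({ line: i + 1, rule: r.id, why: r.why, text: line.trim() });
    }
  });
  const ids = new Set(findings.map((f) => f.rule));
  const severity = ids.has("secrets-dump") && ids.has("artifact-upload") ? "high" : findings.length ? "review" : "none";
  return { findings, severity };
}

// Constructed workflow in the shape described above (not the actual file from the compromise).
const sampleWorkflow = `name: format-check
on: [push]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo '\${{ toJSON(secrets) }}' > /tmp/out.json
      - uses: actions/upload-artifact@v4
        with:
          path: /tmp/out.json
`;

// Ordinary secret use (passed as env, never written out) must not trigger the rules.
const benignWorkflow = "env:\n  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}\n";

console.log(auditWorkflow(sampleWorkflow).severity); // "high"
console.log(auditWorkflow(benignWorkflow).severity); // "none"
```

Run it over every file under .github/workflows/ in the affected organization, and treat any "high" result on a branch or workflow you do not recognise as grounds to rotate the secrets that workflow could read.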
Compromised GitHub Account Triggered CI Publish Workflow
We have confirmed that the GitHub user nhur was compromised and that the malicious intercom-client@7.0.4 package was published through a now-deleted branch that triggered an automated CI publish workflow.
A commit to intercom/intercom-node from nhur shows a workflow change titled “Test Commit” that does not belong to any branch in the repository. The commit deleted .github/workflows/ci.yml and added .github/workflows/test.yml, with the new workflow named dependabot/fix and configured to run on pushes to a branch of the same name.
We’re tracking this Mini Shai-Hulud campaign on a dedicated page with affected package artifacts, detection details, and related coverage:
We are continuing to monitor the package and will update this post as more information becomes available. This is a developing story. We are investigating the scope of exposure, remediation status, and any response from the package maintainers, npm, or GitHub.