
Compromised intercom-client@7.0.4 npm package is tied to the ongoing Mini Shai-Hulud worm attack targeting developer and CI/CD secrets.

Published: 30 April 2026 at 15:42:44

Alert date: 30 April 2026 at 17:05:34

Source: socket.dev


Supply Chain & Dependencies, Ransomware & Malware, Data Breach & Exfiltration

Socket's AI scanner detected that the intercom-client@7.0.4 npm package was compromised as part of the ongoing Mini Shai-Hulud worm attack. The package contains the malicious files setup.mjs and router_runtime.js, which execute during installation via preinstall hooks. The attack downloads unverified Bun binaries and uses heavily obfuscated JavaScript to harvest Kubernetes, Vault, and cloud credentials from environment variables and local files. Stolen secrets are encrypted and exfiltrated through the GitHub API. The compromise is linked to TeamPCP activity and affects a package with roughly 360,000 weekly downloads and over 100 dependent projects. The GitHub user nhur showed suspicious activity, creating repositories with Dune-themed names and modifying CI workflows to exfiltrate repository secrets.

Technical details

Mitigation steps:

Affected products:

intercom-client
npm
Intercom Node.js SDK

Related links:

Related CVEs:

Related threat actors:

IOCs:

intercom-client@7.0.4, setup.mjs, router_runtime.js, nhur, ghola-melange-, mentat-melange-, powindah-sietch-
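
An added example (not code from Socket or Perceptive) of checking a project for the indicators above: it scans a parsed package-lock.json for intercom-client@7.0.4 and lists install-time lifecycle scripts that reference setup.mjs or router_runtime.js. The function names and the sample lockfile and manifest, including the preinstall command shown, are constructed for illustration.

```javascript
// IoC values below come from the advisory text.
const BAD_PACKAGE = { name: "intercom-client", version: "7.0.4" };
const BAD_FILES = ["setup.mjs", "router_runtime.js"];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

const isBad = (name, meta) =>
  name === BAD_PACKAGE.name && meta.version === BAD_PACKAGE.version;

// Scan a parsed package-lock.json: the v2/v3 "packages" map if present,
// otherwise the nested v1 "dependencies" tree.
function findCompromisedInLock(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // Keys look like "node_modules/a/node_modules/intercom-client".
      const name = meta.name || path.split("node_modules/").pop();
      if (isBad(name, meta)) hits.push(path);
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (isBad(name, meta)) hits.push(`${trail}/${name}`);
      walk(meta.dependencies, `${trail}/${name}`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// List install-time lifecycle scripts in a package.json manifest and note
// which advisory file names each command references.
function auditInstallScripts(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string").map(
    (hook) => ({ hook, cmd: scripts[hook],
      iocFiles: BAD_FILES.filter((f) => scripts[hook].includes(f)) }));
}

// Constructed sample inputs (not copied from the real package).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/intercom-client": { version: "7.0.4" },
  "node_modules/a/node_modules/intercom-client": { version: "7.0.3" } } };
const sampleManifest = { name: "intercom-client", version: "7.0.4",
  scripts: { preinstall: "node setup.mjs", test: "jest" } };

console.log(findCompromisedInLock(sampleLock));
console.log(auditInstallScripts(sampleManifest));
```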

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
