
Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 Hijacked — 361,000 Weekly Downloads, AWS, GCP, and Azure Credentials Now in Scope

Published: 1 May 2026 at 14:24:55

Alert date: 1 May 2026 at 15:01:38

Source: stepsecurity.io


Supply Chain & Dependencies, Ransomware & Malware, Cloud & Virtualization

The Shai-Hulud worm has compromised a third major npm package, intercom-client@7.0.4, which has 361,510 weekly downloads. This follows the compromise of the mbt@1.2.48 and @cap-js/sqlite@2.2.2 packages 29 hours earlier. The malicious version was published via a hijacked GitHub Actions OIDC publishing pipeline, demonstrating active propagation through CI/CD infrastructure. The worm has pivoted to multi-cloud targeting and now seeks AWS, GCP, and Azure credentials. The attack represents a significant supply chain compromise affecting hundreds of thousands of weekly downloads across multiple npm packages.
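
To check whether a project resolved any of the three versions named above, the following added example (not part of the original advisory or of StepSecurity's write-up) scans a parsed `package-lock.json` in both the flat `packages` layout and the older nested `dependencies` layout. The script name `check-lock.js` and the sample lockfile are assumptions made for illustration.

```javascript
// Added example: flag the package versions named in this advisory in an npm lockfile.
// Versions below are copied from the advisory text; nothing else is assumed compromised.
const COMPROMISED = new Map([
  ["intercom-client", ["7.0.4"]],
  ["mbt", ["1.2.48"]],
  ["@cap-js/sqlite", ["2.2.2"]],
]);
const MARK = "node_modules/";

// Returns [{name, version, path}] for each compromised entry in a parsed package-lock.json.
function findCompromised(lock) {
  const found = [];
  const check = (name, version, path) => {
    if ((COMPROMISED.get(name) || []).includes(version)) found.push({ name, version, path });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path ("" is the root project).
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue;
    const i = path.lastIndexOf(MARK);
    // Prefer the entry's own "name" (set for aliased installs), else derive it from the path.
    check(meta.name || (i >= 0 ? path.slice(i + MARK.length) : path), meta.version, path);
  }
  // lockfileVersion 1: nested "dependencies" tree; skipped when "packages" exists to avoid duplicates.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail ? `${trail} > ${name}` : name;
      check(name, meta.version, path);
      walk(meta.dependencies, path);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return found;
}

// Constructed sample lockfile (not real project data): one direct hit, one nested hit, one clean version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/intercom-client": { version: "7.0.4" },
    "node_modules/mbt": { version: "1.2.47" },
    "node_modules/some-lib/node_modules/@cap-js/sqlite": { version: "2.2.2" },
  },
};

// Usage: node check-lock.js path/to/package-lock.json (falls back to the sample when no path is given).
const lockPath = process.argv[2];
const lock = lockPath ? JSON.parse(require("fs").readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
const findings = findCompromised(lock);
for (const f of findings) console.log(`COMPROMISED ${f.name}@${f.version} at ${f.path}`);
if (lockPath && findings.length) process.exitCode = 1; // non-zero exit lets CI fail the build
```

A clean lockfile does not cover CI runners or developer machines that installed one of these versions before the lock was updated.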

Affected products:

intercom-client
mbt
@cap-js/sqlite
npm
GitHub Actions
AWS
GCP
Azure

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
