May 7, 2026
A malicious version (7.0.4) of the intercom-client npm package executes an obfuscated preinstall hook to harvest cloud metadata and local secrets. The malware exfiltrates stolen credentials by committing them to a newly created public GitHub repository on the victim's account.
The intercom-client npm package was compromised in a supply chain attack when a malicious version (7.0.4) was published to the public registry. This version contained an obfuscated payload designed to steal multi-cloud credentials, SSH keys, and tokens, exfiltrating them via a GitHub repository dead-drop mechanism.
The vulnerability tracked as GHSA-54PG-9963-V8VG represents a severe supply chain compromise affecting the Node.js ecosystem. On April 30, 2026, threat actors successfully compromised a developer account with publishing rights for the intercom-client npm package. The attackers subsequently published version 7.0.4 directly to the public registry, bypassing the vendor's official continuous integration and deployment pipelines.
This incident is classified under CWE-506 (Embedded Malicious Code). The package itself acts as a vehicle for the "Mini Shai-Hulud" worm, a sophisticated credential harvesting tool targeting developer environments and build servers. Any system executing an automated or manual dependency resolution process that pulled version 7.0.4 during the two-hour vulnerability window became compromised.
The attack leverages the standard Node.js package lifecycle to achieve code execution without requiring direct user interaction beyond the initial installation command. The resulting execution environment allows the malware to operate with the same privileges as the user or service account invoking the package manager, providing extensive access to system configurations and environment variables.
The technical root cause of this compromise is the unauthorized account takeover (ATO) of an npm maintainer identified as nhur. The npm registry allows authorized maintainers to publish packages directly via the command line API, provided they possess valid authentication tokens. The threat actor utilized stolen or bypassed credentials to authenticate as this user and upload the malicious artifact.
Once published, the malware relies on an npm preinstall hook defined within the package.json file. The Node.js package manager automatically executes scripts associated with this hook prior to the actual installation of the package contents. This native behavior is frequently abused in supply chain attacks to guarantee payload execution regardless of whether the dependent application actually imports or utilizes the infected module.
The payload executed by the hook is a heavily obfuscated JavaScript file named router_runtime.js, weighing approximately 11.7 MB. In specific execution contexts, the malware attempts to invoke the Bun runtime environment. This runtime substitution serves two purposes: it accelerates the execution of the resource-intensive credential harvesting routines, and it actively bypasses basic sandbox restrictions or behavioral detections targeting the standard Node.js executable.
While the original, unobfuscated source of the payload is not publicly available, the structural changes to the intercom-client package are deterministic. The primary modification occurs within the package metadata. The legitimate version 7.0.3 contains standard dependency and script definitions, whereas the malicious version 7.0.4 introduces the execution vector.
Legitimate package.json (v7.0.3):

```json
{
  "name": "intercom-client",
  "version": "7.0.3",
  "scripts": {
    "test": "mocha"
  }
}
```

Malicious package.json (v7.0.4):

```json
{
  "name": "intercom-client",
  "version": "7.0.4",
  "scripts": {
    "preinstall": "node router_runtime.js",
    "test": "mocha"
  }
}
```

The router_runtime.js file constitutes the core of the attack. Upon execution, the script immediately begins a synchronous traversal of the host filesystem. It specifically targets directories known to house development configurations, such as user home directories, .aws, and .ssh folders. Concurrently, it initiates HTTP GET requests to the link-local IP addresses used by cloud metadata services.
The exfiltration routine represents a notable departure from traditional command-and-control (C2) architectures. The script parses the harvested files for valid GitHub Personal Access Tokens (PATs). If a token with repo scope is identified, the script utilizes the GitHub REST API to programmatically generate a new, public repository under the victim's account. The harvested secrets are then base64-encoded and pushed as an initial commit to this repository.
The exploitation phase begins the moment a developer or CI/CD pipeline executes npm install, yarn install, or pnpm install in a project where intercom-client is listed as a dependency without strict version pinning. The package manager downloads version 7.0.4 and immediately processes the preinstall directive. This action launches router_runtime.js within the execution context of the host machine.
Following execution, the malware initiates its cloud discovery phase. It queries the Instance Metadata Service (IMDS) endpoints specific to AWS (169.254.169.254), GCP (metadata.google.internal), and Azure. The malware extracts temporary instance roles, security credentials, and identity tokens. Simultaneously, the local filesystem scanning routine parses .env files, SSH private keys, and configuration files for long-lived credentials.
The final stage involves the dead-drop exfiltration. The malware authenticates to GitHub using stolen tokens and creates a repository featuring randomly selected words themed around the "Dune" franchise. The repository description is uniformly set to "A Mini Shai-Hulud has Appeared". By committing the stolen data to a public repository hosted on legitimate infrastructure, the attackers evade traditional data-loss prevention (DLP) systems that monitor for anomalous outbound network traffic to unknown domains.
The CVSS v3.1 base score for this vulnerability is 9.6 (Critical), reflecting the profound severity of the compromise. The vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N highlights the network-based attack vector and the changed scope (S:C). The malware compromises the immediate execution environment but primarily aims to pivot, granting attackers unauthorized access to the victim's broader cloud infrastructure and source code repositories.
The loss of confidentiality is total for environments that executed the payload. Temporary IMDS tokens allow attackers to assume the identity of cloud instances, potentially leading to unauthorized data access within S3 buckets or database instances. Furthermore, the theft of SSH keys and long-lived API tokens facilitates persistent access to developer workstations and internal network resources.
The integrity impact is equally critical. With access to stolen GitHub tokens and npm publishing credentials, the threat actors can modify source code repositories, manipulate infrastructure-as-code configurations, or publish subsequent supply chain attacks under the victim's identity. The use of a public GitHub repository for exfiltration also introduces immediate public exposure of highly sensitive organizational secrets.
Organizations utilizing intercom-client must immediately audit their dependency trees to determine if version 7.0.4 was downloaded or executed. Administrators should execute npm list intercom-client across all development and build environments. If version 7.0.4 is identified, the environment must be considered actively compromised, necessitating a full incident response protocol rather than a simple package downgrade.
The package version must be strictly downgraded to version 7.0.3 or earlier. Developers must update the package.json file and regenerate lock files (package-lock.json, yarn.lock) to ensure the malicious version is purged from local and remote caches. Continuous integration pipelines should be temporarily halted until the dependency tree is verified clean.
Credential rotation is the most critical remediation step. Organizations must assume all secrets present on the affected host during the two-hour vulnerability window are compromised. This mandates the immediate revocation and regeneration of AWS IAM keys, GCP service account tokens, GitHub Personal Access Tokens, npm publish tokens, and any database credentials or API keys stored in local .env files. Finally, security teams must monitor cloud access logs (e.g., AWS CloudTrail) for anomalous activity originating from the compromised credentials.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| intercom-client (Intercom) | == 7.0.4 | 7.0.3 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-506 |
| Attack Vector | Network (Supply Chain) |
| CVSS v3.1 Score | 9.6 |
| Impact | Credential Theft & Exfiltration |
| Exploit Status | Active Exploitation |
| Malicious Component | router_runtime.js |
CWE-506 description: The product contains code that appears to be malicious in nature, executing unauthorized actions such as data exfiltration.