Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack
The official intercom-client npm package (version 7.0.4) was compromised in a supply chain attack attributed to the Mini Shai-Hulud campaign and linked to the TeamPCP threat actor. The malicious package executes during installation via a preinstall hook to harvest cloud, Kubernetes, and Vault credentials from developer and CI/CD environments, exfiltrating them via the GitHub API.
Authors: Socket Threat Research
Source: Socket
- SHA256 5ae8b2343e97cc3b2c945ec34318b63f27fa2db1e3d8fbaa78c298aa63db52ed - router_runtime.js: 11.7 MB obfuscated JavaScript payload used for credential harvesting
- SHA256 fe64699649591948d6f960705caac86fe99600bf76e3eae29b4517705a58f0e2 - setup.mjs: malicious preinstall script that downloads and executes the Bun binary
- URL hxxp://169[.]254[.]169[.]254 - AWS IMDS endpoint targeted by the malware to harvest cloud credentials
- URL hxxp://169[.]254[.]170[.]2 - AWS ECS credentials endpoint targeted by the malware
- URL hxxp://metadata[.]google[.]internal - GCP IMDS endpoint targeted by the malware to harvest cloud credentials
Detection / Hunter
What Happened
The official software package for Intercom's programming interface was hijacked by attackers to include malicious code. Anyone who installed version 7.0.4 of the intercom-client package is affected, particularly developers and automated build systems. This is a severe issue because the malicious code steals sensitive passwords and access tokens for cloud services like AWS, Google Cloud, and Kubernetes. Users should immediately remove the compromised version, downgrade to a safe version, and change any passwords or tokens that were present on the affected systems.
Key Takeaways
- The official intercom-client npm package (version 7.0.4) was compromised to include malicious credential harvesting code.
- The attack utilizes a preinstall script to download a Bun binary and execute an 11.7 MB obfuscated payload (router_runtime.js).
- The malware specifically targets Kubernetes, Vault, AWS, and GCP credentials in developer and CI/CD environments.
- The campaign is linked to the 'Mini Shai-Hulud' worm and the TeamPCP threat actor, utilizing compromised GitHub accounts to manipulate CI workflows.
- The compromised GitHub account 'nhur' was used to create malicious repositories and spoof Dependabot commits to exfiltrate secrets via GitHub Actions artifacts.
Affected Systems
- Node.js developer environments
- CI/CD pipelines
- Backend services integrating intercom-client@7.0.4
- GitHub Actions workflows
Attack Chain
A compromised GitHub account (nhur) was used to manipulate CI workflows and publish a malicious version (7.0.4) of the intercom-client npm package. Upon installation, a preinstall hook executes setup.mjs, which downloads an unverified Bun binary from GitHub. This binary executes an 11.7 MB obfuscated JavaScript payload (router_runtime.js) that harvests Kubernetes, Vault, AWS, and GCP credentials from environment variables and local files. The stolen secrets are then encrypted and exfiltrated using the GitHub API.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules (YARA, Sigma, etc.) are provided in the article.
Detection Engineering Assessment
- EDR Visibility: Medium — EDR solutions can detect the execution of the Bun binary and subsequent file reads, but may lack the context to tie it back to the npm preinstall hook without specific parent-child process monitoring.
- Network Visibility: Medium — Network monitoring can identify anomalous connections to Cloud IMDS endpoints (169.254.x.x) from unexpected processes, as well as unusual outbound traffic to the GitHub API.
- Detection Difficulty: Moderate — The heavy obfuscation of the JavaScript payload and the use of legitimate GitHub infrastructure for exfiltration make static analysis and network blocking difficult. Detection relies heavily on behavioral anomalies.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon 1)
- Network Connections (Sysmon 3)
- File Creation (Sysmon 11)
- GitHub Audit Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for npm or node processes spawning bun binaries, especially those executing from temporary directories. | Process Creation (EDR/Sysmon) | Execution | Low |
| Monitor for unexpected processes (like bun or node) making HTTP requests to Cloud Instance Metadata APIs (169.254.169.254 or 169.254.170.x). | Network Connections (EDR/Sysmon) | Credential Access | Medium |
| Search GitHub audit logs for workflow modifications that include the string '${{ toJSON(secrets) }}' being written to files or uploaded as artifacts. | GitHub Audit Logs | Collection | Low |
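The three hunting hypotheses above, run over constructed telemetry, as an added example that is not part of the Socket report. The event shapes, field names, Linux-style paths and the IMDS client allowlist are assumptions; the metadata endpoints and the `${{ toJSON(secrets) }}` string are those named in the report.

```python
import ipaddress
import re
# Metadata endpoints from the report: IMDS 169.254.169.254 and AWS ECS 169.254.170.x.
IMDS_NETS = [ipaddress.ip_network("169.254.169.254/32"),
             ipaddress.ip_network("169.254.170.0/24")]
IMDS_HOSTS = {"metadata.google.internal"}
IMDS_ALLOWLIST = {"cloud-init"}   # assumed site-specific list of legitimate IMDS clients
NPM_PARENTS = re.compile(r"(^|/)(npm|npx|node)$")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SECRETS_DUMP = re.compile(r"\$\{\{\s*toJSON\(\s*secrets\s*\)\s*\}\}")  # hypothesis 3 string

def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]

def is_imds(dest: str) -> bool:
    # True if dest is a cloud metadata hostname or address
    if dest in IMDS_HOSTS:
        return True
    try:
        return any(ipaddress.ip_address(dest) in net for net in IMDS_NETS)
    except ValueError:  # ordinary hostnames are not IMDS
        return False

def hunt(events):
    """Apply the three hunting hypotheses; returns (rule, severity, detail) tuples."""
    hits = []
    for ev in events:
        if ev["type"] == "process_create":
            # H1: npm/node parent spawning bun, higher severity when bun runs from a temp dir
            if basename(ev["image"]) == "bun" and NPM_PARENTS.search(ev["parent_image"]):
                sev = "high" if ev["image"].startswith(TEMP_DIRS) else "medium"
                hits.append(("H1 npm/node spawned bun", sev, ev["image"]))
        elif ev["type"] == "network_connect":
            # H2: any non-allowlisted process reaching a metadata endpoint
            if is_imds(ev["dest"]) and basename(ev["image"]) not in IMDS_ALLOWLIST:
                hits.append(("H2 IMDS access", "medium", f"{ev['image']} -> {ev['dest']}"))
        elif ev["type"] == "workflow_change" and SECRETS_DUMP.search(ev["content"]):
            # H3: workflow edit that serialises the whole secrets context
            hits.append(("H3 secrets dump in workflow", "high", ev["path"]))
    return hits

# Constructed telemetry (not real logs): Sysmon/EDR-style events plus one GitHub audit entry.
EVENTS = [
    {"type": "process_create", "parent_image": "/usr/bin/node", "image": "/tmp/bun-v1.2/bun"},
    {"type": "process_create", "parent_image": "/usr/bin/node", "image": "/usr/bin/git"},
    {"type": "network_connect", "image": "/tmp/bun-v1.2/bun", "dest": "169.254.169.254"},
    {"type": "network_connect", "image": "/usr/bin/cloud-init", "dest": "169.254.169.254"},
    {"type": "network_connect", "image": "/tmp/bun-v1.2/bun", "dest": "metadata.google.internal"},
    {"type": "workflow_change", "path": ".github/workflows/test.yml",
     "content": "run: echo '${{ toJSON(secrets) }}' > secrets.json"},
]
```

Running `hunt(EVENTS)` yields four hits: the temp-dir bun launch, two IMDS contacts by bun (cloud-init is allowlisted), and the workflow secrets dump.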
Control Gaps
- Lack of integrity checks on npm preinstall scripts
- Overly permissive CI/CD secrets access
- Insufficient monitoring of GitHub Actions workflow modifications
Key Behavioral Indicators
- Execution of bun binary triggered by npm preinstall
- Creation of GitHub repositories with the description 'A Mini Shai-Hulud has Appeared'
- Spoofed dependabot commits modifying CI workflows to dump secrets
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Immediately remove intercom-client@7.0.4 from all environments.
- Downgrade to a known-good version (intercom-client@7.0.3 or earlier).
- Rotate all potentially exposed credentials, prioritizing Kubernetes, Vault, AWS, GCP, and GitHub tokens.
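To carry out the first two steps across many repositories, a lockfile scan helps. This is an added example, not from the Socket report, that walks an npm package-lock.json (both the v1 nested format and the v2/v3 flat "packages" map) and reports every installed copy of intercom-client at 7.0.4, including copies nested under other dependencies; the sample lockfiles are constructed.

```python
import json

# The compromised release named in the report; extend the set if more are published.
COMPROMISED = {("intercom-client", "7.0.4")}

def _walk_v1(deps, prefix, out):
    # lockfileVersion 1 nests "dependencies" objects keyed by package name
    for name, meta in (deps or {}).items():
        path = f"{prefix}node_modules/{name}"
        out.append((name, meta.get("version"), path))
        _walk_v1(meta.get("dependencies"), path + "/", out)

def installed_packages(lock: dict):
    """Return (name, version, install_path) for every package in an npm lockfile."""
    out = []
    if "packages" in lock:   # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if not path:     # "" is the root project, not a dependency
                continue
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            out.append((name, meta.get("version"), path))
    else:
        _walk_v1(lock.get("dependencies"), "", out)
    return out

def find_compromised(lock_json: str):
    """List every install path that carries a compromised (name, version) pair."""
    return [hit for hit in installed_packages(json.loads(lock_json)) if hit[:2] in COMPROMISED]

# Constructed lockfiles (not from a real project) showing both formats and a nested copy.
SAMPLE_LOCK_V3 = json.dumps({"name": "example-app", "lockfileVersion": 3, "packages": {
    "": {"name": "example-app", "dependencies": {"intercom-client": "^7.0.0"}},
    "node_modules/intercom-client": {"version": "7.0.4"},
    "node_modules/some-sdk": {"version": "1.0.0"},
    "node_modules/some-sdk/node_modules/intercom-client": {"version": "7.0.3"},
}})
SAMPLE_LOCK_V1 = json.dumps({"lockfileVersion": 1, "dependencies": {
    "some-sdk": {"version": "1.0.0", "dependencies": {"intercom-client": {"version": "7.0.4"}}},
}})

if __name__ == "__main__":
    for lock in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        print(find_compromised(lock))
```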
Infrastructure Hardening
- Restrict access to Cloud IMDS endpoints from containerized and CI/CD environments.
- Implement strict egress network filtering for CI/CD runners to prevent unauthorized exfiltration.
- Disable or heavily restrict the use of npm preinstall scripts in CI/CD pipelines where possible.
User Protection
- Enforce 2FA/MFA on all GitHub and npm accounts.
- Audit GitHub organization permissions, third-party app access, and active SSH keys/Personal Access Tokens.
Security Awareness
- Educate developers on the risks associated with npm preinstall scripts and supply chain attacks.
- Train engineering teams to verify package integrity and monitor for unexpected dependency updates or workflow changes.
MITRE ATT&CK Mapping
- T1195.002 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1078.004 - Valid Accounts: Cloud Accounts
- T1552.005 - Unsecured Credentials: Cloud Instance Metadata API
- T1048 - Exfiltration Over Alternative Protocol
Additional IOCs
- Urls:
  - hxxp://169[.]254[.]170[.]23 - AWS ECS (alt endpoint) targeted by the malware
- File Hashes:
  - 0cf67457352cf82dea4189d9dbd41b8f519dbb81 (SHA1) - router_runtime.js payload
  - 9bd71891febd47b6a7d9ef1f6120662a (MD5) - router_runtime.js payload
  - 7c8bf63a9ba9169d5237acfc683f1bd004349341 (SHA1) - setup.mjs preinstall script
  - 598f8a39b021cf56d33432b6f67f7660 (MD5) - setup.mjs preinstall script
- File Paths:
  - .github/workflows/format-check.yml - Malicious GitHub Actions workflow introduced by compromised account
  - .github/workflows/test.yml - Malicious GitHub Actions workflow introduced by compromised account
  - .claude/ - Directory added by follow-on commits in the Shai-Hulud worm attack
  - .vscode/ - Directory added by follow-on commits in the Shai-Hulud worm attack
- Other:
  - nhur - Compromised GitHub account used to publish the malicious package and manipulate repositories
  - ghola-melange-68 - Malicious repository created by compromised account
  - mentat-melange-655 - Malicious repository created by compromised account
  - powindah-sietch-859 - Malicious repository created by compromised account
  - 8fd2c82 - Malicious commit hash by user nhur deleting ci.yml and adding test.yml
  - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAm1ThuFsx+rWD5RFI8A7B... - Public RSA Key associated with the malware (truncated for brevity, full key in article)
  - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA55aMQwvJuy++UvFmWrPW... - Public RSA Key associated with the malware (truncated for brevity, full key in article)