CVE Reports

Posted on • Originally published at cvereports.com


GHSA-54PG-9963-V8VG: Supply Chain Compromise and Credential Theft in intercom-client

Vulnerability ID: GHSA-54PG-9963-V8VG
CVSS Score: 9.6
Published: 2026-05-07

The intercom-client npm package was compromised in a supply chain attack when a malicious version (7.0.4) was published to the public registry. This version contained an obfuscated payload designed to steal multi-cloud credentials, SSH keys, and tokens, exfiltrating them via a GitHub repository dead-drop mechanism.

TL;DR

A malicious version (7.0.4) of the intercom-client npm package executes an obfuscated preinstall hook to harvest cloud metadata and local secrets. The malware exfiltrates stolen credentials by committing them to a newly created public GitHub repository on the victim's account.

⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-506
  • Attack Vector: Network (Supply Chain)
  • CVSS v3.1 Score: 9.6
  • Impact: Credential Theft & Exfiltration
  • Exploit Status: Active Exploitation
  • Malicious Component: router_runtime.js

Affected Systems

  • Node.js build environments
  • CI/CD pipelines executing npm install
  • Developer workstations utilizing intercom-client
  • Cloud instances (AWS, GCP, Azure) running the compromised software
  • intercom-client: version 7.0.4 only (earlier releases are not affected; 7.0.3 is the version to pin to, listed as "Fixed in: 7.0.3")

Mitigation Strategies

  • Strict dependency version pinning to prevent automatic ingestion of new, unverified package versions.
  • Implementation of egress network filtering in CI/CD pipelines to block unauthorized outbound API calls and instance metadata service (IMDS) queries.
  • Enforcement of least privilege principles for developer accounts and cloud instance roles.
  • Utilization of --ignore-scripts flag during npm installations to prevent automatic execution of lifecycle hooks.

Remediation Steps:

  1. Audit environment dependencies using 'npm list intercom-client' to identify any installation of version 7.0.4.
  2. Pin 'intercom-client' to version 7.0.3 in package.json and regenerate the lock file so that 7.0.4 cannot be resolved again.
  3. Search the organization's GitHub account for public repositories with the description 'A Mini Shai-Hulud has Appeared'.
  4. Revoke and rotate all cloud credentials (AWS, GCP, Azure), GitHub tokens, npm tokens, and SSH keys accessible on compromised hosts.
  5. Review cloud provider logs (CloudTrail, etc.) for unauthorized access using potentially compromised instance roles.

Read the full report for GHSA-54PG-9963-V8VG on our website for more details including interactive diagrams and full exploit analysis.
