The attack leverages a compromised developer account to publish a malicious version (7.0.4) of the intercom-client npm package. The legitimate maintainer’s npm credentials were stolen, allowing the attacker to bypass Intercom’s build pipeline. Upon installation, a preinstall hook defined in package.json executes an obfuscated JavaScript payload. This payload runs with the privileges of the user or CI system invoking npm install. It scans the environment for sensitive data: cloud provider tokens (AWS_ACCESS_KEY_ID, GOOGLE_APPLICATION_CREDENTIALS, AZURE_CLIENT_SECRET), environment variables (process.env), .env files, GitHub and npm authentication tokens, SSH private keys (~/.ssh/), local configuration files (.npmrc, .aws/credentials), and metadata endpoints (169.254.169.254 for cloud metadata). Harvested credentials are aggregated into a JSON object, then exfiltrated via HTTPS POST requests to attacker-controlled GitHub repositories (using raw.githubusercontent.com or gist.github.com as staging). The malicious package was available on the npm registry for approximately two hours (15:00–17:00 UTC on April 30, 2026). Detection relies on checking package-lock.json or running npm list intercom-client. The campaign, dubbed “Mini Shai-Hulud,” was identified by Wiz and Socket.
dailycve form:
Platform: npm package
Version: 7.0.4
Vulnerability: Malicious preinstall hook
Severity: Critical
Date: April 30 2026
Prediction: April 30 2026
What Undercode Says:
Check the installed version:
npm list intercom-client
Search lock files (lockfile v2/v3 records the version under the "node_modules/intercom-client" key, so grep that key rather than the dependency line):
grep -A3 '"node_modules/intercom-client"' package-lock.json | grep '"version"'
grep -A1 "intercom-client@" yarn.lock | grep "7.0.4"
grep "intercom-client@7.0.4" pnpm-lock.yaml
Rotate all credentials (example: AWS):
aws configure set aws_access_key_id NEW_KEY
aws configure set aws_secret_access_key NEW_SECRET
Audit CI logs for installs inside the exposure window (15:00–17:00 UTC, i.e. hours 15 and 16):
grep "npm install" /var/log/ci/build.log | grep "2026-04-30 1[56]:"
Exploit:
Attacker publishes trojaned 7.0.4 using stolen npm tokens. Preinstall script runs `node -e "eval(atob('base64…'))"` to decode and execute the credential harvester. Exfil via `fetch` to attacker GitHub repo.
Protection from this CVE:
Downgrade to 7.0.3: `npm install intercom-client@7.0.3`.
Block version 7.0.4 in internal registries.
Use npm `--ignore-scripts` during install.
Monitor package integrity with `npm audit` and Sigstore.
Impact:
All credentials exposed to the compromised environment (CI runners, dev machines) are stolen. Cloud accounts, git repos, and SSH keys become attacker-controlled. Full supply chain compromise of dependent projects.
Sources:
Reported By: github.com