{
  "Event": {
    "analysis": "1",
    "date": "2026-04-30",
    "extends_uuid": "",
    "info": "[Threat Intel] Intercom\u2019s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack",
    "protected": false,
    "publish_timestamp": "1779546269",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779546268",
    "uuid": "5d6b5965-d685-4230-966d-bc6a7dd7e852",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Shai-Hulud\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005e",
        "local": false,
        "name": "rectifyq:topic=\"supply-chain\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777950023",
        "to_ids": false,
        "type": "link",
        "uuid": "5de87259-a9fc-41ac-8908-c62ad88a8601",
        "value": "https://socket.dev/blog/intercom-s-npm-package-compromised-in-supply-chain-attack",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777950023",
        "to_ids": false,
        "type": "text",
        "uuid": "dce8a21c-68e2-41ec-ad6d-c2bc8e3f0206",
        "value": "The intercom-client npm package version 7.0.4 was compromised through a malicious GitHub account, introducing credential-stealing malware into a widely used Node.js SDK with approximately 360,000 weekly downloads. The attack deployed two malicious files: setup.mjs, executed via a preinstall hook to download an unverified Bun binary, and router_runtime.js, an obfuscated 11.7 MB script targeting Kubernetes, Vault, and cloud credentials. Stolen data was encrypted and exfiltrated through the GitHub API. The compromise resembles recent attacks on the PyPI lightning package and SAP CAP packages, sharing technical patterns with TeamPCP-linked campaigns, including GitHub-based exfiltration and CI/CD targeting. The attack was facilitated by the compromised GitHub account nhur, which created malicious workflows and triggered automated CI publishing, affecting developers and CI/CD environments that installed the package."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777950023",
        "to_ids": false,
        "type": "text",
        "uuid": "d0751797-18a6-49f5-b551-0ccc609412fa",
        "value": "Name: Intercom\u2019s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack\nAuthor: AlienVault\nAdversary: TeamPCP\nTags: [\"ci/cd targeting\", \"npm compromise\", \"mini shai-hulud\", \"supply chain attack\", \"github account compromise\"]\nTgtd countries: []\nMlwr families: [\"Mini Shai-Hulud\"]\nAttack_ids: []\nIndustries: [\"Technology\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777950023",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "7a1e1e08-b6f7-4ca2-9fd7-47053a2c75ed",
        "value": "TeamPCP"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:08/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546264",
        "to_ids": true,
        "type": "md5",
        "uuid": "0152eab1-c412-45ff-bb62-f289f731d727",
        "value": "598f8a39b021cf56d33432b6f67f7660",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:08/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546266",
        "to_ids": true,
        "type": "sha1",
        "uuid": "92f6587f-6e9c-4abd-9ad5-ec61dfbe74aa",
        "value": "7c8bf63a9ba9169d5237acfc683f1bd004349341",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:08/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546268",
        "to_ids": true,
        "type": "sha256",
        "uuid": "29bb72b1-0c85-42f0-ac09-a83933d1cc3b",
        "value": "fe64699649591948d6f960705caac86fe99600bf76e3eae29b4517705a58f0e2",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
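        "comment": "Network Indicators (Do Not Block) - legitimate link-local cloud instance metadata service address (AWS EC2, Azure, GCP), not attacker infrastructure; detection context only",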
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778209807",
        "to_ids": false,
        "type": "url",
        "uuid": "d2d5dd30-529d-41d6-8534-2cd7cde16821",
        "value": "http://169.254.169.254",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
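        "comment": "Network Indicators (Do Not Block) - legitimate AWS ECS task credential/metadata endpoint, not attacker infrastructure; detection context only",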
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778209827",
        "to_ids": false,
        "type": "url",
        "uuid": "dbb5ca84-7cd9-4cae-991b-0535f8f8bb77",
        "value": "http://169.254.170.2",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
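        "comment": "Network Indicators (Do Not Block) - legitimate AWS EKS Pod Identity Agent credential endpoint, not attacker infrastructure; detection context only",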
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778209848",
        "to_ids": false,
        "type": "url",
        "uuid": "67b51cc5-33d4-4991-839e-c95a2b1b6506",
        "value": "http://169.254.170.23",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
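        "comment": "Network Indicators (Do Not Block) - legitimate Google Cloud metadata server hostname, not attacker infrastructure; detection context only",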
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778209869",
        "to_ids": false,
        "type": "url",
        "uuid": "ceddd1bd-ac08-4114-99b3-5592ab80e5fe",
        "value": "http://metadata.google.internal",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546262",
        "uuid": "2703afcc-0e1f-44db-b9c7-3aa67cf67aa9",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546262",
            "to_ids": true,
            "type": "md5",
            "uuid": "df4a3228-f2a4-4f26-91c4-7cc1618d760d",
            "value": "9bd71891febd47b6a7d9ef1f6120662a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546262",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7675ca7b-727b-4045-ab11-d6d6cdf327b1",
            "value": "0cf67457352cf82dea4189d9dbd41b8f519dbb81",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546262",
            "to_ids": true,
            "type": "sha256",
            "uuid": "090d406a-8958-4979-838b-7816e8f776a7",
            "value": "5ae8b2343e97cc3b2c945ec34318b63f27fa2db1e3d8fbaa78c298aa63db52ed",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778206430",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "13b48c75-8fc8-49a0-8297-077b121474f3",
            "value": "49152:tvpw3R136+I911qNdg+EY4nI8SFo+vlCVs2XZHd4IoR4I9MOpMRQ0Y/2569BVhWX:G0BDhP"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778206430",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "db34c758-af73-4f72-8785-d4829ead4687",
            "value": "11731860"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778206430",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c27ad4a3-51fb-48d3-9f43-66aecf923eb2",
            "value": "a89c16d574a0ed404bb69484c9742a42"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778206430",
            "to_ids": true,
            "type": "filename",
            "uuid": "7cd38cd7-baf9-4085-936f-423ce873bbab",
            "value": "router_runtime.js.txt"
          },
          {
            "category": "Other",
            "comment": "Checked: 08/05/2026\nLast-scan\t:  08/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778206430",
            "to_ids": false,
            "type": "text",
            "uuid": "da8277ab-a9d7-4cf3-b304-4b1638d58d67",
            "value": "Type Description: JavaScript\nMicrosoft: Trojan:JS/ShaiWorm.DQ!MTB\nVT Total Detection:17/61\nFirst Submission:2026-05-06T13:42:04.000000+00:00\nLast Submission:2026-05-06T13:42:04.000000+00:00"
          }
        ]
      }
    ]
  }
}