{
  "title": "intercom-client npm Mini Shai-Hulud Compromise",
  "summary": "On April 30, 2026, `intercom-client@7.0.4` on npm introduced a first-ever `preinstall` hook that executed a Bun-launched obfuscated credential stealer and exfiltrated secrets through GitHub APIs.",
  "date": "2026-04-30",
  "severity": "critical",
  "tags": [
    "npm",
    "package-compromise",
    "supply-chain",
    "credential-theft",
    "shai-hulud"
  ],
  "sources_count": 5,
  "indicators": {
    "slug": "intercom-client-npm-shai-hulud",
    "since": "2026-04-30T00:00:00Z",
    "until": "2026-05-01T00:00:00Z",
    "ecosystem": "npm, javascript npm",
    "cves": [],
    "cwes": [],
    "advisoryIds": [],
    "products": [],
    "packages": [
      "intercom-client"
    ],
    "versions": [
      "7.0.4",
      "intercom-client@7.0.4"
    ],
    "affectedVersions": [],
    "fixedVersions": [],
    "files": [
      "setup.mjs",
      "router_runtime.js"
    ],
    "paths": [],
    "services": [],
    "domains": [],
    "urls": [],
    "ips": [],
    "hashes": [],
    "processPatterns": [
      "npm preinstall launches Bun-backed loader files"
    ],
    "networkPatterns": [
      "egress related to intercom-client 7.0.4"
    ],
    "telemetrySelectors": []
  }
}