Executive Summary
On April 30, 2026, intercom-client@7.0.4, the official Node.js SDK for Intercom, was published to npm with a malicious preinstall hook and two undocumented files: setup.mjs and router_runtime.js StepSecurity opens in a new tab Socket opens in a new tab. The Intercom security advisory says credentials obtained from a compromised developer account were used, the artifact was not produced by Intercom's build pipeline, and the malicious version remained available for approximately two hours, from 15:00 to 17:00 UTC Intercom advisory opens in a new tab.
The malicious release preserved the legitimate SDK while adding "preinstall": "node setup.mjs" to package.json. setup.mjs bootstrapped Bun and executed an 11,731,860-byte obfuscated JavaScript payload, router_runtime.js, designed to harvest GitHub, npm, cloud, SSH, environment-file, and local configuration secrets StepSecurity opens in a new tab Intercom advisory opens in a new tab. Intercom closed the incident on June 8 after removing the malicious npm and PHP versions, rotating credentials, hardening its environment, and finding no evidence of unauthorized access to Intercom accounts or customer data Intercom status opens in a new tab.