Summary
The Intercom TypeScript Library [email protected] (published on 2026-04-30 at 14:41:04.098Z) has been compromised: it uses a classic drop-and-execute pattern to run an infostealer that harvests GitHub credentials. The attack pattern matches past Shai-Hulud compromises, which behave like a worm, automatically using stolen credentials to infect additional npm packages. That worm behavior, combined with the library's 361,510 downloads per week, indicates that another wave of infected packages may be coming. Users of the Intercom TypeScript Library who have installed version 7.0.4 should check for suspicious activity and rotate their GitHub credentials.
How it works
During install, [email protected] executes a setup.mjs script via a preinstall hook. The script downloads the Bun runtime from GitHub, then runs a router_runtime.js payload that executes gh auth token to harvest GitHub credentials, queries zero.masscan.cloud, and uses GitHub's public commit search API as a dead-drop resolver: it searches for specific strings (beautifulcastle, EveryBoiWeBuildIsAWormyBoi) to retrieve C2 instructions embedded in public commit messages in the GitHub repo https://github.com/LuisDepo/sayyadina-heighliner-138. Because the traffic goes to a legitimate service, this technique bypasses network-level C2 detection that relies on blocking known-malicious hosts. The Bun binary deletes itself after execution to reduce forensic traces. The attacker then uses the stolen credentials to infect additional packages. In November 2025, this style of attack resulted in the compromise of more than 1,000 packages.
IOCs
C2 domain: zero.masscan.cloud
GitHub queries:
https://api.github.com/search/commits?q=beautifulcastle%20&sort=author-date&order=desc
https://api.github.com/search/commits?q=EveryBoiWeBuildIsAWormyBoi&sort=author-date&order=desc&per_page=50
GitHub repos: https://github.com/LuisDepo/sayyadina-heighliner-138