
Intercom [email protected] report describes credential harvesting via preinstall payload

The Intercom TypeScript Library [email protected] was published with a malicious preinstall hook that downloads the Bun runtime and runs a payload to harvest GitHub credentials, then uses those credentials to push infected versions of other npm packages. For enterprise IT and security teams, this adds another high-download npm package to credential-containment and incident-triage work.

Research Overview

The report describes [email protected] as compromised through a drop-and-execute install flow that ends in GitHub credential theft. It characterizes the follow-on behavior as worm-like: the stolen credentials are used to reach and republish additional packages.

The analysis links the observed behavior to earlier Shai-Hulud-style npm supply-chain compromises, which also used stolen credentials to spread. The report notes that [email protected] has high weekly download volume, contributing to the concern about future infected releases.

Key Findings

During installation, the package runs a setup.mjs script from a preinstall hook, so the code executes before any application code is imported and before most dependency review happens. The script downloads the Bun runtime from GitHub and then uses it to execute a payload identified as router_runtime.js.

The payload harvests GitHub credentials (the report mentions a GitHub auth token), queries zero.masscan.cloud, and retrieves command-and-control instructions by using GitHub's public commit search API as a resolver. The report says the Bun binary deletes itself after execution to reduce forensic traces.

Technical Breakdown

The payload resolves its instructions from commit data in a specified repository, using search strings embedded in public commit messages. It references the repository https://github.com/LuisDepo/sayyadina-heighliner-138 and searches for commits containing the strings “beautifulcastle” and “EveryBoiWeBuildIsAWormyBoi”.
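Turning the install-hook mechanics from Key Findings and the indicators above into a check a responder can run offline, as an added example (not code from the report or from Intercom): the script below audits package.json lifecycle scripts for the drop-and-execute pattern (an install hook that runs a script file or a downloader), greps file contents for the indicator strings the report names, and confirms whether a project .npmrc sets ignore-scripts=true so lifecycle hooks cannot run at all. The sample manifests, file contents, .npmrc text and function names are constructed for illustration; only the indicator strings come from the report.

```javascript
// Added example (not from the original report or from Intercom): audit npm
// manifests and files for the install-hook pattern described above, and
// check whether a project .npmrc disables lifecycle scripts.
// Indicator strings are the ones named in the report; the sample manifests,
// file contents and function names are constructed for illustration.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators named in the report: the preinstall script, the payload file,
// the downloaded runtime, the lookup host, the C2 resolver repository and
// the two commit-message search strings.
const INDICATORS = [
  "setup.mjs",
  "router_runtime.js",
  "bun",
  "zero.masscan.cloud",
  "github.com/LuisDepo/sayyadina-heighliner-138",
  "beautifulcastle",
  "EveryBoiWeBuildIsAWormyBoi",
];

// Generic drop-and-execute signals for an install hook, independent of this
// campaign: executing a script file at install time, or fetching something.
const HOOK_PATTERNS = [
  { name: "runs-script-file", re: /\b(node|bun)\s+\S+\.(m?js|cjs)\b/i },
  { name: "downloader", re: /\b(curl|wget)\b/i },
];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Word-bounded so "bun" does not fire on "bundle" or "webpack bundle".
const INDICATOR_RES = INDICATORS.map((ioc) => ({
  ioc,
  re: new RegExp("\\b" + escapeRegExp(ioc) + "\\b", "i"),
}));

function matchIndicators(text) {
  return INDICATOR_RES.filter(({ re }) => re.test(text)).map(({ ioc }) => ioc);
}

// Examine one package.json object; returns one finding per suspicious hook.
function auditManifest(pkgName, manifest) {
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string") continue;
    const reasons = HOOK_PATTERNS.filter((p) => p.re.test(command)).map((p) => p.name);
    for (const ioc of matchIndicators(command)) reasons.push("indicator:" + ioc);
    if (reasons.length > 0) findings.push({ package: pkgName, hook, command, reasons });
  }
  return findings;
}

// Examine file contents (e.g. every .js/.mjs under node_modules) for the
// report's indicator strings.
function scanContent(path, text) {
  return matchIndicators(text).map((ioc) => ({ path, indicator: ioc }));
}

// Containment check: does this .npmrc turn lifecycle scripts off?
// npm's ini format: "key=value" per line, "#" or ";" comments, last value wins.
function npmrcIgnoresScripts(npmrcText) {
  let disabled = false;
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const val = line.slice(eq + 1).trim();
    if (key === "ignore-scripts") disabled = val === "true";
  }
  return disabled;
}

// Constructed sample data: not real manifests and not the real dropper.
const SAMPLE_MANIFESTS = {
  "benign-native-addon": { scripts: { install: "node-gyp rebuild", test: "jest" } },
  "constructed-bad-release": { scripts: { preinstall: "node setup.mjs", build: "tsc" } },
  "bundler-only": { scripts: { postinstall: "webpack bundle" } },
};

const SAMPLE_FILES = {
  "node_modules/constructed-bad-release/setup.mjs":
    "// constructed stand-in for the dropper, not the real file\n" +
    "const runtime = 'bun';\n" +
    "const payload = 'router_runtime.js';\n",
  "node_modules/benign-native-addon/index.js":
    "module.exports = require('./build/Release/addon');\n",
};

const SAMPLE_NPMRC = "# project config\nignore-scripts=true\n";

function runDemo() {
  const hookFindings = Object.entries(SAMPLE_MANIFESTS)
    .flatMap(([name, m]) => auditManifest(name, m));
  const contentFindings = Object.entries(SAMPLE_FILES)
    .flatMap(([p, t]) => scanContent(p, t));
  return { hookFindings, contentFindings, scriptsDisabled: npmrcIgnoresScripts(SAMPLE_NPMRC) };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Run it with node as-is to see the constructed samples flagged; on a real tree, feed auditManifest each node_modules/*/package.json and scanContent the text of every .js/.mjs file. The benign node-gyp hook and the "webpack bundle" hook are deliberately left unflagged to show the word-bounded matching; a project that legitimately uses Bun will still hit the "bun" indicator and needs a manual look. ignore-scripts=true is a blunt control, since it also stops legitimate native-addon builds, so pair it with an allowlist where those are required.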

After credentials are obtained, the report describes the attacker using them to infect additional npm packages. It also points to a prior outcome of this attack style, stating that in November 2026 it compromised more than 1,000 packages.

Blog Signals brief is a fact-based summary of the vendor blog.