Compromised version of intercom-client published to npm
On April 30, 2026, version 7.0.4 of intercom-client was published to npm using credentials obtained from a compromised developer account. This version was not produced by Intercom's build pipeline. The malicious version contained an obfuscated JavaScript payload that executed during package installation via a preinstall hook. The payload harvested credentials from the environment in which it ran, including cloud provider credentials (AWS, GCP, Azure), environment variables, .env files, GitHub and …