Summary
Workarounds
If a developer installed version 7.0.4 on any machine or CI system, treat all credentials accessible from that environment as compromised and rotate them. Check lock files (package-lock.json, yarn.lock, pnpm-lock.yaml) for references to 7.0.4. Review CI/CD build logs for any npm install that resolved to 7.0.4 between 15:00 and 17:00 UTC on April 30, 2026.
Resources
Impact
On April 30, 2026, version 7.0.4 of intercom-client was published to npm using credentials obtained from a compromised developer account. This version was not produced by Intercom's build pipeline.
The malicious version contained an obfuscated JavaScript payload that executed during package installation via a preinstall hook. The payload harvested credentials from the environment in which it ran, including cloud provider credentials (AWS, GCP, Azure), environment variables, .env files, GitHub and npm tokens, SSH keys, local configuration files, and cloud metadata service credentials.
Harvested data was exfiltrated to attacker-controlled GitHub repositories. The package was live on npm for approximately 2 hours (15:00-17:00 UTC).
This compromise is part of the "Mini Shai-Hulud" supply chain campaign tracked by Wiz and Socket.
Developers can check if their projects are affected by running: npm list intercom-client. If it shows 7.0.4, the project is affected.
GHSA-54PG-9963-V8VG has a CVSS score of 9.3 (Critical). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Version 7.0.3 and all prior versions are unaffected. Downgrade to 7.0.3 immediately.
Frequently Asked Questions
- What is GHSA-54PG-9963-V8VG? GHSA-54PG-9963-V8VG is a critical-severity security vulnerability in intercom-client (npm), affecting versions = 7.0.4. No fixed version is listed yet.
- How severe is GHSA-54PG-9963-V8VG? GHSA-54PG-9963-V8VG has a CVSS score of 9.3 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of intercom-client are affected by GHSA-54PG-9963-V8VG? intercom-client (npm) versions = 7.0.4 is affected.
- Is there a fix for GHSA-54PG-9963-V8VG? No fixed version is listed for GHSA-54PG-9963-V8VG yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is GHSA-54PG-9963-V8VG exploitable, and should I be worried? Whether GHSA-54PG-9963-V8VG is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-54PG-9963-V8VG is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.