Compromise of Intercom TypeScript Library Signals Threat to NPM Ecosystem
The recent compromise of the Intercom TypeScript library version 7.0.4 has revealed a sophisticated attack leveraging a drop-and-execute method to deploy an infostealer targeting GitHub credentials. This incident, identified by Netskope, reflects earlier compromise tactics seen with the Shai-Hulud campaigns, indicating a concerning trend in supply chain attacks affecting the software development ecosystem.
The attack chain begins when the compromised library runs a setup script during installation, which downloads the Bun runtime from GitHub. Bun then executes a script named router_runtime.js, which runs the command gh auth token to harvest the developer's GitHub credentials. The script contacts a control server at zero.masscan.cloud and retrieves further instructions hidden within public commit messages on GitHub. Notably, the attacker uses specific search queries such as "beautifulcastle" and "EveryBoiWeBuildIsAWormyBoi" to fetch those instructions, abusing a legitimate service to bypass typical command-and-control detection. The Bun binary is designed to erase itself after execution, hindering detection and forensic analysis. The stolen credentials can subsequently be used to infect additional npm packages, posing a broader risk.
Defensive Context
Developers and organizations using the Intercom TypeScript library must be vigilant. Specifically, anyone who has installed version 7.0.4 of this library should monitor for abnormal activity and rotate their GitHub credentials because of the potential exposure. The wide adoption of this library, with over 361,000 weekly downloads, increases the likelihood that many users have unwittingly been infected.
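As an added example (not code from the advisory, Netskope, or Intercom), the Python audit below walks a project's node_modules, flags any package whose package.json declares install-time lifecycle hooks (the execution point this attack used), notes hooks that fetch remote content, and matches against a compromised-version list. The package name in that list is a placeholder, since the advisory names only the library and version 7.0.4.

```python
"""Audit installed npm packages for install-time hooks and known-bad versions."""
from __future__ import annotations

import json
from pathlib import Path

# Lifecycle hooks that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Substrings that suggest a hook downloads or runs remote content.
REMOTE_FETCH_HINTS = ("curl ", "wget ", "bun ", "github.com", "http://", "https://")

# Assumed: placeholder name for the compromised package (advisory gives only the version).
KNOWN_BAD = {"intercom-typescript-PLACEHOLDER": {"7.0.4"}}


def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed package.json; empty list means clean."""
    findings: list[str] = []
    name = manifest.get("name", "<unnamed>")
    version = manifest.get("version", "")
    if version in KNOWN_BAD.get(name, set()):
        findings.append(f"{name}@{version}: version is on the compromised list")
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        tag = "install hook"
        if any(hint in cmd for hint in REMOTE_FETCH_HINTS):
            tag = "install hook fetching remote content"
        findings.append(f"{name}@{version}: {tag} {hook!r} -> {cmd}")
    return findings


def audit_tree(root: str) -> list[str]:
    """Audit every package.json under root (typically a node_modules directory)."""
    findings: list[str] = []
    for path in Path(root).rglob("package.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or non-JSON file: skip, not a finding
        findings.extend(audit_manifest(manifest))
    return findings


if __name__ == "__main__":
    import sys
    for line in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "node_modules"):
        print(line)
```

Run it against a checkout's node_modules; a hook that pulls a binary from GitHub during install is the pattern to investigate first.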
Why This Matters
This attack exemplifies a growing threat model in the software development community, where a single compromised library can cause cascading infections across every project that depends on it. Organizations heavily reliant on npm packages, particularly those whose core business is software development, are especially susceptible to similar attacks.
Indicators of Compromise (IOCs)
- C2 domain: zero.masscan.cloud
- GitHub queries:
  - https://api.github.com/search/commits?q=beautifulcastle&sort=author-date&order=desc
  - https://api.github.com/search/commits?q=EveryBoiWeBuildIsAWormyBoi&sort=author-date&order=desc&per_page=50
- GitHub repository: https://github.com/LuisDepo/sayyadina-heighliner-138