We are investigating reports that a malicious version (7.0.4) of the intercom-client npm package was briefly published earlier today.
The latest legitimate version is 7.0.3. The impact is limited to the Node.js SDK, which is used to access Intercom APIs.
If you installed intercom-client@7.0.4, we recommend:
- removing the package immediately
- rotating any credentials (API keys, tokens, cloud credentials) that were accessible from that environment
We are actively investigating and will share more information as it becomes available.
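To check whether an environment resolved the version named above, the following added example (not Intercom's code and not part of the original notice) searches a parsed package-lock.json for intercom-client@7.0.4, including transitive copies. The sample lockfile, the package name support-widget and the script name check-intercom.js are constructed for illustration.

```javascript
const BAD_NAME = "intercom-client";
const BAD_VERSION = "7.0.4"; // malicious version named in the notice

// True when a lockfile entry pins the bad version, directly or via an npm: alias (v1 form).
function isBad(name, meta) {
  const v = meta && meta.version;
  return v === `npm:${BAD_NAME}@${BAD_VERSION}` || (name === BAD_NAME && v === BAD_VERSION);
}

// Returns every location in the lockfile where the bad version is pinned.
function findBadInstalls(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("node_modules/a/node_modules/b").
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = (meta && meta.name) || path.split("node_modules/").pop();
      if (isBad(name, meta)) hits.push(path);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail ? `${trail} > ${name}` : name;
      if (isBad(name, meta)) hits.push(here);
      walk(meta && meta.dependencies, here);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample (not a real project): a transitive copy under a hypothetical package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/intercom-client": { version: "7.0.3" },
    "node_modules/support-widget/node_modules/intercom-client": { version: "7.0.4" },
  },
};

// CLI use (hypothetical file name): node check-intercom.js package-lock.json; exits 1 if found.
if (process.argv[2]) {
  import("node:fs").then((fs) => {
    const found = findBadInstalls(JSON.parse(fs.readFileSync(process.argv[2], "utf8")));
    console.log(found.length ? `FOUND at: ${found.join(", ")}` : "not found");
    process.exitCode = found.length ? 1 : 0;
  });
}
```

A clean lockfile only shows what is pinned now; a machine that ran an install while 7.0.4 was published should still have its credentials rotated as recommended above.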