Following the initial Shai-Hulud worm compromise of SAP CAP-JS npm packages on April 29, The Register reported on April 30 that attackers had extended the campaign to additional packages: intercom-client versions 7.0.4 and 7.0.5, and lightning versions 2.6.2 and 2.6.3. The combined weekly download count across these newly affected packages is approximately 572,000, significantly widening the blast radius beyond the original SAP ecosystem targets. Developers who pulled any of the listed package versions into their CI pipelines or local environments during the affected window should treat their build environments as potentially compromised, rotate secrets that may have been accessible, and audit outbound network activity for command-and-control indicators. Lock files should be pinned past these versions and verified against the npm advisory database before resuming normal builds.