Vercel Confirms npm Packages Unaffected in Security Incident

Vercel confirmed that its npm packages were not affected in a recent security breach. The company stated that Next.js, Turbopack, and SWR remained untampered following a joint investigation with GitHub, Microsoft, npm, and Socket. Vercel updated its security advisory, noting that only non-sensitive environment variables were exposed. The company now marks new variables as sensitive by default and has improved dashboard tools for activity logs and team-level management. On-chain news continues to highlight supply chain security updates across major platforms.

ME News reports that on April 21 (UTC+8), according to monitoring by Beating, Vercel's official account announced on the morning of April 21 that, after a joint investigation with GitHub, Microsoft, npm, and Socket, no package published by Vercel on npm had been tampered with; the supply chain remains "secure." Vercel maintains open-source libraries on npm, including Next.js, Turbopack, and SWR, which together receive hundreds of millions of downloads per month. Had attackers used compromised employee accounts to poison these packages, the impact would have far exceeded Vercel's own customer base, so this finding eliminates the largest potential ripple risk of the incident.

On the same day, Vercel updated its official security notice with three key details.

First, the scope of impact was clarified at the field level for the first time: the leaked data consisted only of customer environment variables not marked as "sensitive," which are stored in plaintext after decryption on the backend. Vercel is still investigating whether additional data was exfiltrated.

Second, a new recommendation was added to the customer guidance: "Deleting a Vercel project or account does not eliminate the risk." Users must first rotate every key not marked as sensitive before considering deletion, because credentials already obtained by the attackers can still directly access production systems.

Third, on the product side, the default has changed: newly created environment variables are now set to "sensitive" by default (sensitive: on). Previously, for existing accounts, newly added variables defaulted to the standard type and sensitivity had to be enabled manually; this was the direct entry point the attackers exploited to read plaintext variables. The dashboard has also gained a more detailed activity log interface and team-level environment variable management, and "Enable two-factor authentication" is now the top security recommendation. (Source: BlockBeats)
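The practical consequence of the notice above is a rotation checklist: every variable not marked sensitive must be treated as exposed and rotated before a project is deleted. The triage script below is an added example, not code from the article or from Vercel; it assumes each record carries a `key`, a `type` (with "sensitive" as the protected type) and a `target` list, and the sample inventory is constructed.

```python
"""Triage a project's environment variables after the exposure described above.

Assumption (not from the article): each record mirrors a project env listing
with a `key`, a `type` ("sensitive" vs "encrypted"/"plain"/...) and a `target`
list. SAMPLE below is constructed for illustration, not real data.
"""
import re
from dataclasses import dataclass

# Key names that usually hold credentials; used only to order the rotation list.
SECRET_HINT = re.compile(r"KEY|SECRET|TOKEN|PASS|DSN|PRIVATE|DATABASE|URI|URL", re.I)


@dataclass
class EnvVar:
    key: str
    type: str                 # "sensitive": value cannot be read back in plaintext
    target: tuple[str, ...]   # deployment environments the variable applies to


def needs_rotation(var: EnvVar) -> bool:
    """Per the notice, anything NOT marked sensitive was readable in plaintext."""
    return var.type != "sensitive"


def rotation_plan(vars_: list[EnvVar]) -> list[str]:
    """Keys to rotate: credential-looking names first, then production-scoped ones."""
    todo = [v for v in vars_ if needs_rotation(v)]

    def priority(v: EnvVar) -> tuple[int, int, str]:
        return (0 if SECRET_HINT.search(v.key) else 1,
                0 if "production" in v.target else 1,
                v.key)

    return [v.key for v in sorted(todo, key=priority)]


def safe_to_delete_project(vars_: list[EnvVar], rotated: set[str]) -> bool:
    """Deleting the project removes no risk until every exposed key has been rotated."""
    return all(v.key in rotated for v in vars_ if needs_rotation(v))


# Constructed sample inventory (not real data).
SAMPLE = [
    EnvVar("DATABASE_URL", "encrypted", ("production", "preview")),
    EnvVar("STRIPE_SECRET_KEY", "sensitive", ("production",)),
    EnvVar("NEXT_PUBLIC_SITE_NAME", "plain", ("production", "preview", "development")),
    EnvVar("SENDGRID_API_KEY", "encrypted", ("preview",)),
]

if __name__ == "__main__":
    for key in rotation_plan(SAMPLE):
        print("rotate:", key)
    print("safe to delete:", safe_to_delete_project(SAMPLE, set()))
```

Feed it a real inventory by mapping your project's env listing onto `EnvVar`; the function names and the `type` values are assumptions to check against your own tooling.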
