According to Dongcha Beating monitoring, on the morning of April 21st the official Vercel account announced that, after a joint investigation with GitHub, Microsoft, npm, and Socket, no package published by Vercel on npm had been tampered with and the supply chain remains "secure." Vercel maintains open-source libraries such as Next.js, Turbopack, and SWR on npm, with combined monthly downloads in the billions. Had an attacker used an employee account to poison them, the impact would have reached far beyond Vercel's own customers. This verification closed off the largest risk associated with the incident.
On the same day, the official security announcement was updated with three additional details. The scope of the affected data was narrowed to the field level for the first time: the announcement stated that the leaked information consisted of the customer environment variables not marked "sensitive," which are decrypted on the backend and therefore held in plaintext. Vercel is still investigating whether further data was taken. A new recommendation was added for customers: "Deleting a Vercel project or account itself does not eliminate the risk." Customers should first rotate all non-sensitive keys and only then consider deletion, because credentials already obtained by the attacker can still be used to access production systems directly.
On the product side, the defaults were changed. Newly created environment variables now default to "sensitive" (sensitive: on). Previously, variables added to existing accounts defaulted to the normal type and had to be marked sensitive manually; that default was the direct path by which the attacker read plaintext variables in this incident. The dashboard also gained a more detailed activity log view and team-level environment variable management, and "Enable two-factor authentication" has been moved to the top of all security recommendations.
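As an added example (not from the article or from Vercel), the following audit turns an exported environment-variable listing into the rotation worklist the recommendation above calls for: every readable (non-sensitive) variable, production first. The JSON shape (`key`, `type`, `target`) is an assumption modelled on Vercel's project env-variable listing, and the sample records are constructed.

```python
import json

# Constructed sample in an assumed shape modelled on a Vercel env-variable listing.
SAMPLE_LISTING = json.dumps({
    "envs": [
        {"key": "DATABASE_URL", "type": "encrypted", "target": ["production"]},
        {"key": "STRIPE_SECRET", "type": "sensitive", "target": ["production"]},
        {"key": "NEXT_PUBLIC_API_BASE", "type": "plain", "target": ["production", "preview"]},
        {"key": "PREVIEW_TOKEN", "type": "encrypted", "target": ["preview", "development"]},
        {"key": "VERCEL_URL", "type": "system", "target": ["production", "preview"]},
    ]
})

# Types whose decrypted value can be read back by anyone with dashboard or API
# access. "sensitive" cannot be read back; "system" values are Vercel-provided.
READABLE_TYPES = {"plain", "encrypted", "secret"}


def needs_protection(env):
    """Skip platform-provided variables and NEXT_PUBLIC_ ones, which are public by design."""
    return env["type"] != "system" and not env["key"].startswith("NEXT_PUBLIC_")


def rotation_worklist(listing_json):
    """Return (key, type, targets) for each readable variable, production-reaching ones first."""
    envs = json.loads(listing_json)["envs"]
    exposed = [e for e in envs if needs_protection(e) and e["type"] in READABLE_TYPES]
    # Production first, then alphabetical, so the runbook order is stable between runs.
    exposed.sort(key=lambda e: ("production" not in e["target"], e["key"]))
    return [(e["key"], e["type"], sorted(e["target"])) for e in exposed]


def production_fully_sensitive(listing_json):
    """True when every variable that reaches production and needs protection is sensitive."""
    envs = json.loads(listing_json)["envs"]
    return all(
        e["type"] == "sensitive"
        for e in envs
        if needs_protection(e) and "production" in e["target"]
    )


if __name__ == "__main__":
    for key, typ, targets in rotation_worklist(SAMPLE_LISTING):
        print(f"ROTATE {key:<16} type={typ:<10} targets={','.join(targets)}")
    print("production fully sensitive:", production_fully_sensitive(SAMPLE_LISTING))
```

Run it against a real listing before deleting a project, and re-run after rotating and re-adding each variable as sensitive until `production_fully_sensitive` reports True.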
