Multiple npm packages from various web services were compromised through account takeover/developer compromise. A malicious actor was able to add a stealthy loader to the package.json file that locates the Bun runtime, silently installs, then executes a malicious script.
Our investigation has shown that no Vercel environment was impacted and we are notifying a small set of customers with affected builds.
Link to headingImpact to Vercel Customers
Vercel has taken immediate steps to address this for our customers. As an initial step, we reset the cache for projects that pulled in any of the vulnerable packages while we continue to investigate whether any loaders successfully ran.
As of this publication, no Vercel-managed systems or internal build processes have been impacted.
Preliminary analysis identified a limited set of Vercel customer builds referencing the compromised packages.
Impacted customers are being contacted directly with detailed mitigation steps.
We will continue to issue updates throughout our investigation.