Shai-Halud Supply Chain Campaign
Vercel discloses that the Shai-Halud supply chain campaign compromised over 40 npm packages, affecting a small set of 10 customer projects; the related DuckDB incident had no impact on Vercel customers.
Summary

The Shai-Halud supply chain campaign has escalated. What began with the Qix compromise affecting ~18 core npm packages (chalk, debug, ansi-styles, etc.) has since spread:

- Over 40 additional packages were attacked via the Tinycolor "worm" vector.
- The CrowdStrike / crowdstrike-publisher namespace was also compromised, with multiple trojanized releases.
- The DuckDB maintainer account (duckdb_admin) published malicious versions carrying the same wallet-drainer malware used in the Qix incidents. No Vercel customers were impacted in that DuckDB subset.

Impact to Vercel Customers

We identified a small set of 10 Vercel customer projects whose builds depended (directly or transitively) on the compromised package versions. Impacted customers have been notified and provided with project-level guidance. In the DuckDB incident, no Vercel customer build was affected.

What We're Watching & Doing

- Working closely with npm, open-source maintainers, and ecosystem security partners to track any further spread of Shai-Halud.
- Enhancing our supply chain defenses so that deployments on Vercel remain secure by default: stricter…
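One way to perform the check described above (whether a build depends, directly or transitively, on a compromised package version), as an added example that is not Vercel's own tooling: the script below scans an npm package-lock.json (lockfileVersion 1, 2 or 3) for entries pinned to a denylisted package@version and reports the install chain for each hit. The denylist versions, the sample lockfiles and the function names are constructed placeholders; the page does not list the actual compromised versions, so the denylist must be filled from the npm advisories for the campaign.

```javascript
// Added example, not code from the Vercel bulletin: report lockfile entries,
// direct or transitive, whose resolved version is on a denylist.
// Handles npm lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").

// CONSTRUCTED placeholder denylist. These are not the real compromised
// releases; fill it from the npm/GitHub advisories for the campaign.
const DENYLIST = {
  chalk: new Set(["0.0.0-constructed"]),
  debug: new Set(["0.0.0-constructed"]),
  "ansi-styles": new Set(["0.0.0-constructed"]),
};

// A v2/v3 "packages" key looks like "node_modules/a/node_modules/@s/b";
// the package name is everything after the last "node_modules/".
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Recursively walk a v1 "dependencies" tree, recording the install chain.
function walkV1(deps, chain, denylist, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...chain, name];
    if (denylist[name] && denylist[name].has(entry.version)) {
      hits.push({ name, version: entry.version, chain: path.join(" > ") });
    }
    walkV1(entry.dependencies, path, denylist, hits);
  }
}

// Return [{name, version, chain}] for every denylisted package@version
// found in a parsed lockfile object.
function findCompromised(lock, denylist = DENYLIST) {
  const hits = [];
  if (lock.packages && Number(lock.lockfileVersion) >= 2) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === "") continue; // root project entry, not a dependency
      const name = packageNameFromKey(key);
      if (denylist[name] && denylist[name].has(entry.version)) {
        hits.push({ name, version: entry.version, chain: key });
      }
    }
  } else {
    walkV1(lock.dependencies, [], denylist, hits);
  }
  return hits;
}

// CONSTRUCTED sample lockfiles. In the v3 sample the only hit is a transitive
// copy of ansi-styles nested under chalk; the top-level chalk and debug are clean.
const SAMPLE_LOCK_V3 = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { chalk: "^5.0.0", debug: "^4.0.0" } },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/chalk/node_modules/ansi-styles": { version: "0.0.0-constructed" },
    "node_modules/debug": { version: "4.3.4" },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-cli": {
      version: "1.0.0",
      dependencies: { debug: { version: "0.0.0-constructed" } },
    },
  },
};

// CLI use: node scan-lock.js path/to/package-lock.json (exits 1 on any hit,
// so it can gate a CI or build step).
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const fs = require("node:fs");
  const hits = findCompromised(JSON.parse(fs.readFileSync(process.argv[2], "utf8")));
  for (const h of hits) console.log(`DENYLISTED ${h.name}@${h.version} via ${h.chain}`);
  process.exit(hits.length ? 1 : 0);
}
```

Because the scan works on the lockfile rather than on package.json ranges, it catches the transitive case the advisory calls out: a clean top-level dependency that resolves a nested copy of a compromised version. Run it against the exact lockfile the build uses; a lockfile regenerated after the malicious versions were unpublished will no longer show them.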