shipfeed AI news, curated daily


Shai-Hulud 2.0 Supply Chain Compromise

Vercel confirms a supply chain attack via compromised npm packages added a stealthy loader to package.json files, with a limited set of customer builds affected and no Vercel-managed systems impacted.

Nov 24 · primary · 1 source · updated Nov 24

Multiple npm packages from various web services were compromised through account takeover/developer compromise. A malicious actor was able to add a stealthy loader to the package.json file that locates the Bun runtime, silently installs it, then executes a malicious script. Our investigation has shown that no Vercel environment was impacted and we are notifying a small set of customers with affected builds. Vercel has taken immediate steps to address this for our customers. As an initial step, we reset the cache for projects that pulled in any of the vulnerable packages while we continue to investigate whether any loaders successfully ran.

We will continue to issue updates throughout our investigation.

Impact to Vercel Customers

As of this publication, no Vercel-managed systems or internal build processes have been impacted. Preliminary analysis identified a limited set of Vercel customer builds referencing the compromised packages. Impacted customers are being contacted directly with detailed mitigation steps.
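The loader described in the advisory lives in package.json lifecycle hooks, so one defensive triage step is to audit every manifest in a build (including node_modules) for install-time scripts that invoke or fetch Bun or run a bundled script. The following is an added example, not Vercel's code or published indicators; the heuristics and both sample manifests are constructed for illustration.

```javascript
// Lifecycle hooks npm runs automatically during install (and thus on CI).
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Triage heuristics (assumptions for this example, not an official IoC list).
// They produce leads for a human to review, not verdicts: legitimate packages
// also run node scripts at install time.
const SUSPICIOUS_PATTERNS = [
  { name: 'invokes-bun',       re: /\bbun(\.exe)?\b/i },
  { name: 'installs-bun',      re: /bun\.sh\/install|npm (?:i|install) (?:-g )?bun\b/i },
  { name: 'fetch-and-run',     re: /\b(curl|wget|Invoke-WebRequest|iwr)\b.*\|\s*(sh|bash|node|bun)\b/i },
  { name: 'runs-local-script', re: /\b(node|bun)\s+\.?\/?[\w./-]+\.(c?m?js|ts)\b/i },
];

// Parse one package.json and return every lifecycle hook that matches a heuristic.
function auditManifest(json) {
  let pkg;
  try {
    pkg = JSON.parse(json);
  } catch (e) {
    return { name: '(unparseable)', findings: [{ hook: null, reason: 'invalid-json', command: null }] };
  }
  const scripts = pkg.scripts && typeof pkg.scripts === 'object' ? pkg.scripts : {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    for (const p of SUSPICIOUS_PATTERNS) {
      if (p.re.test(cmd)) findings.push({ hook, reason: p.name, command: cmd });
    }
  }
  return { name: pkg.name || '(unnamed)', findings };
}

// Constructed sample manifests: a benign native addon and a loader-style hook.
const CLEAN_MANIFEST = JSON.stringify({
  name: 'example-native-addon',
  scripts: { postinstall: 'node-gyp rebuild', test: 'mocha' },
});
const SUSPECT_MANIFEST = JSON.stringify({
  name: 'example-tampered-package',
  scripts: { preinstall: 'node ./install-runtime.js && bun ./loader.js', build: 'tsc' },
});

console.log(JSON.stringify(auditManifest(SUSPECT_MANIFEST), null, 2));
```

In a real build the same function would be run over every package.json under node_modules and the lockfile-resolved tree, and any hit cross-checked against the package's published version before the cache is reset.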

§ sources · 1 publication
  1. vercel.com: Shai-Hulud 2.0 Supply Chain Compromise (primary)