Vercel and GitHub confirm npm supply chain security; packages have not been tampered with

MarketWhisper

Vercel npm supply chain security

On April 21, 2026, Vercel's official account announced that a joint investigation with GitHub, Microsoft, npm, and Socket had confirmed that none of the packages Vercel publishes on npm were tampered with and that the supply chain remains secure. A security advisory updated the same day said that the data exposed in the incident consisted of customer environment variables that were not marked as "sensitive"; such variables are decrypted on the backend and can therefore be read back in plaintext.

npm Packages Not Tampered With: Results of the Joint Investigation

According to Vercel's April 21, 2026 announcement, the joint investigation with GitHub, Microsoft, npm, and Socket confirmed that none of the open-source packages Vercel maintains on npm have been tampered with. These packages include Next.js, Turbopack, and SWR, which together see hundreds of millions of downloads per month.

Cause of the Security Incident and Scope of Impact

According to a statement from Vercel CEO Guillermo Rauch, an employee's account was compromised by way of the Context.ai platform, a third-party AI tool integrated with Vercel environments that had been granted deployment-level Google Workspace OAuth permissions. After Context.ai itself was compromised, the attacker used that OAuth grant to obtain privileged access and then widened it by enumerating Vercel environment resources.

According to the updated security advisory, the exposed data consisted of customer environment variables not marked as "sensitive" (these are decrypted on the backend and readable in plaintext). Whether further data was taken remains under investigation by Vercel. The advisory also stresses that deleting a Vercel project, or the account itself, does not remove the risk: credentials the attacker already holds can still be used to connect directly to production systems, so key rotation must come first.

Vercel said the number of affected customers is limited, amounting to hundreds of users across multiple organizations. Users who have not received a notification currently have no reason to believe that their Vercel account credentials or personal information were exposed. Vercel is conducting the investigation together with Mandiant, other cybersecurity firms, and law enforcement agencies.

Product Updates and Recommendations for Customer Action

According to Vercel's security advisory, product updates shipped in parallel on April 21 include: newly created environment variables now default to "sensitive" (sensitive: on); the Dashboard gains a denser activity-log view and team-level environment variable management; and "Enable Two-Factor Authentication" is listed first among the security recommendations.

Vercel’s specific recommendations for customers are as follows:

· Check Google Workspace account activity for the OAuth application associated with Vercel

· Rotate every environment variable that holds an API key, token, database credential, or signing key (even if it was previously marked as non-sensitive)

· Enable sensitive-variable protection and check recent deployments for anomalies
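The second and third recommendations above are easy to state and tedious to carry out across a team's projects. The following is an added example, not Vercel's tooling or anything from the advisory: it takes an environment variable listing, flags entries that hold credentials but are stored as anything other than "sensitive" (the class of data the advisory says was exposed), orders them into a rotation checklist with production targets first, and only then builds the requests that would re-create each rotated value as "sensitive". The record shape (id, key, type, target, value), the type name "sensitive", and the PATCH request format are the author's assumptions about the Vercel REST API; the sample listing and every value in it are constructed for this example and nothing here touches the network.

```javascript
// Added example (not Vercel's code): audit env vars for secret material stored
// as non-sensitive and turn the result into an ordered rotation checklist.
// Record shape and the "sensitive" type name are assumptions about the Vercel
// REST API's project env listing; sample data below is constructed.

// Key names that usually carry credentials.
const SECRET_KEY_PATTERN =
  /(api[_-]?key|_key$|secret|token|password|passwd|private[_-]?key|signing|credential|dsn)/i;

// Value shapes that are credentials regardless of how the variable is named.
const SECRET_VALUE_PATTERNS = [
  { name: 'stripe-live-key',      re: /^sk_live_[0-9A-Za-z]{8,}/ },
  { name: 'aws-access-key-id',    re: /^AKIA[0-9A-Z]{16}$/ },
  { name: 'github-token',         re: /^gh[pousr]_[0-9A-Za-z]{20,}/ },
  { name: 'pem-private-key',      re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  { name: 'db-connection-string', re: /^(postgres(ql)?|mysql|mongodb(\+srv)?|redis):\/\/[^:\/\s]+:[^@\s]+@/ },
  { name: 'jwt',                  re: /^eyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+$/ },
];

function classifyEnv(env) {
  const reasons = [];
  if (SECRET_KEY_PATTERN.test(env.key)) reasons.push('key-name');
  for (const { name, re } of SECRET_VALUE_PATTERNS) {
    if (typeof env.value === 'string' && re.test(env.value)) reasons.push(`value:${name}`);
  }
  // Next.js inlines NEXT_PUBLIC_* into the browser bundle, so a secret under
  // that prefix is exposed to every visitor, not only to whoever reads the env.
  if (reasons.length > 0 && env.key.startsWith('NEXT_PUBLIC_')) reasons.push('exposed-to-browser');
  // Assumption: only the "sensitive" type cannot be read back after creation;
  // every other type is decrypted server-side, which is what the advisory
  // says was taken.
  const readable = env.type !== 'sensitive';
  return { id: env.id, key: env.key, looksSecret: reasons.length > 0, readable, reasons,
           production: (env.target || []).includes('production') };
}

// Buckets, in the order they should be worked: production secrets that were
// readable, other readable secrets, secrets already protected, everything else.
function buildRotationPlan(envs) {
  const plan = { rotateFirst: [], rotateNext: [], protected: [], noAction: [] };
  for (const c of envs.map(classifyEnv)) {
    if (c.looksSecret && c.readable) (c.production ? plan.rotateFirst : plan.rotateNext).push(c);
    else if (c.looksSecret) plan.protected.push(c);
    else plan.noAction.push(c);
  }
  return plan;
}

// After rotation, re-create each value as "sensitive". The request format is an
// assumption about the Vercel API. A new value is mandatory: marking a leaked
// value sensitive hides it from the dashboard but does not revoke it.
function markSensitiveRequests(projectId, plan, newValues) {
  const requests = [];
  for (const c of [...plan.rotateFirst, ...plan.rotateNext]) {
    if (!(c.key in newValues)) throw new Error(`rotate ${c.key} before marking it sensitive`);
    requests.push({ method: 'PATCH', path: `/v9/projects/${projectId}/env/${c.id}`,
                    body: { type: 'sensitive', value: newValues[c.key] } });
  }
  return requests;
}

// Never echo a full secret into a report; four characters is enough to identify it.
function redact(value) {
  return typeof value === 'string' ? value.slice(0, 4) + '...' : '(not readable)';
}

// Constructed sample listing in the assumed API shape; no value here is real.
const SAMPLE_ENVS = [
  { id: 'env_1', key: 'DATABASE_URL', type: 'encrypted', target: ['production'],
    value: 'postgres://app:hunter2@db.internal:5432/app' },
  { id: 'env_2', key: 'STRIPE_KEY', type: 'plain', target: ['production', 'preview'],
    value: 'sk_live_4eC39HqLyjWDarjtT1zdp7dc' },
  { id: 'env_3', key: 'NEXT_PUBLIC_SITE_URL', type: 'plain', target: ['production'],
    value: 'https://example.com' },
  { id: 'env_4', key: 'JWT_SIGNING_SECRET', type: 'sensitive', target: ['production'] },
  { id: 'env_5', key: 'FEATURE_FLAGS', type: 'encrypted', target: ['preview'], value: 'beta=1' },
  { id: 'env_6', key: 'SMTP_PASSWORD', type: 'encrypted', target: ['development'], value: 'p@ssw0rd' },
];

function report(envs) {
  const plan = buildRotationPlan(envs);
  const lines = [];
  for (const [bucket, items] of Object.entries(plan)) {
    for (const c of items) {
      const src = envs.find((e) => e.id === c.id);
      lines.push(`${bucket.padEnd(11)} ${c.key} type=${src.type} value=${redact(src.value)} [${c.reasons.join(', ')}]`);
    }
  }
  return lines;
}

console.log(report(SAMPLE_ENVS).join('\n'));
```

On the sample, DATABASE_URL and STRIPE_KEY land in rotateFirst (readable and targeted at production; the first is caught by its value, not its name), SMTP_PASSWORD in rotateNext, JWT_SIGNING_SECRET in protected, and the two non-secret variables need no action. Pointing this at a real listing means fetching it with a project-scoped token and passing the array in place of SAMPLE_ENVS; the value patterns are deliberately conservative, so treat "noAction" as a review queue rather than a clean bill of health.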

Frequently Asked Questions

Were Vercel’s packages on npm tampered with?

According to Vercel’s April 21, 2026 announcement, Vercel has completed a joint investigation with GitHub, Microsoft, npm, and Socket, confirming that all packages—including Next.js, Turbopack, and SWR—have not been tampered with, and supply chain security remains intact.

What caused this Vercel security incident?

According to a statement from Vercel CEO Guillermo Rauch, the attack began with a compromise of the third-party AI tool Context.ai. Context.ai had previously been granted deployment-level Google Workspace OAuth permissions for Vercel environments. The attacker used this to gain privileged access and further enumerated Vercel environment resources.

What actions should affected Vercel users prioritize?

According to Vercel’s security advisory, affected users should prioritize rotating all environment variables that contain API keys, tokens, database credentials, or signing keys. The advisory also states that deleting a project or an account cannot replace key rotation, and the credentials obtained by the attacker can still directly connect to production systems.
