Vercel Security Incident Update: npm packages have not been compromised; new environment variables are set to "Sensitive" by default

According to Beating Monitoring, Vercel’s official account announced on the morning of April 21 that, after a joint investigation with GitHub, Microsoft, npm, and Socket, no package published by Vercel on npm has been tampered with, and the supply chain remains “still secure.” Vercel maintains open-source libraries such as Next.js, Turbopack, and SWR on npm, with total monthly downloads in the hundreds of millions. Had the attackers used employee accounts to inject malicious code into those packages, the impact would have extended far beyond Vercel’s own customers. This finding rules out the largest associated risk in the incident.

On the same day, the official security announcement was updated with three details. For the first time, the affected scope was narrowed down to the field level: what leaked were customer environment variables that were not marked as “sensitive,” which are decrypted on the backend and stored in plaintext. Vercel is still investigating whether more data was taken. A further recommendation to customers was added: “Deleting Vercel projects or accounts alone cannot eliminate the risk.” All sensitive keys must be rotated before deletion is even considered, because credentials already obtained by the attackers can still be used to access production systems directly.

On the product side, the default settings were changed. Newly created environment variables now default to “sensitive” (sensitive: on). Previously, variables added to existing accounts defaulted to the normal type, and sensitivity had to be enabled manually; this was the direct entry point that allowed the attacker to read plaintext variables. The dashboard also launched a more detailed activity-log interface and team-level environment variable management at the same time, and among all security recommendations, “Enable two-factor authentication” has been moved to the top.
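As an added illustration of the rotation advice above (example code written for this page, not code from the article or from Vercel), the following audit takes a list of environment variable records and prioritizes which non-sensitive ones to rotate first. The record shape (`key`, `type`, `target`) and the type names `plain`, `encrypted`, `secret`, `sensitive` and `system` are assumed to mirror Vercel's environment variable API and should be checked against the current documentation; the sample data is constructed.

```python
"""Triage environment variables that were readable in plaintext and plan rotation."""
from dataclasses import dataclass

# Assumption: any type other than "sensitive" exposes its value to whoever can
# read the project's variables; "system" values are set by the platform, not secrets.
READABLE_TYPES = {"plain", "encrypted", "secret"}
# Key-name hints that usually indicate a credential rather than configuration.
SECRET_HINTS = ("KEY", "SECRET", "TOKEN", "PASSWORD", "DSN", "DATABASE_URL")


@dataclass(frozen=True)
class Finding:
    key: str
    targets: tuple          # deployment targets the variable applies to
    looks_like_credential: bool
    priority: int           # 1 = rotate first, 3 = review but low urgency


def looks_like_credential(key: str) -> bool:
    upper = key.upper()
    return any(hint in upper for hint in SECRET_HINTS)


def audit_env(records):
    """Return a rotation plan: every readable variable, most urgent first."""
    findings = []
    for rec in records:
        if rec.get("type", "plain") not in READABLE_TYPES:
            continue  # "sensitive" cannot be read back; "system" is not a secret
        key = rec["key"]
        targets = tuple(sorted(rec.get("target", [])))
        credential = looks_like_credential(key)
        in_production = "production" in targets
        if key.startswith("NEXT_PUBLIC_"):
            priority = 3  # already shipped to the browser bundle by design
        elif credential and in_production:
            priority = 1
        elif credential or in_production:
            priority = 2
        else:
            priority = 3
        findings.append(Finding(key, targets, credential, priority))
    return sorted(findings, key=lambda f: (f.priority, f.key))


# Constructed sample records, not data from any real project.
SAMPLE = [
    {"key": "DATABASE_URL", "type": "encrypted", "target": ["production", "preview"]},
    {"key": "STRIPE_SECRET_KEY", "type": "sensitive", "target": ["production"]},
    {"key": "NEXT_PUBLIC_SITE_NAME", "type": "plain", "target": ["production", "preview"]},
    {"key": "ANALYTICS_TOKEN", "type": "plain", "target": ["preview"]},
    {"key": "DEBUG_FLAG", "type": "plain", "target": ["development"]},
    {"key": "VERCEL_URL", "type": "system", "target": ["production"]},
]

if __name__ == "__main__":
    for f in audit_env(SAMPLE):
        print(f"P{f.priority} {f.key} targets={','.join(f.targets)} credential={f.looks_like_credential}")
```

Rotate the priority-1 entries before touching the project, then re-create each variable as sensitive so its value can no longer be read back.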
