‘No npm packages compromised,’ confirms Vercel after security attack

Vercel, a Web3 infrastructure provider, has finally provided a breather to the crypto community, announcing that no Node Package Manager (npm) package was affected in the attack. For context, npm is like an app store for code: it speeds up development by letting developers manage and reuse code instead of rewriting everything. The confirmation was made by the Vercel security team in collaboration with GitHub, Microsoft, npm, and Socket.

The Vercel attack briefly

This disclosure comes on the heels of a number of Vercel's customers having their credentials attacked, as the hacker gained access to customers' API keys, though the attack was initially aimed at Context.ai. The "keys" (OAuth tokens) attached to the AI tool gave the attacker access to the employee's Google Workspace, and Vercel, being one of the organizations connected to the OAuth app, got dragged in.

Steps taken by Vercel

Despite npm being safe from the attack, Vercel didn't take a laid-back attitude. The Web3 infrastructure provider went ahead and added another layer of security by requiring a minimum two-step authentication method: the first step is configuring an authenticator app, and the other is setting up a passkey.

The Vercel team also noted, "Deleting your Vercel projects or account is not sufficient to eliminate risk." Instead, they recommend reviewing and rotating unmasked "sensitive" environment variables. Additionally, the Vercel security team urged customers to review and investigate the activity log.

Applauding his team's move, Vercel's CEO Guillermo Rauch noted,

Something is fishy beneath the surface

Though everything looks clean on the surface, an important question pops up: how, despite such an attack, was nothing compromised? Notably, screenshots were circulating on X concerning Vercel striking a deal to sell its company's internal database in return for $2 million USD.

However, it is still unknown whether it was actually Vercel or the hacker who was manipulating the customers, because in another screenshot Vercel clearly asked the exploiter to stop texting its employees.

In conclusion, despite gaining access to Google Workspace, the attacker was mostly able to access only non-sensitive variables, which were nothing but useless text. Lastly, the wrongdoer also couldn't rewrite the actual source code hosted on GitHub or GitLab. Hence, despite the attack, no major loss was incurred.

Final Summary

Vercel's security team, in collaboration with GitHub, Microsoft, npm, and Socket, confirmed that no npm packages were compromised. The $2 million USD deal to sell Vercel's internal data is still raising eyebrows.
This article was originally published on AMBCrypto.