Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

Malware in vercel-api-client

Malware was discovered in the npm package vercel-api-client. Systems with this package installed are considered fully compromised and require immediate remediation including credential rotation and package removal.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Any system with vercel-api-client installed
Ecosystems
npm
Attack vectors
Compromised package
Affected entities
  • vercel-api-clientnpm package containing malware

A critical malware incident was identified in the npm package vercel-api-client. According to the GitHub Advisory (GHSA-9634-pgqf-xjgr), any computer with this package installed or running should be considered fully compromised.\n\nThe advisory recommends that all secrets and keys stored on affected computers be rotated immediately from a different, uncompromised system. While the package should be removed, there is no guarantee that removal will eliminate all malicious software that may have been installed as a result of the compromise.\n\nThis represents a critical supply chain attack through a compromised package in the npm ecosystem, with potential impact to all systems that installed or ran the affected package.

Indicators of compromise

Packages
  • vercel-api-client

Remediation

  • Immediately rotate all secrets, API keys, and credentials from a different, uncompromised computer
  • Remove the vercel-api-client package from all affected systems
  • Audit system logs and network traffic for signs of unauthorized access or data exfiltration
  • Consider the affected system(s) potentially compromised and perform a full security review
  • Check for any other suspicious packages or modifications on affected systems
  • Monitor for any unauthorized activity on accounts or services that may have been accessed from compromised systems

Sources

  1. GitHub Advisory GHSA-9634-pgqf-xjgr · GitHub Advisory Database

Cite this entry

"Malware in vercel-api-client." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 24, 2026; last updated June 24, 2026. https://supplychainattack.org/incident/malware-in-vercel-api-client-19t4lb

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

Related incidents

  1. activecritical

    Malware in multer-express

    Malware was discovered in the npm package multer-express. Systems with this package installed or running are considered fully compromised and require immediate remediation.

    npmCompromised package
  2. containedcritical

    Malware in opt-archetype-check

    Malware was discovered in the npm package opt-archetype-check, resulting in full system compromise for any computer with the package installed or running. All secrets and keys on affected systems should be rotated immediately from a different computer.

    npmCompromised package
  3. activecritical

    Malware in aes-decode-runner-pro

    Malware discovered in the npm package aes-decode-runner-pro. Systems with this package installed are considered fully compromised and may have given outside entities complete control.

    npmCompromised package
  4. containedcritical

    Malware in fetch-page-assets

    Malware was discovered in the npm package fetch-page-assets. Systems with this package installed or running should be considered fully compromised and require immediate remediation.

    npmCompromised package