The post ‘No npm packages compromised,’ confirms Vercel after security attack appeared on BitcoinEthereumNews.com.

‘No npm packages compromised,’ confirms Vercel after security attack


Vercel, a Web3 infrastructure provider, has given the crypto community some relief by announcing that no Node Package Manager (npm) package was affected in the attack.

For context, npm is like an app store for code: it speeds up development by letting developers manage and reuse code instead of redoing everything.

The confirmation came from the Vercel security team, working in collaboration with GitHub, Microsoft, npm, and Socket.

The Vercel attack briefly

This disclosure comes on the heels of an attack on the credentials of a number of Vercel’s customers, in which the hacker got access to customers’ API keys, though the attack was initially aimed at Context.ai.

The “keys” (OAuth tokens) attached to the AI tool, however, gave the attacker access to the employee’s Google Workspace. Vercel, being one of the organizations tied to the OAuth app, got dragged in.

Steps taken by Vercel

Although npm was not affected by the attack, Vercel did not take a laid-back attitude.

The Web3 infrastructure provider went ahead and added another layer of security with a minimum 2-step authentication method. The first step was configuring an authenticator app, and the other was setting up a passkey.

The Vercel team also noted, 

Instead, they recommend reviewing and rotating unmasked “sensitive” environment variables. The Vercel security team also urged customers to review and investigate the activity log.

Applauding his team’s move, Vercel’s CEO Guillermo Rauch noted,

Source: Guillermo Rauch/X

Something is fishy beneath the surface

Though everything looks clean on the surface, an important question pops up: how was nothing compromised despite an attack of this kind?

Notably, there were screenshots circulating on X concerning Vercel striking a deal to sell their company’s internal database in return for $2 million USD.

Source: X

However, it’s still unknown whether it was actually Vercel or the hacker who was manipulating the customers. This is because in another screenshot, Vercel clearly asked the exploiter to stop texting its employees.

Source: X

In conclusion, despite getting access to Google Workspace, the attacker was mainly able to access only non-sensitive variables, which were nothing but useless text.

Lastly, the wrongdoer also couldn’t rewrite the actual source code hosted on GitHub or GitLab. Hence, despite the attack, no major loss was incurred.


Final Summary

  • Vercel’s security team, in collaboration with GitHub, Microsoft, npm, and Socket, confirmed that no npm packages were compromised.
  • The $2 million USD deal to sell Vercel internal data is still raising eyebrows.

Source: https://ambcrypto.com/no-npm-packages-compromised-confirms-vercel-after-security-attack/
