## Summary

The Shai-Hulud supply chain campaign has escalated. What began with the Qix compromise affecting ~18 core npm packages (`chalk`, `debug`, `ansi-styles`, etc.) has since spread:

- Over 40 additional packages were attacked via the Tinycolor “worm” vector.
- The CrowdStrike / `crowdstrike-publisher` namespace was also compromised, with multiple trojanized releases.
- The DuckDB maintainer account (`duckdb_admin`) published malicious versions matching the same wallet-drainer malware used in the Qix incidents. No Vercel customers were impacted in that DuckDB subset.

## Impact to Vercel Customers

We identified a small set of 10 Vercel customer projects whose builds depended (directly or transitively) on the compromised package versions. Impacted customers have been notified and provided with project-level guidance. In the DuckDB incident, no Vercel customer build was affected.…
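To check whether a project depends directly or transitively on a flagged release, the lockfile is the place to look, since it records every resolved version in the tree. The following is an added example, not Vercel's tooling: the function names, the `some-logger` package, the sample lockfile and the deny-list versions are constructed placeholders, and the real affected versions must come from the relevant advisories.

```javascript
// PLACEHOLDER versions only: replace with versions from the published advisories.
const DENY_LIST = {
  chalk: ["0.0.0-placeholder-bad"],
  debug: ["0.0.0-placeholder-bad"],
  "ansi-styles": ["0.0.0-placeholder-bad"],
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromKey(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

// Takes a parsed package-lock.json and returns every resolved package
// (direct or transitive) whose exact version is on the deny list.
function findCompromised(lock, denyList = DENY_LIST) {
  const hits = [];
  const check = (name, version, where) => {
    const listed = Object.prototype.hasOwnProperty.call(denyList, name);
    if (listed && denyList[name].includes(version)) hits.push({ name, version, where });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project itself
    check(meta.name || nameFromKey(key), meta.version, key); // meta.name is set for aliases
  }
  // lockfileVersion 1: nested "dependencies" tree (v2 carries both, so skip it there).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, [...trail, name].join(" > "));
      walk(meta.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample: "debug" is pulled in only transitively, via "some-logger".
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "1.2.3" },
    "node_modules/some-logger": { version: "2.0.0" },
    "node_modules/some-logger/node_modules/debug": { version: "0.0.0-placeholder-bad" },
  },
};

console.log(findCompromised(SAMPLE_LOCK));
```

The `where` field shows the install path of each hit, which identifies the parent package that has to be upgraded or overridden when the match is transitive.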