On September 9, 2025, the campaign extended to DuckDB-related packages after the duckdb_admin account was breached. These releases contained the same wallet-drainer malware, confirming this was part of a coordinated effort targeting prominent npm maintainers. While Vercel customers were not impacted by the DuckDB incident, we continue to track activity across the npm ecosystem with our partners to ensure deployments on Vercel remain secure by default. Link to heading Overview On September 8, 2025, a supply chain attack compromised 18 popular npm packages including chalk , debug , and ansi-styles . The injected code was designed to intercept cryptocurrency transactions in browsers. Our security and engineering teams identified all affected Vercel projects in the initial compromise and purged build caches. Impacted customers were notified with specific guidance . No Vercel customers were affected in the DuckDB incident.…