Vercel has confirmed that no npm packages it published were compromised following its April 2026 security incident.
The company stated that investigations conducted in collaboration with GitHub, Microsoft, npm, and Socket Security found no evidence of tampering, and the software supply chain remains secure.
This clarification comes amid growing global concerns over supply chain attacks targeting open-source libraries, which can potentially impact thousands of applications if compromised.
Vercel emphasized that it will continue monitoring the situation and strengthening its security measures to reassure developers and organizations relying on its infrastructure.