CTO Security @ Vercel. Previously at HashiCorp. Microsoft, PwC. Security researcher & photographer. Views are my own

Joined July 2012
Talha Tariq retweeted
The Vercel security and compute teams have conducted an investigation into the malicious takeover of the axios@1.14.1 npm package.
• We’ve blocked outgoing access from our build infrastructure to the Command & Control hostname sfrclak.com.
• The malicious version of the package has been blocked and unpublished from npm.
• Vercel’s own infrastructure and applications have been unaffected.
• We recommend checking your supply chain for exposure.
For more information, read the full advisory ↓ vercel.com/changelog/axios-p…
Talha Tariq retweeted
Today we partnered with Meta to disclose a critical vulnerability in React Server Components, impacting Next.js. Huge credit to Lachlan Davidson for responsibly reporting this to Meta and to our industry partners for responding quickly to our call-to-action. This is how open source security is supposed to be: responsible disclosure, fast mobilization, and close collaboration. Within 72 hours, we patched React, shipped WAF mitigations for all Vercel customers, and coordinated major cloud and security providers to protect their customers in the same way. The united response across the ecosystem has been incredible. AWS, Microsoft, Cloudflare, Fastly, Akamai, F5, Google, Deno, Netlify, Railway, Fly, and others moved quickly with platform protections and clear guidance to their customers. As a reminder, if you’re running Next.js 15 or 16, please upgrade immediately to 15.5.7 or 16.0.7. Vercel customers have platform-level protections, but upgrading is still a must. Ref: vercel.com/changelog/cve-202…
Talha Tariq retweeted
We’ve got confirmation of a working #react2shell POC being shared. We’ve verified Vercel’s Web Application Firewall is successfully blocking this known variant. We are also seeing bad actors attempt exploitation. Upgrading React & frameworks remains a top priority.
Talha Tariq retweeted
Loved speaking with Mandy Andress from @elastic, Mario Duarte from @SnowflakeDB, and Talha Tariq (@0xtbt) from @HashiCorp about their journeys from private to public. @iconbuzz
As a #CISO, what should you expect when taking your company public? CISOs from @elastic, @HashiCorp, and @SnowflakeDB share insights. cc: @YungerOren ggvc.com/insights/what-cisos…
Talha Tariq retweeted
We just released our second annual HashiCorp State of Cloud Strategy Survey, with some interesting insight into what enterprises are doing in the cloud. 1/10
Talha Tariq retweeted
2 Nov 2021
We're thrilled to welcome Talha Tariq (@0xtbt) to our CISO Advisory Board. Talha is the Chief Security Officer at @HashiCorp. He brings 20 years of experience building & scaling security programs from startups to Fortune 100 organizations. Give Talha a warm welcome!
18 Jul 2021
Oregon is beautiful!
Talha Tariq retweeted
We’re excited to announce that Talha Tariq @0xtbt is our day 1 KEYNOTE for SANS #CloudSecNextSummit! Join Summit chairs @fykim & @emjohn20 for expert talks on building and maintaining a secure cloud infrastructure. Register for Free: sans.org/u/1acC
Talha Tariq retweeted
Join us tomorrow for the Nomad 1.0 launch live stream hashi.co/3lZiBeb Until then the Path to 1.0 continues w/ @KentGruber previewing a new feature. Product security is an important aspect of #Nomad, so we'll introduce a feature to help w/ audits hashi.co/2IXsSJl
Talha Tariq retweeted
Continuously amazed at the scale of infrastructure. Here managing 300 million secret requests per day. #Vault
In this customer case study, @athenahealth, which supports more than 10,000 customers, including over 160,000 providers, shares how HashiCorp #Vault helped the company to streamline, standardize, and systematize its growing secrets management operations: hashi.co/34vsLxi
17 Mar 2020
Really humbled and excited to be part of this journey
We (HashiCorp) raised $175M at a $5.1B valuation, and welcome Franklin Templeton and T. Rowe Price as new investors! globenewswire.com/news-relea…
Talha Tariq retweeted
23 Feb 2020
Great turnout today at the #BSidesSF 2020 Saturday Workshops located @HashiCorp! Day One of our 10th Anniversary event complete!
Talha Tariq retweeted
5 Feb 2020
When it comes to cloud infrastructure, how can you prioritize security concerns? @HashiCorp CSO @0xtbt shares advice for building an effective cloud security program. bit.ly/399v3kK
Talha Tariq retweeted
Thank you to all who came out today to listen to @travismcpeak and me speak. If you missed it, check out the new open source github.com/Netflix-Skunkwork…
Talha Tariq retweeted
4 Dec 2019
Really excited to announce our first ever @HashiCorp-organized, community-focused event in the APAC region: HashiDays Sydney! We hope you can join us. x.com/HashiCorp/status/12023…

We have exciting news: for the very first time, #HashiDays is coming to the APAC region! HashiDays Sydney will take place April 6-7, 2020. Exchange ideas, connect with the community, and learn about HashiCorp tools and products. Tickets available now: hashi.co/2PchBoa
Talha Tariq retweeted
Going to #reInvent 2019? Make sure to come check out @travismcpeak and myself speak on "Monitoring anomalous application behavior" Thursday at 12:15pm - Session ID - NFX205
18 Nov 2019
Excited to have @__muscles join @HashiCorp as Director for Detection & Response to help build and scale our Security Team
Excited to join the talented folks @HashiCorp!
Talha Tariq retweeted
14 Nov 2019
Cloud security top areas to consider: 1. What are cloud providers responsible for vs what are you responsible for 2. Identity and access management strategy 3. Comprehensive monitoring strategy by @marzena_fuller at #DevGuild by @GGVCapital and @heavybit