nicolaj

pre-flight vibes.

Here's my update to the broader community about the ongoing incident investigation. I want to give you the rundown of the situation directly. A Vercel employee got compromised via the breach of an AI platform customer called Context.ai that he was using. The details are being fully investigated. Through a series of maneuvers that escalated from our colleague’s compromised Vercel Google Workspace account, the attacker got further access to Vercel environments. Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms to protect core systems and customer data. We do have a capability however to designate environment variables as “non-sensitive”. Unfortunately, the attacker got further access through their enumeration. We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI. They moved with surprising velocity and in-depth understanding of Vercel. At the moment, we believe the number of customers with security impact to be quite limited. We’ve reached out with utmost priority to the ones we have concerns about. All of our focus right now is on investigation, communication to customers, enhancement of security measures, and sanitization of our environments. We’ve deployed extensive protection measures and monitoring. We’ve analyzed our supply chain, ensuring Next.js, Turbopack, and our many open source projects remain safe for our community. The recommendation for all Vercel customers is to follow the Security Bulletin closely (vercel.com/kb/bulletin/ve…). My advice to everyone is to follow the best practices of security response: secret rotation, monitoring access to your Vercel environments and linked services, and ensuring the proper use of the sensitive env variables feature. In response to this, and to aid in the improvement of all of our customers’ security postures, we’ve already rolled out new capabilities in the dashboard, including an overview page of environment variables, and a better user interface for sensitive env var creation and management. As always, I’m totally open to your feedback. We’re working with elite cybersecurity firms, industry peers, and law enforcement. We’ve reached out to Context to assist in understanding the full scale of the incident, in an effort to protect other organizations and the broader internet. I also want to thank the Google Mandiant team for their active engagement and assistance. It’s my mission to turn this attack into the most formidable security response imaginable. It’s always been a top priority for me. Vercel employs some of the most dedicated security researchers and security-minded engineers in the world. I commit to keeping you updated and rolling out extensive improvements and defenses so you, our customers and community, can have the peace of mind that Vercel always has your back.

oh?

and yes, i've been very hyperaware of not leaking it in the frontend, some git commit, committed .env or a log. however it does look like the API got compromised based on usage (attacker checked the models accessible). deactivating all paid API's for now. I got a bad feeling.

ah cool, some idiot abused the API in my workout tracking app yesterday. No idea how this happened, I've put rate limits in the code, and with Anthropic, but somehow ended in a small negative. will investigate.

Terminal automation + e2e testing solved Now as simple as snapshot, click, type: – wterm renders terminal-in-html, every cell in the a11y tree – agent-browser automates pages via the a11y tree Here's opencode in one browser driving Claude Code in another

@aaronjmars looked more into it, pretty sick. feel like there is so many fun things to test with this.

@gitpushnico simuating behavior, best ads, price action, etc

i urge you to try running miroshark, you can get started very quickly - a simple simulation can run for $1 and it really feels like magic

asciinator.app is live product feel > everything else you can just ship things with love

@pizzaboy stupid question perhaps, but can’t you just upload your little puffy guy so it doesn’t need to be recreated? or are you just pointing out a limitation

bro can't even recreate my little puffy guy.

@DrapzDZN so true, you need Nano Banana 2 and a few other tools as well.

"Its so over for designers" I have never seen claude AI create brand identities like these.

Us to our mentions

let it simmer, as @ryolu_ says.

Promised myself to sleep early today. dammit..

I am back. idk why I got flagged by their automated system. maybe it’s that I work 2 agents at once sometimes and push to 2 repos around the same time.

but are you GPDR compliant bro?

hmm..

Apparently my GitHub is taken down? it’s showing 404 on my profile, and repo links. no idea why, opened a ticket. Hopefully it’ll be solved soon. also thinking heavily about decentralisation in this moment.

if that's what your founding engineers look like, you're gonna make it