Adam Bouhmad

If Steve Jobs were still alive, he would have the moral authority to face and maybe even to solve this problem. But I doubt anyone in the phone business now does.

Update: Socket has found 121 more compromised npm package artifacts across 84 package names, including 64 UiPath artifacts. Combined w/ TanStack, the current known total is 205 affected npm package artifacts across enterprise automation, AI/MCP, auth, workflow, and dev tooling.

this is how I imagine couples in SF break up with each other

i've been trying to merge at least one PR a day using @mattpocockuk's improve-codebase-architecture skill, and it has turned into my favorite work each day.

What's happening in Baltimore is slowly suffusing into the American consciousness. It's a genuinely great development that should be receiving more attention.

Amusing how a surprising number of people I used to professionally respect have started to outsource all their writing to AI, not even bothering to change the horribly templated (and telling) writing. To me it suggests they care more about "content" than quality, and poor taste

Going through old photos and stumbled upon this one from DC25 where @dakami signed my copy of POC||GTFO RIP. An absolute legend & role model for the industry. Taken way too early

This is legit what San Francisco feels like when you visit for the first time

Welcome to Baltimore, Vega Ioane. The Ravens get one of the cleanest prospects in the class — and turn down the chance to draft Rueben Bain. His 2025, per PFF: 311 pass block snaps 0 sacks allowed 0 hits allowed 4 hurries allowed And many pancakes.

The Bay Area’s lack of understanding of how much the rest of the world dislikes and distrusts them is its greatest weakness.

I want to keep everyone updated on the details of the security investigation. The team performed an in-depth analysis to search for root causes and to better understand the behavior of the threat actor. We cast a very wide net, pulling and processing nearly a petabyte of logs of the entire Vercel Network and API, extending well beyond the initial Context[.]ai compromise. We now understand that the threat actor has been active beyond that startup's compromise. Threat intel points to the distribution of malware to computers in search of valuable tokens like keys to Vercel accounts and other providers. Once the attacker gets ahold of those keys, our logs show a repeated pattern: rapid and comprehensive API usage, with a focus on enumeration of non-sensitive environment variables. As a result: ◾We've deepened and widened our collaboration with partners across the industry, like Microsoft, AWS and Wiz, to further protect the broader internet. ◾ We've notified other suspected victims of this threat actor, independent of this event, encouraging them to rotate credentials and adopt best practices. We've also shipped a bunch more product enhancements. I'm extremely thankful to our team and industry partners for working around the clock. For more details on the ongoing investigation, refer to our security bulletin: vercel.com/kb/bulletin/ve…

We're live at @FrontierTechWk hackathon 🏁 We're giving away $25k in Cloudflare credits to today's winner - happy building!

We raised a Series A for exe.dev. We are going to build a new cloud. blog.exe.dev/series-a

🔥 R2 Start of Production Photos 🔥

The structure of the deal is pretty interesting here. I think what’s happening is: 1. xAI is having trouble training a SOTA coding model (hence cofounder departures), bunch of idle GPUs 2. Cursor doesn’t have capital to blow on a $5B training run to compete with Codex/Claude 3. xAI says to Cursor: use all the GPUs you want at cost and get to a SOTA coding model, as long as we have an option to buy you 4. Cursor also gets a free option: train a model better than Opus and get bought out for $60B, or get $10B that pays for all the GPUs you rented Win win

White smoke seen from Apple Park to signify a new CEO

@rauchg Sending the Hugops your guys’ way

Here's my update to the broader community about the ongoing incident investigation. I want to give you the rundown of the situation directly. A Vercel employee got compromised via the breach of an AI platform customer called Context.ai that he was using. The details are being fully investigated. Through a series of maneuvers that escalated from our colleague’s compromised Vercel Google Workspace account, the attacker got further access to Vercel environments. Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms to protect core systems and customer data. We do have a capability however to designate environment variables as “non-sensitive”. Unfortunately, the attacker got further access through their enumeration. We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI. They moved with surprising velocity and in-depth understanding of Vercel. At the moment, we believe the number of customers with security impact to be quite limited. We’ve reached out with utmost priority to the ones we have concerns about. All of our focus right now is on investigation, communication to customers, enhancement of security measures, and sanitization of our environments. We’ve deployed extensive protection measures and monitoring. We’ve analyzed our supply chain, ensuring Next.js, Turbopack, and our many open source projects remain safe for our community. The recommendation for all Vercel customers is to follow the Security Bulletin closely (vercel.com/kb/bulletin/ve…). My advice to everyone is to follow the best practices of security response: secret rotation, monitoring access to your Vercel environments and linked services, and ensuring the proper use of the sensitive env variables feature. In response to this, and to aid in the improvement of all of our customers’ security postures, we’ve already rolled out new capabilities in the dashboard, including an overview page of environment variables, and a better user interface for sensitive env var creation and management. As always, I’m totally open to your feedback. We’re working with elite cybersecurity firms, industry peers, and law enforcement. We’ve reached out to Context to assist in understanding the full scale of the incident, in an effort to protect other organizations and the broader internet. I also want to thank the Google Mandiant team for their active engagement and assistance. It’s my mission to turn this attack into the most formidable security response imaginable. It’s always been a top priority for me. Vercel employs some of the most dedicated security researchers and security-minded engineers in the world. I commit to keeping you updated and rolling out extensive improvements and defenses so you, our customers and community, can have the peace of mind that Vercel always has your back.

If you want to rotate your SENTRY_AUTH_TOKEN: Settings > Organization Tokens > Create New Your risk is low even if this token is compromised. It mostly allows the attacker to publish sourcemaps and release metadata. There’s some read access but nothing that should create escalation.

We have no one to blame for our dystopia but ourselves.