npm

@amedit/vercel-builder-probe @1.0.3

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10548

Ecosystem

npm

Summary

When wired in as a @vercel/build-utils Builder and the exported build() runs in a Vercel deployment pipeline, index.js reads the installer's RUNTIME_CACHE_HEADERS, VERCEL_DEPLOYMENT_KEY, and VERCEL_OIDC_TOKEN environment variables and prints the raw JWTs and deployment key to the build log via console.log lines prefixed '[P1216]' (index.js:21-24). It then HMAC-signs a forged JWT using the installer's VERCEL_DEPLOYMENT_KEY ( crypto.createHmac('sha256', rawKey).update(header+'.'+payload).digest('base64url') , index.js:41-44) and sends a request carrying that forged token to iad1.suspense-cache.vercel-infra.com with hardcoded team/project/deployment identifiers belonging to a third party. Installer harm is twofold: (1) the deployment key and cache JWT are written into Vercel build logs, where they may be retained, surfaced in CI artifacts, or shared; and (2) the installer's Vercel account is the one issuing a signature-forging request against Vercel's internal suspense-cache endpoint with another party's IDs, exposing the installer to abuse-policy enforcement. The '[P1216]' tag and hardcoded foreign deployment IDs indicate a research/abuse probe rather than a legitimate Builder.

Source: amazon-inspector (7fe0b29ddff65cbd65167ea905c448d928fc6da661d69df415993635bf1bd3bc)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.