Our response to the June 3, 2026 supply chain incident
Blog post from Vapi
On June 3, 2026, Vapi swiftly addressed and contained a supply chain incident involving the Miasma/Shai-Hulud worm, which impacted repositories within its GitHub organization. The breach, identified via internal telemetry, involved an unexpired access token from a developer's personal GitHub account used to push malicious changes, including scripts targeting developer tools and package workflows. Despite the publication of four malicious versions of the @vapi-ai/server-sdk to npm, these versions had zero downloads before being removed, and there was no evidence of customer data or credentials being compromised. Vapi took immediate corrective actions, including revoking access, cleaning repositories, rolling back the affected npm versions, and enhancing branch protections. They also began rotating Vapi secrets and keys as a precaution, even though no breach beyond the initial access token was detected. Vapi's production services remained unaffected, and no customer action was required. The company continues to strengthen its security measures to prevent future incidents.
| Trend | Post Mentions | Total Month Mentions | Posts | Companies | MoM |
|---|---|---|---|---|---|
| Secrets Management | 9 | 2,464 | 377 | 128 | +14% |
| AI Coding Assistant | 2 | 2,100 | 516 | 161 | +17% |
| Real-time | 1 | 5,515 | 1,316 | 255 | -4% |
Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.