Our response to the June 3, 2026 supply chain incident

On June 3, 2026, Vapi identified and contained a supply chain incident associated with the Miasma/Shai-Hulud worm that affected repositories in the Vapi GitHub organization. Vapi became aware of the issue via its internal telemetry as soon as the impacted npm packages were deployed, and was able to remove the malicious code, clean, validate, and resolve the incident within a 3-hour window.

Based on our investigation, no customer data, customer credentials, Vapi secrets, or keys (beyond the initial compromised access token) were accessed or exfiltrated. Four malicious versions of @vapi-ai/server-sdk were published to npm, but based on our review of npm download data, those versions had zero downloads before they were removed. We have also not identified evidence that the malicious code executed in our GitHub Actions CI/CD environment.

At this time, no customer action is required. We are sharing more details below about what happened, what we found, what we did in response, and what customers can review as an additional precaution.

What happened

On June 3, 2026, between approximately 22:56 and 23:30 UTC, an unexpired access token belonging to a developer’s personal GitHub account was used to push malicious changes across repositories that account had access to. This included some Vapi repositories.

The attack modified repository branch tips and introduced malicious files designed to execute through common developer and CI tooling paths. The malicious changes included scripts and hooks targeting developer tools and package workflows, including npm-related execution path and AI coding assistant configurations.

In a limited number of repositories, the compromised account had elevated access. In such repositories where access was allowed, the worm disabled branch protections, preventing them from preventing the push.

During the incident, npm indicated that new versions of @vapi-ai/server-sdk had been published.

The versions containing the worm were published at approximately 4:30 pm PT / 11:30 pm UTC on June 3, 2026. We removed and rolled back the malicious npm versions by approximately 7:20 pm PT the same day.

We have no evidence that the malicious code executed through our CI/CD environment, and our platform has not been impacted.

What we found

Based on our investigation:

• We have not identified evidence that customer data was accessed or exfiltrated.
• We have not identified evidence that customer credentials were accessed or exfiltrated.
• We have not identified evidence that Vapi secrets or keys were breached (beyond the initial compromised developer access token).
• The malicious @vapi-ai/server-sdk versions had zero downloads before they were removed.
• We have not identified malicious packages published to PyPI, RubyGems, NuGet, Maven, Go, or Packagist as part of this incident.

What we did

After identifying the incident, we took the following actions:

1. Removed the malicious npm versions.
2. Revoked access for the affected GitHub account.
3. Cleaned identified affected repositories and branches. We deleted worm artifact branches and verified that the malicious files were no longer present on remediated branches.
4. Audited GitHub users and applications. We reviewed GitHub users, access patterns, and authorized applications. We also deployed an updated, stricter access policy to reduce unnecessary elevated access.
5. Added additional repository protections. We hardened branch protections for SDK default branches to block force pushes and branch deletion by default, while preserving required release workflows.
6. Began rotating Vapi secrets and keys. Although we have not identified evidence that Vapi secrets or keys were breached, we are rotating them as a precaution.

Customer Guidance

Based on what we know today, no customer action is required.

Because the malicious npm versions had zero downloads before removal, we do not believe customer environments installed these versions from npm. As a precaution, customers may review package manifests, lockfiles, and internal package mirrors for the following versions:

• @vapi-ai/server-sdk@0.11.1
• @vapi-ai/server-sdk@0.11.2
• @vapi-ai/server-sdk@1.2.1
• @vapi-ai/server-sdk@1.2.2

If any of these versions are present in your environment, remove them and install a current, known-good version of @vapi-ai/server-sdk.

If one of these versions was installed or executed in an environment containing credentials, rotate credentials that may have been available in that environment.

We will update this guidance if necessary.

FAQ

Were customer data or customer credentials compromised? No. We have not identified evidence that customer data or customer credentials were accessed or exfiltrated.

Were Vapi secrets or keys breached? No. We have not identified evidence that Vapi secrets or keys beyond one initially affected access token were breached. We are rotating Vapi secrets and keys as a precaution.

Were the malicious npm versions downloaded? No. Based on our review of npm download data, the malicious @vapi-ai/server-sdk versions had zero downloads before they were removed.

Which npm versions were affected? The affected versions were:

• @vapi-ai/server-sdk@0.11.1
• @vapi-ai/server-sdk@0.11.2
• @vapi-ai/server-sdk@1.2.1
• @vapi-ai/server-sdk@1.2.2

These versions have been removed or rolled back.

Were other Vapi packages affected?

We have not identified malicious packages published to PyPI, RubyGems, NuGet, Maven, Go, or Packagist as part of this incident. The malicious package publishing activity we identified was limited to the npm versions listed above.

Did the malicious code execute in Vapi CI/CD?

We have not identified evidence that the malicious code executed through our CI/CD environment.

Why did branch protection not prevent this?

The compromised developer account had elevated access to some repositories. In repositories where that access allowed administrator or maintainer bypass, branch protections did not block the push. We have since reviewed and hardened repository access policies, application access, and branch protection settings.

Do customers need to rotate Vapi API keys?

Based on our current findings, we are not requiring customers to rotate Vapi API keys. Customers may choose to rotate keys according to their own security policies. We will update this guidance if our investigation identifies any reason to rotate customer keys.

Did this affect Vapi production services?

No, the platform and production services were not impacted. To reiterate, we did not identify evidence of a breach of customer data, customer credentials, Vapi secrets, or Vapi keys.

What is Vapi doing to reduce the risk of this happening again?

We have audited GitHub users and applications, enforced an updated GitHub access policy, added additional protections on SDK default branches, removed malicious npm versions, cleaned identified affected repositories and branches, and begun rotating Vapi secrets and keys.

VAPI works continuously to enhance our development, package publishing, and CI/CD controls, including where elevated access and bypass permissions are allowed.

What about the StepSecurity report?

On June 4, 2026, we learned about an article from StepSecurity titled "Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp." This article references an event that is relevant to us, specifically mentioning Vapi. We want to note that Vapi identified and resolved the issue internally and in real-time, even before being aware of this article.