registry  /  vercel  /  56.2.1

vercel@56.2.1

The command-line interface for Vercel

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `vercel mcp` and selects a supported MCP client, or supplies `--clients`.
Impact
Adds a first-party Vercel MCP endpoint to a user-selected coding-agent client; no exfiltration, stealth persistence, or remote payload chain was confirmed.
Mechanism
Explicit AI-agent MCP integration setup via `claude mcp add` or client install deep links.
Rationale
No concrete malicious chain was found, but the package includes an explicit user-command AI-agent configuration capability. Per firewall policy, this warrants a warning rather than a block.
Evidence
package.jsondist/vc.jsdist/commands-bulk.jsdist/get-latest-worker.cjsdist/fetch-dist-tags.cjs
Network endpoints1
mcp.vercel.com

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/commands-bulk.js` implements `vercel mcp` setup for Claude Code, Cursor, and VS Code.
  • The setup invokes `claude mcp add` or opens client-specific MCP install deep links.
  • It targets the first-party endpoint `https://mcp.vercel.com`.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `dist/vc.js` activates only when the user runs `vercel` or `vc`.
  • MCP setup requires an interactive client selection or explicit `--clients` in non-interactive mode.
  • The setup block reads existing MCP settings but has no direct file-write call.
  • `dist/get-latest-worker.cjs` only fetches npm dist-tags and writes a local update cache.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 128 file(s), 7.41 MB of source, external domains: 127.0.0.1, ai-gateway.vercel.sh, api.example.com, api.vercel.com, backend.internal, bitbucket.org, codeload.github.com, cursor.sh, dogs.are.great, err.sh, example.com, example.vercel.app, examples.vercel.sh, feross.org, fetch.spec.whatwg.org, gist.githubusercontent.com, github.com, gitlab.com, internal.example.com, mcp.vercel.com, mimesniff.spec.whatwg.org, mozilla.github.io, my-app-xxxxx.vercel.app, new-api.example.com, now.sh, openapi-internal.vercel.sh, openapi.vercel.sh, raw.githubusercontent.com, registry.npmjs.org, sites.google.com, stackoverflow.com, telemetry.vercel.com, tools.ietf.org, v0.app, vercel.com, vercel.link, w3c.github.io, websockets.spec.whatwg.org, www.example.com, www.w3.org, your-project-abc123.vercel.app
Oversized source lightweight scan
dist/chunks/chunk-DDEPCAGE.js2.00 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsEvalShellDynamicRequireHighEntropyStringsUrlStringsbitbucket.orgfeross.orggithub.comgitlab.comstackoverflow.comtools.ietf.orgvercel.comvercel.linkwww.w3.org

Source & flagged code

12 flagged · loading source
dist/vc.jsView file
16// so at most one platform binary downloads per install. L17: import { spawnSync } from 'node:child_process'; L18: import { createRequire } from 'node:module';
High
Child Process

Package source references child process execution.

dist/vc.jsView on unpkg · L16
dist/commands-bulk.jsView file
2import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L486: import { L487: require_execa L488: } from "./chunks/chunk-R6IGDGX3.js"; ... L1064: - Use AI Gateway for model routing, set AI_GATEWAY_API_KEY, using a model string (e.g. 'anthropic/claude-sonnet-4.6'), Gateway is already default in AI SDK L1065: needed. Always curl https://ai-gateway.vercel.sh/v1/models first; never trust model IDs from memory L1066: - For durable agent loops or untrusted code: use Workflow (pause/resume/state) + Sandbox; use Vercel MCP for secure infra access`; ... L1155: telemetry2.trackCliFlagHelp("agent"); L1156: output_manager_default.print(help(agentCommand, { columns: client.stderr.columns })); L1157: return 2;
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/commands-bulk.jsView on unpkg · L2
2Trigger-reachable chain: manifest.bin -> dist/vc.js -> dist/index.js -> dist/commands-bulk.js L2: import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L486: import { L487: require_execa L488: } from "./chunks/chunk-R6IGDGX3.js"; ... L1064: - Use AI Gateway for model routing, set AI_GATEWAY_API_KEY, using a model string (e.g. 'anthropic/claude-sonnet-4.6'), Gateway is already default in AI SDK L1065: needed. Always curl https://ai-gateway.vercel.sh/v1/models first; never trust model IDs from memory L1066: - For durable agent loops or untrusted code: use Workflow (pause/resume/state) + Sandbox; use Vercel MCP for secure infra access`; ... L1155: telemetry2.trackCliFlagHelp("agent"); L1156: output_manager_default.print(help(agentCommand, { columns: client.stderr.columns })); L1157: return 2;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/commands-bulk.jsView on unpkg · L2
486import { L487: require_execa L488: } from "./chunks/chunk-R6IGDGX3.js";
High
Shell

Package source references shell execution.

dist/commands-bulk.jsView on unpkg · L486
7106); L7107: const testUrl = `https://${deployment.url}${subpath}`; L7108: output_manager_default.log(`${import_chalk26.default.bold("Deployment URL:")} ${link_default(testUrl)}`); ... L7117: if (run3) { L7118: const proc = await (0, import_execa.default)(run3, [testUrl], { L7119: stdio: "inherit", ... L7121: env: { L7122: ...process.env, L7123: HOST: deployment.url,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/commands-bulk.jsView on unpkg · L7106
2import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L486: import { L487: require_execa L488: } from "./chunks/chunk-R6IGDGX3.js"; ... L1064: - Use AI Gateway for model routing, set AI_GATEWAY_API_KEY, using a model string (e.g. 'anthropic/claude-sonnet-4.6'), Gateway is already default in AI SDK L1065: needed. Always curl https://ai-gateway.vercel.sh/v1/models first; never trust model IDs from memory L1066: - For durable agent loops or untrusted code: use Workflow (pause/resume/state) + Sandbox; use Vercel MCP for secure infra access`; ... L1155: telemetry2.trackCliFlagHelp("agent"); L1156: output_manager_default.print(help(agentCommand, { columns: client.stderr.columns })); L1157: return 2;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands-bulk.jsView on unpkg · L2
2import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L486: import { L487: require_execa L488: } from "./chunks/chunk-R6IGDGX3.js"; ... L1064: - Use AI Gateway for model routing, set AI_GATEWAY_API_KEY, using a model string (e.g. 'anthropic/claude-sonnet-4.6'), Gateway is already default in AI SDK L1065: needed. Always curl https://ai-gateway.vercel.sh/v1/models first; never trust model IDs from memory L1066: - For durable agent loops or untrusted code: use Workflow (pause/resume/state) + Sandbox; use Vercel MCP for secure infra access`; ... L1155: telemetry2.trackCliFlagHelp("agent"); L1156: output_manager_default.print(help(agentCommand, { columns: client.stderr.columns })); L1157: return 2;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands-bulk.jsView on unpkg · L2
2import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L486: import { L487: require_execa L488: } from "./chunks/chunk-R6IGDGX3.js"; ... L1064: - Use AI Gateway for model routing, set AI_GATEWAY_API_KEY, using a model string (e.g. 'anthropic/claude-sonnet-4.6'), Gateway is already default in AI SDK L1065: needed. Always curl https://ai-gateway.vercel.sh/v1/models first; never trust model IDs from memory L1066: - For durable agent loops or untrusted code: use Workflow (pause/resume/state) + Sandbox; use Vercel MCP for secure infra access`; ... L1155: telemetry2.trackCliFlagHelp("agent"); L1156: output_manager_default.print(help(agentCommand, { columns: client.stderr.columns })); L1157: return 2;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/commands-bulk.jsView on unpkg · L2
dist/get-latest-worker.cjsView file
16L17: const { mkdirSync, writeFileSync } = require('fs'); L18: const { access, mkdir, readFile, unlink, writeFile } = require('fs/promises');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/get-latest-worker.cjsView on unpkg · L16
dist/index.jsView file
2Cross-file remote execution chain: dist/index.js spawns dist/commands-bulk.js; helper contains network access plus dynamic code execution. L2: import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L118: if (stream == null) L119: stream = process.stdout; L120: if (callback == null) ... L141: var paths = __require("path"); L142: var isWinOS = /^win/i.test(process.platform); L143: function normalize_path(path2) { ... L188: const object = {}; L189: object.cache = () => process.env.XDG_CACHE_HOME || path2.join(osPaths.home() || osPaths.temp(), ".cache"); L190: object.config = () => process.env.XDG_CONFIG_HOME || path2.join(osPaths.home() || osPaths.temp(), ".config");
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L2
dist/chunks/chunk-DDEPCAGE.jsView file
path = dist/chunks/chunk-DDEPCAGE.js kind = oversized_source_file sizeBytes = 2099995 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/chunks/chunk-DDEPCAGE.jsView on unpkg
dist/commands/dev/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = vercel@56.2.0 matchedIdentity = npm:dmVyY2Vs:56.2.0 similarity = 0.858 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/dev/index.jsView on unpkg

Findings

3 Critical6 High6 Medium8 Low
CriticalCredential Exfiltrationdist/commands-bulk.js
CriticalTrigger Reachable Dangerous Capabilitydist/commands-bulk.js
CriticalPrevious Version Dangerous Deltadist/commands/dev/index.js
HighChild Processdist/vc.js
HighShelldist/commands-bulk.js
HighSame File Env Network Executiondist/commands-bulk.js
HighSandbox Evasion Gated Capabilitydist/commands-bulk.js
HighCross File Remote Execution Contextdist/index.js
HighOversized Source Filedist/chunks/chunk-DDEPCAGE.js
MediumDynamic Requiredist/get-latest-worker.cjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/commands-bulk.js
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowWeak Cryptodist/commands-bulk.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings