Vercel Security Incident Update: npm Packages Not Compromised, New Environment Variables Default to 'Sensitive'
According to monitoring by Beating, Vercel’s official account announced on the morning of April 21 that, after a joint investigation with GitHub, Microsoft, npm, and Socket, it had confirmed that no packages published by Vercel on npm had been tampered with and that the supply chain ‘remains secure.’ Vercel maintains open-source libraries such as Next.js, Turbopack, and SWR on npm, which collectively have billions of downloads each month. If an attacker were to poison these packages using an employee account, the impact would far exceed that on Vercel’s own customers. This verification has eliminated the largest associated risk from the incident.

On the same day, the official security announcement was updated with three details.

The affected scope was clarified down to the field level for the first time. The announcement stated that the leaked information consisted of customer environment variables that were not marked as ‘sensitive,’ which were stored in plaintext after being decrypted in the backend. Vercel is still investigating whether more data was exfiltrated.

Among the recommendations for customers, it was added that ‘deleting the Vercel project or account itself does not eliminate the risk.’ All keys that were not marked as sensitive must be rotated before deletion is considered, because the credentials obtained by the attacker can still connect directly to the production system.

On the product side, the default value has been changed. New environment variables are now set to ‘sensitive’ (sensitive: on) by default. Previously, for older accounts, newly added variables defaulted to the regular type, and sensitivity had to be enabled manually by checking a box. This was the direct entry point for the attacker to read plaintext variables.

The Dashboard has also launched a more detailed activity log interface and team-level environment variable management; among all security recommendations, ‘enable two-factor authentication’ has been prioritized.
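As an added example (not from Vercel or the original report), the following Python turns an exported environment-variable listing into the rotation list that the recommendation above implies, and refuses to treat a project as ready for deletion while any exposed key is unrotated. The JSON shape, the field names (`envs`, `key`, `type`, `target`) and all sample values are assumptions constructed for illustration.

```python
import json

# Constructed sample. The listing shape ("envs" entries with "key", "type",
# "target") is an assumption, not output copied from any real project.
SAMPLE_LISTING = json.dumps({"envs": [
    {"key": "DATABASE_URL", "type": "encrypted", "target": ["production", "preview"]},
    {"key": "STRIPE_SECRET_KEY", "type": "sensitive", "target": ["production"]},
    {"key": "S3_ACCESS_KEY_ID", "type": "plain",
     "target": ["production", "preview", "development"]},
    {"key": "SENTRY_AUTH_TOKEN", "type": "plain", "target": ["preview"]},
    {"key": "LEGACY_API_TOKEN", "type": "encrypted"},  # no target recorded
]})

# Lower rank = rotate first. Unknown targets are ranked like production.
TARGET_RANK = {"production": 0, "preview": 1, "development": 2}


def rotation_plan(listing_json):
    """Return [(key, type, highest_exposure_target)] for every variable that
    is not marked sensitive, production-facing entries first."""
    plan = []
    for env in json.loads(listing_json).get("envs", []):
        var_type = str(env.get("type", "unknown")).lower()
        if var_type == "sensitive":
            continue  # per the announcement, only non-sensitive values leaked
        targets = env.get("target") or []
        if isinstance(targets, str):
            targets = [targets]
        # Fail closed: a variable with no recorded target counts as production.
        worst = min(targets, key=lambda t: TARGET_RANK.get(t, 0),
                    default="production")
        plan.append((env.get("key", "<unnamed>"), var_type, worst))
    plan.sort(key=lambda row: (TARGET_RANK.get(row[2], 0), row[0]))
    return plan


def ready_for_deletion(listing_json, rotated_keys):
    """Deleting the project does not revoke leaked credentials, so report
    ready only when every exposed key has been rotated at its provider."""
    pending = [k for k, _, _ in rotation_plan(listing_json)
               if k not in rotated_keys]
    return (not pending, pending)


if __name__ == "__main__":
    for key, var_type, target in rotation_plan(SAMPLE_LISTING):
        print(f"ROTATE {key:20} type={var_type:10} exposure={target}")
    print(ready_for_deletion(SAMPLE_LISTING, {"DATABASE_URL"}))
```

Rotation here means issuing a new credential at the upstream provider and revoking the old one; re-saving the same value as sensitive does not invalidate a copy that has already leaked.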