Orca Unaffected by Vercel Incident

Trust Center

Welcome to Orca Security's Trust Center. Our commitment to data privacy and security is embedded in every part of our business. Use this Trust Center to learn about our security posture and request access to our security documentation.

Trust Center Updates

Orca Unaffected by Vercel Incident

Incidents

Orca Security is aware of the security incident disclosed by Vercel involving unauthorized access to certain internal Vercel systems.
We conducted an internal investigation and can confirm the following:

  • Our use of Vercel is limited to a single-page application for internal stakeholders, which is actively being migrated off Vercel.
  • We reviewed our Vercel environment for suspicious activity and found none.
  • Vercel confirmed directly that our credentials and personal data were not identified as compromised.
  • As a precaution, we verified that the malicious OAuth App ID associated with the broader incident was not present in our Google Workspace environment.

Status: No impact to Orca Security or our customers.

We will continue to monitor Vercel's Security Bulletin (link below) for further updates and will communicate any changes to this assessment if warranted.
https://vercel.com/kb/bulletin/vercel-april-2026-security-incident

Security Advisory: Axios npm Supply Chain Attack (March 31, 2026)

Vulnerabilities

On March 31, 2026, two malicious versions of the Axios npm package (v1.14.1 and v0.30.4) were published via a compromised maintainer account, deploying a cross-platform Remote Access Trojan to affected systems. We have reviewed our dependencies and confirmed that Orca Security does not use the affected versions. Our environments were not impacted by this incident.

Orca Unaffected by Trivy Supply Chain Attacks

Incidents

We're aware of the recent security incidents affecting the Trivy vulnerability scanner (March 2026). We've thoroughly reviewed our systems and can confirm we were not impacted. Our Trivy version was not among those compromised, and we found no indicators of exposure in our pipelines or infrastructure. We will continue to monitor the situation closely.

Orca Unaffected by React2Shell - React Server RCE Vulnerability

Vulnerabilities

We are aware of the recently disclosed vulnerability CVE-2025-55182 — widely known as “React2Shell” — which affects certain versions of React Server Components (RSC) and frameworks built on top of it (e.g. Next.js).

After a full review of our development and production environments, our dependency inventory, and build pipelines, we confirm that none of our services or infrastructure rely on the vulnerable React/Next.js versions or affected packages. As a result, there are no indicators of vulnerability, exploitation, or exposure related to CVE-2025-55182 in our environment.

We maintain continuous monitoring of public disclosures, open-source dependencies, and supply-chain risks. We also enforce strict software-dependency and version management policies. As the situation evolves, we remain ready to respond, and will update this page should our assessment change.

For further questions or concerns, please reach out to security@orca.security.

Orca Unaffected by Gainsight Third-Party Breach

Vulnerabilities

We are aware of the recently reported Gainsight security incident that may have exposed data through compromised Salesforce integrations. Our Security and Engineering teams promptly assessed our environment and confirm that Orca Security is not impacted.

Orca does not use Gainsight or any affected integrations in our systems. Our review found no exposure or unauthorized access related to this incident, and we will continue to maintain strict vendor-risk oversight and active monitoring across our ecosystem.

We will keep tracking developments in this case and provide further updates if anything changes. For any questions, please contact security@orca.security.
