Security Bulletin: Supply-Chain Response and Precautionary Credential Rotation | System Status

Summary

Following the April 2026 security incident disclosed by Vercel, and additional third-party supply-chain communications received by Cloud Posse, we reviewed our exposure and elected — out of an abundance of caution — to rotate credentials for integrated services supporting Atmos Pro. The rotation required a redeployment; Atmos Pro was unavailable for approximately 30 minutes during this window. We have no evidence of unauthorized access to Cloud Posse systems or customer data. No customer action is required.

Updates

April 21, 2026 — Initial publication.

Who Is Impacted

Atmos Pro customers experienced an approximately 30-minute service interruption during the redeployment window required to pick up rotated credentials. This duration was longer than intended due to procedural friction encountered during the rotation; the remediation is described in the Follow-Up section below.
Based on our current evidence, no customer data, customer accounts, or running workflows were affected.
Every effort was made to minimize customer impact during the rotation window.

What We Know

On April 19–20, 2026, Vercel publicly disclosed a security incident involving compromise of a third-party AI tool used by a Vercel employee, which led to unauthorized access to some environments and non-sensitive environment variables within Vercel's infrastructure. Vercel's bulletin is available at https://vercel.com/kb/bulletin/vercel-april-2026-security-incident. Atmos Pro is hosted on Vercel.
We separately received additional third-party supply-chain communications that remain under embargo as of this publication. We are honoring those embargoes and will publish separate follow-up bulletins once the related third parties have issued their own disclosures.
We reviewed our exposure to these communications and elected to rotate credentials for integrated services as a precautionary measure.
We have no evidence of unauthorized access to Cloud Posse systems, Atmos Pro infrastructure, or customer data.

What We Did

Rotated credentials for integrated services supporting Atmos Pro, including source control, email delivery, database, and background job providers.
Redeployed Atmos Pro so that the rotated credentials took effect across all environments.
Reviewed logs for indicators of compromise across affected integrations.
Confirmed normal operation following the redeployment.

Recommendations for Customers

No customer action is required at this time. Customers with SOC 2 or other compliance obligations who need additional detail to document our response in their own audit trail may contact support@cloudposse.com.

Indicators of Compromise

None observed in our systems at the time of this publication.

Follow-Up

Rotation runbook. The procedural friction that extended this rotation window has been addressed by documenting every step of the credential rotation process. Based on this documentation, future rotations are expected to complete in under 5 minutes of downtime.
Embargoed communications. We will publish separate follow-up bulletins once any referenced third-party disclosures become public.
Ongoing review. We continue to monitor for additional information from affected upstream vendors and will disclose any material new findings as updates to this bulletin.

Summary

Who Is Impacted

Atmos Pro customers experienced an approximately 30-minute service interruption during the redeployment window required to pick up rotated credentials. This duration was longer than intended due to procedural friction encountered during the rotation; the remediation is described in the Follow-Up section below.

Based on our current evidence, no customer data, customer accounts, or running workflows were affected.

Every effort was made to minimize customer impact during the rotation window.

What We Know

On April 19–20, 2026, Vercel publicly disclosed a security incident involving compromise of a third-party AI tool used by a Vercel employee, which led to unauthorized access to some environments and non-sensitive environment variables within Vercel's infrastructure. Vercel's bulletin is available at https://vercel.com/kb/bulletin/vercel-april-2026-security-incident. Atmos Pro is hosted on Vercel.

We separately received additional third-party supply-chain communications that remain under embargo as of this publication. We are honoring those embargoes and will publish separate follow-up bulletins once the related third parties have issued their own disclosures.

We reviewed our exposure to these communications and elected to rotate credentials for integrated services as a precautionary measure.

We have no evidence of unauthorized access to Cloud Posse systems, Atmos Pro infrastructure, or customer data.

What We Did

Rotated credentials for integrated services supporting Atmos Pro, including source control, email delivery, database, and background job providers.

Redeployed Atmos Pro so that the rotated credentials took effect across all environments.

Reviewed logs for indicators of compromise across affected integrations.

Confirmed normal operation following the redeployment.

Follow-Up

Rotation runbook. The procedural friction that extended this rotation window has been addressed by documenting every step of the credential rotation process. Based on this documentation, future rotations are expected to complete in under 5 minutes of downtime.

Embargoed communications. We will publish separate follow-up bulletins once any referenced third-party disclosures become public.

Ongoing review. We continue to monitor for additional information from affected upstream vendors and will disclose any material new findings as updates to this bulletin.