- Removed malicious userConfig loader that dynamically imported external config
- Removed mergeConfig function that allowed configuration hijacking
- Added .gitignore rules to block v0-user-next.config files
SECURITY INCIDENT:
- Backdoor discovered allowing remote code execution via /adfa route
- Attacker installed cryptocurrency miner on production VM
- Root-level system compromise with 9+ months of access
- Full incident details in SECURITY_INCIDENT_REPORT.md
All malware removed from VM. All credentials being rotated.
Date: January 10, 2026
