Skip to content
Supply chainContained

Vercel: security incident confirmed after a leak claim

On 19 April 2026, cloud platform Vercel (creator of Next.js) confirmed a security incident traced to a compromised third-party AI tool, exposing non-sensitive environment variables and a limited subset of customer accounts.

Victim
Vercel

On 19 April 2026, Vercel β€” the US cloud platform behind the Next.js framework, widely used across the JavaScript ecosystem β€” confirmed a security incident after threat actors claimed to be selling stolen internal data on a cybercrime forum.

Vercel's investigation, supported by external incident responders and Google Mandiant, traced the breach to a supply-chain compromise. An attacker first gained access to Context.ai, a third-party AI tool used by a Vercel employee; an infostealer infection (reported as Lumma Stealer) on that employee's machine in February 2026 harvested credentials, which were then used to take over the employee's Google Workspace account and, in turn, their Vercel account and internal systems. The intruder spent roughly two months inside before detection, with activity focused on rapid enumeration and decryption of environment variables.

The exposed data primarily concerned:

  • Non-sensitive environment variables stored on Vercel that decrypt to plaintext (such as some API keys and database credentials)
  • A limited subset of customer accounts, plus a small number of additional accounts found compromised through a prior, independent incident
  • Customer credentials, some of which were stored unencrypted

Vercel did not disclose exact customer counts. Following the breach, threat actors advertised a Vercel database for sale (reportedly for around $2M) on BreachForums and the ShinyHunters name was invoked, though that attribution was disputed and unverified. Services remained operational; Vercel notified affected customers, urged priority rotation of potentially exposed environment variables, confirmed npm packages were unaffected, and shipped hardening improvements to environment-variable management and activity logging. The company also engaged law enforcement.

Sources

  1. cyberattaque.orghttps://www.cyberattaque.org/vercel-incident-de-securite-confirme-apres-une-revendication-de-fuite/
  2. vercel.comhttps://vercel.com/kb/bulletin/vercel-april-2026-security-incident
  3. techcrunch.comhttps://techcrunch.com/2026/04/23/vercel-says-some-of-its-customers-data-was-stolen-prior-to-its-recent-hack/
  4. bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/vercel-confirms-breach-as-hackers-claim-to-be-selling-stolen-data/

Related incidents

Supply chainContained

Leak at Discord

On 4 October 2025 Discord disclosed a breach of a third-party customer-support provider that exposed support-ticket data and roughly 70,000 government-ID photos (submitted for age-verification appeals), plus names, emails, IP addresses and partial billing details.

Victim
Discord
Records
70.0K