Vercel: security incident confirmed after a leak claim
On 19 April 2026, cloud platform Vercel (creator of Next.js) confirmed a security incident traced to a compromised third-party AI tool, exposing non-sensitive environment variables and a limited subset of customer accounts.
- Victim
- Vercel
On 19 April 2026, Vercel β the US cloud platform behind the Next.js framework, widely used across the JavaScript ecosystem β confirmed a security incident after threat actors claimed to be selling stolen internal data on a cybercrime forum.
Vercel's investigation, supported by external incident responders and Google Mandiant, traced the breach to a supply-chain compromise. An attacker first gained access to Context.ai, a third-party AI tool used by a Vercel employee; an infostealer infection (reported as Lumma Stealer) on that employee's machine in February 2026 harvested credentials, which were then used to take over the employee's Google Workspace account and, in turn, their Vercel account and internal systems. The intruder spent roughly two months inside before detection, with activity focused on rapid enumeration and decryption of environment variables.
The exposed data primarily concerned:
- Non-sensitive environment variables stored on Vercel that decrypt to plaintext (such as some API keys and database credentials)
- A limited subset of customer accounts, plus a small number of additional accounts found compromised through a prior, independent incident
- Customer credentials, some of which were stored unencrypted
Vercel did not disclose exact customer counts. Following the breach, threat actors advertised a Vercel database for sale (reportedly for around $2M) on BreachForums and the ShinyHunters name was invoked, though that attribution was disputed and unverified. Services remained operational; Vercel notified affected customers, urged priority rotation of potentially exposed environment variables, confirmed npm packages were unaffected, and shipped hardening improvements to environment-variable management and activity logging. The company also engaged law enforcement.
Sources
- cyberattaque.orghttps://www.cyberattaque.org/vercel-incident-de-securite-confirme-apres-une-revendication-de-fuite/
- vercel.comhttps://vercel.com/kb/bulletin/vercel-april-2026-security-incident
- techcrunch.comhttps://techcrunch.com/2026/04/23/vercel-says-some-of-its-customers-data-was-stolen-prior-to-its-recent-hack/
- bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/vercel-confirms-breach-as-hackers-claim-to-be-selling-stolen-data/