Vercel confirmed on Sunday that it has suffered an intrusion after a hacker offered to sell data allegedly stolen from the company’s systems.
Vercel is best known as the company behind Next.js, the popular open source React framework for building web applications. It’s also known for its frontend cloud platform, which makes it easy to deploy, scale, and host web apps.
A hacker using the online moniker ShinyHunters announced on BreachForums on April 19 the sale of Vercel databases, access keys, employee accounts, and source code, offering it for $2 million.
“This could be the largest supply chain attack ever if done right”, the hacker said.
In a security incident notice published on Sunday and continuously updated since, Vercel confirmed unauthorized access to certain internal systems.
The company says its investigation is ongoing, but it has confirmed that the credentials of a “limited subset of customers” were compromised. Impacted users have been notified and instructed to reset credentials.
“The incident originated with a compromise of Context.ai, a third-party AI tool used by a Vercel employee,” Vercel said. “The attacker used that access to take over the employee’s Vercel Google Workspace account, which enabled them to gain access to some Vercel environments and environment variables that were not marked as ‘sensitive’.”
Vercel CEO Guillermo Rauch explained in a post on X, “Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms to protect core systems and customer data. We do have a capability however to designate environment variables as ‘non-sensitive’. Unfortunately, the attacker got further access through their enumeration.”
Hudson Rock, a threat intelligence firm specializing in infostealer malware, reported that the Lumma stealer obtained a Context.ai employee’s credentials in February 2026, which may have facilitated the Vercel hack.
The BreachForums post offering the Vercel data appears to have been deleted, and the ShinyHunters group has reportedly denied being responsible for the attack. It remains to be seen whether the cybercrime group names Vercel on its data leak website.
Vercel has promised to share more information as its investigation progresses.
Related: Wynn Resorts Says 21,000 Employees Affected by ShinyHunters Hack
Related: European Commission Reports Cyber Intrusion and Data Theft
Related: Nightclub Giant RCI Hospitality Reports Data Breach
