Cloud platform Vercel disclosed on 19 April that a security breach tied to a compromised third-party AI tool allowed attackers to access internal systems and a limited set of customer credentials.
The intrusion originated with Context.ai, an AI tool used by a Vercel employee; its compromise enabled attackers to take over the employee’s Google Workspace account. That account access allowed the threat actor to reach certain internal environments and view environment variables that were not classified as sensitive.
Vercel, based in San Francisco, said in a security bulletin that sensitive environment variables are encrypted and “there is currently no evidence” they were accessed. The company added that only a “limited subset” of customers were affected and that those users have been contacted and advised to rotate credentials immediately.
Guillermo Rauch, Vercel’s chief executive, said in a post on X that “we’ve deployed extensive protection measures and monitoring” and introduced new dashboard features to improve how sensitive variables are managed. He added that the company had analysed its supply chain and confirmed that core projects, including Next.js and Turbopack, remain unaffected.
Reporting from The Verge said a threat actor claiming affiliation with the ShinyHunters group has attempted to sell stolen data online, including employee information and system access details. The claims have not been independently verified, and Vercel has not confirmed whether any data was exfiltrated.
CoinDesk reported that the breach has prompted crypto developers to rotate API keys and review application code, given Vercel’s role in hosting front-end infrastructure for decentralised applications. A representative from Orca, a Solana-based exchange, told the outlet its “onchain protocol and user funds were not affected” after it rotated deployment credentials as a precaution.
Techzine added that Vercel has engaged incident response firm Mandiant, other cybersecurity partners, and law enforcement as investigations continue. The company described the attacker as “highly sophisticated”, citing the speed and depth of system knowledge demonstrated during the breach.
Vercel has advised customers to review activity logs, rotate environment variables, and audit deployments for unusual behaviour. The company is continuing to investigate the scope of the incident and said it will notify customers if further evidence of compromise emerges.