{"id":5186,"date":"2026-04-22T03:37:11","date_gmt":"2026-04-22T03:37:11","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2026\/04\/22\/vercel-confirms-cyber-incident-after-sophisticated-attacker-exploits-third-party-tool\/"},"modified":"2026-04-22T03:37:11","modified_gmt":"2026-04-22T03:37:11","slug":"vercel-confirms-cyber-incident-after-sophisticated-attacker-exploits-third-party-tool","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2026\/04\/22\/vercel-confirms-cyber-incident-after-sophisticated-attacker-exploits-third-party-tool\/","title":{"rendered":"Vercel Confirms Cyber Incident After Sophisticated Attacker Exploits Third\u2011Party Tool"},"content":{"rendered":"
\n

\"Photo<\/p>\n<\/div>\n

\n

Next.js developer Vercel has confirmed a cyber-incident\u00a0 conducted by a \u201chighly sophisticated\u201d attacker which may have resulted in threat actors getting hold of sensitive internal data.<\/p>\n

The US firm, which provides developer tools and cloud infrastructure, said in an updated April 21 notice that the unauthorized access originated from an employee\u2019s use of a third-party tool, Context.ai.<\/p>\n

\u201cThe attacker used that access to take over the employee’s Vercel Google Workspace account, which enabled them to gain access to some Vercel environments and environment variables that were not marked as sensitive,\u201d it added.<\/p>\n

\u201cEnvironment variables marked as \u2018sensitive\u2019 in Vercel are stored in a manner that prevents them from being read, and we currently do not have evidence that those values were accessed.\u201d<\/p>\n

Read more on Vercel: NCSC Urges Users to Patch Next.js Flaw Immediately<\/em><\/p>\n

Vercel claimed that the attacker was \u201chighly sophisticated based on their operational velocity and detailed understanding of Vercel’s systems\u201d.<\/p>\n

However, it confirmed that none of its npm packages were compromised and there\u2019s no evidence of tampering, meaning projects like popular React framework Next.js are safe.<\/p>\n

Vercel said it has already reached out to \u201ca limited subset of customers whose non-sensitive environment variables stored on Vercel\u201d were compromised.<\/p>\n

According to screenshots posted to X (formerly Twitter), a threat actor purporting to be part of the ShinyHunters collective is trying to extort Vercel to the tune of $2m. They claim to have access to multiple employee accounts \u201cwith access to several internal deployments,\u201d as well as API keys, npm\/GitHub tokens, source code and databases.<\/p>\n

Vercel Customers Urged to Follow Best Practices<\/strong><\/h2>\n

As it works with Mandiant to ascertain the validity of the threat actor\u2019s claims, Vercel has issued the following advice for customers:<\/p>\n