VERCEL has confirmed a cyber-incident on 21 April 2026, described as being conducted by a “highly sophisticated” attacker who targeted a third‑party tool used by an employee. According to Infosecurity Magazine, the attacker used that access to take over the employee’s Google Workspace account, enabling access to some Vercel environments and environment variables that were not marked as sensitive.
Vercel noted that environment variables marked as “sensitive” are stored in a way that prevents reading, and there is no evidence that those values were accessed; none of its npm packages were compromised and there is no evidence of tampering. The company has already contacted a limited subset of customers whose non‑sensitive environment variables stored on Vercel were compromised, and is working with Mandiant to assess the attacker’s claims.
A screenshot on X, posted by a threat actor purporting to be part of the ShinyHunters collective, claims extortion of $2m and purports access to multiple employee accounts, API keys, tokens, source code and databases.