ON 19 April 2026, Vercel disclosed a security incident following a threat actor’s public claim to sell stolen corporate data on the Dark Web. According to Google Mandiant, the breach originated via a compromised third‑party AI tool called Context[.]ai, with an OAuth app belonging to Context[.]ai being the entry point that allowed access to a Vercel employee’s Google Workspace account.
The attacker exfiltrated data including environment variables and an identified dataset of 580 employee records, and a formal indicator of compromise was published at 11:04 AM PST. The post on BreachForums, under the name ShinyHunters, claimed access to keys, internal project data, and various tokens, and referenced the alleged ransom demand of $2 million.
Vercel emphasised that its Next[.]js and Turbopack projects remained untampered and services stayed operational, while six million weekly Next[.]js downloads underscored the potential for widespread impact. The incident has prompted the company to work with incident response firms and to provide guidance to customers on auditing and rotating exposed credentials.