
Hackers Breach Vercel Through an AI Tool and Demand $2 Million

Stay Secure in a World of Growing Cyber Threats. [TechGolly]

Vercel recently suffered a massive security breach that exposed internal company data. The popular cloud computing platform helps developers run Next.js web applications worldwide. However, cybercriminals found a way into Vercel through a third-party artificial intelligence tool called Context.ai. A notorious hacking group known as ShinyHunters quickly claimed full responsibility for the cyberattack. These hackers now demand exactly $2 million from the tech company in exchange for the stolen digital files. Vercel immediately hired Mandiant, an incident response team owned by Google, to investigate the entire mess and stop the bleeding.


The actual attack did not start directly inside Vercel. Instead, the hackers first compromised Context.ai, a specialized platform that builds AI agents for large businesses. The trouble began when at least 1 Vercel employee signed up for an AI Office Suite using their official corporate email account. During the simple sign-up process, the employee clicked a button that granted the AI tool “Allow All” OAuth permissions. Sadly, Vercel left their internal workspace settings too open. This small mistake allowed the hackers to hijack the employee’s enterprise Google Workspace account and move freely through Vercel’s internal computer networks.

Cybersecurity experts at Hudson Rock traced the origin of this massive problem back to a very silly mistake. They discovered that an employee at Context.ai accidentally infected their own computer with Lumma Stealer malware back in February. This worker downloaded malicious cheat scripts for the popular video game Roblox. Once the malware infected the machine, it silently stole vital login credentials. The hackers grabbed Google Workspace passwords, along with secret access keys for platforms such as Supabase, Datadog, and Authkit. While Vercel has not yet confirmed this specific Roblox story, the timeline aligns perfectly with the security failure.

Context.ai admitted they noticed strange activity earlier this year. Back in March, the AI company successfully detected and blocked an attempt to break into its Amazon Web Services environment. Unfortunately, they later realized the hackers had already stolen OAuth security tokens belonging to regular users. Vercel executives described these specific attackers as highly sophisticated. The cybercriminals moved with extreme speed and showed a deep understanding of exactly how Vercel operates its complex cloud systems.

During their digital break-in, the hackers accessed important environment variables. Developers use these text strings to store project settings and database links. Vercel stated that their system properly encrypts any variable clearly marked as sensitive, meaning the hackers could not read those specific values. However, the attackers did steal non-sensitive variables stored in plain text. Because developers sometimes accidentally place secret passwords in these non-sensitive variables, Vercel considers all unencrypted data completely exposed.


Vercel took immediate action to protect its users and locked down its network. The company contacted local law enforcement agencies and sent direct warning emails to a small group of affected customers. Security leaders ordered all users to check their activity logs for weird behavior right away. Furthermore, they told developers to immediately rotate their database passwords, change their API keys, and review all recent software updates for hidden malicious code.
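The plaintext-variable exposure and the rotation advice above suggest a triage step: list every variable not marked sensitive and flag the ones that look like credentials. The sketch below is an added example, not code from Vercel or from the article; the record fields (`key`, `value`, `sensitive`), the heuristics and the sample inventory are all assumptions constructed for illustration.

```python
import math
import re

# Heuristics are assumptions for this example, not a platform rule set.
NAME_HINTS = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.I)
# URL carrying user:password@host, e.g. a database connection string.
URL_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)


def shannon_entropy(value: str) -> float:
    """Bits per character; long random-looking strings score high."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def reasons(name: str, value: str) -> list[str]:
    found = []
    if NAME_HINTS.search(name):
        found.append("name")
    if URL_CREDS.search(value):
        found.append("url-credentials")
    if len(value) >= 20 and " " not in value and shannon_entropy(value) >= 4.0:
        found.append("high-entropy")
    return found


def rotation_candidates(variables: list[dict]) -> dict[str, list[str]]:
    """Return {name: reasons} for plaintext variables that look like secrets."""
    flagged = {}
    for var in variables:
        if var["sensitive"]:
            continue  # encrypted at rest per the article, so not readable
        why = reasons(var["key"], var["value"])
        if why:
            flagged[var["key"]] = why
    return flagged


# Constructed sample inventory (not real data).
SAMPLE = [
    {"key": "NEXT_PUBLIC_SITE_URL", "value": "https://example.com", "sensitive": False},
    {"key": "DATABASE_URL", "value": "postgres://app:hunter2pass@db.example.internal:5432/app", "sensitive": False},
    {"key": "STRIPE_SECRET_KEY", "value": "placeholder", "sensitive": True},
    {"key": "ANALYTICS_ID", "value": "k9Qz7Lw2Xp4Rt8Vb1Nc6Md3Fh5Jg0Sy", "sensitive": False},
    {"key": "SMTP_PASSWORD", "value": "summer2024", "sensitive": False},
]

if __name__ == "__main__":
    for name, why in rotation_candidates(SAMPLE).items():
        print(f"rotate {name}: {', '.join(why)}")
```

Anything the function flags should be rotated and then stored as a sensitive variable; an unflagged plaintext value is not proof that it is harmless.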

To prevent this from happening again, the tech company rolled out brand-new security features this week. Vercel launched an updated dashboard that provides users with a clear overview of all their environment variables. They also designed a much better user interface to help developers manage their sensitive security settings without making dumb mistakes. Guillermo Rauch, the Chief Executive Officer at Vercel, posted a message on the social media platform X to calm angry users. He promised everyone that the company thoroughly checked its supply chain. He confirmed that popular open-source projects like Next.js and Turbopack remain 100 percent safe and untouched by the hackers.
