Vercel, the cloud infrastructure provider and maintainer of the Next.js framework, confirmed on April 21, 2026, that it has mitigated a security incident involving unauthorized access to internal systems. The breach originated from a compromise of Context.ai, a third-party AI tool used by a Vercel employee. The incident led to the potential exposure of non-sensitive environment variables for a limited subset of customers, although the company’s core infrastructure remains secure.
The attack sequence began in February 2026, when a Context.ai employee was infected with Lumma Stealer malware after downloading a malicious Roblox game exploit. This infection allowed attackers to harvest corporate credentials and subsequently breach Context.ai’s AWS environment in March 2026, exfiltrating OAuth tokens for its user base. One compromised token was linked to a Vercel employee who had signed up for the Context.ai AI Office Suite using their enterprise Google Workspace account. The employee had granted "Allow All" permissions to the application, which the attacker used to hijack the employee's account and pivot into Vercel’s internal environments.
Technical analysis by Vercel’s security team revealed that the unauthorized actor accessed environment variables that were not designated as sensitive. While sensitive variables are encrypted at rest and showed no evidence of compromise, non-sensitive variables—which often contain configuration data, build-time flags, and public-facing API endpoints—were accessible. Following the breach, a threat actor using the ShinyHunters persona listed a purported Vercel internal database for sale on BreachForums for $2 million. Vercel has not confirmed the validity of the data being sold but has advised all affected users to rotate their credentials immediately.
Vercel has engaged Mandiant for a comprehensive forensic investigation and is coordinating with law enforcement. In collaboration with Microsoft, GitHub, npm, and Socket, Vercel confirmed that its software supply chain remains intact. No npm packages published by Vercel, such as Next.js, Turbopack, or the Vercel AI SDK, were compromised. The company also reported that its core Edge Network and production databases remained secure throughout the event, with no downtime reported for customer applications.
To prevent future occurrences, Vercel has updated its platform to default all new environment variables to the sensitive setting, ensuring they are encrypted and unreadable by default. The company is also auditing all third-party OAuth integrations and has revoked access for the compromised Context.ai application, identified by the ID 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. Vercel’s security operations center is still monitoring for anomalous activity while the investigation into the full scope of exfiltrated data continues.
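For teams running the same OAuth audit in their own Google Workspace tenant, the following added example (not Vercel's code) finds users whose grant to the client ID above is still live and lists which broad scopes it carries. It assumes records shaped like Admin SDK Reports API token audit activities; the sample records, the `_act` helper and the `BROAD_SCOPES` set are constructed for illustration.

```python
# Client ID of the compromised Context.ai OAuth app, as published above.
COMPROMISED_CLIENT_ID = (
    "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com")

# Assumption: scopes this example treats as broad; adjust to local policy.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
}

def _act(time, email, name, client_id, scopes):
    """Build one constructed record in the assumed token-audit shape."""
    return {"id": {"time": time}, "actor": {"email": email},
            "events": [{"name": name, "parameters": [
                {"name": "client_id", "value": client_id},
                {"name": "scope", "multiValue": scopes}]}]}

# Constructed sample data, deliberately out of chronological order.
SAMPLE = [
    _act("2026-04-20T09:00:00Z", "bob@example.com", "revoke",
         COMPROMISED_CLIENT_ID, []),
    _act("2026-03-02T10:00:00Z", "bob@example.com", "authorize",
         COMPROMISED_CLIENT_ID, ["https://mail.google.com/"]),
    _act("2026-03-05T11:00:00Z", "alice@example.com", "authorize",
         COMPROMISED_CLIENT_ID,
         ["https://www.googleapis.com/auth/drive", "https://mail.google.com/",
          "openid"]),
    _act("2026-03-06T12:00:00Z", "carol@example.com", "authorize",
         "other-app.apps.googleusercontent.com", ["https://mail.google.com/"]),
]

def audit_token_grants(activities, client_id=COMPROMISED_CLIENT_ID):
    """Map each user with a live grant to client_id -> broad scopes granted."""
    live = {}
    # Replay events oldest first so a later revoke cancels an earlier grant.
    for act in sorted(activities, key=lambda a: a["id"]["time"]):
        user = act["actor"]["email"]
        for ev in act.get("events", []):
            params = {p["name"]: p.get("multiValue") or p.get("value")
                      for p in ev.get("parameters", [])}
            if params.get("client_id") != client_id:
                continue
            if ev["name"] == "authorize":
                scopes = params.get("scope") or []
                if isinstance(scopes, str):  # tolerate a space-separated string
                    scopes = scopes.split()
                live[user] = sorted(set(scopes) & BROAD_SCOPES)
            elif ev["name"] == "revoke":
                live.pop(user, None)
    return live
```

Any user returned still has an active grant to the application and should have it revoked and their sessions reviewed.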