Next.js developer Vercel confirms security breach

Vercel, the developer behind the open source Next.js web development framework, has confirmed it has been targeted in a “highly sophisticated” cyber incident that may have exposed certain internal data, according to an update released April 21.

The US-based firm said the entry point was the compromised Context.ai tool used by an employee. Attackers leveraged this access to take over the employee’s Google Workspace account, allowing them to access parts of Vercel’s internal environments and retrieve environment variables that were not classified as sensitive.

Vercel said that environment variables marked as “sensitive” are stored securely and are not readable in plain form.

“Environment variables marked as ‘sensitive’ in Vercel are stored in a manner that prevents them from being read, and we currently do not have evidence that those values were accessed,” the company said. “We assess the attacker as highly sophisticated based on their operational velocity and detailed understanding of Vercel's systems.”

Vercel has also engaged directly with Context.ai to determine the full scope of the initial compromise.

In coordination with GitHub, Microsoft, npm, and Socket, Vercel confirmed that no npm packages it maintains were affected.

“There is no evidence of tampering, and we believe the supply chain remains safe,” the company said.

Reports of the possible breach emerged earlier this month, when a threat actor claiming to be linked to the ShinyHunters collective attempted to extort Vercel for $2 million. The group alleges it has obtained access to multiple employee accounts, internal deployments, API keys, GitHub and npm tokens, as well as source code and databases.
