Vercel has confirmed a cybersecurity breach in which hackers gained unauthorised access to parts of its internal systems and stole data affecting a limited number of customers.
The company disclosed in a security bulletin that the attack was linked to a compromise involving a third-party AI tool, Context AI, which attackers allegedly exploited to infiltrate Vercel’s infrastructure. Despite the breach, Vercel said its core services remain unaffected and that it is working closely with impacted customers.
“We are actively investigating and have engaged incident response experts,” the company said, adding that law enforcement has been notified.
Chief Executive Officer Guillermo Rauch said the attackers gained initial access through a compromised Google Workspace account belonging to a Vercel employee, before moving laterally within internal systems. The hackers were able to access certain environment variables that were not designated as sensitive and therefore not encrypted at rest.
The incident highlights a growing trend of supply chain attacks targeting AI tools and developer ecosystems. In recent weeks, several open-source AI projects have been compromised, raising concerns about vulnerabilities in widely used software dependencies.
Hackers linked to the group ShinyHunters have reportedly claimed responsibility and attempted to sell stolen data, including API keys and internal access credentials, though this has not been independently confirmed.
In response, Vercel has introduced new security measures, including improved controls for managing sensitive environment variables, and has urged customers to review and secure their configurations.