‘Highly Sophisticated,’ AI-Powered Hackers Behind Vercel Breach: CEO

Vercel’s CEO said a “highly sophisticated,” potentially AI-assisted hacking group was behind a recent security incident that exposed some customer credentials following a breach of internal systems.

“We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI,” CEO Guillermo Rauch tweeted, adding that the attackers “moved with surprising velocity and in-depth understanding of Vercel.”

The company, which is a cloud platform for developers, said Sunday it had identified unauthorized access to certain internal systems and was actively investigating. The incident affected a limited subset of customers whose credentials were compromised, prompting the company to advise immediate credential rotation.

The breach originated from the compromise of Context.ai, a third-party AI tool used by a Vercel employee, which allowed attackers to take over the employee’s Google Workspace account and gain access to some Vercel environments and non-sensitive environment variables.

The disclosure highlights growing concerns about the security risks posed by third-party integrations and AI-powered tooling, as attackers increasingly exploit supply chain vulnerabilities to gain footholds inside organizations.

Vercel and crypto

Natalie Newson, CertiK senior blockchain security researcher, told Decrypt the event has triggered urgency among crypto developers specifically. “Because many crypto frontends use Vercel to host their UI, a breach can allow attackers to implant a wallet drainer. Users interacting with a trusted page won’t be expecting anything malicious to occur,” she said, adding that,”Exploits in the crypto space can lead to substantial financial losses.”

Even if smart contracts remain secure, front end compromises still pose risks. “Front end compromises can be particularly damaging for end users,” she noted, pointing to the CoW Swap incident in April in which one user saw $316k drained from their wallet.

She said the rising trend of agentic AI has led to many users posting the latest apps and extensions to improve productivity and malicious actors are taking advantage of this trend. “Companies should be extra cautious when utilising new AI apps and extensions while reviewing internal security models to ensure that if a breach does occur the impact remains as limited as possible,” she said.

Rauch said the attack unfolded through “a series of maneuvers” beginning with the compromised employee account and escalating into broader access to internal environments. While Vercel stores customer environment variables encrypted at rest, the company allows some variables to be marked as non-sensitive, which the attackers were able to access.

The company believes the number of affected customers is limited and said it has contacted those potentially impacted as a priority. Vercel has since deployed additional monitoring and protection measures, while also reviewing its supply chain to ensure the safety of projects such as Next.js and Turbopack.

John Woods, CEO of Nillion, told Decrypt that “limited subset” usually means the observed affected-customer set appears limited so far, but it does not necessarily rule out broader internal movement or wider downstream risk. “In modern cloud platforms, blast radius is not only about how many customers were visibly impacted at first, but also about what the compromised systems could reach behind the scenes,” Woods said.

He recommended companies follow a variety of best practices to avoid this sort of situation. “Lock down OAuth grants, use least privilege, enforce strict controls around sensitive environment variables, separate frontend deployment from secret or signing authority, and monitor deployments and logs closely,” he said.

“For anyone whose credentials may have been taken, the immediate priority is to revoke access, rotate credentials, and review every system those credentials could reach,” he added, noting that, “At a higher level, the lesson is to avoid architectures where one compromise can reach too much.”

It is not yet clear who is behind the attack. Screenshots have surfaced of a user with the name of the hacking group “ShinyHunters” claiming on a forum to have breached Vercel and to be selling access to company data, including source code, API keys and internal systems.

The actor, who may also be impersonating ShinyHunters, also claimed to have discussed a $2 million ransom demand with the company. Vercel did not immediately respond to a request to confirm those claims.