Cybersafetyconnections May 4, 2026, vol#255
- According to bastion.tech, there was a cyberattack on Vercel at the end of April 2026.
- Vercel, its employees, a subset of Vercel’s customers, and developers and companies that rely on Vercel’s products for deployment were impacted.
- The cyberattack was the result of a supply‑chain style compromise that exploited a third‑party integration.
- A cybercriminal claiming to be connected to ShinyHunters listed the stolen data for sale for $2 million.
- Here is how Vercel mitigated loss from the cyberattack.
- Here is how Vercel could have prevented the cyberattack.
1. What Happened

Attackers compromised Context.ai, a third‑party AI tool used by a Vercel employee, and used that access to pivot into Vercel’s internal Google Workspace and cloud environments. They accessed environment variables that were not marked as “sensitive”, along with some internal systems and 580 employee records (per attacker claims). A threat actor claiming ties to ShinyHunters listed the stolen data for sale for $2 million. bastion.tech
2. Who Was Impacted
- Vercel, the cloud platform behind Next.js and Turbopack
- A subset of Vercel customers, whose non‑sensitive environment variables may have been exposed
- 580 Vercel employees, based on attacker claims
- Developers and companies relying on Vercel for production deployments
Vercel confirmed that sensitive secrets were not accessed, and Next.js/Turbopack open‑source projects were unaffected. bastion.tech
3. How Did It Happen?

The intrusion chain is fully documented:
- Initial Access: Compromise of Context.ai, a third‑party AI tool connected to a Vercel employee’s Google Workspace account.
- Pivot: Attackers used that foothold to access internal Vercel environments.
- Data Accessed:
  - Non‑sensitive environment variables
  - Some internal systems
  - Employee records (per attacker claims)
- Data Offered for Sale: A threat actor claiming ShinyHunters affiliation listed the data for $2M. bastion.tech
This was a supply‑chain style compromise, exploiting a third‑party integration rather than Vercel’s core infrastructure.
4. Which Cybercriminal Group Was Involved?

A threat actor claiming affiliation with ShinyHunters took responsibility and attempted to sell the stolen data.
ShinyHunters is known for high‑profile data‑theft operations targeting SaaS and cloud platforms. bastion.tech
5. How the Victim Mitigated Loss

Vercel took several immediate and longer‑term actions:
Immediate Mitigation
- Rotated all non‑sensitive environment variables
- Flagged secrets as “sensitive” to ensure they are stored in a non‑readable manner
- Isolated and audited affected internal systems
- Contacted impacted customers directly
- Published indicators of compromise (IOCs) to help customers assess exposure
bastion.tech
Long‑Term Mitigation
- Strengthened controls around third‑party AI/SaaS integrations
- Reviewed SSO‑connected tools for privilege creep
- Enhanced internal monitoring and access‑control policies
- Conducted a full forensic investigation with external experts
bastion.tech
6. How Vercel Could Have Prevented the Attack

Based on the documented intrusion path, the following measures would have reduced or prevented the breach:
- Stricter third‑party integration controls, including least‑privilege access for AI tools
- Mandatory “sensitive” flagging for all environment variables by default
- Zero‑trust access policies for employee Google Workspace accounts
- Continuous monitoring of third‑party OAuth permissions
- Automated detection of unusual access patterns from integrated tools
- Vendor‑risk assessments for AI and SaaS tools connected to production systems
These align with the post‑incident recommendations Vercel issued. bastion.tech
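The sketch below shows one way to carry out the "continuous monitoring of third‑party OAuth permissions" item: it reviews per‑user OAuth grants in a Google Workspace tenant and flags apps that are off the allowlist or hold broad scopes. It is an added example, not code from Vercel or bastion.tech. The record shape (userKey, clientId, displayText, scopes) is assumed to match an export of token grants, and the allowlist, the risk list and all sample data are constructed.

```python
import json

# Scopes that give an integrated tool wide reach into a Workspace tenant.
# The risk list and the allowlist below are assumptions; set them from your own policy.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/admin.directory.user": "directory user management",
    "https://www.googleapis.com/auth/cloud-platform": "full Google Cloud access",
}
APPROVED_CLIENT_IDS = {"approved-sso.apps.example.invalid"}  # hypothetical allowlist

# Constructed sample: one record per (user, app) grant.
SAMPLE_GRANTS = json.loads("""
[
 {"userKey": "dev1@example.invalid", "clientId": "approved-sso.apps.example.invalid",
  "displayText": "Corp SSO Portal", "scopes": ["openid", "email"]},
 {"userKey": "dev1@example.invalid", "clientId": "ai-notes.apps.example.invalid",
  "displayText": "AI Notes Assistant",
  "scopes": ["https://www.googleapis.com/auth/drive", "https://mail.google.com/"]},
 {"userKey": "ops2@example.invalid", "clientId": "cal-widget.apps.example.invalid",
  "displayText": "Calendar Widget",
  "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]}
]
""")

SEVERITY_ORDER = {"high": 0, "review": 1, "low": 2}

def audit_grants(grants, approved=APPROVED_CLIENT_IDS):
    """Return findings for unapproved apps and for any app holding a high-risk scope."""
    findings = []
    for grant in grants:
        risky = sorted(s for s in grant.get("scopes", []) if s in HIGH_RISK_SCOPES)
        is_approved = grant.get("clientId") in approved
        if is_approved and not risky:
            continue  # approved app with narrow scopes: nothing to report
        severity = "high" if (risky and not is_approved) else "review" if risky else "low"
        findings.append({
            "severity": severity,
            "user": grant.get("userKey"),
            "app": grant.get("displayText"),
            "client_id": grant.get("clientId"),
            "risky_scopes": risky,
        })
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["user"] or ""))

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        reasons = ", ".join(HIGH_RISK_SCOPES[s] for s in f["risky_scopes"]) or "not on allowlist"
        print(f'{f["severity"].upper():6} {f["user"]} -> {f["app"]}: {reasons}')
```

Run on a schedule against a fresh export, the "high" findings are the grants to revoke or justify first.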
