Vercel April 2026 Security Incident: What Happened, What Was Breached, What To Do
A ShinyHunters-branded BreachForums listing is selling claimed Vercel source code, database access, and employee tokens for $2M USD. Vercel has since traced the incident to Context.ai, a third-party AI tool whose compromise let the attacker take over a Vercel employee's Google Workspace account. Non-sensitive environment variables were exposed. npm packages published by Vercel have been confirmed safe. Here are the facts, the timeline, the IOCs, and what to do today.
Living post
The investigation is still ongoing. I'll update this post as Vercel releases more details, the attribution becomes clearer, or any downstream compromise is confirmed. Subscribe to the newsletter if you want updates in your inbox.
1. What Happened
On April 19, 2026 at 02:02 AM, a thread titled "Vercel Database Access Key & Source Code" was posted on BreachForums by an account with the ShinyHunters name and an Administrator badge. The thread was marked VERIFIED by forum staff. The poster claimed to be selling access to Vercel's source code, database, and internal credentials for $2M USD, contact via XMPP, Telegram, or Tutamail, middleman required.
Vercel has since published an official security bulletin confirming the incident and beginning an investigation:
Vercel April 2026 Security Incident
Vercel's official bulletin on the April 2026 security incident. Includes the root cause (a compromised third-party AI tool's Google Workspace OAuth app), indicators of compromise, and recommended actions for customers.
About ShinyHunters
ShinyHunters is a threat actor group (or, at this point, a brand) active since 2020, originally named after the rare Pokémon variant. Per Wikipedia and open-source threat reporting, the group has been linked to:
- Snowflake customer breach campaign (2024): over 165 customer environments affected, including Ticketmaster (560M records), AT&T (110M records), and Santander (30M records).
- PowerSchool breach (2024): US and Canadian K-12 student and teacher records.
- Salesforce data theft campaign (2025): a voice-phishing wave against Salesforce customers that reportedly affected Google, Cisco, Adidas, Louis Vuitton, Qantas, Allianz Life, and others.
- Rockstar Games (April 2026): a breach claim posted shortly before the Vercel listing.
Important caveat on attribution: the "ShinyHunters" label has been used by multiple overlapping actors over the years and is often worn by copycats. Several people on X have reported that the real ShinyHunters operators are denying involvement and say someone else is using their name. Nothing has been independently verified yet. Vercel's own bulletin does not attribute the incident to any named group, and no third-party security firm has confirmed the identity of the seller as of writing.
2. What Was Breached
The BreachForums listing, also circulated on X by @shiri_shh, describes the following items for sale:
- Source code from Vercel.
- Database access to what the poster describes as Vercel's internal user member system. Fields shown in the listing: id, name, displayName, email, active, admin, guest, timezone, createdAt, updatedAt, lastSeen.
- API keys, described by the poster as including some NPM tokens and some GitHub tokens.
- Multiple employee accounts with access to several internal deployments.
- Linear screenshots (Vercel's project management tool), used as the primary proof of access in the listing itself.
The poster framed the listing as a potential supply chain attack, citing Next.js' ~6 million weekly npm downloads. Outside of the user-system schema and the Linear screenshots, no public sample of source code or tokens has been published at the time of writing. Everything beyond that is the seller's claim, not independently verified.
3. Vercel's Findings
Per Vercel's April 2026 security bulletin, the entry point was a third-party AI tool, not Vercel's core infrastructure. The bulletin has since named it:
"The incident originated with a compromise of Context.ai, a third-party AI tool used by a Vercel employee."
The attack chain, per Vercel's timeline:
- Attackers compromised Context.ai, a third-party AI tool that a Vercel employee (and hundreds of other users across other companies) had authorized as a Google Workspace OAuth app.
- That compromise let the attacker take over the employee's Google Workspace account.
- From there, the attacker pivoted into "some Vercel environments and environment variables that were not marked as 'sensitive'".
Scope of the breach
Vercel is being specific about what was and wasn't touched:
- Non-sensitive environment variables exposed. Anything you stored in Vercel without the sensitive flag should be treated as read by the attacker. That includes API keys, tokens, database URLs, and signing secrets if you put them there.
- Sensitive environment variables were not read. Vercel states that values marked sensitive are stored in a way that prevents reading them back, and they have no evidence those values were accessed.
- npm packages published by Vercel are safe. Per the bulletin: "In collaboration with GitHub, Microsoft, npm, and Socket, our security team has confirmed that no npm packages published by Vercel have been compromised." This directly addresses the supply-chain concern raised by the BreachForums listing's Next.js pitch. It does not cover every private token that may have lived in a non-sensitive env var, so rotate regardless.
Threat actor and response
Vercel describes the attacker as "highly sophisticated based on their operational velocity and detailed understanding of Vercel's systems", and notes they are working with Mandiant, additional cybersecurity firms, industry peers, and law enforcement on the investigation. The bulletin still does not attribute the incident to any named group, and no third-party firm has publicly confirmed the BreachForums seller's identity as of this update.
Indicator of compromise
Vercel published an indicator of compromise (IOC) so other Google Workspace tenants can check for the same OAuth app in their own environments.
"We recommend that Google Workspace Administrators and Google Account owners check for usage of this app immediately."
OAuth App (IOC)
110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com
In the Google Workspace Admin console, go to Security > API controls > App access control, search for this client ID and block it if present. Then pull the OAuth token audit log (Reporting > Audit and investigation) for the same client ID: it shows which users granted it, when, and with which scopes, and that is what tells you whose mailboxes, files and downstream sessions to treat as exposed.
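The check above, as an added example that is not part of Vercel's bulletin or this post's author's tooling. It scans an export of the Workspace OAuth token audit log for the IOC client ID and, going one step beyond the IOC itself, also flags any other authorize event that granted broad Gmail, Drive, Calendar or Directory scopes. The assumed input shape is the Admin SDK Reports API activities.list response for applicationName=token; the sample records, actor addresses, app names and the two non-IOC client IDs are constructed for the example, and only IOC_CLIENT_ID comes from the bulletin.

```javascript
// Added example: triage a Google Workspace "token" audit log export against Vercel's IOC.
// Input shape assumed: Reports API activities.list, applicationName=token (one object per activity).
// SAMPLE_ACTIVITIES below is constructed; only IOC_CLIENT_ID is from Vercel's bulletin.

const IOC_CLIENT_ID =
  '110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com';

// Scope prefixes that let an app read mail, files, calendars or the user directory.
// A grant with any of these deserves a look even when the client ID is not the IOC.
const BROAD_SCOPE_PREFIXES = [
  'https://mail.google.com/',
  'https://www.googleapis.com/auth/gmail',
  'https://www.googleapis.com/auth/drive',
  'https://www.googleapis.com/auth/calendar',
  'https://www.googleapis.com/auth/admin.directory',
];

// Pull one named parameter out of a token-log event; "scope" is a multiValue list.
function param(event, name) {
  const p = (event.parameters || []).find((x) => x.name === name);
  if (!p) return undefined;
  return p.multiValue !== undefined ? p.multiValue : p.value;
}

function auditTokenLog(activities) {
  const findings = [];
  for (const act of activities) {
    for (const ev of act.events || []) {
      // Only "authorize" events create a standing grant; "revoke" and usage events are noise here.
      if (ev.name !== 'authorize') continue;
      const clientId = param(ev, 'client_id');
      const scopes = param(ev, 'scope') || [];
      const broad = scopes.filter((s) => BROAD_SCOPE_PREFIXES.some((p) => s.startsWith(p)));
      const isIoc = clientId === IOC_CLIENT_ID;
      if (!isIoc && broad.length === 0) continue;
      findings.push({
        severity: isIoc ? 'IOC_MATCH' : 'BROAD_SCOPE',
        time: act.id.time,
        actor: act.actor.email,
        appName: param(ev, 'app_name'),
        clientId,
        broadScopes: broad,
      });
    }
  }
  // IOC matches first so they are not buried under routine broad-scope grants.
  return findings.sort(
    (a, b) => Number(b.severity === 'IOC_MATCH') - Number(a.severity === 'IOC_MATCH'),
  );
}

// Constructed sample: an IOC grant, a narrow benign grant, a broad-scope AI tool, and a revoke.
const SAMPLE_ACTIVITIES = [
  { id: { time: '2026-04-16T14:03:11.000Z', applicationName: 'token' },
    actor: { email: 'dev@example.com' },
    events: [{ type: 'auth', name: 'authorize', parameters: [
      { name: 'client_id', value: IOC_CLIENT_ID },
      { name: 'app_name', value: 'Context' },
      { name: 'scope', multiValue: [
        'https://www.googleapis.com/auth/userinfo.email',
        'https://www.googleapis.com/auth/gmail.readonly'] } ] }] },
  { id: { time: '2026-04-17T08:20:45.000Z', applicationName: 'token' },
    actor: { email: 'pm@example.com' },
    events: [{ type: 'auth', name: 'authorize', parameters: [
      { name: 'client_id', value: '000000000000-examplewidget.apps.googleusercontent.com' },
      { name: 'app_name', value: 'Status Widget' },
      { name: 'scope', multiValue: ['https://www.googleapis.com/auth/userinfo.profile'] } ] }] },
  { id: { time: '2026-04-18T16:45:02.000Z', applicationName: 'token' },
    actor: { email: 'eng@example.com' },
    events: [{ type: 'auth', name: 'authorize', parameters: [
      { name: 'client_id', value: '000000000000-examplenotes.apps.googleusercontent.com' },
      { name: 'app_name', value: 'AI Meeting Notes' },
      { name: 'scope', multiValue: [
        'https://www.googleapis.com/auth/drive',
        'https://www.googleapis.com/auth/userinfo.email'] } ] }] },
  { id: { time: '2026-04-19T19:10:00.000Z', applicationName: 'token' },
    actor: { email: 'dev@example.com' },
    events: [{ type: 'auth', name: 'revoke', parameters: [
      { name: 'client_id', value: IOC_CLIENT_ID },
      { name: 'app_name', value: 'Context' } ] }] },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditTokenLog(SAMPLE_ACTIVITIES)) {
    console.log(`${f.severity} ${f.time} ${f.actor} "${f.appName}" ${f.clientId} ${f.broadScopes.join(',')}`);
  }
}
```

Feed it the JSON you export from the token log (or the Reports API) in place of SAMPLE_ACTIVITIES. An IOC_MATCH for a user means that user's Google session, mail and any Vercel or GitHub login tied to that Google identity should be treated as exposed; a BROAD_SCOPE finding is the prompt to ask whether that tool really needs the scopes it holds.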
Bulletin update timeline
- April 19, 11:04 AM PST Initial bulletin published with the OAuth app IOC.
- April 19, 6:01 PM PST Attack origin disclosed: Context.ai compromise leading to a Vercel employee's Google Workspace takeover.
- April 20, 10:59 AM PST Clarification that only non-sensitive environment variables were in scope.
- April 20, 5:32 PM PST Vercel-published npm packages confirmed safe; MFA and Deployment Protection guidance added. CEO Rauch published the parallel X update covered in Section 4.
4. April 20 Update: Rauch's Statement
On April 20, Vercel CEO Guillermo Rauch (@rauchg) posted a direct update to the community with materially new details about the incident's origin, what was accessed, and what Vercel is doing about it.
“Here’s my update to the broader community about the ongoing incident investigation.”
Vercel CEO Guillermo Rauch’s full statement: the third-party AI tool is named Context.ai, a Vercel employee was compromised through it, “non-sensitive” env vars were enumerated, customer security impact is described as “quite limited,” and Google Mandiant is actively assisting the response.
What's new in the CEO's statement
- The third-party AI tool is named: Context.ai. Rauch says a Vercel employee was compromised through the breach of Context.ai, an AI platform he was using as a customer. The earlier bulletin described the vector in generic terms; this is the first public naming.
- The pivot path was Google Workspace → Vercel environments. From the employee's compromised Google Workspace account, the attacker escalated into Vercel internal environments through a series of maneuvers.
- Customer env vars are encrypted at rest. Vercel reiterates that all customer environment variables are fully encrypted at rest, with multiple defense-in-depth layers protecting core systems.
- “Non-sensitive” env vars were enumerated. Vercel lets you designate an env var as sensitive (write-only); anything left without that designation is non-sensitive and can be read back, and those are what the attacker enumerated during their access. Sensitive env vars were not exposed. This is the concrete detail customers need for rotation triage.
- Customer security impact described as “quite limited.” Vercel believes only a small set of customers were impacted and says it has already reached out directly with utmost priority to those it has concerns about.
- Supply chain reportedly clean. Vercel has analyzed its supply chain and says Next.js, Turbopack, and the broader @vercel open source projects remain safe. Still no public IOC on the package registry side, but that is the official stance as of April 20.
- Attacker profile: sophisticated, AI-accelerated. Rauch describes the group as “highly sophisticated” and strongly suspects they were “significantly accelerated by AI,” citing their velocity and in-depth understanding of Vercel.
- Two product changes shipped in response. A new dashboard overview page for environment variables, and a revised UI for creating and managing sensitive env vars. Both live now.
- Mandiant, industry peers, and law enforcement are engaged. Vercel is working with Google’s Mandiant team, external cybersecurity firms, and law enforcement, and has reached out to Context to help understand the full scope.
“Through a series of maneuvers that escalated from our colleague’s compromised Vercel Google Workspace account, the attacker got further access to Vercel environments... We do have a capability however to designate environment variables as ‘non-sensitive.’ Unfortunately, the attacker got further access through their enumeration.”
Net takeaway: if you had any credential in a non-sensitive env var on Vercel, treat it as seen and rotate. The sensitive env var flag is the primary mitigation Vercel is pointing customers to, and the new dashboard UI makes that flag easier to find and apply.
5. Recommendations
Vercel's own recommendations, quoted from the bulletin:
From Vercel's bulletin
- Enable multi-factor authentication on your Vercel account using an authenticator app or passkey. Vercel is now telling customers to "add an additional layer of security by requiring at least two methods of authentication".
- Rotate environment variables, especially anything that was not marked sensitive. Re-add critical secrets using the sensitive environment variables feature so the values can't be read back through the dashboard or API.
- Set Deployment Protection to Standard at a minimum and rotate your Deployment Protection tokens if you use them to bypass protection from CI or test runners.
- Review activity logs for your account, team, and environments for anything unexpected. Investigate recent deployments for anomalies.
- Google Workspace admins and Google Account owners should check for usage of the flagged OAuth app and remove it.
- For support rotating your secrets or other technical support, contact Vercel through vercel.com/help.
Beyond Vercel's own guidance, there are a few common-sense follow-ups worth doing this week:
- Audit your own Google Workspace OAuth grants. Admin console > Security > API controls > App access control. Revoke any AI tool whose scopes look broader than its feature set needs.
- Rotate Vercel personal access tokens. Account Settings > Tokens.
- Rotate any GitHub PAT and NPM automation token that was ever wired into a Vercel integration or Vercel-hosted CI.
- Pin Next.js to an exact version for the next few weeks and watch for unexpected releases of next, turbo, or any @vercel/* package. This is precautionary, not a confirmed threat.
- Enforce 2FA on your Vercel team if you haven't already.
- Review deploy history for the last 7 days. Anything you don't recognize should be treated as suspect until verified.
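The pinning and watch step above, as an added example that is neither Vercel's tooling nor this post's author's code. It audits a project's package.json and package-lock.json for the watchlist named in the list (next, turbo and any @vercel/* package): specs that are not pinned to an exact version, locked versions that drifted from a baseline you recorded before April 19, watched packages absent from that baseline, and lock entries with no integrity hash. It assumes lockfileVersion 2 or 3 (the "packages" map keyed by node_modules path); the sample manifests, the baseline file name and every version number are constructed placeholders, not real releases.

```javascript
// Added example: audit package.json and package-lock.json for the next / turbo / @vercel/* watchlist.
// Assumes npm lockfileVersion 2 or 3. All sample data below is constructed; versions are placeholders.

function isWatched(name) {
  return name === 'next' || name === 'turbo' || name.startsWith('@vercel/');
}

// npm treats only a bare x.y.z (optional prerelease/build tag) as exact. Anything with ^, ~, >,
// x, *, a dist-tag such as "latest", or a URL can resolve to a release you have not reviewed.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// "node_modules/foo/node_modules/@vercel/og" -> "@vercel/og"; the root entry "" -> null.
function packageNameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

function auditPins(pkgJson, lock, baseline) {
  const findings = [];
  const specs = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  for (const [name, spec] of Object.entries(specs)) {
    if (isWatched(name) && !EXACT_VERSION.test(spec)) {
      findings.push({ name, kind: 'UNPINNED_SPEC', detail: spec });
    }
  }
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromLockPath(lockPath);
    if (name === null || !isWatched(name)) continue;
    const expected = baseline[name];
    if (expected === undefined) {
      findings.push({ name, kind: 'NOT_IN_BASELINE', detail: entry.version });
    } else if (entry.version !== expected) {
      findings.push({ name, kind: 'VERSION_DRIFT', detail: `${expected} -> ${entry.version}` });
    }
    // Without an integrity hash npm cannot detect a swapped tarball for this version.
    if (!entry.integrity) {
      findings.push({ name, kind: 'MISSING_INTEGRITY', detail: lockPath });
    }
  }
  return findings;
}

// Hypothetical helper: run the audit on a real project directory and a baseline file you saved
// earlier as a flat {name: version} map (file name is an assumption, pick your own).
function auditProjectDir(dir, baselineFile) {
  const fs = require('node:fs');
  const readJson = (p) => JSON.parse(fs.readFileSync(p, 'utf8'));
  return auditPins(readJson(`${dir}/package.json`), readJson(`${dir}/package-lock.json`), readJson(baselineFile));
}

// Constructed sample project: next unpinned and drifted, turbo on a dist-tag with no baseline
// or integrity, @vercel/analytics pinned and matching, react not on the watchlist.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { next: '^15.3.0', react: '^19.0.0', '@vercel/analytics': '1.5.0' },
  devDependencies: { turbo: 'latest' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { next: '^15.3.0' } },
    'node_modules/next': { version: '15.3.1', integrity: 'sha512-constructedNext' },
    'node_modules/react': { version: '19.0.0', integrity: 'sha512-constructedReact' },
    'node_modules/@vercel/analytics': { version: '1.5.0', integrity: 'sha512-constructedAnalytics' },
    'node_modules/turbo': { version: '2.5.0' },
  },
};
const SAMPLE_BASELINE = { next: '15.3.0', '@vercel/analytics': '1.5.0' };

if (typeof require !== 'undefined' && require.main === module) {
  const args = process.argv.slice(2);
  const findings = args.length === 2 ? auditProjectDir(args[0], args[1])
    : auditPins(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK, SAMPLE_BASELINE);
  for (const f of findings) console.log(`${f.kind} ${f.name} ${f.detail}`);
}
```

Record the baseline from a lockfile you trust (the versions you were running before April 19), then run the audit in CI so a VERSION_DRIFT or NOT_IN_BASELINE on a watched package fails the build until a human has looked at the release. Clearing an UNPINNED_SPEC means writing the exact version into package.json, not just regenerating the lockfile.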
This post will be updated as more information is released. For now, hope everyone stays safe. Rotate your API keys, and if you're a Google Workspace admin, check for usage of the OAuth app in Vercel's IOC and remove it.
Written by Benjamin Loh, curator of Tech Upkeep