A threat actor claiming to be part of the ShinyHunters extortion group posted on April 19, 2026 that they breached Vercel’s internal infrastructure and are selling stolen assets, including source code, databases, NPM and GitHub tokens, and a file with 580 employee records. Vercel confirmed unauthorized access to some internal systems, engaged Google Mandiant and Context, said core services remain operational while investigators probe whether Next.js or Turbo.js were tampered with, and advised developers to rotate any non-sensitive environment variables and review audit logs. #Vercel #ShinyHunters
Keypoints
- A threat actor claiming to be ShinyHunters says it breached Vercel and is offering a large supply chain attack for sale.
- Allegedly stolen assets include proprietary source code, database access keys, NPM and GitHub tokens, and 580 employee records.
- Vercel reports core services remain operational, has engaged Mandiant and Context, and notified law enforcement.
- Developers should rotate any environment variables not marked as “sensitive” immediately and review audit logs for suspicious activity.
- The primary concern is potential tampering of Next.js or Turbo.js, which could enable a widespread supply chain compromise.
Read More: https://securityonline.info/vercel-breach-2026-nextjs-supply-chain-threat/