Developer tools provider Vercel discloses a breach that exposed some users’ data

A hacker stole a limited amount of customer data from Vercel Inc., a major supplier of developer tools.
The company disclosed the incident on Sunday afternoon.
Vercel, which received a $9.3 billion valuation last year, provides tools that help developers build web applications. It also uses cloud infrastructure that can be used to host those applications. The Vercel product line is powered by Node.js, a popular open source development framework.
The company said in a security report that the breach started with a third-party product called Context.ai, a cloud platform that uses artificial intelligence to automate business operations. Notably, it can be integrated with third-party services such as Google Workspace. According to the security report, a hacker compromised Context.ai and used it to log into the Google Workspace account of a Vercel employee.
The compromised account gave the threat actor access to certain customer environment variables. In Vercel deployments, an environment variable is a data structure that holds a single piece of information. That piece of information can be a secret such as a database password or an encryption key.
Vercel enables customers to protect secrets using a feature called sensitive environment variables. According to the company, the breach compromised data that did not have the feature enabled. The fact that affected customers chose not to use this feature may suggest that the compromised data was less important, which could help limit the impact of the breach. However, it is possible that some affected users simply forgot to enable it.
Vercel estimates that the number of customers affected by the breach is “very limited.” However, the company noted that other Context.ai users may also be affected.
“Hudson Rock has evidence linking the Context AI breach to the stealthy, point-of-care malware,” said Aaron Walton, senior intelligence analyst at cybersecurity firm Expel Inc.
The data stolen from Vercel reportedly included information about hundreds of employees. The hackers also gained access to a large number of API keys, which serve the same role as passwords. Some of those API keys are reportedly associated with GitHub repositories.
Vercel employees help maintain the GitHub repository for Node.js, the popular development framework that powers the company’s product portfolio. The software maker also maintains other open source projects. Access to open source projects can enable hackers to launch supply chain attacks with the potential to compromise large numbers of developers.
In a post on X, Vercel CEO Guillermo Rauch assured users that “we have analyzed our supply chain, ensuring that Next.js, Turbopack, and our many open source projects remain safe for our community.” He added that the company has hired Google LLC’s Mandiant cybersecurity business to help investigate the incident.
Vercel advises customers to replace their sensitive environment variables. Additionally, the company recommends that administrators review activity logs for potential signs of malicious activity. As part of its response to the breach, Vercel has released a dashboard that will make it easier for customers to manage and monitor environment variables.
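The remediation advice above comes down to a triage question: which variables held secret material that was readable to anyone with account access, and in what order should they be rotated? The script below is an added example, not Vercel's code or tooling. It works over a constructed environment-variable listing whose field names (`key`, `type`, `target`) and the meaning of `type: "sensitive"` (a value that cannot be read back after creation) are assumptions about what such an export looks like, not a documented schema. It flags secret-looking variables that were not marked sensitive for rotation, orders them by deployment target, and separately flags secret-looking names under the `NEXT_PUBLIC_` prefix, which Next.js inlines into the browser bundle and which therefore need removal rather than just rotation.

```python
"""Triage an environment-variable listing after a suspected account compromise.

Added example, not Vercel's code. The listing shape is a constructed assumption:
each entry has a name (`key`), a storage `type` and the deployment `target`s it
applies to; "sensitive" is taken to mean the value cannot be read back later.
"""
import json
import re

# Constructed sample listing (assumed shape, not a documented API schema).
SAMPLE_ENV_LISTING = json.dumps({
    "envs": [
        {"key": "DATABASE_URL", "type": "encrypted", "target": ["production"]},
        {"key": "STRIPE_SECRET_KEY", "type": "sensitive", "target": ["production"]},
        {"key": "NEXT_PUBLIC_API_BASE", "type": "plain", "target": ["production", "preview"]},
        {"key": "NEXT_PUBLIC_ANALYTICS_TOKEN", "type": "plain", "target": ["production"]},
        {"key": "JWT_SIGNING_KEY", "type": "encrypted", "target": ["production", "preview"]},
        {"key": "FEATURE_FLAG_BETA", "type": "plain", "target": ["preview"]},
        {"key": "GITHUB_TOKEN", "type": "plain", "target": ["development"]},
    ]
})

# Names that usually hold credentials. Connection strings (*_URL, *_DSN) embed
# passwords, so they count as secret-like as well.
SECRET_NAME = re.compile(
    r"(secret|password|passwd|token|api_?key|private|signing|credential|_key$|_url$|_dsn$)",
    re.IGNORECASE,
)
# Next.js inlines NEXT_PUBLIC_* into the client bundle: public by design.
PUBLIC_PREFIX = "NEXT_PUBLIC_"
# Rotate production secrets before preview and development ones.
TARGET_PRIORITY = {"production": 0, "preview": 1, "development": 2}


def looks_secret(key: str) -> bool:
    return bool(SECRET_NAME.search(key))


def classify(env: dict) -> str:
    """Return the action for one variable.

    'rotate'        secret-like name whose value was readable (not 'sensitive')
    'leaked-public' secret-like name under NEXT_PUBLIC_: already shipped to browsers,
                    so it must be removed, not merely rotated
    'protected'     already 'sensitive'; value not retrievable after creation
    'review'        non-secret-looking value; confirm it is not a credential
    """
    key = env["key"]
    if key.startswith(PUBLIC_PREFIX):
        return "leaked-public" if looks_secret(key) else "review"
    if env["type"] == "sensitive":
        return "protected"
    return "rotate" if looks_secret(key) else "review"


def triage(listing_json: str) -> dict:
    """Group variable names by action; 'rotate' is ordered by highest-impact target."""
    envs = json.loads(listing_json)["envs"]
    groups = {"rotate": [], "leaked-public": [], "protected": [], "review": []}
    for env in envs:
        groups[classify(env)].append(env)
    groups["rotate"].sort(
        key=lambda e: min(TARGET_PRIORITY.get(t, 9) for t in e["target"])
    )
    return {action: [e["key"] for e in items] for action, items in groups.items()}


if __name__ == "__main__":
    for action, keys in triage(SAMPLE_ENV_LISTING).items():
        print(f"{action:14s} {', '.join(keys) or '-'}")
```

On the sample listing this puts `DATABASE_URL` and `JWT_SIGNING_KEY` at the top of the rotation list (production targets), `GITHUB_TOKEN` after them, marks `NEXT_PUBLIC_ANALYTICS_TOKEN` for removal, and leaves `STRIPE_SECRET_KEY` alone because it was already sensitive. The name heuristic deliberately errs toward flagging; a value that lands in "review" still deserves a human look, since a credential stored under an innocuous name is exactly the case a regex misses.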
Photo: Vercel