Vercel April 2026 security incident

https://vercel.com/kb/bulletin/vercel-april-2026-security-incident

105•colesantiago•1h ago

Comments

lukewarm707•1h ago

"a security incident that involved unauthorized access to certain internal Vercel systems."

could they be a little more specific?

OsrsNeedsf2P•1h ago

The lack of details makes me wonder how large this "subset" of users really is

MattIPv4•1h ago

https://x.com/theo/status/2045862972342313374

> I have reason to believe this is credible.

https://x.com/theo/status/2045870216555499636

> Env vars marked as sensitive are safe. Ones NOT marked as sensitive should be rolled out of precaution

https://x.com/theo/status/2045871215705747965

> Everything I know about this hack suggests it could happen to any host

https://x.com/DiffeKey/status/2045813085408051670

> Vercel has reportedly been breached by ShinyHunters.

otterley•3m ago

Who is this “theo” person and why are multiple people quoting him? He seems to have little to say that’s substantive at this point.

ofabioroma•56m ago

Time to ipo

neom•55m ago

https://x.com/theo/status/2045871215705747965 - "Everything I know about this hack suggests it could happen to any host"

He also suggests in another post that Linear and GitHub could also be pwned?

Either way, hugops to all the SRE/DevOps out there, seems like it's going to be a busy Sunday for many.

rvz•45m ago

I do remember that OpenAI did use Vercel a year ago. They might have likely moved off of it to something better.

embedding-shape•44m ago

Based on what, "feels like it"? Claiming that Cloudflare is affected by the same hack has to come from somewhere, but where is that coming from?

gruez•39m ago

from his "sources".

> Here’s what I’ve managed to get from my sources:

>3. The method of compromise was likely used to hit multiple companies other than Vercel.

https://x.com/theo/status/2045870216555499636

To be fair journalists often do this too, eg. "[company] was breached, people within the company claim"

phillipcarter•16m ago

I don't know if I'd trust some random programmer-streamer-influencer on anything other than the topic of streamer-influencing.

hvb2•2m ago

The link at the top of the page it to vercel acknowledging it...

techpression•14m ago

”Any host” of what? That’s such a non-descriptive statement and clearly not true at face value.

jtreminio•51m ago

I'm on a macbook pro, Google Chrome 147.0.7727.56.

Clicking the Vercel logo at the top left of the page hard crashes my Chrome app. Like, immediate crash.

What an interesting bug.

farnulfo•43m ago

Same hard crash on Chrome Windows 11

itaintmagic•36m ago

Do you have a chrome://crashes/ entry ?

burnte•2m ago

I'm running 147.0.7727.57 and this doesn't happen. Macbook Air M5. VERY interesting.

rvz•46m ago

There is no serious reason to use Vercel, other than for those being locked into the NextJs ecosystem and demo projects.

gneray•44m ago

Oy vey: https://x.com/theo/status/2045862972342313374?s=46

rubiquity•12m ago

He doesn't work at Vercel but he is the type to never pass up any opportunity to chase clout.

0xy•42m ago

This is why you pay a real provider for serious business needs, not an AWS reseller. Next.js is a fundamentally insecure framework, as server components are an anti-pattern full of magic leading to stuff like the below. Given their standards for framework security, it's not hard to believe their business' control plane is just as insecure (and probably built using the same insecure framework).

Next.js is the new PHP, but worse, since unlike PHP you don't really know what's server side and what's client side anymore. It's all just commingled and handled magically.

https://aws.amazon.com/security/security-bulletins/rss/aws-2...

embedding-shape•37m ago

> Next.js is the new PHP, but worse, since unlike PHP you don't really know what's server side and what's client side anymore. It's all just commingled and handled magically.

Wasn't unheard of back in the day, that you leaked things via PHP templates, like serializing and adding the whole user object including private details in a Twig template or whatever, it just happened the other way around kind of. This was before a fat frontend and thin backend was the prevalent architecture, many built their "frontends" from templates with just sprinkles of JavaScript back then.

sbarre•18m ago

People say "Next.js is the new PHP" because it's the most popular and prominent tooling out there, and so by sheer number of available targets it's the one that comes up the most when things go wrong like this.

But there are more people trying to secure this framework and the underlying tools than there would be on some obscure framework or something the average company built themselves.

Also "pay a real provider", what does that mean? Are you again implying that the average company should be responsible for _more_ of their own security in their hosting stack, not less?

Most companies have _zero_ security engineers.. Using a vertically-integrated hosting company like Vercel (or other similar companies, perhaps with different tech stacks - this opinion has nothing to do with Next or Node) is very likely their best and most secure option based on what they are able to invest in that area.

mikert89•34m ago

Much as I want to rip on vercel, its clear that ai is going to lead to mass security breaches. The attack surface is so large, and ai agents are working around the clock. This is a new normal. Open source software is going to change, companies wont be running random repos off github anymore

lijok•32m ago

ShinyHunters are a phishing group. What does this have to do with AI agents?

mikert89•30m ago

Run ai agents around the clock to do hyper targeted fishing

cj•18m ago

I feel like humans would be better at hyper targeting.

AI agents have the benefit of working at scale, probably "better" used for mass targeting.

freedomben•10m ago

I disagree. Many humans are phishing in a different language than their native tongue, and LLMs are way better at sounding legit/professional than many of them. The best spear-phishing will still be humans, but AI definitely raises the bar.

tcp_handshaker•6m ago

>> ai is going to lead to mass security breaches.

Let that be the end of Microsoft. Was forced to use their shitty products for years, by corporate inertia and free Teams and Azure licenses, free dose is free, curse.

adithyasrin•8m ago

We run on Vercel and I wonder if / how long before we're alerted about a leak. Quick look online suggests environment variables marked as sensitive are ok, but to which extent I wonder.

Passmark: Open-source Playwright library for AI regression testing

Sandboxed AI agent orchestration platform

AI agents will win over human employees

The Secret Life of Circuits

Turtle WoW classic server announces shutdown after Blizzard wins injunction

Claude Brain

Per-Screen Virtual Desktops Is Finally on KDE Plasma

Against an Endless Present

What Category Is Prune?

Have your agent post Markdown/HTML/JSX to internet

Show HN: Find jobs and know your fit before you apply

Who Voted You King?

Ηuman collective intelligence through space, body and material symbols

Moonspans

The first compliance-native Git platform

Show HN: Ratio Royale – A playable simulation of the Dead Internet theory

Tesla owner uses emergency solar to trickle charge after running out of battery

I've fired one of Americas most powerful lasers heres what a shot day looks like

Steal My Password (Technique)

When I Quit My PhD

What we once had (at the height of the XMPP era of the Internet) (2023)

One codebase → every store, registry, CDN, and channel. Ads on every network

Scoring 500 Show HN pages for AI design slop

Ask HN: What makes a good Product Manager

Git Blame: From Passive-Aggressive Forensics to Active-Aggressive Emails [pdf]

Deploying Gemma 4 26B on an RTX 5090

Vercel Says Internal Systems Hit in Breach

Reflections on Chi 2026

The Draft Is Done. Now I Need Reviewers and Feedback (Elm Language)

Claude Opus 4.7 API removes sampling parameters