Vercel, a major cloud app hosting provider, announced that hackers had breached its internal systems and stolen sensitive customer credentials. The breach originated when one of Vercel’s employees downloaded an app made by Context AI and connected it to their corporate Google account. Hackers exploited this connection to gain access to some of Vercel’s internal systems.

While Vercel's widely used Next.js and Turbopack projects were not affected, the company has contacted customers whose data was compromised. In a statement on X, CEO Guillermo Rauch advised customers to rotate any non-sensitive keys and credentials in their app deployments.

The hackers are selling access to stolen API keys, source code, and database data online, claiming to represent the ShinyHunters hacking group. Vercel stated that it was investigating the incident and had sought answers from Context AI. The breach is part of a growing trend of supply chain hacks targeting software developers whose code is widely used across the web.

Vercel did not disclose how many customers could be affected, but warned of potential downstream breaches spanning the tech industry. Context AI confirmed it had a previous breach in March involving its consumer app and now believes the incident may have affected more users than initially thought.