Vercel reportedly breached by ShinyHunters, non sensitive secrets at risk
Posted by arduinoRPi4@reddit | programming | 76 comments
https://x.com/DiffeKey/status/2045813085408051670
Malwarebeasts@reddit
Initial attack vector identified - https://www.infostealers.com/article/breaking-vercel-breach-linked-to-infostealer-infection-at-context-ai/
iNoles@reddit
"vercel.com/context-inc/valinor/settings/environment-variables: This is where highly sensitive secrets, API keys, and deployment configurations are managed." awful security
Loud-Maintenance7953@reddit
🎯 Vercel Breach: Inside the Hack Score: 6/7 | 🔥 Streak: 4 ✅✅✅✅❌✅✅
Bet you can't beat me 👇 https://trivana.ai/play/vercel-breach-inside-the-hack-33a34e0b?ref=challenge&s=6&t=7&by=CosmicLegend11&streak=4&rank=1&dur=77
fnork@reddit
Yup, yup, yup. JavaScript world is still JavaScript world. Downvote me all you want. I'm never getting in your boat.
chucker23n@reddit
Is there something about this attack that would’ve been harder in a different ecosystem?
myironlung42@reddit
No
myironlung42@reddit
you mean frontend right, cause node is fine in this instance :p
myironlung42@reddit
lolwut? Downvote me if you want but I'm right
fnork@reddit
*EDIT: LOL RIGHT IN THE FEEFEES
programming-ModTeam@reddit
Your post or comment was removed for the following reason or reasons:
Your post or comment was overly uncivil.
fnork@reddit
Oh no! The horror!
bluegardener@reddit
A lot of us downvoted you for your no context stupidity, not out of any affection for JS or this company.
fnork@reddit
How would you know that?
bluegardener@reddit
That you don’t have any meaningful context about the breach? That people are downvoting you for other reasons?
breakslow@reddit
What the fuck does this even mean?
You're in the boat my dude, you use a web browser.
rastaman1994@reddit
You have no choice if you ever do frontend work. Maybe with WASM? Not sure how mature that is nowadays.
Logical-Pea-4135@reddit
The modern JavaScript movement identifies with JavaScript. That's the impossibility of separating the insanity of the ecosystem from the script language. It's a convenient story line to imply you have to accept blatantly poor engineering.
cake-day-on-feb-29@reddit
Wow, I wonder what I'm doing? Since I don't use JavaScript and am doing front end work? Or maybe I'm not? Is my employer lying to me? Am I secretly doing backend?
fnork@reddit
No dice.
No problem.
Glizzy_Cannon@reddit
The fearmongering on this sub will always be hilarious. Complete opposite of the actual real world. Common for most reddit subs though
AutomateAway@reddit
non sensitive secrets is an oxymoron
sluttysaurus@reddit
Not really, here's my non-sensitive secret: I love eating cream cheese while I'm stewing in the tub.
insanitybit2@reddit
That's not a secret.
sluttysaurus@reddit
What would you call it?
Full-Spectral@reddit
Oh, I guess no one told you about that Youtube video?
AutomateAway@reddit
your cream cheese habits won’t get you robbed
insanitybit2@reddit
It seems that env vars are considered "non sensitive" by default too, so it's extremely likely that people have been setting up actual secrets the default way.
abandonplanetearth@reddit
It's not an oxymoron. The color of your underwear is an example of a real life non sensitive secret. I can think of hundreds of examples.
Chisignal@reddit
Genuine question, can you think of a non-sensitive secret in the context of CI/CD?
I feel like anything that's a secret and not just an env var is a secret because it has some potential to be misused
abandonplanetearth@reddit
You can have a CI var called defaultLang set to "en", or something different depending on the region you are deploying to.
It's an env var, but it's not sensitive.
AutomateAway@reddit
the color of your underwear wouldn’t assist someone in breaking into your house
unapologeticjerk@reddit
But if you're drunk and young (see also: dumb) enough at the bar, that data could easily assist at breaking into someone else's drunk pants. Arguably this is more valuable than having access to their broken Hello World Vercel app.
arduinoRPi4@reddit (OP)
Oops, meant env vars marked non sensitive
longshot@reddit
PORT=3000
hongooi@reddit
PASSWORD=PASSWORD
AutomateAway@reddit
You joke, but I've seen this shit in unsecured env variables.
OMGItsCheezWTF@reddit
I once had a security review flag an unsecured variable in a bunch of gitlab pipelines at an old company. SECRET=changeme.
Turns out not one single part of the application ever actually used that environment variable, whoever made the original pipeline had just included it for some unknown reason. I had to tell the security team that I was not going to be rotating the credential, just removing it, because it wasn't ever actually in use for anything. Which took far longer than the investigation because they wanted detailed explanation of why it wasn't being rotated.
Worth_Trust_3825@reddit
it may have been used at some point but never removed after it's no longer being used
oscarolim@reddit
Or it was just a placeholder. I tend to create sample env files with obvious fake values that still get flagged now and then.
zelmak@reddit
You'd be shocked at how many people store secrets in plaintext for convenience.
AutomateAway@reddit
Oh, I know, I've worked in some fast and loose shops before. We'd fail multiple audits pretty quickly if we did that at my current workplace.
Somepotato@reddit
hunter2
cecil721@reddit
"Confidential"
anderson_the_one@reddit
“Non sensitive” env vars still matter. They map the stack, expose vendor names, and show which knobs exist to flip. Maybe none of them is a credential, but they still shorten the next move for an attacker.
insanitybit2@reddit
"non sensitive" here means "not explicitly marked as a secret". It's wording they've chosen to push blame onto customers for choosing the default path, which is unprotected.
Your sensitive secrets are *absolutely* at risk because "non sensitive" is the default marker.
EVERYTHINGGOESINCAPS@reddit
No, this is in their systems: any environment vars that don't have a sensitive flag. Until you do that, any keys/secrets can still be manually viewed/copied.
anderson_the_one@reddit
Yep. "Non-sensitive" is just metadata, not reality. If that flag is wrong, you are not leaking harmless config, you are leaking real secrets with a false sense of safety.
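The point made in the comments above, that "non-sensitive" is only metadata and that real credentials end up stored under the default type, is something you can check for yourself. The following is an added example, not Vercel's code or anything from the original thread: it takes an exported list of a project's environment variables and flags entries that look like credentials but are not stored with the "sensitive" type. The object shape (`key`, `value`, `type`, `target`) and the type name `"sensitive"` follow what Vercel's project environment-variable API returns, but treat that shape as an assumption and adapt it to whatever your dump actually contains. The sample data is constructed for the example.

```javascript
// Added example (not Vercel's code): audit exported environment variables and
// report credentials that are not stored with the "sensitive" type.
// ASSUMPTION: each entry has key, value, type and target as in Vercel's
// GET /v9/projects/{id}/env response; adapt if your export differs.

// Names that usually denote a credential.
const SECRET_KEY_PATTERN =
  /(secret|token|password|passwd|api[_-]?key|private[_-]?key|client[_-]?secret|credential|auth)/i;

// Values with a recognisable credential shape.
const SECRET_VALUE_PATTERNS = [
  /^AKIA[0-9A-Z]{16}$/,                                   // AWS access key id
  /^gh[pousr]_[A-Za-z0-9]{20,}$/,                         // GitHub tokens
  /^sk_(live|test)_[A-Za-z0-9]{16,}$/,                    // Stripe secret keys
  /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/,  // JWT
  /-----BEGIN [A-Z ]*PRIVATE KEY-----/,                   // PEM private key
  /^[a-z][a-z0-9+.-]*:\/\/[^:\/\s]+:[^@\/\s]+@/i,         // URL with embedded password
];

// Shannon entropy in bits per character; random keys sit well above words.
function entropyBitsPerChar(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function looksLikeSecretValue(value) {
  if (typeof value !== "string") return false;
  if (SECRET_VALUE_PATTERNS.some((re) => re.test(value))) return true;
  // Plain URLs are long but not secrets (a URL with a password matched above).
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(value)) return false;
  // Long, whitespace-free, high-entropy strings are most likely keys.
  return value.length >= 24 && !/\s/.test(value) && entropyBitsPerChar(value) > 3.5;
}

// Entries that should be "sensitive" but are stored under another type.
function findUnprotectedSecrets(envs) {
  return envs
    .filter((e) => e.type !== "sensitive")
    .filter((e) => SECRET_KEY_PATTERN.test(e.key) || looksLikeSecretValue(e.value))
    .map((e) => ({
      key: e.key,
      type: e.type,
      target: e.target,
      reason: SECRET_KEY_PATTERN.test(e.key) ? "name" : "value",
    }));
}

// Constructed sample export (not real data). Only SIGNING_KEY is marked sensitive.
const SAMPLE_ENVS = [
  { key: "PORT", value: "3000", type: "plain", target: ["production"] },
  { key: "DEFAULT_LANG", value: "en", type: "plain", target: ["production"] },
  { key: "NEXT_PUBLIC_API_URL", value: "https://api.example.com/v1", type: "plain", target: ["production"] },
  { key: "STRIPE_SECRET_KEY", value: "sk_live_4eC39HqLyjWDarjtT1zdp7dc", type: "encrypted", target: ["production"] },
  { key: "DATABASE_URL", value: "postgres://app:hunter2@db.internal:5432/app", type: "encrypted", target: ["production"] },
  { key: "EDGE_SALT", value: "3f9a8c1e7b2d4e6f9a0b1c2d3e4f5a6b", type: "plain", target: ["production", "preview"] },
  { key: "SIGNING_KEY", value: "not shown", type: "sensitive", target: ["production"] },
];

console.log(JSON.stringify(findUnprotectedSecrets(SAMPLE_ENVS), null, 2));
```

Anything this reports should be recreated as a sensitive variable and, given the thread's topic, rotated, since a value that was readable in the dashboard has to be assumed copied. The name and value heuristics are deliberately loose; a false positive costs a glance, a false negative costs a credential.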
AutomateAway@reddit
I would argue that stuff like this should still be stored in key vaults, but in the industry I work in, we tend to err on the side of caution when it comes to determining if an env variable justifies being stored as a secret or not.
BrilliantWaltz6397@reddit
https://www.techupkeep.dev/blog/vercel-breachforums-supply-chain
Vercel reported a breach in their internal systems and are warning devs to rotate their env keys.
They have narrowed down the IOC to "a third-party AI tool whose Google Workspace OAuth app was the subject of a broader compromise"
Remember to rotate your env vars just to be safe and check for usage of this oauth app - 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com
Stay safe!
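The comment above asks readers to check whether anyone in their Google Workspace granted access to that OAuth client ID. This is an added example, not code from the thread, from Vercel, or from Google: it takes a per-user export of OAuth token grants and lists who granted the client, which scopes they gave it, and the Directory API revocation calls to make. The field names (`clientId`, `displayText`, `scopes`) follow the Directory API `users.tokens.list` Token resource, and the revocation path follows `users.tokens.delete`; the exact export shape and the scope risk list are assumptions, and the sample grants are constructed.

```javascript
// Added example (not Google's or Vercel's code): find OAuth grants to a
// given client ID in a Google Workspace token export and build the
// revocation plan. ASSUMPTION: tokensByUser maps a user's primary email to
// the `items` array of Directory API users.tokens.list for that user.

const TARGET_CLIENT_ID =
  "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com";

// Scope prefixes that give a third-party app broad read access to account
// data (assumed risk list; extend for your tenant).
const HIGH_RISK_SCOPE_PREFIXES = [
  "https://mail.google.com/",
  "https://www.googleapis.com/auth/gmail",
  "https://www.googleapis.com/auth/drive",
  "https://www.googleapis.com/auth/admin.directory",
];

function isHighRisk(scope) {
  return HIGH_RISK_SCOPE_PREFIXES.some((p) => scope.startsWith(p));
}

// One entry per (user, grant) pair that matches the client ID.
function grantsForClient(tokensByUser, clientId) {
  const hits = [];
  for (const [user, tokens] of Object.entries(tokensByUser)) {
    for (const t of tokens) {
      if (t.clientId !== clientId) continue;
      const scopes = Array.isArray(t.scopes) ? t.scopes : [];
      hits.push({
        user,
        clientId: t.clientId,
        app: t.displayText,
        scopes,
        highRiskScopes: scopes.filter(isHighRisk),
      });
    }
  }
  return hits;
}

// Directory API users.tokens.delete call for each grant found.
function revocationPlan(hits) {
  return hits.map(
    (h) =>
      "DELETE https://admin.googleapis.com/admin/directory/v1/users/" +
      encodeURIComponent(h.user) +
      "/tokens/" +
      encodeURIComponent(h.clientId)
  );
}

// Constructed sample export (not real data).
const SAMPLE_TOKENS_BY_USER = {
  "alice@example.com": [
    {
      clientId: TARGET_CLIENT_ID,
      displayText: "Example AI assistant",
      scopes: [
        "https://www.googleapis.com/auth/userinfo.email",
        "https://www.googleapis.com/auth/drive.readonly",
      ],
    },
    {
      clientId: "000000000000-aaaa.apps.googleusercontent.com",
      displayText: "Calendar helper",
      scopes: ["https://www.googleapis.com/auth/calendar.readonly"],
    },
  ],
  "bob@example.com": [
    {
      clientId: "000000000000-bbbb.apps.googleusercontent.com",
      displayText: "Chat integration",
      scopes: ["https://www.googleapis.com/auth/userinfo.email"],
    },
  ],
};

const hits = grantsForClient(SAMPLE_TOKENS_BY_USER, TARGET_CLIENT_ID);
console.log(JSON.stringify(hits, null, 2));
console.log(revocationPlan(hits).join("\n"));
```

Revoking the grant stops future token refreshes; any access or refresh token the compromised app already held is still valid until it expires or the user's sessions are reset, so treat affected accounts as needing a session reset and a review of recent activity, not just a revocation.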
QuickQuirk@reddit
I wonder what the 3rd-party AI tool was, and why it had sufficient access to Vercel's systems to cause this breach.
OOMKilla@reddit
the vercel post says it was context.ai — their google workspace oauth app was compromised https://vercel.com/kb/bulletin/vercel-april-2026-security-incident
QuickQuirk@reddit
I've been screaming in our company that these sorts of tools (like MCP servers) are a security nightmare. I expect more of this sort of thing in the coming weeks.
I just need to keep the CEO in line for just long enough for this sort of story to sneak through the VC reality distortion fields.
ph0n3Ix@reddit
If there's any humor left in the universe, it'll end up being something like "CI/CD Security Enhancer Agent Pro"
cs_irl@reddit
How can you rotate non-sensitive environment variables?!
SirReal14@reddit
Vercel is awful, can't believe anyone pays for that garbage. Migrate off.
TheBloodyMummers@reddit
I'm hosting a next.js site on their free tier, haven't had any issues, what kind of problems have you had and what alternatives do you suggest? Thanks
SirReal14@reddit
I dislike next.js, and I think if you use it enough you will too, but for a drop-in replacement Netlify is much better than Vercel at their own game.
femio@reddit
this is just fanboyism. dislike vercel all you want but at least stop fear mongering about it in a security-focused thread
SirReal14@reddit
Who or what am I fanboying?
Due_Rich_616@reddit
14-year account with 25 comments
IPreferTheTermMidget@reddit
Dunno if anyone else experienced this, but I tried to migrate to their main page by clicking on their logo in the link above and it crashed chrome twice.
wesleybrooks9391@reddit
Ugh, that's not good. ShinyHunters again? Ain't surprised, they've been busy. Hope my personal stuff isn't out there, gotta check my auth tokens now. I always figured a breach was eventually coming, just hoped it wouldn't be soon.
programming-ModTeam@reddit
No content written mostly by an LLM. If you don't want to write it, we don't want to read it.
That_Country_7682@reddit
"non sensitive secrets" is doing some incredible heavy lifting in that headline
RaccoonElaborate@reddit
They named their company vercel lmao
afl_ext@reddit
All of those years avoiding Next finally paid off!!!!!!
breakslow@reddit
You can host next without vercel.
Maybe-monad@reddit
Next works fine in Docker on a VPS
Initial-Bus-8063@reddit
I self host so using next is best for me lol
PreciselyWrong@reddit
Trust me, you made the right choice even before this
Garden1252@reddit
i used to pray for times like this
strakelabs@reddit
Sucks this happened to them. One of many reasons to also have your keys behind a proxy.
fragglerock@reddit
https://xcancel.com/DiffeKey/status/2045813085408051670
https://cdn.xcancel.com/pic/71CE8FEC72A23/media%2FHGQv-FuWEAAVjgZ.jpg%3Fname%3Dsmall%26format%3Dwebp