How Vercel, a Major Website Platform, Faced Multiple Security Problems in 2025-2026
Between 2025 and 2026, Vercel, a major web hosting platform, experienced multiple serious security incidents including a code library breach, a website security flaw, and unauthorized system access.

Vercel is a company that helps developers build and publish websites on the internet. In late 2025 and early 2026, it faced several serious security incidents — break-ins and vulnerabilities that threatened websites built on its platform. Understanding what happened offers a window into why cybersecurity in modern web development is so complicated.
A Supply Chain Attack Targeting Code Libraries
On September 8, 2025, Vercel announced a serious breach affecting npm — think of it as a vast online library where developers download pre-written code to use in their own projects.
The breach compromised the account of someone with administrative access to DuckDB, a database tool used by many companies to analyze large amounts of data. When a hacker gained control of that single account, they were able to inject malicious code into the library. Other developers unknowingly downloaded the compromised code, potentially exposing their own applications and companies.
Vercel published details about how the attack spread. This is a pattern we have seen before: one weak point — in this case, stolen login credentials — can cascade outward and compromise many organizations downstream.
A Long-Running Vulnerability in Next.js
Vercel also operates Next.js, a popular tool that makes it easier for developers to build websites. In February 2025, security researchers privately reported a serious flaw in how Next.js handled a feature called "middleware" — essentially security checkpoints that sit between a user's request and the actual website code.
The vulnerability was first reported on February 27, 2025. The company took nearly a month to publish a full response on March 5, 2025. While that may sound like a long time, fixing security issues in complex software tools often requires careful coordination.
Vercel then released patches — fixes for the flaw — across multiple older versions of Next.js:
- Next.js 13.5.9 was patched on March 22, 2025
- Next.js 12.3.5 was patched on March 23, 2025
The staggered timeline reflects a real-world challenge: millions of websites use different older versions of Next.js, and Vercel had to decide which versions to fix. If a website's security relied on that middleware feature and never received a patch, it became vulnerable.
Streamlining How Security Reports Arrive
After the middleware incident, Vercel made a decision about how it would accept security reports. It shut down two email addresses where researchers could report problems and instead directed all Next.js security issues through GitHub's private reporting system.
Analysis: This change makes sense from Vercel's internal operations standpoint — it consolidates communication into one place. However, it creates a new dependency: if a researcher cannot access GitHub, or if their organization has policies against using it, they now have fewer options for reporting security problems to Vercel. This is a trade-off between internal efficiency and accessibility.
The Broader Threat Landscape in 2025
The Vercel incidents did not occur in isolation. Throughout 2025, a hacking group called ShinyHunters, active since 2019, stepped up their activities.
ShinyHunters claimed responsibility for breaking into Salesforce — a massive cloud platform that many companies use to manage customer relationships. Beginning in September 2025, the group targeted companies that had not properly secured their guest user access controls. The group had also previously launched a dark web forum called BreachForums after compromising the original one.
During this same period, Agence France-Presse (a major international news agency) detected an attack on its computer systems. The company announced that the attack affected its news distribution service — the infrastructure that delivers news to clients around the world. This illustrates how even established, well-resourced organizations can become targets.
An Unexplained Breach in April 2026
In April 2026, Vercel disclosed that someone had gained unauthorized access to some of its internal systems. The company published limited details in a security bulletin, but the specifics remain vague.
Worth flagging: Because Vercel hosts millions of websites — including many belonging to large corporations — this breach is more serious than it might initially seem. The unclear details about what data the hackers could access, and what they may have taken, warrant attention from anyone running important websites on Vercel's platform.
Compliance and Broader Security Investments
Throughout this period, Vercel maintained certifications showing it meets industry standards for handling credit card data securely. The company also updated its documentation to reflect its use of third-party partners — particularly for artificial intelligence features.
One claim circulated online that Vercel paid $1 million to security researchers for hardening its firewall, though this information lacks confirmation from Vercel itself and comes from sources of uncertain reliability.
What This Means for Website Builders and Users
For anyone running a website or online business on Vercel, or using Next.js as the underlying technology, these incidents raise important questions.
If your website relies on Next.js's middleware feature for logging users in or controlling access, the vulnerability meant attackers could potentially bypass that security layer — defeating a core protection. Companies needed to patch their websites, which required knowing about the flaw and having the technical capacity to update.
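The lesson above is that a middleware checkpoint should not be the only place authorization is enforced. The following added example (not Vercel's or Next.js's code) models a minimal request pipeline with a Next.js-style middleware gating /admin, and contrasts a route handler that trusts the middleware with one that re-verifies the session itself. The session store, cookie format and the "middleware skipped" switch are constructed for illustration; the actual bypass mechanism is not modeled.

```javascript
// Constructed session store: maps a cookie value to a user and role.
const SESSIONS = {
  "sess-alice": { user: "alice", role: "admin" },
  "sess-bob": { user: "bob", role: "viewer" },
};

// Extract the session from a "session=<id>" cookie; null if absent or unknown.
function sessionFromCookie(req) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(req.headers.cookie || "");
  return m ? SESSIONS[m[1]] || null : null;
}

// The middleware "checkpoint": returns a response to short-circuit,
// or null to let the request continue to the route handler.
function authMiddleware(req) {
  if (!req.path.startsWith("/admin")) return null;
  const s = sessionFromCookie(req);
  if (!s || s.role !== "admin") return { status: 403, body: "forbidden (middleware)" };
  return null;
}

// Fragile pattern: the handler assumes the middleware already ran.
function adminHandlerTrusting(req) {
  return { status: 200, body: "secret admin data" };
}

// Hardened pattern: the handler enforces authorization on its own,
// so a skipped or bypassed middleware does not expose the data.
function adminHandlerHardened(req) {
  const s = sessionFromCookie(req);
  if (!s || s.role !== "admin") return { status: 403, body: "forbidden (handler)" };
  return { status: 200, body: "secret admin data" };
}

// Simulated server. middlewareRuns=false models the checkpoint being
// skipped for whatever reason; the handler is still invoked either way.
function serve(req, handler, middlewareRuns = true) {
  if (middlewareRuns) {
    const early = authMiddleware(req);
    if (early) return early;
  }
  return handler(req);
}

// Constructed requests: a non-admin user and an anonymous visitor.
const bobReq = { path: "/admin/users", headers: { cookie: "session=sess-bob" } };
const anonReq = { path: "/admin/users", headers: {} };
```

The hardened handler returns 403 for bob and for anonymous requests whether or not the middleware ran, while the trusting handler returns the admin data as soon as the middleware is skipped.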
The npm supply chain attack is equally important to understand: if you downloaded code libraries from npm without checking whether they were trustworthy, you could have unknowingly pulled malicious code into your application.
In this author's view: The clustering of multiple serious security incidents around one platform provider raises a legitimate concern. Vercel has been transparent and communicative during these incidents, which is good. But the frequency of incidents also suggests a broader lesson: if too many important websites and businesses all rely on a single platform, one security failure can ripple outward and affect many companies at once.
The shift to GitHub-only vulnerability reporting is efficient for Vercel internally, but it may create blind spots for enterprise security teams managing complex systems. Organizations should make sure they can keep up with security updates across all the platforms and tools they depend on.
As websites and online services become increasingly critical infrastructure — running e-commerce, banking, healthcare, news — the security of the platforms that host them matters more than ever. The events of 2025-2026 offer a case study in how these risks cascade, and why both the companies that build the platforms and the organizations that use them need to think carefully about security.
