[DigitalToday reporter Chi-gyu Hwang] Developer tools company Vercel has suffered a leak of some customer data, SiliconANGLE reported on April 20 local time.

Vercel disclosed the incident late on the night of April 19. Valued at $9.3 billion last year, Vercel provides tools and cloud infrastructure for developers to build web applications based on the open-source development framework Node.js.

In a security notice, Vercel said the breach began at an external product, Context.ai. Context.ai is an AI workflow automation cloud platform that integrates with third-party services such as Google Workspace. After compromising Context.ai, hackers used it to log into a Vercel employee's Google Workspace account.

Using the compromised account, the attacker accessed some customers’ environment variables. Environment variables are data structures that contain secret information such as database passwords or encryption keys. Vercel said it separately offers a feature to protect sensitive environment variables, and that the data exposed this time were those for which the feature was not enabled.

It added that because the affected customers were not using that feature, the leaked data may not be highly important.

The leaked data reportedly included information on hundreds of employees and several API keys. Some of the API keys are also connected to GitHub repositories. Vercel employees manage the Node.js GitHub repository and maintain other open-source projects. SiliconANGLE reported that, as a result, access rights to open-source projects carry the risk of supply-chain attacks that could infect many developers.

Vercel CEO Guillermo Rauch said on X that an analysis of the supply chain showed Next.js, Turbopack and various open-source projects were safe. Vercel is investigating the incident through Google Mandiant cybersecurity services.

Vercel also advised customers to replace non-sensitive environment variables and review activity logs for signs of malicious activity. In addition, it introduced a dashboard to make it easier to manage and monitor environment variables.
