Paradigm Shift Multimedia

The Vercel Hack Is Not a Developer Problem. It's Your Problem

Vercel confirmed a breach on 19 April 2026. The headlines conflated the platform incident with Next.js itself — and asked the wrong question entirely. This briefing explains the three layers of web security every business should understand, and what to ask your digital partner before the next incident makes the decision for you.

On 19 April 2026, Vercel — the cloud infrastructure company behind the Next.js web framework and one of the most widely used deployment platforms in the world — confirmed a security breach involving unauthorised access to its internal systems.

Within hours, a threat actor claiming affiliation with the ShinyHunters cybercrime group posted on BreachForums offering what they described as stolen Vercel data — including customer API keys, source code, database credentials, and internal deployment access — for a reported asking price of two million dollars.

The immediate reaction across the developer and business communities was predictable: panic, hot takes, and a flood of questions that conflated several distinct issues into one. Is Next.js compromised? Is it safe to host on Vercel? Should businesses be moving to WordPress? Is any framework actually secure?

This briefing separates what actually happened from what is being assumed, explains the three distinct layers of web security that the Vercel incident makes visible, and provides business owners with the questions they should be putting to their digital partners right now.

SECTION 1: WHAT ACTUALLY HAPPENED AT VERCEL

The Vercel breach was not caused by a vulnerability in Next.js. The framework itself was not compromised. Vercel CEO Guillermo Rauch confirmed this directly, stating that a supply chain analysis found Next.js, Turbopack, and all of Vercel's open source projects remained safe. In collaboration with GitHub, Microsoft, npm, and Socket, Vercel confirmed that no published npm packages were tampered with as a result of the incident.

The breach originated elsewhere entirely — and its origin story is one that any organisation using modern software tools needs to understand.

The entry point was a third-party AI productivity tool called Context.ai, used by at least one Vercel employee. That employee had connected their enterprise Google Workspace account to the tool and granted it broad "Allow All" permissions. In February 2026, a threat actor compromised Context.ai using Lumma Stealer malware. The harvested credentials included Google Workspace access — which the attacker used to escalate privileges into Vercel's internal environment.

Once inside, the attacker was able to access Vercel systems and read environment variables that had not been designated as "sensitive." Environment variables are the configuration settings that applications use to connect to databases, external services, payment providers, and APIs. Variables marked as sensitive in Vercel are stored encrypted and were not accessed. Variables left unencrypted — those classified as non-sensitive — were exposed.

Vercel reached out to the affected subset of customers and advised immediate rotation of all non-sensitive credentials. The company engaged Google's Mandiant cybersecurity division, notified law enforcement, and has been publishing updates as the investigation progresses.

At the time of this briefing, the full scope of downstream impact remains under active investigation.

SECTION 2: THE THREE LAYERS OF WEB SECURITY MOST BUSINESSES DON'T DISTINGUISH

The Vercel incident, and the confusion it has generated, reveals a structural gap in how most businesses think about the security of their digital presence. There is a widespread tendency to treat "website security" as a single question with a single answer. In practice, it operates across three distinct and independent layers — each with different risk profiles, different failure modes, and different responsibilities.

Understanding these layers is not a technical exercise. It is a commercial one. Security incidents that affect businesses are almost always the result of a failure at one specific layer — and the correct response depends entirely on identifying which one.

The First Layer: The Framework

The framework is the underlying code that determines how a website or web application is built. In the context of this discussion, the primary frameworks in question are Next.js and WordPress.

Next.js is a React-based framework maintained by Vercel. It is used to build modern, high-performance web applications and is the framework of choice for a significant portion of the current generation of business websites and digital products. It recorded more than 520 million downloads in 2025 alone.

WordPress powers approximately 43 per cent of all websites on the internet. It is the world's most widely deployed content management system and the most common choice for business websites built in the previous decade.

Both frameworks have had significant security vulnerabilities at the code level. In December 2025, a critical vulnerability tracked as CVE-2025-55182 was identified in React Server Components — the protocol that underpins modern Next.js applications. The severity score was 10.0 — the maximum possible rating. The vulnerability allowed unauthenticated attackers to execute arbitrary code on affected servers by sending a specially crafted request, with no login or authentication required. Researchers found that 40 per cent of cloud environments contained vulnerable instances of Next.js or React at the time of discovery.

WordPress's framework-level vulnerabilities operate differently. The core WordPress software is reasonably well maintained. The exposure comes from its plugin ecosystem. The average WordPress site runs between 20 and 30 plugins. In 2025, critical vulnerabilities were found in widely used plugins including Elementor, WPForms, and All in One SEO — collectively installed across more than 15 million sites. Each plugin represents an independently maintained codebase with its own update cycle, its own security record, and its own exposure.

The key distinction is this: Next.js vulnerabilities tend to be fewer, more severe when they occur, and patched rapidly at the source. WordPress vulnerabilities are more numerous, distributed across thousands of plugins with inconsistent maintenance standards, and dependent on site owners applying updates promptly — which research consistently shows many do not.

The Second Layer: The Platform

The platform is the infrastructure on which the website or application runs. This is where the Vercel breach occurred.

A breach at the platform layer does not mean the framework is insecure. A break-in at the building housing a safe does not mean the safe itself has been cracked. The distinction matters because the remediation actions are entirely different.

Vercel is one platform among several on which Next.js applications can be deployed. It is the most popular, and Vercel's relationship with Next.js as both framework maintainer and preferred deployment platform has led to their names being used interchangeably in many discussions. They are not the same product. Next.js can be deployed on AWS, Google Cloud, Azure, Netlify, Railway, and self-hosted infrastructure — none of which were involved in this incident.

WordPress deployments face an equivalent platform-layer risk. A WordPress site hosted on a poorly configured or under-resourced shared hosting environment carries significantly more platform-level exposure than one hosted on a dedicated, professionally managed server with regular security auditing.

The platform question is one of operational security — credential management, access controls, third-party integrations, and monitoring. These are decisions made by the infrastructure provider and, in some cases, by the development team managing the deployment. They are not determined by which framework was used to build the website.

The Third Layer: Developer and Configuration Decisions

The third layer is where the majority of real-world security incidents affecting business websites originate. It encompasses the decisions made by the development team during and after the build — how credentials are stored, which third-party services are granted access, whether environment variables are appropriately classified, how dependencies are managed, and whether security practices are reviewed on a regular basis.

The Vercel breach was amplified at this layer. An employee used an enterprise account to connect to a third-party AI tool and granted it broad permissions without adequate governance. The environment variables that were exposed were those left unencrypted — a configuration choice, not a platform failure.

The same pattern appears across the history of significant web security incidents. The technical vulnerability is rarely the whole story. Human decisions about configuration, access, and maintenance are consistently the factor that determines whether a vulnerability becomes a breach and how far a breach extends.

SECTION 3: THE QUESTION THIS RAISES FOR BUSINESS OWNERS

The Vercel breach, set alongside the critical Next.js vulnerabilities disclosed in late 2025, presents business owners with a legitimate and important question — one that goes beyond the specifics of any single incident.

The question is not: "Is Next.js safe, or should I switch to WordPress?" Both frameworks have security records that disqualify either from being described as categorically safe or unsafe. The meaningful question is: "What does my digital partner do to manage security risk across all three layers, on an ongoing basis?"

Most business websites are built once, deployed, and maintained reactively — updates applied when something breaks, security reviewed when something goes wrong. This model was already inadequate before the current threat environment. In 2026, with AI-accelerated attack tooling enabling faster exploitation of vulnerabilities, a longer dwell time between breach and detection, and an expanding ecosystem of third-party integrations creating new lateral movement paths, it is not a defensible approach.

The critical React Server Components vulnerability disclosed in December 2025 had a 100 per cent exploitation success rate in researcher testing and was being actively exploited in the wild at the time of disclosure. Researchers found that 40 per cent of cloud environments were running vulnerable versions. The patch was available. The exposure was a question of whether site owners and their technical partners applied it promptly.

The Vercel breach had been running undetected for an estimated 22 months before disclosure. The initial access point — a compromised third-party AI tool — is representative of an attack pattern that Trend Micro, Safe Security, and other researchers have identified as the defining characteristic of the current threat landscape: the entry point is almost never the target itself. It is a trusted tool inside the target's ecosystem.

SECTION 4: WHAT RESPONSIBLE DIGITAL PARTNERSHIP LOOKS LIKE

Businesses engaging digital agencies, development studios, or technology partners to build and maintain their web presence should expect their partners to take an active and structured approach to security across all three layers described above.

At the framework layer, this means maintaining current versions of all core packages and dependencies, monitoring security advisories from framework maintainers, and applying critical patches within defined timeframes — not on an ad hoc basis. For both Next.js and WordPress environments, this is a process discipline question, not a technical complexity question.

At the platform layer, this means applying the principle of least privilege to all third-party integrations — granting access only to what is necessary and reviewing those grants on a regular basis. It means ensuring that all credentials and secrets stored in deployment environments are classified appropriately, encrypted where possible, and rotated on a defined schedule. It means monitoring access logs for anomalous activity and having a defined incident response process that does not begin with reading a news article.

At the configuration and decision layer, this means building with security as a design consideration rather than an afterthought. API keys stored in environment variables, third-party OAuth integrations, external service connections — each of these is a potential attack surface. A responsible digital partner inventories and reviews these surfaces proactively, not reactively.
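The classification review described above can be partly automated. The following is an added example, not code from this briefing or from Vercel: it scans an inventory of environment variables and flags entries that look like credentials but are not marked sensitive. The inventory shape (`key`, `value`, `sensitive`), the name patterns and the entropy threshold are assumptions chosen for illustration.

```javascript
// Added example: flag credential-like environment variables not classified as sensitive.
// Assumption: the inventory is a list of { key, value, sensitive } objects exported by hand.
const SECRET_NAME = /(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE|CREDENTIAL|API_?KEY|_KEY$|DATABASE_URL|_DSN$)/i;
const ENTROPY_THRESHOLD = 4.5; // bits per character; assumed cut-off, tune for your data

// Shannon entropy in bits per character; random tokens score higher than ordinary settings.
function entropy(s) {
  const chars = [...s];
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / chars.length) * Math.log2(n / chars.length);
  return h;
}

// True when the value is a URL carrying an embedded password (scheme://user:pass@host).
function hasUrlPassword(value) {
  try {
    return new URL(value).password !== "";
  } catch {
    return false; // not parseable as a URL
  }
}

// Lists the reasons a single variable looks like a credential.
function reasonsFor({ key, value }) {
  const reasons = [];
  if (SECRET_NAME.test(key)) reasons.push("name");
  if (hasUrlPassword(value)) reasons.push("url-password");
  if (value.length >= 20 && !/\s/.test(value) && entropy(value) >= ENTROPY_THRESHOLD) reasons.push("high-entropy");
  return reasons;
}

// Returns every variable that looks like a credential but is not marked sensitive.
function auditEnv(inventory) {
  return inventory
    .filter((v) => !v.sensitive)
    .map((v) => ({ key: v.key, reasons: reasonsFor(v) }))
    .filter((finding) => finding.reasons.length > 0);
}

// Constructed sample inventory; every name and value below is made up for this example.
const SAMPLE = [
  { key: "NEXT_PUBLIC_SITE_NAME", value: "Example Storefront", sensitive: false },
  { key: "LOG_LEVEL", value: "info", sensitive: false },
  { key: "DATABASE_URL", value: "postgres://app:hunter2example@db.internal.example:5432/shop", sensitive: false },
  { key: "PAYMENTS_API_KEY", value: "q7Zr2LmX9cVb4TnE8sHd1KfW6yPu3Ga0", sensitive: true },
  { key: "ANALYTICS_WRITE", value: "Jf83kQz1Lx0Pv7Yt2Nc5Rb9Wm4Hd6Sg8", sensitive: false },
];
console.log(auditEnv(SAMPLE));
```

The name and entropy heuristics produce false positives and miss short or low-entropy secrets, so the output is a review list for a person to work through rather than a verdict.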

The Vercel breach did not require a sophisticated exploit. It required a single employee connecting a productivity tool to their enterprise account with overly broad permissions. The prevention was not a technical control. It was a governance process — the kind of process that a professionally structured digital partner should have in place and should be able to articulate to their clients.

SECTION 5: THE FRAMEWORK COMPARISON — AN HONEST ASSESSMENT

Given that the Vercel breach has revived the Next.js versus WordPress debate, it is worth providing a clear-eyed assessment of where each framework genuinely stands in 2026.

Next.js, when properly maintained and deployed with good security practices, offers a significantly smaller default attack surface than a comparable WordPress installation. It does not have a plugin ecosystem of independently maintained code. Its vulnerabilities, when they occur, are addressed at the framework level by a well-resourced team with a rapid response history. It does not attract the volume of automated bot-driven attacks that target WordPress login pages and known plugin vulnerabilities daily.

WordPress, deployed with disciplined plugin management, current versions across all components, a hardened server configuration, and a proactive maintenance approach, can be operated securely at scale. It powers some of the most trafficked websites in the world. The security failures associated with WordPress are, in the majority of cases, failures of maintenance discipline rather than fundamental framework insecurity.

The honest answer to "which is safer" is: neither, without the processes that surround them. The framework choice matters less than the practices of the team responsible for ongoing maintenance, monitoring, and incident response.

What the Vercel breach specifically illustrates — and what it adds to the conversation beyond any framework comparison — is that the security perimeter of a modern website extends well beyond the website itself. Every third-party integration, every AI tool connected to a development environment, every OAuth grant made by every person with access to a deployment platform is a potential entry point. Managing that perimeter is the operational security challenge of the current era, and it is a challenge that the tool vendors alone cannot solve.

CONCLUSION

The Vercel breach is a significant incident. It is not evidence that Next.js is compromised or that businesses should make reactive technology decisions based on a platform-level security event that is still under active investigation.

It is evidence that the threat landscape facing businesses operating web infrastructure in 2026 is more complex, more interconnected, and more dependent on operational security practices than most discussions about framework choice acknowledge.

The right response for business owners is not to switch frameworks. It is to ask their digital partners better questions — about how they manage dependencies, how they govern third-party integrations, how they respond to critical security advisories, and how quickly they would know if something had gone wrong.

Security is not a feature that a framework provides. It is a discipline that a team maintains. The distinction between Vercel the platform and Next.js the framework is one example of the precision required to think about this clearly. The broader principle — that the entry point for modern attacks is rarely the obvious target — is the lesson that extends well beyond this incident.

Paradigm Shift Multimedia builds digital systems with security considerations embedded at every layer of the process. If you would like to discuss your current web infrastructure, the tools connected to your deployment environment, or your approach to ongoing security maintenance, we would welcome the conversation.

ABOUT PARADIGM SHIFT MULTIMEDIA

Paradigm Shift Multimedia is a London-based digital studio operating across software development, creative production, and brand strategy. We design and build digital products that are commercially effective, architecturally sound, and built for the long term.

For a technical developer perspective on the same incident — including specific Next.js vulnerability history, CVE references, and a framework security comparison from a development standpoint — read the companion article at mikeadeleye.dev