Vercel, the company that provides Next.js, confirms it has suffered a security breach involving unauthorised access to internal systems via a compromised third-party AI tool.

The attack was claimed by the group ShinyHunters, which says it has stolen GitHub/NPM tokens, environment variables and parts of the Next.js source code.

The company says core Next.js/Turbopack projects have not been directly affected.

However, reports indicate that attackers may have accessed source code and customer data.

Next.js, one of the most widely used web frameworks on the Internet, is downloaded about 6 million times a week, and a significant number of organisations rely on it.

“This is not a theoretical risk but an active security incident involving a widely used library, which significantly increases the potential impact,” says Lotem Finkelstein, vice-president of research at Check Point.

“Given its broad adoption, even a single compromise can quickly translate into large-scale exposure across organisations, so organisations need to make sure the right security measures are in place to prevent any exposure related to this library.”

He adds that incidents like this are particularly challenging because there is a lack of immediate visibility.

“Many organisations are not fully aware of where and how such dependencies are embedded across their environments, which can delay detection and response at scale,” Finkelstein adds.