
ShinyHunters Claims Vercel. The Real ShinyHunters Says It Wasn't Them. We Checked.

  • Writer: Patrick Duggan
  • 1 day ago
  • 2 min read

Someone posted on BreachForums today claiming to be ShinyHunters, offering Vercel's internal data for $2 million. Source code. NPM tokens. GitHub tokens. 580 employee records. A screenshot of an internal Enterprise dashboard.


Vercel confirmed a breach. "Unauthorized access to certain internal Vercel systems." Law enforcement notified. IR firm engaged.


Then the twist: actual ShinyHunters-affiliated threat actors told BleepingComputer they had nothing to do with it.


So who's wearing the mask?


We pulled every ShinyHunters indicator in our index and ran the thread.


We have 20 ShinyHunters IOCs indexed from EclecticIQ's January 2026 report. Ten IPs. Ten phishing domains. The pattern is unmistakable: Evilginx phishing pages impersonating corporate SSO portals. okta-louisvuitton.com. corporate-microsoft.com. workday-hubspot.com. workday-nike.com. All registered through Tucows with Njalla privacy protection.


We checked if that pattern extended to Vercel. We searched for vercel-sso.com.


It exists. Registered September 2, 2025. Cloudflare registrar. Resolves to 52.200.3.33 on AWS. Created seven months before the breach. Pre-staged infrastructure following the exact ShinyHunters naming convention.


The registrar is different — Cloudflare instead of Tucows. That's either an evolution in tradecraft or a different operator using the same playbook. The ShinyHunters pattern of company-sso.com is publicly documented. Anyone who read the EclecticIQ or Unit 42 reports could replicate it.
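The naming convention described above (vendor-prefixed and `<brand>-sso` second-level labels) is simple enough to watch for before a domain is ever used. The following is an added example, not code from the original post or from DugganUSA: it screens a constructed newly-registered-domain feed against a brand watchlist using only the patterns documented in the text, and records the registrar as triage context rather than as a filter, since the post shows the same pattern on both Tucows and Cloudflare.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Brands to protect: the ones named in the EclecticIQ indicators plus Vercel.
WATCHED_BRANDS = {"vercel", "louisvuitton", "microsoft", "hubspot", "nike"}
# Prefixes seen in the documented set (okta-<brand>, workday-<brand>, corporate-<brand>).
VENDOR_PREFIXES = {"okta", "workday", "corporate"}
# Suffixes of the <brand>-sso.com form; "login" is an assumed extension of the pattern.
SSO_SUFFIXES = {"sso", "login"}

# Constructed sample of a newly-registered-domains feed: (domain, registrar).
NRD_FEED: List[Tuple[str, str]] = [
    ("okta-louisvuitton.com", "Tucows"),
    ("workday-nike.com", "Tucows"),
    ("vercel-sso.com", "Cloudflare"),
    ("vercel.com", "MarkMonitor"),          # legitimate, must not fire
    ("nike-outlet-deals.com", "GoDaddy"),   # brand present but not the SSO convention
]

@dataclass(frozen=True)
class Hit:
    domain: str
    brand: str
    pattern: str     # which documented convention matched
    registrar: str   # kept for the analyst; different registrars still fired here

def classify(domain: str, registrar: str) -> Optional[Hit]:
    """Return a Hit if the registrable label follows the SSO-impersonation convention."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]                       # e.g. "vercel-sso" from login.vercel-sso.com
    if not re.fullmatch(r"[a-z0-9]+-[a-z0-9]+", sld):
        return None                        # exactly two hyphen-separated parts
    left, right = sld.split("-")
    if left in VENDOR_PREFIXES and right in WATCHED_BRANDS:
        return Hit(domain, right, f"{left}-<brand>", registrar)
    if left in WATCHED_BRANDS and right in SSO_SUFFIXES:
        return Hit(domain, left, f"<brand>-{right}", registrar)
    return None

def scan(feed: List[Tuple[str, str]]) -> List[Hit]:
    """Run the check over a feed and return only the domains worth an analyst's look."""
    return [hit for dom, reg in feed if (hit := classify(dom, reg)) is not None]

if __name__ == "__main__":
    for hit in scan(NRD_FEED):
        print(f"{hit.domain:26} brand={hit.brand:13} pattern={hit.pattern:18} registrar={hit.registrar}")
```

Run daily against a real NRD or certificate-transparency feed, this would have surfaced vercel-sso.com on its registration date rather than seven months later.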


This is the problem with brand-name threat actors. ShinyHunters isn't a person. It's a franchise. The Scattered Spider / LAPSUS$ / ShinyHunters convergence that Obsidian Security and Picus documented in 2025 means the TTP playbook is shared across loosely affiliated operators. Someone can fly the flag without being in the group chat.


What matters isn't who posted on BreachForums. What matters is what was stolen and what it enables.


Vercel hosts frontends for thousands of applications, including a significant chunk of the Web3 and DeFi ecosystem. NPM tokens and GitHub tokens from Vercel's internal systems aren't just access to Vercel — they're potential supply chain access to every application that deploys through Vercel's build pipeline.


That's why the ask is $2 million. The employee PII is the proof of access. The NPM tokens are the real payload.


If you deploy through Vercel, do what their bulletin says: rotate your environment variables, rotate your GitHub tokens, audit your build logs for cached credentials, and review your account activity for anything that happened before today.


If you consume threat intelligence, the ShinyHunters indicators are in our STIX feed. All 20 IOCs — IPs, phishing domains, file hashes — indexed and correlatable across 1,086,742 indicators. The MITRE mapping covers T1566.002 (SSO phishing), T1111 (MFA interception via Evilginx), T1528 (stolen application tokens), and T1195 (supply chain compromise).


We found vercel-sso.com seven months after someone registered it. The question isn't whether ShinyHunters did this. The question is why nobody flagged a domain called vercel-sso.com in September 2025.


analytics.dugganusa.com/stix/pricing



