Vercel April 2026 security incident (vercel.com)
jtreminio 1 hour ago [-]
I'm on a macbook pro, Google Chrome 147.0.7727.56.

Clicking the Vercel logo at the top left of the page hard crashes my Chrome app. Like, immediate crash.

What an interesting bug.

embedding-shape 12 minutes ago [-]
Huh, curiously, I'm on Arch Linux and the crash happens in Google Chrome (147.0.7727.101) for me too, but not in Firefox (149.0.2) nor even in Chromium (147.0.7727.101).
burnte 32 minutes ago [-]
I'm running 147.0.7727.57 and this doesn't happen. Macbook Air M5. VERY interesting.
farnulfo 1 hour ago [-]
Same hard crash on Chrome on Windows 11.
itaintmagic 1 hour ago [-]
Do you have a chrome://crashes/ entry?
rapfaria 23 minutes ago [-]
It did add an entry - Windows 11, Chrome.
MattIPv4 2 hours ago [-]
Related: https://news.ycombinator.com/item?id=47824426

https://x.com/theo/status/2045862972342313374

> I have reason to believe this is credible.

https://x.com/theo/status/2045870216555499636

> Env vars marked as sensitive are safe. Ones NOT marked as sensitive should be rolled, out of precaution.

https://x.com/theo/status/2045871215705747965

> Everything I know about this hack suggests it could happen to any host

https://x.com/DiffeKey/status/2045813085408051670

> Vercel has reportedly been breached by ShinyHunters.
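The quoted advice splits environment variables by whether they were marked sensitive. The following is an added example, not code from the thread or from Vercel: a small triage helper over an env-var listing shaped like an `envs` array with `key`, `type` and `target` fields, where `type === "sensitive"` marks the write-only kind. That shape, the type names and the sample data are assumptions constructed for this example. It lists the non-sensitive variables, groups them by deployment target so production can be worked first, and separately flags secrets stored under the `NEXT_PUBLIC_` prefix, which Next.js inlines into the browser bundle regardless of how the variable is stored.

```javascript
// Added example: triage an environment-variable listing into "marked
// sensitive" vs "needs rotation". Shape assumption: an `envs` array with
// `key`, `type` and `target` fields, where type === "sensitive" is the
// write-only kind. The listing below is constructed, not real data.

const SENSITIVE_TYPE = "sensitive";

// Constructed sample listing, as a team might save from an API call.
const sampleListing = {
  envs: [
    { key: "DATABASE_URL", type: "encrypted", target: ["production"] },
    { key: "STRIPE_SECRET_KEY", type: "sensitive", target: ["production"] },
    { key: "NEXT_PUBLIC_APP_NAME", type: "plain", target: ["production", "preview", "development"] },
    { key: "SESSION_SIGNING_KEY", type: "encrypted", target: ["production", "preview"] },
    { key: "SENTRY_DSN", type: "plain", target: ["development"] },
    { key: "NEXT_PUBLIC_MAPS_API_KEY", type: "plain", target: ["production", "preview"] },
  ],
};

// Names of variables not marked sensitive, i.e. the ones the quoted advice
// says to rotate. Sorted so the output is stable across runs.
function varsNeedingRotation(listing) {
  return listing.envs
    .filter((e) => e.type !== SENSITIVE_TYPE)
    .map((e) => e.key)
    .sort();
}

// Rotation candidates grouped by deployment target, e.g.
// { production: [...], preview: [...], development: [...] }.
function rotationPlanByTarget(listing) {
  const plan = {};
  for (const e of listing.envs) {
    if (e.type === SENSITIVE_TYPE) continue;
    for (const t of e.target) {
      if (!plan[t]) plan[t] = [];
      plan[t].push(e.key);
    }
  }
  for (const t of Object.keys(plan)) plan[t].sort();
  return plan;
}

// Heuristic: a NEXT_PUBLIC_ variable is bundled into the client build by
// Next.js, so a secret stored under that prefix is exposed no matter how it
// is marked server-side. Returns the keys that look like secrets.
function publicPrefixSecrets(listing, secretHints = ["SECRET", "KEY", "TOKEN", "PASSWORD"]) {
  return listing.envs
    .filter((e) => e.key.startsWith("NEXT_PUBLIC_") && secretHints.some((h) => e.key.includes(h)))
    .map((e) => e.key);
}

console.log("rotate:", varsNeedingRotation(sampleListing));
console.log("by target:", rotationPlanByTarget(sampleListing));
console.log("public-prefix secrets:", publicPrefixSecrets(sampleListing));
```

The rotation list is deliberately conservative: anything not marked sensitive is a candidate, and the per-target grouping is what a team would hand to whoever owns each environment. The prefix check is a separate finding because rotating such a value does not help while it is still shipped to the browser.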

otterley 33 minutes ago [-]
Who is this “theo” person and why are multiple people quoting him? He seems to have little to say that’s substantive at this point.
koito17 6 minutes ago [-]
> He seems to have little to say that’s substantive

That's because he's an e-celeb. His goal is to generate impressions (and advertisement revenue) on social media. It just happens that he chooses software-adjacent topics.

gordonhart 25 minutes ago [-]
He’s a tech influencer, probably getting quoted here because he has the biggest reach of people covering this so far.
MikeNotThePope 26 minutes ago [-]
Theo Browne is a reasonably well known YouTuber & YC founder.

https://t3.gg/

adithyasrin 38 minutes ago [-]
We run on Vercel and I wonder if / how long before we're alerted about a leak. A quick look online suggests environment variables marked as sensitive are ok, but to what extent, I wonder.
gneray 1 hour ago [-]
rubiquity 42 minutes ago [-]
He doesn't work at Vercel but he is the type to never pass up any opportunity to chase clout.
threecheese 25 minutes ago [-]
Almost like that’s his job.

Hey, I’m with you - I think social media needs to die specifically for this reason. I’m reminded of the term “snake oil” - it’s like the dawn of newspapers again.

OsrsNeedsf2P 2 hours ago [-]
The lack of details makes me wonder how large this "subset" of users really is
neom 1 hour ago [-]
https://x.com/theo/status/2045871215705747965 - "Everything I know about this hack suggests it could happen to any host"

He also suggests in another post that Linear and GitHub could also be pwned?

Either way, hugops to all the SRE/DevOps out there, seems like it's going to be a busy Sunday for many.

phillipcarter 46 minutes ago [-]
I don't know if I'd trust some random programmer-streamer-influencer on anything other than the topic of streamer-influencing.
hvb2 32 minutes ago [-]
The link at the top of the page is to Vercel acknowledging it...
embedding-shape 1 hour ago [-]
Based on what, "feels like it"? Claiming that Cloudflare is affected by the same hack has to come from somewhere, but where is that coming from?
gruez 1 hour ago [-]
From his "sources".

> Here’s what I’ve managed to get from my sources:

> 3. The method of compromise was likely used to hit multiple companies other than Vercel.

https://x.com/theo/status/2045870216555499636

To be fair, journalists often do this too, e.g. "[company] was breached, people within the company claim".

eddythompson80 27 minutes ago [-]
Isn’t he a Vercel evangelist though?
troupo 17 minutes ago [-]
He is "whatever gives me a short-term boost in popularity". Including doing 180 turns on whatever he's evangelizing or bashing.
eddythompson80 12 minutes ago [-]
Fair enough. That's probably a better description from what I've seen of him. I remember that Arc browser shilling.
nozzlegear 3 minutes ago [-]
> @theo: "I have reason to believe this is credible. If you are using Vercel, it’s a good idea to roll your secrets and env vars."

> @ErdalToprak: "And use your own vps or k3s cluster there’s no reason in 2026 to delegate your infra to a middle man except if you’re at AWS level needs"

> @theo: "This is still a stupid take"

lol, okay. Thanks for the insight, Theo, whoever you are.

techpression 44 minutes ago [-]
“Any host” of what? That’s such a non-descriptive statement and clearly not true at face value.
recursivegirth 32 minutes ago [-]
Ah, Theo with his vast insights and connections into everything. That man gets around, and his content is worth its cost.

Theo's content boils down to the same boring formula:

1. Whatever buzzword headline is trending at the time.
2. An immediate sponsored ad that is supposed to make you sympathize with Theo because he "vets" his sponsors.
3. The man makes you listen to a "that totally happened" story that he somehow always involved himself in personally.
4. The man serves you up an ad for his t3.chat and how it's the greatest thing in the world and how he should be paid more for his infinite wisdom.
5. A rag on Claude or OpenAI (whichever is leading at the time).
6. 5-10 minutes of paraphrasing an article without critical thought or analysis on the video topic.

I used to enjoy his content when he was still in his Ping era, but it's clear he's drunk the YT marketer Kool-Aid. I've moved on; his content gets recommended now and again, but I can't entertain his nonsense anymore.

neom 26 minutes ago [-]
I don't watch his content, but I felt comfortable posting his link as I believe he's generally considered a reputable guy? His tweets sometimes come up in my For You tab and he seems reasonable and knowledgeable generally? Maybe I'm wrong and shouldn't have linked to him as a source.
steve_adams_86 17 minutes ago [-]
He's kind of like an LLM in that his content has the surface texture of something substantial, and sometimes it's backed by substance, yet it's often half-true or totally off the mark too. You'll notice if you're previously acquainted with what he's talking about, otherwise he seems to be as you described.

I don't think he's a bad guy or that he's trying to be misleading. I suspect he wants his content to actually carry value, but he produces too much for that to be possible. Primarily he's a performer, not a technologist.

arabsson 3 minutes ago [-]
I agree with this comment. YouTube's summarize this video feature has been a godsend when it comes to Theo's videos.
threetonesun 16 minutes ago [-]
Nothing on x.com is reputable at this point.
rvz 1 hour ago [-]
I do remember that OpenAI did use Vercel a year ago. They might have likely moved off of it to something better.
sreekanth850 17 minutes ago [-]
Too much of uncontrolled vibecoding?
steve1977 12 minutes ago [-]
While I would agree, unfortunately with JavaScript vibecoding is not even necessary to run into issues.
ofabioroma 1 hour ago [-]
Time to IPO.
0xy 1 hour ago [-]
This is why you pay a real provider for serious business needs, not an AWS reseller. Next.js is a fundamentally insecure framework, as server components are an anti-pattern full of magic leading to stuff like the below. Given their standards for framework security, it's not hard to believe their business' control plane is just as insecure (and probably built using the same insecure framework).

Next.js is the new PHP, but worse, since unlike PHP you don't really know what's server side and what's client side anymore. It's all just commingled and handled magically.

https://aws.amazon.com/security/security-bulletins/rss/aws-2...

sbarre 48 minutes ago [-]
People say "Next.js is the new PHP" because it's the most popular and prominent tooling out there, and so by sheer number of available targets it's the one that comes up the most when things go wrong like this.

But there are more people trying to secure this framework and the underlying tools than there would be on some obscure framework or something the average company built themselves.

Also "pay a real provider", what does that mean? Are you again implying that the average company should be responsible for _more_ of their own security in their hosting stack, not less?

Most companies have _zero_ security engineers. Using a vertically-integrated hosting company like Vercel (or other similar companies, perhaps with different tech stacks - this opinion has nothing to do with Next or Node) is very likely their best and most secure option based on what they are able to invest in that area.

embedding-shape 1 hour ago [-]
> Next.js is the new PHP, but worse, since unlike PHP you don't really know what's server side and what's client side anymore. It's all just commingled and handled magically.

It wasn't unheard of back in the day that you leaked things via PHP templates, like serializing and adding the whole user object, including private details, to a Twig template or whatever; it just happened the other way around, kind of. This was before a fat frontend and thin backend was the prevalent architecture; many built their "frontends" from templates with just sprinkles of JavaScript back then.
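The leak pattern described above, a whole server-side record serialized into what the client receives, is the same whether the boundary is a PHP template or a server-to-client component props object. The following is an added example, not code from the thread or from any framework mentioned in it: the leaky serialization beside an allowlist projection that fixes it, plus a check that reports which private field names made it into a serialized payload. The record, its field names and the private-field list are constructed for this example.

```javascript
// Added example (not from the thread): over-serialization of a server-side
// user record versus an explicit allowlist projection, with a check that can
// run in a test or response middleware. All data below is constructed.

// What the server holds for a user: public and private fields side by side.
const serverUser = {
  id: 42,
  displayName: "Ada",
  email: "ada@example.invalid",
  passwordHash: "constructed-hash-not-real",
  mfaSecret: "constructed-totp-seed-not-real",
  internalNotes: "account flagged for manual review",
  role: "user",
};

// Fields that must never reach a template, a props object or a JSON response.
const PRIVATE_FIELDS = ["email", "passwordHash", "mfaSecret", "internalNotes"];

// The leaky way: hand the whole object to the view layer. In a template or at
// a server/client component boundary this ends up as JSON inside the HTML.
function renderUserLeaky(user) {
  return JSON.stringify(user);
}

// The fixed way: project onto an explicit allowlist of client-safe fields.
// A field added to the server record later stays out unless listed here,
// which is the property a denylist does not give you.
function toClientUser(user) {
  const { id, displayName, role } = user;
  return { id, displayName, role };
}

function renderUserSafe(user) {
  return JSON.stringify(toClientUser(user));
}

// Defensive check: which private field names appear as keys anywhere in a
// serialized payload, including nested objects and arrays.
function leakedPrivateFields(serialized, privateFields = PRIVATE_FIELDS) {
  const keys = new Set();
  const walk = (value) => {
    if (Array.isArray(value)) {
      value.forEach(walk);
    } else if (value && typeof value === "object") {
      for (const [k, v] of Object.entries(value)) {
        keys.add(k);
        walk(v);
      }
    }
  };
  walk(JSON.parse(serialized));
  return privateFields.filter((f) => keys.has(f));
}

console.log("leaky payload exposes:", leakedPrivateFields(renderUserLeaky(serverUser)));
console.log("safe payload exposes:", leakedPrivateFields(renderUserSafe(serverUser)));
```

The check is intentionally key-based rather than value-based: it catches the structural mistake (the wrong object crossed the boundary) even when a particular private value happens to be empty in the test fixture.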

rvz 1 hour ago [-]
There is no serious reason to use Vercel, other than for those being locked into the NextJs ecosystem and demo projects.
allthetime 21 minutes ago [-]
I recently got hit by a car on my bike. While I was starting the claim filing process the web portal for ICBC (British Columbia insurance) was acting a little funky / stalling / and then gave me a weird access error. Down at the bottom of the error page was a little grey underlined link that said “vercel”.

I’m not exactly surprised, but it seems like the unserious, ill-informed and lazy are taking over. There is absolutely zero reason why a large, essential public service should be overspending and running on an unnecessary managed service like vercel… yet, here we are.

mikert89 1 hour ago [-]
Much as I want to rip on Vercel, it's clear that AI is going to lead to mass security breaches. The attack surface is so large, and AI agents are working around the clock. This is a new normal. Open source software is going to change; companies won't be running random repos off GitHub anymore.
sph 29 minutes ago [-]
Your entire recent posting history is "software engineering is over, AI has won."

What's your agenda here?

mikert89 21 minutes ago [-]
How many recent security breaches have we seen?
nozzlegear 6 minutes ago [-]
How many can unequivocally be attributed to malicious AI?
bossyTeacher 24 minutes ago [-]
Paid by a Sama minion, I bet.
goalieca 24 minutes ago [-]
Slop coding and makeshift sites being thrown up with abandon at breakneck speeds is going to buy me a lot of minivans.
tcp_handshaker 36 minutes ago [-]
> AI is going to lead to mass security breaches.

Let that be the end of Microsoft. I was forced to use their shitty products for years by corporate inertia and their free Teams and Azure licenses, the first-dose-is-free curse.

lijok 1 hour ago [-]
ShinyHunters are a phishing group. What does this have to do with AI agents?
mikert89 60 minutes ago [-]
Run AI agents around the clock to do hyper-targeted phishing.
cj 48 minutes ago [-]
I feel like humans would be better at hyper targeting.

AI agents have the benefit of working at scale, probably "better" used for mass targeting.

mikert89 31 minutes ago [-]
This is like saying email marketing is done better if you hand-write every email. That's true, but the hit rate is so low that you are better off generating 1 million hyper-personalized emails and firing them off into the ether.
freedomben 40 minutes ago [-]
I disagree. Many humans are phishing in a different language than their native tongue, and LLMs are way better at sounding legit/professional than many of them. The best spear-phishing will still be humans, but AI definitely raises the bar.