News & Updates
The latest news and updates from companies in the WLTH portfolio.
The Vercel Breach Wasn't Just a Hack. It Was a Trust Failure
Last weekend, Vercel, the company behind Next.js and one of the most widely used deployment platforms in the world, confirmed a security breach. Hackers breached its internal systems. They walked out with API keys, source code, and employee records. A threat actor has listed the stolen data on BreachForums for $2 million. If you host anything on Vercel, this is your problem too. If you've built on Lovable, it's actually worse. I've been through a major security breach before. At Evernote, we had to reset over 50 million user accounts in one bad weekend. What I learned is that the founders who survive these moments are the ones who had already thought about it once, before anything happened. Most hadn't. Here's what you need to understand about both incidents and what to do when you find yourself facing a secruity threat.
Vercel Confirms Security Breach - Set of Customer Account Compromised
Web infrastructure platform Vercel has disclosed a significant security incident involving unauthorized access to internal systems, tracing the attack chain back to a compromise of Context.ai, a third-party AI productivity tool used by one of its employees. Vercel first published its security bulletin on April 19, 2026, confirming that an attacker successfully gained a foothold in its internal environment by exploiting a compromised Google Workspace OAuth application belonging to Context.ai. The attacker leveraged that access to hijack an individual Vercel employee's Google Workspace account, subsequently pivoting into Vercel's internal environment to enumerate and decrypt non-sensitive environment variables. The incident follows what analysts are calling a textbook OAuth supply chain attack. Context.ai, which builds AI evaluation and analytics tools, has integrated its "Office Suite" consumer app with Google Workspace via OAuth. A Lumma Stealer malware infection on a Context.ai employee's machine in February 2026 resulted in OAuth tokens being collected by the threat actor in March, which were later weaponized to access Vercel's corporate environment. Vercel Confirms Security Breach Security firm OX Security noted the intrusion began when the Vercel employee installed the Context.ai browser extension and signed in using their enterprise Google account with broad "Allow All" permissions. Vercel initially identified a limited subset of customers whose non-sensitive environment variables, including API keys, tokens, database credentials, and signing keys, were compromised and reached out to those customers immediately for credential rotation. Following an expanded investigation, the company uncovered two additional findings: a small number of additional accounts compromised in this incident, and a separate set of customer accounts showing evidence of prior, independent compromise potentially stemming from social engineering or malware. Critically, environment variables marked as "sensitive" in Vercel, which are stored in an encrypted, non-readable format, show no evidence of being accessed. Vercel CEO Guillermo Rauch described the attacker as "highly sophisticated" based on their operational velocity and in-depth knowledge of Vercel's product API surface. A threat actor operating under the ShinyHunters persona has since claimed responsibility, reportedly attempting to sell stolen data, including internal databases, source code, and employee records, for $2 million on underground cybercriminal forums. Vercel stated it has received no ransom communication from the threat actor. In collaboration with GitHub, Microsoft, npm, and Socket, Vercel's security team confirmed that no Vercel-published npm packages have been compromised and that the software supply chain remains intact. Vercel is urging all customers to take the following steps immediately: * Rotate all non-sensitive environment variables (API keys, tokens, database credentials, signing keys) -- deleting a project or account is not sufficient to eliminate risk * Enable multi-factor authentication using an authenticator app or passkey * Mark future secrets as "sensitive" to prevent them from being readable via the dashboard * Review activity logs in the Vercel dashboard or CLI for suspicious behavior * Audit recent deployments for unexpected or unauthorized activity and ensure Deployment Protection is set to Standard at a minimum Vercel has published one Indicator of Compromise (IOC) to assist the wider security community: the OAuth App Client ID . Google Workspace administrators are advised to check for usage of this OAuth application immediately, as Context.ai's compromise potentially affected hundreds of users across multiple organizations. Vercel has engaged Google Mandiant and additional cybersecurity firms to assist with investigation and remediation, and the company says it is actively shipping product enhancements, including stronger environment variable management defaults and improved security oversight tooling.
Cyber Incident: How a Roblox Cheat Download Exposed the Hidden Weakness Inside Vercel
One employee, one bad download, and one cyber incident later, a $2 million ransom listing was tied to a chain that began with a Roblox cheat search and ended inside Vercel's internal systems. The immediate shock is not the malware itself, but how quickly a private browsing mistake in February 2026 became a platform-level exposure. Verified fact: Hudson Rock researchers reverse-engineered the victim's browser history and found the employee at Context. ai had been searching for and downloading "auto-farm" scripts and game exploit executors. One of those downloads contained Lumma Stealer, which silently harvested browser-saved credentials, API keys, session cookies, and OAuth tokens. Informed analysis: The scale of the aftermath shows that the real weakness was not just infected software, but the trust placed in connected accounts and broad permissions. What does this cyber incident reveal about the first point of failure? The central question is not how a Roblox cheat got onto a machine. It is why a single browser session could open a path from a small AI startup to one of the most important cloud development platforms. The context given here is narrow, but it is enough to show a layered chain of access: a browser infection, a credential harvest, a dormant database of stolen login material, and then a takeover that reached into enterprise systems. Hudson Rock's reconstruction places the origin in February 2026, when the employee was searching for game exploit tools. Lumma Stealer then collected whatever the browser had stored, including Google Workspace logins and OAuth tokens. Those credentials remained in a database for two months before someone noticed the email address belonged to a core engineer at Context. ai. That sequence matters because it turns a personal mistake into an organizational breach only after a delay. How did OAuth permissions turn into the bridge into Vercel? On April 19, 2026, Vercel confirmed that an attacker had used the stolen credentials to breach Context. ai, steal the OAuth tokens of its customers, and move into the Google Workspace of a Vercel employee who had signed up for Context. ai's product. That employee had granted "Allow All" permissions on their enterprise account. The permissions box, as described in the context, requested broad read access to the user's entire Google Workspace environment, including Drive. This is the critical hinge in the story. The attacker did not need to break into Vercel directly. They moved through a third-party AI tool already trusted by one employee. Once the attacker had that foothold, they entered Vercel's internal systems and took customer environment variables that had not been flagged as sensitive. Vercel's own statement framed the event as originating from "a small, third-party AI tool" whose Google Workspace OAuth app was caught in a broader compromise. Verified fact: a threat actor then listed what they claimed was Vercel's internal database for sale on BreachForums at $2 million. Informed analysis: The ransom figure signals that the value in this case was not just stolen access, but the perceived reach of the compromised data and accounts. Who is implicated, and who appears to benefit from the chain of trust? The context points to several parties in the chain. Context. ai is implicated because its OAuth app and infrastructure were part of the compromise. The employee at Vercel is implicated only in the sense that they accepted broad permissions on a work account, which became the bridge into deeper systems. Vercel is implicated because its internal systems held customer environment variables that were not flagged as sensitive, creating an exposure path once the attacker reached inside. What benefits from this structure is the attacker, who only needed one infected browser and one permissive grant. What also benefits, in a more systemic sense, are the hidden assumptions embedded in workplace software: that a trusted tool remains safe, that a login is isolated, and that broad access will not be abused. This cyber incident shows how those assumptions can fail together. There is also a broader lesson embedded in the way the breach unfolded. The malware did not target Vercel first. It harvested credentials from a small startup employee, waited, and then enabled lateral movement through a chain of software trust. That means the attack surface was not a single company's perimeter, but the permissions relationships between companies, employees, and their cloud accounts. What should the public understand about the real risk now? The facts here support a careful but firm conclusion: the breach was not only about stolen credentials, and not only about one employee's mistake. It was about how broad OAuth permissions, third-party AI tools, and stored browser credentials can combine into a single operational failure. Once the attacker obtained Context. ai credentials, the path to Vercel did not require a dramatic exploit. It required trust already granted. Verified fact: Vercel confirmed that customer environment variables were lifted and that the incident originated from a small third-party AI tool whose Google Workspace OAuth app was compromised. Informed analysis: If that is the model, then the accountability question is no longer limited to malware removal. It extends to permission design, customer data handling, and the default settings that let a broad grant become an enterprise doorway. The public should read this as a warning about the hidden cost of convenience. A cyber incident that started with a Roblox cheat download became a test of how much trust organizations place in browser sessions, connected apps, and broad access to work accounts. The lesson is plain: the weakest link may not be the company under attack, but the quiet permission granted long before the attack reached it. That is the real meaning of this cyber incident.
The Vercel Hack: How One AI Tool Cracked Open the Internet's Deployment Stack
A supply chain attack originating from a third-party AI assistant has exposed customer credentials at one of the web's most critical infrastructure providers -- and no one saw it coming. On the morning of April 19, 2026, engineers across the internet refreshed their dashboards to find an unsettling message from Vercel the cloud deployment platform that quietly underpins millions of websites, serverless functions, and frontend applications. The company had been breached. Hackers had found their way inside not through some zero-day exploit or brute-force attack against Vercel's own perimeter, but through something far more mundane and far more dangerous: a single employee's AI productivity tool. In less than 48 hours, a forum post on BreachForums claimed access to Vercel's source code, API keys, GitHub tokens, and NPM tokens enough, the threat actor boasted, to mount "the largest supply chain attack ever." The asking price: $2 million in Bitcoin. This is the full story of how it happened, why it matters, and what every developer should do right now. What is Vercel, and Why Should You Care? If you have deployed a React app, a Next.js site, or virtually any modern JavaScript frontend in the last few years, there is a very good chance you have used Vercel. The company was founded in 2015, originally as ZEIT, and has since become the dominant platform for frontend deployment a cloud layer sitting between your code repository and the open internet. Vercel is the official steward of Next.js, the React framework with over 520 million NPM downloads in 2025 alone. It runs serverless functions, edge compute, CI/CD pipelines, and preview deployments for companies ranging from scrappy startups to...
Vercel data breach: How hackers targeted the cloud company and offered its data for sale for $2 million
Cloud development platform Vercel confirmed a security breach after an employee's Google Workspace account was compromised via a third-party AI vulnerability. Attackers gained unauthorized access to internal systems, targeting non-sensitive environment variables. The data, including source code and API keys, is reportedly being sold for $2 million. American cloud development platform Vercel on Sunday confirmed a security breach allowing an attacker to gain unauthorised access to data for a "limited subset of customers". "We've identified a security incident that involved unauthorized access to certain internal Vercel systems. We are actively investigating, and we have engaged incident response experts to help investigate and remediate. We have notified law enforcement," the company wrote in a blogpost. What was the data breach about? The data breach occurred after a employee's Google Workspace account was compromised via a vulnerability at the third-party AI platform Context.ai. Vercel CEO Guillermo Rauch confirmed that hackers exploited this foothold to infiltrate internal systems with "surprising speed", suggesting the attackers likely used AI-driven tools to navigate the company's infrastructure and identify technical vulnerabilities. The intruders specifically targeted environment variables, focusing on those marked as 'non-sensitive,' a convenience feature now undergoing a rigorous security review. Although Vercel emphasises that sensitive data remained encrypted at rest and that the impact was limited to a small number of customers, the fallout has escalated into a high-stakes extortion attempt. The threat actor, identified by some as the group ShinyHunters, listed Vercel's data for sale on BreachForums for $2 million. The hackers claim to have exfiltrated source code, internal databases, and API keys. "Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms to protect core systems and customer data. We do have a capability however to designate environment variables as "non-sensitive". Unfortunately, the attacker got further access through their enumeration," CEO Rauch wrote in a post on X. Per The Information, last September, Vercel raised $300 million at a $9.3 billion valuation. How is Vercel currently tackling the breach? The company is prioritising investigation, customer communication, tightening security, and cleaning affected systems. Vercel has confirmed that core tools and projects such as Next.js and Turbopack remain secure and uncompromised. Vercel has partnered with Google's Mandiant team and law enforcement to investigate the full scope of the breach. The company has already begun rolling out new safeguards, specifically enhancing the visibility and control of environment variables within its dashboard. Rauch has committed to transforming this incident into a catalyst for the 'strongest security response possible' for the platform. "At the moment, we believe the number of customers with security impact to be quite limited. All of our focus right now is on investigation, communication to customers, enhancement of security measures, and sanitisation of our environments. We've deployed extensive protection measures and monitoring," Rauch added in his post. Further, Vercel has directly contacted affected individuals, advising them to immediately change their sensitive credentials, such as passwords and API keys, and monitor access logs to check if attackers have already accessed these keys and prevent further unauthorised activity.
'No npm packages compromised,' confirms Vercel after security attack - AMBCrypto
Vercel, a Web3 infrastructure provider, has finally provided a breather to the crypto community as it announced that no Node Package Manager (npm) package was affected in the attack. For context, npm is like an app store for code, facilitating speedy development by enabling managing and reusing code instead of redoing everything. The confirmation on this was made by the Vercel security team in collaboration with GitHub, Microsoft, npm, and Socket. This disclosure comes on the heels of a bunch of Vercel's customers credentials getting attacked as the hacker got access to customers's API keys. Though the attack was initially aimed at the Context.ai. The "keys" (OAuth tokens), however, attached to the AI tool gave the attacker access to the employee's Google Workspace. And Vercel, being one of the organizations of the OAuth app, got dragged in. Despite npm being safe from getting attacked, Vercel didn't have a laid-back attitude. The Web3 infrastructure provider went ahead and added another layer of security with a minimum 2-step authentication method. The first was an authenticator app configuration, and the other was initiating a passkey. The Vercel team also noted, Deleting your Vercel projects or account is not sufficient to eliminate risk. Instead, they recommend reviewing and rotating unmasked "sensitive" environment variables. Additionally, the Vercel security team also urged customers to review and investigate the activity log. Applauding his team's move, Vercel's CEO Guillermo Rauch noted, Though everything looks clean on the surface, an important question pops up -- how, despite such a kind of attack, was nothing compromised? Notably, there were screenshots circulating on X concerning Vercel striking a deal to sell their company's internal database in return for $2 million USD. However, it's still unknown whether it was actually Vercel or the hacker who was manipulating the customers. This is because in another screenshot, Vercel clearly asked the exploiter to stop texting its employees. In conclusion, despite getting access to Google Workspace, the attacker was only able to majorly access non-sensitive variables, which were nothing but useless text. Lastly, the wrongdoer also couldn't rewrite the actual source code hosted on GitHub or GitLab. Hence, despite the attack, no major loss was incurred.
Vercel breach exposes the OAuth gap most security teams cannot detect, scope or contain - RocketNews
One employee at Vercel adopted an AI tool. One employee at that AI vendor got hit with an infostealer. That combination created a walk-in path to Vercel's production environments through an OAuth grant that nobody had reviewed.Vercel, the cloud platform behind Next.js and its millions of weekly npm downloads, confirmed on Sunday that attackers gained unauthorized access to internal systems. Mandiant was brought in. Law enforcement was notified. Investigations remain active. An update on Monday confirmed that Vercel collaborated with GitHub, Microsoft, npm, and Socket to verify that no Vercel npm packages were compromised. Vercel also announced it is now defaulting environment variable creation to "sensitive." Next.js, Turbopack, AI SDK, and all Vercel-published npm packages remain uncompromised after a coordinated audit with GitHub, Microsoft, npm, and Socket.Context.ai was the entry point. OX Security's analysis found that a Vercel employee installed the Context.ai browser extension and signed into it using a corporate Google Workspace account, granting broad OAuth permissions. When Context.ai was breached, the attacker inherited that employee's Workspace access, pivoted into Vercel environments, and escalated privileges by sifting through environment variables not marked as "sensitive." Vercel's bulletin states that variables marked sensitive are stored in a manner that prevents them from being read. Variables without that designation were accessible in plaintext through the dashboard and API, and the attacker used them as the escalation path.CEO Guillermo Rauch described the attacker as "highly sophisticated and, I strongly suspect, significantly accelerated by AI." Jaime Blasco, CTO of Nudge Security, independently surfaced a second OAuth grant tied to Context.ai's Chrome extension, matching the client ID from Vercel's published IOC to Context.ai's Google account before Rauch's public ...
Vercel breach exposes the OAuth gap most security teams cannot detect, scope or contain
One employee at Vercel adopted an AI tool. One employee at that AI vendor got hit with an infostealer. That combination created a walk-in path to Vercel's production environments through an OAuth grant that nobody had reviewed. Vercel, the cloud platform behind Next.js and its millions of weekly npm downloads, confirmed on Sunday that attackers gained unauthorized access to internal systems. Mandiant was brought in. Law enforcement was notified. Investigations remain active. An update on Monday confirmed that Vercel collaborated with GitHub, Microsoft, npm, and Socket to verify that no Vercel npm packages were compromised. Vercel also announced it is now defaulting environment variable creation to "sensitive." Next.js, Turbopack, AI SDK, and all Vercel-published npm packages remain uncompromised after a coordinated audit with GitHub, Microsoft, npm, and Socket. Context.ai was the entry point. OX Security's analysis found that a Vercel employee installed the Context.ai browser extension and signed into it using a corporate Google Workspace account, granting broad OAuth permissions. When Context.ai was breached, the attacker inherited that employee's Workspace access, pivoted into Vercel environments, and escalated privileges by sifting through environment variables not marked as "sensitive." Vercel's bulletin states that variables marked sensitive are stored in a manner that prevents them from being read. Variables without that designation were accessible in plaintext through the dashboard and API, and the attacker used them as the escalation path. CEO Guillermo Rauch described the attacker as "highly sophisticated and, I strongly suspect, significantly accelerated by AI." Jaime Blasco, CTO of Nudge Security, independently surfaced a second OAuth grant tied to Context.ai's Chrome extension, matching the client ID from Vercel's published IOC to Context.ai's Google account before Rauch's public statement. The Hacker News reported that Google removed Context.ai's Chrome extension from the Chrome Web Store on March 27. Per The Hacker News and Nudge Security, that extension embedded a second OAuth grant enabling read access to users' Google Drive files. Patient zero. A Roblox cheat and a Lumma Stealer infection Hudson Rock published forensic evidence on Monday, reporting that the breach origin traces to a February 2026 Lumma Stealer infection on a Context.ai employee's machine. According to Hudson Rock, browser history showed the employee downloading Roblox auto-farm scripts and game exploit executors. Harvested credentials included Google Workspace logins, Supabase keys, Datadog tokens, Authkit credentials, and the [email protected] account. Hudson Rock identified the infected user as a core member of "context-inc," Context.ai's tenant on the Vercel platform, with administrative access to production environment variable dashboards. Context.ai published its own bulletin on Sunday (updated Monday), disclosing that the breach affects its deprecated AI Office Suite consumer product, not its enterprise Bedrock offering (Context.ai's agent infrastructure product, unrelated to AWS Bedrock). Context.ai says it detected unauthorized access to its AWS environment in March, hired CrowdStrike to investigate, and shut down the environment. Its updated bulletin then disclosed that the scope was broader than initially understood: the attacker also compromised OAuth tokens for consumer users, and one of those tokens opened the door to Vercel's Google Workspace. Dwell time is the detail that should concern security directors. Nearly a month separated Context.ai's March detection from the Vercel disclosure on Sunday. A separate Trend Micro analysis references an intrusion beginning as early as June 2024 -- a finding that, if confirmed, would extend the dwell time to roughly 22 months. VentureBeat could not independently reconcile that timeline with Hudson Rock's February 2026 dating; Trend Micro did not respond to a request for comment before publication. Where detection goes blind Security directors can use this table to benchmark their own detection stack against the four-hop kill chain this breach exploited. What's confirmed vs. what's claimed Vercel's bulletin confirms unauthorized access to internal systems, a limited subset of affected customers, and two IOCs tied to Context.ai's Google Workspace OAuth apps. Rauch confirmed that Next.js, Turbopack, and Vercel's open-source projects are unaffected. Separately, a threat actor using the ShinyHunters name posted on BreachForums claiming to hold Vercel's internal database, employee accounts, and GitHub and NPM tokens, with a $2M asking price. Austin Larsen, principal threat analyst at Google Threat Intelligence, assessed the claimant as "likely an imposter." Actors previously linked to ShinyHunters have denied involvement. None of these claims has been independently verified. Six governance failures the Vercel breach exposed 1. AI tool OAuth scopes go unaudited. Context.ai's own bulletin states that a Vercel employee granted "Allow All" permissions using a corporate account. Most security teams have no inventory of which AI tools their employees have granted OAuth access to. CrowdStrike CTO Elia Zaitsev put it bluntly at RSAC 2026: "Don't give an agent access to everything just because you're lazy. Give it access to only what it needs to get the job done." Jeff Pollard, VP and principal analyst at Forrester, told Cybersecurity Dive that the attack is a reminder about third-party risk management concerns and AI tool permissions. 2. Environment variable classification is doing real security work. Vercel distinguishes between variables marked "sensitive" (stored in a manner that prevents reading) and those without that designation (accessible in plaintext through the dashboard and API). Attackers used the accessible variables as the escalation path. A developer convenience toggle determined the blast radius. Vercel has since changed its default: new environment variables now default to sensitive. "Modern controls get deployed, but if legacy tokens or keys aren't retired, the system quietly favors them," Merritt Baer, CSO at Enkrypt AI and former Deputy CISO at AWS, told VentureBeat. 3. Infostealer-to-SaaS-to-supply-chain escalation chains lack detection coverage. Hudson Rock's reporting reveals a kill chain that crossed four organizational boundaries. No single detection layer covers that chain. Context.ai's updated bulletin acknowledged that the scope extended beyond what was initially identified during its CrowdStrike-led investigation. 4. Dwell time between vendor detection and customer notification exceeds attacker timelines. Context.ai detected the AWS compromise in March. Vercel disclosed on Sunday. Every CISO should ask their vendors: what is your contractual notification window after detecting unauthorized access that could affect downstream customers? 5. Third-party AI tools are the new shadow IT. Vercel's bulletin describes Context.ai as "a small, third-party AI tool." Grip Security's March 2026 analysis of 23,000 SaaS environments found a 490% year-over-year increase in AI-related attacks. Vercel is the latest enterprise to learn this the hard way. 6. AI-accelerated attackers compress response timelines. Rauch's assessment of AI acceleration comes from what his IR team observed. CrowdStrike's 2026 Global Threat Report puts the baseline at a 29-minute average eCrime breakout time, 65% faster than 2024. Security director action plan Run both IoC checks today Search your Google Workspace admin console (Security > API Controls > Manage Third-Party App Access) for two OAuth App IDs. The first is 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com, tied to Context.ai's Office Suite. The second is 110671459871-f3cq3okebd3jcg1lllmroqejdbka8cqq.apps.googleusercontent.com, tied to Context.ai's Chrome extension and granting Google Drive read access. If either touched your environment, you are in the blast radius regardless of what Vercel discloses next. What this means for security directors Forget the Vercel brand name for a moment. What happened here is the first major proof case that AI agent OAuth integrations create a breach class that most enterprise security programs cannot detect, scope, or contain. A Roblox cheat download in February led to production infrastructure access in April. Four organizational boundaries, two cloud providers, and one identity perimeter. No zero-day required. For most enterprises, employees have connected AI tools to corporate Google Workspace, Microsoft 365 or Slack instances with broad OAuth scopes -- without security teams knowing. The Vercel breach is the case study for what that exposure looks like when an attacker finds it first.
How A Roblox Cheat Download Triggered A $2 Million Hack At Vercel
The Vercel Breach Started With A Roblox Cheat. It Ended With The Entire AI-Security Thesis. On a random day in February 2026, an employee at a small AI startup called Context.ai went looking for something on the internet. They were not trying to steal credentials or pivot into a billion-dollar cloud company. They were trying to cheat at Roblox. Specifically, according to Hudson Rock researchers who reverse-engineered the victim's browser history, the employee was searching for and downloading "auto-farm" scripts and game exploit executors, the kind of tool that automates grinding inside an online game. Hidden in one of those downloads was Lumma Stealer, one of the most widely distributed pieces of infostealer malware currently in circulation. What Lumma Stealer does is simple. It waits on the infected machine and quietly exfiltrates every credential the user's browser has ever saved. Google Workspace logins. API keys. Session cookies. OAuth tokens. It does not care which of those belong to a game account and which belong to a company email. It harvests everything and ships it to a criminal marketplace, where it sits until someone figures out what it is worth. For two months, those credentials sat in a database. Then someone noticed the email address belonged to a core engineer at Context.ai, a company that builds AI "Office Suite" agents on top of enterprise Google Workspace accounts. On April 19, 2026, Vercel confirmed that an attacker had used those credentials to breach Context.ai, steal the OAuth tokens of its customers, and pivot into the Google Workspace of a Vercel employee who had signed up for Context.ai's product and granted it "Allow All" permissions on their enterprise account. From there, the attacker moved into Vercel's internal systems and lifted customer environment variables that had not been flagged as sensitive. A threat actor then listed what they claimed was Vercel's internal database for sale on BreachForums at $2 million. One employee. One bad download. Two months later, a $2 million ransom listing against one of the most important cloud development platforms on the internet. This is what an AI supply-chain attack actually looks like. And this is why intelligence alone is no longer a moat. The part of this story that matters for enterprise software is not the malware. Infostealers have been around for years. The part that matters is the OAuth grant. Here is what happened in plain language. A Vercel employee wanted to try a promising new AI tool. They found Context.ai's "AI Office Suite," clicked the sign-up button with their work Google account, and when the permissions screen asked them to grant the tool access to their files and email, they clicked allow. The permissions box, as configured by Context.ai, requested broad read access to the user's entire Google Workspace environment, including Drive. The employee did what most employees do. They did not read the box. They clicked through. Months later, when the attacker took over Context.ai's infrastructure, that single OAuth grant became the bridge. The attacker did not need to hack Vercel. They needed to hack the AI startup whose software a Vercel employee had already given the keys to. Vercel's own post-incident language is worth reading: "The incident originated from a small, third-party AI tool whose Google Workspace OAuth app was the subject of a broader compromise, potentially affecting its hundreds of users across many organizations." Vercel has now rotated environment variables and changed the default setting so that new variables are marked "sensitive" by default. They are, in effect, assuming that the employees at their partner companies will continue to click through OAuth consent screens without reading them, because that is what employees do, and the only way to stop the bleeding is to stop trusting the upstream. The real story is not that Context.ai was sloppy. It is that the enterprise AI era has a trust problem that nobody priced in. For most of the last year, the loudest voices in the market have been declaring that SaaS is dying. AI agents will replace the apps. Workflows will collapse. Software budgets will rotate from seat-based licenses to AI compute. The Vercel breach is the data point that argues back. Here is the underlying claim the Vercel timeline makes: That is why Microsoft and Google Workspace are integrating AI directly into the products enterprises already trust, rather than letting a thousand AI startups build OAuth wrappers around the same data. It is why Oracle, whose revenue growth has surprised the market repeatedly over the last two quarters, keeps selling. A Fortune 500 company will always choose a legacy secure wall over a clever open door. The most valuable incumbents are the ones that already own the identity layer. That is what just got reconfirmed. For a pure-play on this thesis, the most obvious beneficiary is the cybersecurity stack that enterprises will now have to put between themselves and every AI tool their employees want to use. Palo Alto Networks is the clearest example. In the company's FY2025 results released August 18: In May 2025, Palo Alto acquired Protect AI and rolled its technology into a new platform called Prisma AIRS, designed specifically to scan AI models, monitor runtime behavior, manage AI agent identities, and govern the exact kind of third-party OAuth grant that caused the Vercel incident. In other words, they built a product for the attack pattern that was happening before they had a name for it. The logic is direct. Every new AI deployment inside a regulated enterprise now has to pass through a security review. Every security review needs a platform that can govern identity, runtime, and data flow across hundreds of third-party AI tools. A fragmented security stack of point solutions cannot do this, because the Vercel attack moved laterally across systems in a way a single-point tool would have missed. A platform that treats AI security as one problem, rather than twelve tools duct-taped together, is what the next decade of enterprise AI has to run on top of. Palo Alto is not the only company that will benefit. Microsoft benefits. CrowdStrike benefits. CyberArk, which Palo Alto has announced plans to acquire for identity security, benefits. Anyone who owns a piece of the identity or runtime security layer in the enterprise AI stack benefits. The Vercel breach is the starting gun, not the finish line. There is a useful thing to do with an event like this. Separate the part that is a story from the part that is a thesis. The story is that one bored engineer downloading a Roblox cheat script in February 2026 cost one of the most important cloud platforms on the internet enough data to attract a $2 million ransom demand. That is a great story. It will get retold at security conferences for a decade. The thesis is that every enterprise AI deployment now has to pay a security tax, and most of the market has not priced it in. OAuth grants persist. Infostealers are cheap. The list of third-party AI tools that any enterprise has accumulated in the last 18 months is long, loosely governed, and written in a language most CISOs cannot fully audit. The companies that will survive this era are not the ones with the smartest AI. They are the ones the enterprise already trusts enough to let inside the wall. For everyone else, the price of admission just went up.
Vercel Breach: How a Roblox Cheat Download Led to a $2M Data Heist Through AI Tool OAuth Abuse
Vercel, the cloud platform behind Next.js and one of the most widely used deployment infrastructures for modern web applications, confirmed on April 19, 2026 that attackers gained unauthorized access to its internal systems and compromised customer credentials. A threat actor claiming the ShinyHunters identity is attempting to sell the stolen data for $2 million on BreachForums, claiming access to customer API keys, source code, and database information. The attack chain is a case study in how AI tool adoption, overly permissive OAuth grants, and a single employee's poor security hygiene can cascade into a breach affecting potentially thousands of organizations. It started with a Roblox cheat download. It ended with customer secrets exposed across one of the internet's most critical deployment platforms. The Attack Chain: From Game Cheats to Enterprise Breach Phase 1: Lumma Stealer Infects a Context.ai Employee (February 2026) The breach did not start at Vercel. It started at Context.ai, a third-party AI office suite tool that builds agents trained on company-specific knowledge. According to research published by Hudson Rock on April 20, a Context.ai employee was infected with Lumma Stealer malware in February 2026. The infection vector was remarkably mundane: browser history logs indicate the employee was actively searching for and downloading Roblox "auto-farm" scripts and game exploit executors. These types of downloads are notorious distribution channels for infostealer malware. The Lumma Stealer infection harvested corporate credentials from the employee's machine, including Google Workspace credentials along with keys and logins for Supabase, Datadog, and Authkit. Hudson Rock states they obtained this compromised credential data over a month before the Vercel breach became public. Had the infostealer infection been identified and the exposed credentials revoked at that point, the entire downstream attack could have been prevented. Phase 2: Context.ai AWS Environment Compromised (March 2026) Using the stolen credentials, the attacker gained access to Context.ai's AWS environment. In a security advisory published on April 20, Context.ai confirmed unauthorized access to their infrastructure and stated that the attacker "likely compromised OAuth tokens for some of our consumer users." Context.ai described the breach as broader than initially believed, having first notified only one customer before realizing the scope extended further. The critical detail: Context.ai operates as a Google Workspace OAuth application. When users sign up for the platform, they grant it permissions to access their Google Workspace data. The OAuth tokens the attacker obtained from Context.ai's compromised AWS environment provided authenticated access to every Google Workspace account that had authorized the Context.ai application. Phase 3: Vercel Employee's Google Workspace Account Hijacked At least one Vercel employee had signed up for Context.ai's AI Office Suite using their Vercel enterprise Google account and granted it "Allow All" permissions. This is the pivot point where the breach jumped from an AI startup to one of the internet's most critical deployment platforms. Context.ai's own security notice stated plainly that "Vercel is not a Context customer, but it appears at least one Vercel employee signed up for the AI Office Suite using their Vercel enterprise account and granted 'Allow All' permissions. Vercel's internal OAuth configurations appear to have allowed this action to grant these broad permissions in Vercel's enterprise Google Workspace." Using the compromised OAuth token, the attacker took over the Vercel employee's Google Workspace account. From there, they gained access to Vercel's internal environments and customer environment variables that were not marked as "sensitive" in Vercel's system. Phase 4: Customer Data Accessed and Exfiltrated Once inside Vercel's internal systems, the attacker demonstrated what Vercel described as "surprising velocity and in-depth understanding of Vercel's systems." Vercel CEO Guillermo Rauch stated on X that the company believes the attacking group to be "highly sophisticated" and "strongly suspect, significantly accelerated by AI." The attacker accessed customer environment variables, the settings where developers store API keys, database credentials, signing keys, and other secrets needed to run their applications. Environment variables marked as "sensitive" in Vercel are encrypted at rest and cannot be read through the dashboard or API. Vercel stated they do not have evidence that sensitive-marked variables were accessed. However, environment variables not explicitly marked as sensitive were exposed. For many Vercel customers, this means API keys, database connection strings, third-party service tokens, and other production credentials may have been compromised. The threat actor then listed the stolen data for sale on BreachForums for $2 million, claiming it included access keys, source code, and databases. The real ShinyHunters group denied involvement in the breach to multiple publications, suggesting the listing may be from someone impersonating the well-known extortion operation. The Scale of Impact Vercel's Position in the Web Infrastructure Stack The severity of this breach extends beyond Vercel itself because of the platform's position in the modern web infrastructure stack. Vercel provides hosting and deployment infrastructure for millions of developers, with a dominant position in the JavaScript and React ecosystem. The company developed and maintains Next.js, one of the most widely used web frameworks. Its services include serverless functions, edge computing, and CI/CD pipelines that power production applications for companies across every industry. When Vercel customer environment variables are compromised, the blast radius extends to every service those variables authenticate against: databases, payment processors, AI model providers, cloud infrastructure accounts, and third-party APIs. A single compromised environment variable can grant an attacker the same access that the application itself holds. Crypto Projects Scramble to Rotate Credentials The breach has triggered particular urgency in the Web3 and cryptocurrency space, where many projects host critical wallet interfaces and dashboards on Vercel. Solana-based exchange Orca confirmed it uses Vercel but stated its on-chain protocol and user funds were not affected. Multiple other crypto teams are scrambling to rotate API keys and audit their code. This concern is well-founded. Environment variables in crypto applications often contain private keys, wallet credentials, and exchange API tokens. Exposure of these credentials could enable direct theft of funds, not just data access. Broader Downstream Risk Vercel warned that the Context.ai compromise is not limited to Vercel. The compromised OAuth application potentially affected "hundreds of users across many organizations." Any organization whose employees authorized the Context.ai Google Workspace OAuth application may be at risk of the same type of account takeover. Vercel published the OAuth application identifier (110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com) as an indicator of compromise. Google Workspace administrators across every organization should check whether this application was authorized in their environment. Why This Breach Matters The Shadow AI Problem This breach is a textbook example of what security practitioners call "shadow AI": employees adopting AI tools with corporate credentials without IT or security team approval, granting those tools broad access to enterprise systems. The Vercel employee who signed up for Context.ai did not go through a vendor security review. They signed up for an AI tool, authenticated with their corporate Google account, and clicked "Allow All" on the OAuth permissions dialog. That single action created a trust chain from an unknown third-party AI startup directly into Vercel's enterprise Google Workspace. When building the CIAM platform that scaled to serve over a billion users, we implemented strict OAuth scope management from the early days. Every third-party application requesting access to user data had to justify its permission scope, and overly broad permission grants were flagged and blocked. The lesson was clear then and it is clear now: OAuth is not just an authentication protocol. It is an authorization protocol, and the "Allow All" button is the most dangerous permission grant in modern enterprise security. The proliferation of AI tools has made this problem exponentially worse. Every AI assistant, AI office suite, AI code helper, and AI meeting summarizer that asks for Google Workspace access is creating exactly the type of trust chain that this breach exploited. Most organizations have no visibility into which AI tools their employees have authorized, what permissions those tools hold, or what data they can access. OAuth as an Attack Vector The Vercel breach demonstrates why OAuth has become one of the most consequential attack surfaces in cloud security. OAuth tokens are bearer credentials. Whoever possesses a valid OAuth token can act with the full permissions that token was granted, regardless of whether they are the original authorized user. When an organization like Context.ai stores OAuth tokens in its infrastructure, and that infrastructure is compromised, every token becomes accessible to the attacker. The tokens do not need to be cracked or brute-forced. They are valid, unexpired credentials that authenticate the bearer to the target service. The "Allow All" permissions grant compounds the problem. When a user authorizes an OAuth application with broad permissions, they are not just granting access to one specific dataset. They are creating a persistent credential that provides ongoing access to their entire workspace: emails, documents, calendar, contacts, and administrative functions. For organizations running Google Workspace, the defense is straightforward but requires proactive configuration. Administrators should restrict which third-party OAuth applications can be authorized, require approval for new OAuth grants, regularly audit existing OAuth grants for excessive permissions, and immediately revoke access for any application that is compromised or decommissioned. The Infostealer-to-Enterprise Pipeline The attack chain from Roblox cheats to enterprise breach follows a pattern that cybersecurity teams are seeing with increasing frequency. Infostealer malware targeting individuals creates a reservoir of compromised credentials that attackers later operationalize against corporate targets. Hudson Rock's timeline makes this painfully clear. The Context.ai employee was infected in February 2026. The credentials were harvested and available in criminal databases for over a month. The Vercel breach was disclosed in April. Had any monitoring system flagged the compromised credentials during that intervening month, the attack could have been stopped before it started. This is not an edge case. Infostealer infections are among the most common malware vectors globally. Lumma Stealer specifically has become one of the dominant credential-harvesting tools in the cybercriminal ecosystem. Credentials stolen by infostealers are systematically packaged, sold, and eventually used by more sophisticated threat actors for targeted operations. The path from a compromised personal device to an enterprise breach is now well-trodden. What Organizations Should Do Immediate Actions Check for the Context.ai OAuth application. Google Workspace administrators should immediately check whether the OAuth application identifier has been authorized in their environment. If it has, revoke access immediately and begin incident response procedures. Vercel customers: Rotate non-sensitive environment variables. If any environment variables contain secrets (API keys, tokens, database credentials, signing keys) that were not marked as "sensitive" in Vercel, those values should be treated as potentially exposed and rotated immediately. Review environment variable management as a priority. Audit recent Vercel deployments. Check for unexpected or suspicious deployments in your Vercel account. Review activity logs through the Vercel dashboard or CLI for any unauthorized actions. Delete any deployments that look suspicious. Enable Vercel's sensitive environment variables feature. Going forward, mark all secrets as "sensitive" so they are encrypted at rest and cannot be read through the dashboard or API. This Month Audit all OAuth grants in your Google Workspace. Use the Admin Console to review every third-party application that has been granted access. Remove any applications that are not actively used or officially approved. This should become a regular practice, not a one-time response to this breach. Implement OAuth application whitelisting. Configure your Google Workspace to restrict OAuth access to pre-approved applications only. This prevents employees from granting enterprise access to unapproved AI tools or other third-party services without IT review. Deploy infostealer monitoring. Services that monitor criminal marketplaces and credential databases for your organization's domains can provide early warning when employee credentials are compromised. The Context.ai credentials were available for over a month before being used. Detection during that window would have prevented the cascade. This Quarter Establish an AI tool governance policy. The shadow AI problem is not going away. Organizations need clear policies defining which AI tools employees can use with corporate accounts, what permission scopes are acceptable, and what review process new AI tools must go through before being authorized. This is not about blocking AI adoption. It is about managing the identity and access implications of AI adoption. Implement zero trust for environment variables and secrets. Secrets management should follow zero trust principles: short-lived credentials instead of permanent API keys, automatic rotation on a defined schedule, and segmentation so that compromise of one secret does not expose the entire environment. Tools like HashiCorp Vault, AWS Secrets Manager, or cloud-native secrets management should replace environment variables for production secrets wherever possible. Review your OAuth threat model. OAuth is not just a developer convenience. It is an attack surface. Every OAuth grant in your environment represents a trust relationship that an attacker can exploit if the third party is compromised. Map your OAuth dependencies, assess the risk each one represents, and build monitoring for anomalous OAuth token usage. The Bottom Line The Vercel breach traces a remarkably clear line from individual carelessness to enterprise compromise: a Context.ai employee downloads Roblox cheats, gets infected with Lumma Stealer, loses their corporate credentials, and those credentials are used to compromise Context.ai's infrastructure. Context.ai's compromised OAuth tokens give the attacker access to a Vercel employee's Google Workspace. The employee had granted the AI tool "Allow All" permissions. The attacker uses that access to reach Vercel's internal systems and access customer environment variables. A threat actor then lists the data for $2 million. Every link in this chain represents a failure of identity governance. Failure to detect an infostealer infection. Failure to restrict OAuth permissions. Failure to monitor third-party access tokens. Failure to enforce the principle of least privilege. Failure to separate sensitive from non-sensitive secrets in the deployment pipeline. The Vercel breach is not a story about a sophisticated zero-day exploit or a novel attack technique. It is a story about the consequences of granting broad permissions to third-party AI tools without understanding what those permissions mean. In 2026, when every employee has access to dozens of AI tools and each one requests OAuth access to corporate systems, this is the breach pattern that will define the era. The question for every organization is not whether their employees are using unauthorized AI tools with corporate credentials. They are. The question is whether the organization has the identity infrastructure, the OAuth governance, and the secrets management architecture to contain the inevitable compromise when one of those tools is breached. Key Takeaways * Vercel confirmed on April 19, 2026 that attackers gained unauthorized access to internal systems, with a threat actor selling stolen data for $2 million on BreachForums * The attack originated from a compromised Context.ai employee infected with Lumma Stealer malware after downloading Roblox game exploit scripts in February 2026 * The attacker used stolen credentials to compromise Context.ai's AWS environment and exfiltrate OAuth tokens for Google Workspace users * A Vercel employee had signed up for Context.ai's AI Office Suite using their enterprise Google account with "Allow All" OAuth permissions, creating the pivot point into Vercel's systems * Customer environment variables not marked as "sensitive" in Vercel were exposed, potentially including API keys, database credentials, and signing keys * Environment variables marked as "sensitive" are encrypted at rest and Vercel reports no evidence they were accessed * The compromised OAuth token was available for over a month before being operationalized, meaning early detection could have prevented the cascade * Vercel described the attacker as "highly sophisticated" with "surprising velocity," potentially accelerated by AI * The breach has critical implications for crypto projects hosting wallet interfaces on Vercel, with teams scrambling to rotate credentials * Context.ai's compromised OAuth application potentially affects hundreds of users across many organizations, not just Vercel * Google Workspace administrators should immediately check for OAuth application ID: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com * The breach highlights the shadow AI problem: employees granting enterprise OAuth access to unapproved AI tools without security review Related Reading on guptadeepak.com: * Machine Identity Management: The Complete Enterprise Guide - Why OAuth tokens, API keys, and service credentials are the fastest-growing attack surface * Authentication Best Practices for 2026 - Modern approaches to credential management and secrets rotation * Zero Trust Security Architecture - Implementing least-privilege access for cloud environments and third-party integrations * FIDO2 Implementation Guide - Phishing-resistant authentication that eliminates credential theft as an attack vector * What is CIAM? - Understanding identity governance across customer and enterprise contexts * Customer Identity Hub - Comprehensive resources on identity architecture and OAuth security * AI Agent Authentication and Security - How AI tool proliferation creates new identity attack surfaces * Passkeys at Scale: Enterprise Deployment Playbook - Eliminating the credential theft that started this breach chain Need help with AI visibility for your B2B SaaS? GrackerAI helps cybersecurity and B2B SaaS companies get cited by ChatGPT, Perplexity, and Google AI Overviews through Generative Engine Optimization. Deepak Gupta is the co-founder and CEO of GrackerAI. He previously founded a CIAM platform that scaled to serve over 1B+ users globally. He writes about AI, cybersecurity, and digital identity at guptadeepak.com.
Cloud platform Vercel says company breached through third-party AI tool
A cloud platform popular among developers announced a cyberattack this weekend that was traced back to a third-party AI tool installed on an employee's device. On Sunday, a hacker claimed to have internal databases and access to multiple employee accounts at Vercel. The hacker floated ideas of cascading global supply chain attacks through several important libraries owned by Vercel, including one that was already tangentially involved in another cyber incident in December. Vercel released a statement acknowledging a breach and warning a "limited subset of customers" that their Vercel credentials were compromised. The company has reached out to the affected customers and told them to rotate their credentials immediately. Vercel is still investigating to see if there are more customers impacted. The company said it traced the incident back to the compromise of Context.ai, a third-party AI tool used by a Vercel employee. "The attacker used that access to take over the employee's Vercel Google Workspace account, which enabled them to gain access to some Vercel environments and environment variables that were not marked as 'sensitive,'" Vercel explained. "Environment variables marked as 'sensitive' in Vercel are stored in a manner that prevents them from being read, and we currently do not have evidence that those values were accessed." Mandiant has been hired to assist with the investigation and law enforcement is now involved. Vercel claimed the attacker is "highly sophisticated based on their operational velocity and detailed understanding of Vercel's systems." Vercel warned that deleting Vercel projects or accounts is not enough to eliminate potential customer risk. The company said compromised secrets "may still provide access to production systems, so you must rotate them before deleting your projects or account." March incident Context.ai released its own response, explaining that their tool was meant to help people use AI agents to build presentations and spreadsheets. One feature was a browser extension that allowed the AI agent to "perform actions across their external applications." In March, Context.ai said it discovered and stopped a cyberattack involving unauthorized access to their AWS environment. The company hired CrowdStrike to investigate the attack and "informed a customer we identified as impacted." "Recently, based on information provided by Vercel and additional internal investigation, we learned that, during the incident last month, the unauthorized actor also likely compromised OAuth tokens for some of our consumer users," the AI company said. "We also learned that the unauthorized actor appears to have used a compromised OAuth token to access Vercel's Google Workspace." The impacted Vercel employee signed up for the Context.ai suite using their work account. Context.ai barbed that Vercel's internal authorization configurations "appear to have allowed this action to grant these broad permissions in Vercel's enterprise Google Workspace." Context.ai says it contacted other customers when informed of how Vercel was breached. Multiple cybersecurity research companies traced the breaches back to an infostealer infection on February 17 allegedly involving the device of a Context.ai employee. Cybersecurity firm Hudson Rock said logs show the employee was searching for Roblox game exploits, which are often laden with malware and infostealers specifically. Cequence Security CISO Randolph Barr said Vercel has a massive footprint in the developer community, particularly for modern web apps and workflows. "The bigger concern is the exposure of environment variables and tokens, which can open doors to follow-on access if teams don't move quickly to lock things down," he said. The hackers allegedly behind the incident claimed to be part of ShinyHunters, a noted cybercriminal organization behind several recent attacks. The group used its communications channels to deny its involvement in the Vercel breach. The hacker demanded a $2 million ransom. Vercel did not respond to requests for comment. Vercel CEO Guillermo Rauch said he believed the attackers were "significantly accelerated by AI" because they "moved with surprising velocity and in-depth understanding of Vercel." He urged all customers to rotate their credentials and monitor access to their Vercel environments and linked services.
AI-pwned: Vercel breach traced to stolen employee creds
CEO suspects silicon sidekick behind 'surprising velocity' breach - cyber crims shop stolen data for $2M Vercel's CEO reckons the crooks behind its recent breach likely had a helping hand from AI, saying the attackers moved with "surprising velocity" and a deep understanding of the company's infrastructure. In a public update following the incident, Guillermo Rauch reckons the intrusion began with a compromised employee account linked to Context.ai. An attacker used that access to hijack the employee's Vercel Google Workspace account to drill into the company's systems. From there, the hacker poked around environment variables - including ones not marked as sensitive - and used that to get deeper in. Rauch says the attacker may not have been working alone. "We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI," Rauch said. "They moved with surprising velocity and in-depth understanding of Vercel." Rauch didn't go into detail on the AI claim, saying only that the cyber baddies didn't hang about. They got in, found what they needed, and kept moving - no fancy exploit chain, just OAuth abuse and too much trust. Researchers at Hudson Rock point to a February infostealer infection as the likely starting point, with Lumma stealer malware lifting corporate credentials from an employee's machine. The same system was used to download Roblox "auto-farm" scripts and exploit tools - a common way these infections get a foothold. Vercel says customer environment variables are encrypted at rest, but it also allows some to be marked as "non-sensitive." That distinction looks to have mattered once the attacker got inside, giving them a set of values that didn't carry the same level of protection and were easier to sift through. So far, Vercel thinks the number of affected customers is "quite limited," and that it has contacted those at risk. It's also urging users to rotate credentials, keep an eye on access logs, and take another look at what they've marked as sensitive. Behind the scenes, Rauch says Vercel is working with external incident responders, industry peers, and law enforcement, with help from Google-owned Mandiant. Outside the company, the story is already taking on a life of its own. Researchers at OX Security claim data allegedly stolen in the breach is being offered for sale on BreachForums for $2 million, including API keys, deployment credentials, GitHub and npm tokens, and what's described as internal database records. The same listing reportedly includes a file containing details on hundreds of Vercel employees. The post carries the "ShinyHunters" name, but the group says it's not involved. That leaves the usual uncertainty about who's actually behind the listing. Vercel, for its part, published an update today saying it has confirmed that no npm packages published by Vercel had been compromised. "There is no evidence of tampering, and we believe the supply chain remains safe," the statement adds. For now, Vercel is in cleanup mode and telling customers to rotate credentials. If the attackers really were moving with AI in the loop, they didn't need much else beyond access that worked. ®
Vercel Data Breach Exposes Limited Internal Access Through Third-Party Tool
Cloud development platform Vercel has confirmed a security breach that allowed an attacker to access parts of its internal systems, tracing the incident back to a compromised third-party tool used by one of its employees. The company said the intrusion began with Context.ai, an external AI service integrated into an employee's workflow. Through that entry point, the attacker was able to take control of the employee's Google Workspace account, extending their reach into certain Vercel environments. According to the company, the access obtained did not include information classified as sensitive. The exposed data was limited to environments and variables that had not been marked under stricter security controls. Even so, the nature of the breach has raised concern, given the platform's role in supporting widely used development frameworks such as Next.js. Vercel described the attacker as highly capable, pointing to the speed and precision of the operation as signs of a deep familiarity with its internal systems. The company did not elaborate on how long the access persisted or when the breach was first detected. In response, Vercel has brought in incident response firm Mandiant alongside other cybersecurity partners. It is also coordinating with law enforcement and working directly with Context.ai to determine how the initial compromise occurred. The company said it has been in close contact with several major technology partners, including GitHub, Microsoft, npm, and Socket. It stressed that no npm packages were affected as a result of the breach, an assurance likely aimed at preventing wider concern across the developer ecosystem. The episode underscores how vulnerabilities can emerge not from core infrastructure but from tools layered around it. In this case, a single compromised account appears to have been enough to create a pathway into internal systems, even if only partially. Vercel has not indicated whether any user data was impacted, and no further technical details have been released so far. For now, the company's focus remains on understanding the scope of the breach and tightening the points where external services intersect with internal access. Read more: Titan 2 Elite Brings Physical Keyboards Back with Modern Power The incident leaves a narrow but notable mark on a platform trusted by a large share of the developer community, particularly those building modern web applications. How it addresses those trust concerns may matter as much as the technical response itself.
Everything we know about the Vercel data breach so far
An OAuth supply chain compromise saw 'non-sensitive' Vercel data compromised and some internal systems accessed Cloud development platform Vercel has confirmed it experienced a data breach after hackers claimed to have accessed its systems. The Vercel platform is best known for supporting frameworks like Next.js, used by around two-thirds of JavaScript developers. The attackers gained entry through the compromise of Context.ai, a third-party AI tool used by a Vercel employee. That access was then used to take over the employee's Google Workspace account, giving the hackers access to some Vercel environments and variables that weren't marked as 'sensitive'. "We assess the attacker as highly sophisticated based on their operational velocity and detailed understanding of Vercel's systems," the company said in a statement. "We are working with Mandiant, additional cybersecurity firms, industry peers, and law enforcement. We have also engaged Context.ai directly to understand the full scope of the underlying compromise." Vercel added that it worked closely with GitHub, Microsoft, npm, and Socket in the wake of the breach, stating that no npm packages were compromised. "There is no evidence of tampering, and we believe the supply chain remains safe," Vercel continued. Vercel said it has identified a number of customers whose non-sensitive environment variables - those that decrypt to plaintext - were compromised. The company has contacted affected customers and recommended an immediate rotation of credentials. Vercel added it will keep customers updated if it finds any evidence of further compromise. A threat group claiming to be ShinyHunters has claimed responsibility for the attack in a post on Telegram, offering data that includes access keys, source code, and databases for sale, along with access to internal deployments and API keys The attackers said they had been in touch with Vercel and were demanding a ransom of $2 million. However, Austin Larsen, principal threat analyst at Google Threat Intelligence, cast doubt on these claims in a post on LinkedIn. In this instance, the threat actors behind the attack could be bluffing. "It is likely this is an imposter attempting to use an established name to inflate their notoriety," he said. Vercel advised customers to add an additional layer of security by requiring at least two methods of authentication, configuring an authenticator app, and creating a passkey. The company emphasized that simply deleting a project or account won't work, as compromised secrets could still provide threat actors with access to production systems. Users are advised to rotate them first. Customers should also take advantage of the sensitive environment variables feature so that secret values are protected from being read in the future. Similarly, users are advised to review account activity logs and environments for suspicious activity, either through the dashboard or CLI. Other tips included: Vercel said the attack on Context's Google Workspace OAuth app was the subject of a "broader compromise, potentially affecting its hundreds of users across many organisations". Meanwhile, Context AI has confirmed that the hackers "likely compromised OAuth tokens for some of our consumer users". The firm said it in the process of contacting everyone identified as potentially impacted, with specific guidance on next steps. Jaime Blasco, CTO of Nudge Security, advised users to switch to an "admin-managed consent" model when dealing with third-party applications. "Start with OAuth consent. Most Google Workspace and Microsoft 365 environments are still configured to let any employee grant third-party apps access to their enterprise account," he said. "Inventory what you already have. OAuth grants accumulate, People try a tool, forget about it, leave the company, and the grant keeps living in the tenant with whatever scopes it asked for. Quarterly audits aren't enough especially when now we have agents using these grants. You need continuous visibility into who granted what, what scopes they granted, and whether the integration is even still being used."
Vercel Hack Confirmed Breach Linked to Third-Party AI Tool
The cloud platform Vercel has confirmed that attackers breached its internal systems, affecting a "limited subset" of customers and exposing some non-sensitive environment variables. In its official disclosure, Vercel said it was investigating the incident with external experts and had informed law enforcement. The company maintained that its core services remain operational and that it has contacted affected users. It urged them to rotate credentials and review their environment variables. How the breach happened: Attackers compromised Context.ai, a third-party AI tool, to gain access to Vercel. They took over an employee's Google Workspace account using a compromised OAuth token linked to Context's AI Office Suite. This access allowed attackers to move further into Vercel's systems and view environment variables that the company had not marked as "sensitive." The company said it protected sensitive variables and found no evidence of unauthorised access. CEO explains internal escalation: Vercel CEO Guillermo Rauch confirmed the sequence in an X post, stating: "Through a series of maneuvers that escalated from our colleague's compromised Vercel Google Workspace account, the attacker got further access to Vercel environments." He added: "We do have a capability, however, to designate environment variables as 'non-sensitive'. Unfortunately, the attacker got further access through their enumeration." Rauch described the attackers as "highly sophisticated" and said the company is focusing on investigation, customer communication, and strengthening security systems. Hackers claim stolen data, identity remains unclear: The disclosure followed a threat actor posting on a hacking forum claiming to be selling Vercel data, including access keys, source code, and database contents. The actor said they had access to "multiple employee accounts" and internal deployments. However, the hacker claimed links to the ShinyHunters group, which later denied involvement when cybersecurity outlet BleepingComputer contacted it. The authenticity of the leaked data has not been independently verified. Reports also indicate that the attacker shared a dataset of around 580 employee records and screenshots of internal dashboards, and claimed to be discussing ransom payments of up to $2 million, though Vercel has not confirmed any such negotiations. Context AI acknowledges earlier breach: Context.ai said the root incident occurred earlier in its now-deprecated AI Office Suite. Attackers gained unauthorised access to its AWS environment and compromised the OAuth tokens of some users. The company stated that one such token was used to access Vercel systems. It has since shut down the affected environment and is working with the cybersecurity firm CrowdStrike to assess the full impact. Context.ai added that its enterprise products, which run in customer-controlled environments, are not affected. What remains unclear: Vercel has not disclosed how many users were affected by the breach and is still investigating whether attackers exfiltrated any additional data. The company has confirmed that attackers did not compromise its open-source projects, including Next.js. The incident highlights the growing risks of supply-chain attacks, where breaching one service can open access to multiple platforms through linked accounts and integrations.
Vercel data breach: How hackers targeted the cloud company and offered its data for sale for $2 million - The Economic Times
American cloud development platform Vercel on Sunday confirmed a security breach allowing an attacker to gain unauthorised access to data for a "limited subset of customers". "We've identified a security incident that involved unauthorized access to certain internal Vercel systems. We are actively investigating, and we have engaged incident response experts to help investigate and remediate. We have notified law enforcement," the company wrote in a blogpost. What was the data breach about? The data breach occurred after a employee's Google Workspace account was compromised via a vulnerability at the third-party AI platform Context.ai. Vercel CEO Guillermo Rauch confirmed that hackers exploited this foothold to infiltrate internal systems with "surprising speed", suggesting the attackers likely used AI-driven tools to navigate the company's infrastructure and identify technical vulnerabilities. The intruders specifically targeted environment variables, focusing on those marked as 'non-sensitive,' a convenience feature now undergoing a rigorous security review. Although Vercel emphasises that sensitive data remained encrypted at rest and that the impact was limited to a small number of customers, the fallout has escalated into a high-stakes extortion attempt. The threat actor, identified by some as the group ShinyHunters, listed Vercel's data for sale on BreachForums for $2 million. The hackers claim to have exfiltrated source code, internal databases, and API keys. "Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms to protect core systems and customer data. We do have a capability however to designate environment variables as "non-sensitive". Unfortunately, the attacker got further access through their enumeration," CEO Rauch wrote in a post on X. Per The Information, last September, Vercel raised $300 million at a $9.3 billion valuation. How is Vercel currently tackling the breach? The company is prioritising investigation, customer communication, tightening security, and cleaning affected systems. Vercel has confirmed that core tools and projects such as Next.js and Turbopack remain secure and uncompromised. Vercel has partnered with Google's Mandiant team and law enforcement to investigate the full scope of the breach. The company has already begun rolling out new safeguards, specifically enhancing the visibility and control of environment variables within its dashboard. Rauch has committed to transforming this incident into a catalyst for the 'strongest security response possible' for the platform. "At the moment, we believe the number of customers with security impact to be quite limited. All of our focus right now is on investigation, communication to customers, enhancement of security measures, and sanitisation of our environments. We've deployed extensive protection measures and monitoring," Rauch added in his post. Further, Vercel has directly contacted affected individuals, advising them to immediately change their sensitive credentials, such as passwords and API keys, and monitor access logs to check if attackers have already accessed these keys and prevent further unauthorised activity.
Vercel data breach exposes SA developer community
Vercel - the US-based company behind Next.js, one of the most widely used web frameworks on the internet - has disclosed a security incident in which attackers gained access to internal systems via a compromised third-party artificial intelligence (AI) tool. The cloud-based platform automates deployment from code repositories, delivers sites via a global edge network for speed, and provides tools like serverless functions and preview environments, making it a popular choice for developers using React and similar technologies. According to Google, Vercel is used in South Africa and operates a data centre in Cape Town, as part of its Edge Network, ensuring low-latency hosting for local users. "We've identified a security incident that involved unauthorised access to certain internal Vercel systems," says the company in a statement. "We are actively investigating, and we have engaged incident response experts to help investigate and remediate. We have notified law enforcement and will update this page as the investigation progresses. The company says it initially identified a limited subset of customers whose non-sensitive environment variables stored on Vercel (those that decrypt to plaintext) were compromised. "We reached out to that subset and recommended an immediate rotation of credentials. We continue to investigate whether and what data was exfiltrated and we will contact customers if we discover further evidence of compromise. We've deployed extensive protection measures and monitoring. Our services remain operational." According to the company, the incident originated with a compromise of Context.ai, a third-party AI tool used by a Vercel employee. It explains that the attacker used that access to take over the employee's Vercel Google Workspace account, which enabled them to gain access to some Vercel environments and environment variables that were not marked as "sensitive". Environment variables marked as "sensitive" in Vercel are stored in a manner that prevents them from being read, and "we currently do not have evidence that those values were accessed," says the company. "We assess the attacker as highly-sophisticated based on their operational velocity and detailed understanding of Vercel's systems. We are working with Mandiant, additional cyber security firms, industry peers and law enforcement. We have also engaged Context.ai directly to understand the full scope of the underlying compromise. "In collaboration with GitHub, Microsoft, npm and Socket, our security team has confirmed that no npm packages published by Vercel have been compromised. There is no evidence of tampering, and we believe the supply chain remains safe." Lotem Finkelstein, research VP at Check Point Software Technologies, says while Vercel has stated that a limited number of customers were directly affected, the broader implications for organisations relying on Next.js are significant and still developing. He notes that given Next.js sees approximately six million weekly downloads, the potential blast radius for organisations is significant, and the story is still actively developing. "This is not a theoretical risk but an active security incident involving a widely used library, which significantly increases the potential impact," Finkelstein says. "Given its broad adoption, even a single compromise can quickly translate into large-scale exposure across organisations, so organisations need to make sure the right security measures are in place to prevent any exposure related to this library. "What makes incidents like this particularly challenging is the lack of immediate visibility - many organisations are not fully aware of where and how such dependencies are embedded across their environments, which can delay detection and response at scale."
Vercel Employee's AI Tool Access Led to Data Breach
In a cascading illustration of unintended consequences, threat actors compromised an AI tool vendor, then used that access this past weekend to compromise software security vendor Vercel, and possibly other organizations, downstream. Vercel yesterday disclosed it was breached via a third-party AI tool, Context.ai. While Vercel is not a Context customer, the attacker appears to have used a compromised OAuth token belonging to a Vercel employee who signed up for Context's AI Office Suite using their Vercel Google Workspace account, granting "Allow All" permissions in the process. In a security bulletin on its website, Vercel said that this "enabled [the attacker] to gain access to some Vercel environments and environment variables that were not marked as 'sensitive,'" the company said in its online statement. As Hudson Rock pointed out in a blog post, the Context attack was apparently caused by an employee downloading cheats for the popular online game Roblox, and one of these scripts apparently contained an infostealer. "No exploit. No zero-day," David Lindner, chief information security officer (CISO) of Contrast Security, tells Dark Reading. "Just an unsanctioned AI tool, an overpermissioned OAuth grant, and a gaming cheat download. Vercel is now working with Mandiant on a breach that a threat actor [allegedly ShinyHunters] is selling for $2 million. Your employees are doing the same things on their machines right now. The question is whether you know about it." "Operational Velocity, Detailed Understanding" Vercel noted that variables marked "sensitive" are stored in a way that prevents them from being read, and that the company has no evidence such variables were accessed. Vercel is working with Mandiant for its incident response alongside other security firms, peers, Context.ai itself, and law enforcement. "We assess the attacker as highly sophisticated based on their operational velocity and detailed understanding of Vercel's systems," the company said. Once Context learned of the OAuth theft, the company said it informed impacted customers along with next steps. "While we are continuing to assess this incident, the theft of the OAuth tokens occurred prior to the AWS environment being shut down," Context's notification read. Further expanding the downstream impact, Vercel identified a limited subset of customers whose Vercel credentials were compromised; the company contacted them and recommended immediate credential rotation. Only those contacted are believed to have been compromised at this time. Dark Reading asked Vercel whether accessed variables, even if they weren't marked "sensitive," may have contained sensitive data given customers were compromised. The company declined to respond directly but emphasized that it has "contacted customers that we believe could be at risk of being compromised." "We continue to investigate whether and what data was exfiltrated and we will contact customers if we discover further evidence of compromise," the spokesperson says. We've deployed extensive protection measures and monitoring. Our services remain operational. We will continue to keep the Security Bulletin updated as well." Context, meanwhile, shared its own security advisory yesterday concerning an attack against a deprecated legacy consumer product, the Context AI Office Suite. Context said that last month, it "identified and stopped" a breach involving unauthorized access to its AWS environment. While the company engaged CrowdStrike, conducted an investigation, closed the AWS environment, and took steps to fully deprecate the associated Office Suite product, Context learned through Vercel's breach and additional investigation that the unidentified actor "also likely compromised OAuth tokens for some of our consumer users." Context Bedrock, the company's current platform product, is unaffected. Dark Reading has contacted Context for additional information. Attacks Emphasize Importance of AI Data Security Although some key details remain unknown (a given since both incidents remain under investigation), the supply-chain incident calls attention to the risks posed by AI products when data security isn't appropriately locked down. AI tools require a wide range of permissions and privileges to work, meaning that without prioritizing segmentation, zero trust, and least privilege principles, organizations remain at increased risk. It is unclear if the Vercel employee's Context AI Office Suite instance was sanctioned or an example of "shadow AI," what happens when employees use AI tools without IT oversight. Either way, it acts as a reminder to create an AI governance framework and emphasize expectations for how AI can and cannot be deployed using company resources. Vercel's blog contains indicators of compromise and recommendations. Customers should review their activity log, review and rotate environmental variables, use the sensitive environment variables going forward, investigate recent deployments for unexpected or suspicious activity, ensure that "Deployment Protection" is set to at least Standard, and to rotate Deployment Protection tokens if set. Jaime Blasco, chief technology officer (CTO) at Nudge Security, tells Dark Reading that organizations who don't want something like this to happen to them should start with OAuth consent. "Most Google Workspace and Microsoft 365 environments are still configured to let any employee grant third-party apps access to their enterprise account. Move to admin-managed consent. New apps get reviewed before they can touch corporate data. That one change would have blocked a Vercel employee from granting Context.ai enterprise-wide scopes in the first place," Blasco says. "That being said, there are hundreds of SaaS platforms that allow Oauth grants to be created and most of them allow to block these grants or gate this functionality behind an enterprise license." OAuth: The New Attack Surface Blasco says OAuth tokens are "the new attack surface," as played out in the Salesloft Drift attack, Gainsight attack, and others. Attackers compromise a small AI or SaaS vendor, steal the OAuth tokens held on behalf of customers, and conduct additional attacks downstream. "None of this required a novel AI attack technique," he says. "Agentic AI makes it worse because these platforms sit at the center of a hub of OAuth grants with expansive scopes, usually at young companies without mature security programs behind them. OAuth is the new lateral movement. Until the industry treats OAuth tokens as high-value credentials, we're going to keep reading the same breach writeup with the vendor names swapped out." Guillaume Valadon, cybersecurity researcher at GitGuardian, says the mechanics of these attacks reflect "the same identity and credential problems we've been writing about for 15 years." "What AI has really changed is the distribution of trust: teams are wiring dozens of new SaaS integrations into their core identity providers and code hosts faster than they can vet them, and each one becomes a pre-authorized path that an attacker inherits the moment the vendor is popped," Valadon says. "APIs, tokens, and OAuth scopes are still the softest part of the stack -- AI didn't create that problem, it just massively expanded the surface that depends on it."
Developer tooling provider Vercel discloses breach that exposed some users' data - SiliconANGLE
Developer tooling provider Vercel discloses breach that exposed some users' data A hacker has stolen a limited amount of customer data from Vercel Inc., a major developer tooling provider. The company disclosed the incident late Sunday. Vercel, which received a $9.3 billion valuation last year, provides tools that help developers build web applications. It also operates cloud infrastructure that can be used to host those applications. Vercel's product suite is underpinned by Node.js, a popular open-source development framework. The company stated in a security bulletin that the breach started with an external product called Context.ai. It's a cloud platform that uses artificial intelligence to automate business tasks. Notably, it can be integrated with third-party services such as Google Workspace. According to the security bulletin, a hacker compromised Context.ai and used it to log into a Vercel staffer's Google Workspace account. The compromised account gave the threat actor access to some customers' environment variables. In Vercel deployments, an environment variable is a data structure that holds a single piece of information. That data snippet can be a secret such as a database password or encryption key. Vercel enables customers to secure secrets using a feature called sensitive environment variables. According to the company, the breach only compromised data points that didn't have the feature enabled. The fact that affected customers opted not to use the feature may suggest the compromised data wasn't particularly important, which may help limit the impact of the breach. However, it's also possible some impacted users simply forgot to enable it. Vercel estimates that the number of customers affected by the breach is "quite limited." However, the company noted that other users of Context.ai may also be affected. "Hudson Rock has evidence linking the Context AI breach to an infostealing malware, pinpointing a likely entry point for patient zero," said Aaron Walton, a senior threat intelligence analyst at venture-backed cybersecurity company Expel Inc. "Infostealers have emerged as one of the more consequential threats facing businesses today." The data trove stolen from Vercel reportedly included information about hundreds of employees. The hackers also gained access to a number of application programming interface keys, which serve a similar role to passwords. Some of those API keys are reportedly associated with GitHub repositories. Vercel employees help maintain the GitHub repository for Node.js, the popular development framework that powers the company's product portfolio. The software maker also maintains other open-source projects. Access to open-source projects can enable hackers to launch supply chain attacks with the potential to compromise a large number of developers. In a post on X, Vercel Chief Executive Officer Guillermo Rauch reassured users that "we've analyzed our supply chain, ensuring Next.js, Turbopack, and our many open source projects remain safe for our community." He added that the company has hired Google LLC's Mandiant cybersecurity services business to help it investigate the incident. Vercel is advising customers to replace their non-sensitive environment variables. Additionally, the company is recommending that administrators review activity logs for potential signs of malicious activity. As part of its response to the breach, Vercel has rolled out a dashboard that will make it easier for customers to manage and monitor environment variables.
Vercel Confirms Major Security Incident as Hacker Claims $2M Ransom Demand
Vercel confirms a security incident after a threat actor claims internal access and demands a $2M ransom, raising concerns about API keys, CI/CD pipelines, and cloud security. Cloud development platform Vercel has confirmed a security incident involving unauthorized access to internal systems, after a threat actor claimed to be selling stolen company data online. "We've identified a security incident that involved unauthorized access to certain internal Vercel systems," the company said in its advisory. Threat actor claims access to Vercel systems Vercel sits at the center of modern web development workflows, providing hosting, deployment, and serverless infrastructure for applications built with frameworks like Next.js. That position makes it a high-value target: access to internal systems could expose not just the platform, but also developer environments, CI/CD pipelines, and dependent production applications. According to BleepingComputer, the threat actor claims access to sensitive internal data, raising concerns about the exposure of credentials, source code, and deployment systems. The threat actor -- claiming affiliation with the ShinyHunters group -- alleges they are selling access to Vercel data, including API keys, database contents, and internal deployment infrastructure. In forum posts, the actor claimed to possess credentials such as GitHub and npm tokens, as well as access to multiple employee accounts that could be used to interact with internal systems. To support these claims, the attacker shared a sample dataset reportedly containing 580 employee records, including names, corporate email addresses, account status, and activity timestamps. A screenshot of what appears to be an internal enterprise dashboard was also posted. However, neither the dataset nor the screenshot has been independently verified, leaving uncertainty around the scope and authenticity of the alleged breach. If the claims prove accurate, the incident points to a potential compromise of systems tied to identity and access management or development workflows. Exposed API keys or tokens could allow attackers to access code repositories, manipulate deployment pipelines, or interact with production services -- effectively turning a single compromised entry point into broader control of the environment. The threat actor also claimed to have discussed a $2 million ransom demand with Vercel, though the company has not confirmed whether any such negotiations are taking place. Reducing risk from platform-level threats In response to potential credential exposure or unauthorized access, organizations should take steps to reduce risk and secure their environments. Issues affecting development platforms can extend beyond a single system, impacting pipelines, integrations, and production workloads. * Rotate and revoke all environment variables, API keys, and access tokens, prioritizing CI/CD pipelines and third-party integrations. * Enforce short-lived credentials and secure secret storage to reduce the risk of long-term credential exposure. * Audit and restrict access controls using the principle of least privilege, including tightening permissions for users, services, and integrations. * Monitor logs and enable anomaly detection to identify unusual API activity, deployments, or access patterns. * Validate the integrity of builds, dependencies, and deployments, and redeploy from known-good sources if compromise is suspected. * Segment environments and apply network controls to limit lateral movement and potential data exfiltration. * Test incident response plans with scenarios around credential-based and supply chain attacks. Together, these measures help organizations build resilience and contain potential incidents by reducing the blast radius of any single point of compromise. Shift toward platform-level attacks This incident reflects a broader shift, with attackers increasingly targeting developer platforms and cloud-native infrastructure as centralized points of access. Rather than focusing on individual applications, they aim to provide services that manage code, deployments, and credentials at scale. As organizations adopt more integrated and serverless architectures, the potential impact of a single compromise can extend across multiple systems.
