5 Sources
[1]
AI cloud company Vercel breached after employee grants AI tool unrestricted access to Google Workspace -- hacker seeking $2 million for stolen data
The culprit? An infostealer infection from a Roblox cheat download. Vercel, the cloud platform behind the widely used Next.js web framework, has acknowledged a security breach after an attacker compromised a third-party AI tool called Context.ai and used it to gain access to a Vercel employee's enterprise Google Workspace account. The breach exposed non-sensitive environment variables, and a threat actor operating under the ShinyHunters name has claimed responsibility, reportedly seeking $2 million for the stolen data. Vercel said it has engaged Google-owned incident response firm Mandiant, notified law enforcement, and contacted a limited subset of affected customers directly. According to Vercel's bulletin, the breach didn't start with them but instead with Context.ai, an enterprise AI platform that builds agents trained on company-specific knowledge. At least one Vercel employee had signed up for Context.ai's AI Office Suite using their corporate account and granted it "Allow All" OAuth permissions, Context.ai explained in its own security notice, which says that "Vercel's internal OAuth configurations appear to have allowed this action to grant these broad permissions in Vercel's enterprise Google Workspace." The attacker exploited that broad access to take over the employee's Vercel Google Workspace account and move laterally into internal systems. Cybersecurity firm Hudson Rock claims to have traced Context.ai's own compromise back further to an employee infected by Lumma Stealer malware after downloading Roblox game exploit scripts in February. The stolen credentials reportedly included Google Workspace logins along with keys for Supabase, Datadog, and Authkit, Hudson Rock reported, but Vercel hadn't independently confirmed this at the time of writing. Context.ai also acknowledged that it detected and blocked unauthorized access to its AWS environment in March, but said it later learned the attacker had also compromised OAuth tokens for some consumer users. 
Vercel described the attacker as "highly sophisticated based on their operational velocity and detailed understanding of Vercel's systems." The company said environment variables marked as "sensitive" are encrypted at rest and were not accessed, but that variables stored without that designation should be treated as potentially exposed. The company instructed customers to audit activity logs, rotate any API keys, tokens, or database credentials stored in non-sensitive environment variables, and review recent deployments for anything unexpected. Vercel has since rolled out new dashboard features, including an overview page for environment variables and an improved interface for managing sensitive variable settings. CEO Guillermo Rauch said on X that the company had analyzed its supply chain and confirmed that Next.js, Turbopack, and its other open source projects weren't affected.
[2]
Next.js developer Vercel warns customer creds compromised
Blames outfit called Context.ai, which reckons an agentic OAuth tangle caused the incident

Vercel, the company that created the open source Next.js web development framework, has a data leak that led to compromise of some customer credentials, and blamed an outfit called Context.ai for the mess. A Vercel security bulletin says that on April 19, the company "identified a security incident that involved unauthorized access to certain internal Vercel systems" and led to credential compromise for "a limited subset of customers." The company contacted those customers and "recommended an immediate rotation of credentials." "We continue to investigate whether and what data was exfiltrated and we will contact customers if we discover further evidence of compromise," the bulletin states, adding that the company has "deployed extensive protection measures and monitoring. Our services remain operational." Vercel has named the source of the mess: Context.ai has also published a security bulletin that reveals a March incident that saw it identify and stop a security incident involving unauthorized access to its AWS environment. Context.ai hired CrowdStrike to conduct an investigation, and closed its AWS rig. "Today, based on information provided by Vercel and some additional internal investigation, we learned that, during the incident last month, the unauthorized actor also likely compromised OAuth tokens for some of our consumer users," the company admitted. The company's consumer clients used a product called the AI Office suite that Context.ai describes as a "workspace designed to help users work with AI agents to build presentations, documents, and spreadsheets. The AI Office suite offered a feature that allowed consumer users to enable AI agents to perform actions across their external applications, facilitated via another 3rd-party service."
Back to Context.ai's bulletin, which says whoever attacked its systems "appears to have used a compromised OAuth token to access Vercel's Google Workspace. Vercel is not a Context customer, but it appears at least one Vercel employee signed up for the AI Office Suite using their Vercel enterprise account and granted 'Allow All' permissions." Context.ai thinks Vercel's internal OAuth configurations "appear to have allowed this action to grant these broad permissions in Vercel's enterprise Google Workspace." All of the actors in this mess made mistakes. Context.ai clearly didn't have great infosec. CrowdStrike's investigation appears to have missed a trick or two. Vercel didn't lock down its Google Workspace. And now the world has an example of an agentic AI product linking to third-party services and causing trouble, just the kind of risk infosec experts have warned about. ®
[3]
Vercel breach exposes the OAuth gap most security teams cannot detect, scope or contain
One employee at Vercel adopted an AI tool. One employee at that AI vendor got hit with an infostealer. That combination created a walk-in path to Vercel's production environments through an OAuth grant that nobody had reviewed.

Vercel, the cloud platform behind Next.js and its millions of weekly npm downloads, confirmed on Sunday that attackers gained unauthorized access to internal systems. Mandiant was brought in. Law enforcement was notified. Investigations remain active. An update on Monday confirmed that Vercel collaborated with GitHub, Microsoft, npm, and Socket to verify that no Vercel npm packages were compromised. Vercel also announced it is now defaulting environment variable creation to "sensitive." Next.js, Turbopack, AI SDK, and all Vercel-published npm packages remain uncompromised after a coordinated audit with GitHub, Microsoft, npm, and Socket.

Context.ai was the entry point. OX Security's analysis found that a Vercel employee installed the Context.ai browser extension and signed into it using a corporate Google Workspace account, granting broad OAuth permissions. When Context.ai was breached, the attacker inherited that employee's Workspace access, pivoted into Vercel environments, and escalated privileges by sifting through environment variables not marked as "sensitive." Vercel's bulletin states that variables marked sensitive are stored in a manner that prevents them from being read. Variables without that designation were accessible in plaintext through the dashboard and API, and the attacker used them as the escalation path.

CEO Guillermo Rauch described the attacker as "highly sophisticated and, I strongly suspect, significantly accelerated by AI." Jaime Blasco, CTO of Nudge Security, independently surfaced a second OAuth grant tied to Context.ai's Chrome extension, matching the client ID from Vercel's published IOC to Context.ai's Google account before Rauch's public statement. The Hacker News reported that Google removed Context.ai's Chrome extension from the Chrome Web Store on March 27. Per The Hacker News and Nudge Security, that extension embedded a second OAuth grant enabling read access to users' Google Drive files.

Patient zero. A Roblox cheat and a Lumma Stealer infection

Hudson Rock published forensic evidence on Monday, reporting that the breach origin traces to a February 2026 Lumma Stealer infection on a Context.ai employee's machine. According to Hudson Rock, browser history showed the employee downloading Roblox auto-farm scripts and game exploit executors. Harvested credentials included Google Workspace logins, Supabase keys, Datadog tokens, Authkit credentials, and the [email protected] account. Hudson Rock identified the infected user as a core member of "context-inc," Context.ai's tenant on the Vercel platform, with administrative access to production environment variable dashboards.

Context.ai published its own bulletin on Sunday (updated Monday), disclosing that the breach affects its deprecated AI Office Suite consumer product, not its enterprise Bedrock offering (Context.ai's agent infrastructure product, unrelated to AWS Bedrock). Context.ai says it detected unauthorized access to its AWS environment in March, hired CrowdStrike to investigate, and shut down the environment. Its updated bulletin then disclosed that the scope was broader than initially understood: the attacker also compromised OAuth tokens for consumer users, and one of those tokens opened the door to Vercel's Google Workspace.

Dwell time is the detail that should concern security directors. Nearly a month separated Context.ai's March detection from the Vercel disclosure on Sunday. A separate Trend Micro analysis references an intrusion beginning as early as June 2024 -- a finding that, if confirmed, would extend the dwell time to roughly 22 months. VentureBeat could not independently reconcile that timeline with Hudson Rock's February 2026 dating; Trend Micro did not respond to a request for comment before publication.

Where detection goes blind

Security directors can use this table to benchmark their own detection stack against the four-hop kill chain this breach exploited.

What's confirmed vs. what's claimed

Vercel's bulletin confirms unauthorized access to internal systems, a limited subset of affected customers, and two IOCs tied to Context.ai's Google Workspace OAuth apps. Rauch confirmed that Next.js, Turbopack, and Vercel's open-source projects are unaffected. Separately, a threat actor using the ShinyHunters name posted on BreachForums claiming to hold Vercel's internal database, employee accounts, and GitHub and NPM tokens, with a $2M asking price. Austin Larsen, principal threat analyst at Google Threat Intelligence, assessed the claimant as "likely an imposter." Actors previously linked to ShinyHunters have denied involvement. None of these claims has been independently verified.

Six governance failures the Vercel breach exposed

1. AI tool OAuth scopes go unaudited. Context.ai's own bulletin states that a Vercel employee granted "Allow All" permissions using a corporate account. Most security teams have no inventory of which AI tools their employees have granted OAuth access to. CrowdStrike CTO Elia Zaitsev put it bluntly at RSAC 2026: "Don't give an agent access to everything just because you're lazy. Give it access to only what it needs to get the job done." Jeff Pollard, VP and principal analyst at Forrester, told Cybersecurity Dive that the attack is a reminder about third-party risk management concerns and AI tool permissions.

2. Environment variable classification is doing real security work. Vercel distinguishes between variables marked "sensitive" (stored in a manner that prevents reading) and those without that designation (accessible in plaintext through the dashboard and API). Attackers used the accessible variables as the escalation path. A developer convenience toggle determined the blast radius. Vercel has since changed its default: new environment variables now default to sensitive. "Modern controls get deployed, but if legacy tokens or keys aren't retired, the system quietly favors them," Merritt Baer, CSO at Enkrypt AI and former Deputy CISO at AWS, told VentureBeat.

3. Infostealer-to-SaaS-to-supply-chain escalation chains lack detection coverage. Hudson Rock's reporting reveals a kill chain that crossed four organizational boundaries. No single detection layer covers that chain. Context.ai's updated bulletin acknowledged that the scope extended beyond what was initially identified during its CrowdStrike-led investigation.

4. Dwell time between vendor detection and customer notification exceeds attacker timelines. Context.ai detected the AWS compromise in March. Vercel disclosed on Sunday. Every CISO should ask their vendors: what is your contractual notification window after detecting unauthorized access that could affect downstream customers?

5. Third-party AI tools are the new shadow IT. Vercel's bulletin describes Context.ai as "a small, third-party AI tool." Grip Security's March 2026 analysis of 23,000 SaaS environments found a 490% year-over-year increase in AI-related attacks. Vercel is the latest enterprise to learn this the hard way.

6. AI-accelerated attackers compress response timelines. Rauch's assessment of AI acceleration comes from what his IR team observed. CrowdStrike's 2026 Global Threat Report puts the baseline at a 29-minute average eCrime breakout time, 65% faster than 2024.

Security director action plan

Run both IoC checks today

Search your Google Workspace admin console (Security > API Controls > Manage Third-Party App Access) for two OAuth App IDs. The first is 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com, tied to Context.ai's Office Suite. The second is 110671459871-f3cq3okebd3jcg1lllmroqejdbka8cqq.apps.googleusercontent.com, tied to Context.ai's Chrome extension and granting Google Drive read access. If either touched your environment, you are in the blast radius regardless of what Vercel discloses next.

What this means for security directors

Forget the Vercel brand name for a moment. What happened here is the first major proof case that AI agent OAuth integrations create a breach class that most enterprise security programs cannot detect, scope, or contain. A Roblox cheat download in February led to production infrastructure access in April. Four organizational boundaries, two cloud providers, and one identity perimeter. No zero-day required. For most enterprises, employees have connected AI tools to corporate Google Workspace, Microsoft 365 or Slack instances with broad OAuth scopes -- without security teams knowing. The Vercel breach is the case study for what that exposure looks like when an attacker finds it first.
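
The IoC check described above can also be run over exported OAuth token audit events. The following is an added example, not code from Vercel, Context.ai or any of the cited articles. It assumes the events are in the Admin SDK Reports API activity shape for the `token` application (`authorize` and `revoke` events carrying `client_id` and `scope` parameters); the users, timestamps and the third client ID are constructed sample data.

```python
"""Flag OAuth grants to the two Context.ai client IDs in Workspace token audit events."""
import json

# OAuth App IDs quoted in the article above.
IOC_CLIENT_IDS = {
    "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com":
        "Context.ai Office Suite",
    "110671459871-f3cq3okebd3jcg1lllmroqejdbka8cqq.apps.googleusercontent.com":
        "Context.ai Chrome extension",
}
# Scope prefixes treated as high impact here (an assumption; tune to your policy).
RISKY_SCOPE_PREFIXES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.",
)


def _act(time, email, name, client_id, scopes):
    """Build one constructed activity item in the assumed Reports API shape."""
    return {"id": {"time": time, "applicationName": "token"},
            "actor": {"email": email},
            "events": [{"name": name, "parameters": [
                {"name": "client_id", "value": client_id},
                {"name": "scope", "multiValue": scopes}]}]}


_OFFICE, _EXT = list(IOC_CLIENT_IDS)
_DRIVE_RO = "https://www.googleapis.com/auth/drive.readonly"
# Constructed sample events, deliberately out of chronological order.
SAMPLE_ACTIVITIES = [
    _act("2026-03-28T09:00:00.000Z", "bob@example.com", "revoke", _EXT, [_DRIVE_RO]),
    _act("2026-02-10T14:05:00.000Z", "alice@example.com", "authorize", _OFFICE,
         ["https://www.googleapis.com/auth/drive", "https://mail.google.com/",
          "https://www.googleapis.com/auth/calendar"]),
    _act("2026-03-01T08:30:00.000Z", "bob@example.com", "authorize", _EXT, [_DRIVE_RO]),
    _act("2026-03-05T11:00:00.000Z", "carol@example.com", "authorize",
         "000000000000-constructed.apps.googleusercontent.com", ["openid"]),
]


def _params(event):
    """Flatten a parameter list into {name: value or list of values}."""
    return {p["name"]: p.get("multiValue", p.get("value"))
            for p in event.get("parameters", [])}


def find_ioc_grants(activities, iocs=IOC_CLIENT_IDS):
    """Return one finding per (user, IoC client ID), still-active grants first."""
    grants = {}
    # Replay events oldest first so a later revoke overrides an earlier authorize.
    for item in sorted(activities, key=lambda a: a["id"]["time"]):
        user = item.get("actor", {}).get("email", "<unknown>")
        for event in item.get("events", []):
            p = _params(event)
            cid = p.get("client_id")
            if cid not in iocs:
                continue
            g = grants.setdefault((user, cid), {
                "user": user, "client_id": cid, "app": iocs[cid],
                "first_seen": item["id"]["time"], "scopes": set(), "active": False})
            scopes = p.get("scope") or []
            if isinstance(scopes, str):
                scopes = [scopes]
            if event.get("name") == "authorize":
                g["scopes"].update(scopes)
                g["active"] = True
            elif event.get("name") == "revoke":
                g["active"] = False
    findings = []
    for g in grants.values():
        g["scopes"] = sorted(g["scopes"])
        g["risky_scopes"] = [s for s in g["scopes"]
                             if s.startswith(RISKY_SCOPE_PREFIXES)]
        findings.append(g)
    return sorted(findings, key=lambda g: (not g["active"], g["user"]))


if __name__ == "__main__":
    print(json.dumps(find_ioc_grants(SAMPLE_ACTIVITIES), indent=2))
```

A revoked grant is still reported, because the article's criterion is whether either app ever touched the environment. Audit events only reach back as far as the log retention window, so the admin console view named above remains the check for older grants.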
[4]
'Highly Sophisticated,' AI-Powered Hackers Behind Vercel Breach: CEO - Decrypt
Many crypto frontends use Vercel to host their UI, with the company advising immediate credential rotation. Vercel's CEO said a "highly sophisticated," potentially AI-assisted hacking group was behind a recent security incident that exposed some customer credentials following a breach of internal systems. "We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI," CEO Guillermo Rauch tweeted, adding that the attackers "moved with surprising velocity and in-depth understanding of Vercel." The company, which is a cloud platform for developers, said Sunday it had identified unauthorized access to certain internal systems and was actively investigating. The incident affected a limited subset of customers whose credentials were compromised, prompting the company to advise immediate credential rotation. The breach originated from the compromise of Context.ai, a third-party AI tool used by a Vercel employee, which allowed attackers to take over the employee's Google Workspace account and gain access to some Vercel environments and non-sensitive environment variables. The disclosure highlights growing concerns about the security risks posed by third-party integrations and AI-powered tooling, as attackers increasingly exploit supply chain vulnerabilities to gain footholds inside organizations. Natalie Newson, CertiK senior blockchain security researcher, told Decrypt the event has triggered urgency among crypto developers specifically. "Because many crypto frontends use Vercel to host their UI, a breach can allow attackers to implant a wallet drainer. Users interacting with a trusted page won't be expecting anything malicious to occur," she said, adding that, "Exploits in the crypto space can lead to substantial financial losses." Even if smart contracts remain secure, front end compromises still pose risks.
"Front end compromises can be particularly damaging for end users," she noted, pointing to the CoW Swap incident in April in which one user saw $316k drained from their wallet. She said the rising trend of agentic AI has led to many users posting the latest apps and extensions to improve productivity and malicious actors are taking advantage of this trend. "Companies should be extra cautious when utilising new AI apps and extensions while reviewing internal security models to ensure that if a breach does occur the impact remains as limited as possible," she said. Rauch said the attack unfolded through "a series of maneuvers" beginning with the compromised employee account and escalating into broader access to internal environments. While Vercel stores customer environment variables encrypted at rest, the company allows some variables to be marked as non-sensitive, which the attackers were able to access. The company believes the number of affected customers is limited and said it has contacted those potentially impacted as a priority. Vercel has since deployed additional monitoring and protection measures, while also reviewing its supply chain to ensure the safety of projects such as Next.js and Turbopack. John Woods, CEO of Nillion, told Decrypt that "limited subset" usually means the observed affected-customer set appears limited so far, but it does not necessarily rule out broader internal movement or wider downstream risk. "In modern cloud platforms, blast radius is not only about how many customers were visibly impacted at first, but also about what the compromised systems could reach behind the scenes," Woods said. He recommended companies follow a variety of best practices to avoid this sort of situation. "Lock down OAuth grants, use least privilege, enforce strict controls around sensitive environment variables, separate frontend deployment from secret or signing authority, and monitor deployments and logs closely," he said. 
"For anyone whose credentials may have been taken, the immediate priority is to revoke access, rotate credentials, and review every system those credentials could reach," he added, noting that, "At a higher level, the lesson is to avoid architectures where one compromise can reach too much." It is not yet clear who is behind the attack. Screenshots have surfaced of a user with the name of the hacking group "ShinyHunters" claiming on a forum to have breached Vercel and to be selling access to company data, including source code, API keys and internal systems. The actor, who may also be impersonating ShinyHunters, also claimed to have discussed a $2 million ransom demand with the company. Vercel did not immediately respond to a request to confirm those claims.
[5]
Developer tooling provider Vercel discloses breach that exposed some users' data - SiliconANGLE
A hacker has stolen a limited amount of customer data from Vercel Inc., a major developer tooling provider. The company disclosed the incident late Sunday. Vercel, which received a $9.3 billion valuation last year, provides tools that help developers build web applications. It also operates cloud infrastructure that can be used to host those applications. Vercel's product suite is underpinned by Node.js, a popular open-source development framework. The company stated in a security bulletin that the breach started with an external product called Context.ai. It's a cloud platform that uses artificial intelligence to automate business tasks. Notably, it can be integrated with third-party services such as Google Workspace. According to the security bulletin, a hacker compromised Context.ai and used it to log into a Vercel staffer's Google Workspace account. The compromised account gave the threat actor access to some customers' environment variables. In Vercel deployments, an environment variable is a data structure that holds a single piece of information. That data snippet can be a secret such as a database password or encryption key. Vercel enables customers to secure secrets using a feature called sensitive environment variables. According to the company, the breach only compromised data points that didn't have the feature enabled. The fact that affected customers opted not to use the feature may suggest the compromised data wasn't particularly important, which may help limit the impact of the breach. However, it's also possible some impacted users simply forgot to enable it. Vercel estimates that the number of customers affected by the breach is "quite limited." However, the company noted that other users of Context.ai may also be affected.
"Hudson Rock has evidence linking the Context AI breach to an infostealing malware, pinpointing a likely entry point for patient zero," said Aaron Walton, a senior threat intelligence analyst at venture-backed cybersecurity company Expel Inc. "Infostealers have emerged as one of the more consequential threats facing businesses today." The data trove stolen from Vercel reportedly included information about hundreds of employees. The hackers also gained access to a number of application programming interface keys, which serve a similar role to passwords. Some of those API keys are reportedly associated with GitHub repositories. Vercel employees help maintain the GitHub repository for Node.js, the popular development framework that powers the company's product portfolio. The software maker also maintains other open-source projects. Access to open-source projects can enable hackers to launch supply chain attacks with the potential to compromise a large number of developers. In a post on X, Vercel Chief Executive Officer Guillermo Rauch reassured users that "we've analyzed our supply chain, ensuring Next.js, Turbopack, and our many open source projects remain safe for our community." He added that the company has hired Google LLC's Mandiant cybersecurity services business to help it investigate the incident. Vercel is advising customers to replace their non-sensitive environment variables. Additionally, the company is recommending that administrators review activity logs for potential signs of malicious activity. As part of its response to the breach, Vercel has rolled out a dashboard that will make it easier for customers to manage and monitor environment variables.
Vercel, the cloud platform behind Next.js, disclosed a security breach originating from Context.ai, a third-party AI tool. A Vercel employee granted the AI tool unrestricted OAuth permissions to their corporate Google Workspace account. When Context.ai was compromised through infostealer malware, attackers inherited those permissions and accessed Vercel's internal systems, exposing non-sensitive environment variables for a limited subset of customers.
Vercel, the cloud platform powering the widely used Next.js web framework, confirmed a security incident on April 19 that resulted in unauthorized access to internal systems and compromised customer credentials for a limited subset of users [1]. The Vercel breach didn't originate within the company's own infrastructure but through Context.ai, a third-party AI tool that builds agents trained on company-specific knowledge [2]. At least one Vercel employee had signed up for Context.ai's AI Office Suite using their corporate account and granted it "Allow All" OAuth permissions, creating an expansive attack surface [1].
The employee's decision to grant unrestricted access proved catastrophic when attackers compromised Context.ai and inherited those broad permissions. This unauthorized access to Google Workspace allowed the threat actor to take over the employee's Vercel Google Workspace account and move laterally into internal systems [1]. Context.ai acknowledged in its security bulletin that "Vercel's internal OAuth configurations appear to have allowed this action to grant these broad permissions in Vercel's enterprise Google Workspace" [2]. The OAuth token compromise enabled attackers to escalate privileges by accessing non-sensitive environment variables that weren't encrypted with Vercel's sensitive designation feature [3].

Cybersecurity firm Hudson Rock traced the third-party AI tool compromise back to an infostealer malware infection on a Context.ai employee's machine in February 2026 [1]. According to Hudson Rock's forensic analysis, the employee downloaded Roblox auto-farm scripts and game exploit executors, which delivered Lumma Stealer malware [3]. The harvested credentials included Google Workspace logins, Supabase keys, Datadog tokens, Authkit credentials, and the [email protected] account [3]. Context.ai detected unauthorized access to its AWS environment in March and hired CrowdStrike to investigate, but later learned the attacker had also compromised OAuth tokens for consumer users [1].
The breach exposed customer credentials stored as non-sensitive environment variables, though Vercel emphasized that variables marked as "sensitive" remain encrypted at rest and were not accessed [1]. CEO Guillermo Rauch described the attacker as "highly sophisticated and, I strongly suspect, significantly accelerated by AI," noting they "moved with surprising velocity and in-depth understanding of Vercel" [4]. A threat actor using the ShinyHunters name claimed responsibility and reportedly sought $2 million for the stolen data, though Google Threat Intelligence assessed the claimant as "likely an imposter" [3]. Vercel has engaged Mandiant, Google's incident response firm, notified law enforcement, and contacted affected customers directly [1].
This incident highlights escalating security risks from third-party integrations, particularly as agentic AI products link to external services. "Because many crypto frontends use Vercel to host their UI, a breach can allow attackers to implant a wallet drainer," explained Natalie Newson, CertiK senior blockchain security researcher [4]. The dwell time raises particular concern: nearly a month separated Context.ai's March detection from Vercel's Sunday disclosure, while a separate Trend Micro analysis references an intrusion potentially beginning as early as June 2024 [3]. John Woods, CEO of Nillion, recommended companies "lock down OAuth grants, use least privilege, enforce strict controls around sensitive environment variables, separate frontend deployment from secret or signing authority, and monitor deployments and logs closely" [4].
Vercel, which received a $9.3 billion valuation last year, provides developer tooling that helps build web applications and operates cloud infrastructure for hosting them [5]. The stolen data reportedly included information about hundreds of employees and API keys associated with GitHub repositories [5]. Access to these repositories could enable supply chain attacks with the potential to compromise numerous developers. However, Rauch confirmed that Next.js, Turbopack, AI SDK, and all Vercel-published npm packages remain uncompromised after a coordinated audit with GitHub, Microsoft, npm, and Socket [3]. Vercel now defaults environment variable creation to "sensitive" and has deployed new dashboard features for managing variable settings [3]. The company advises customers to audit activity logs and immediately rotate API keys and tokens stored in non-sensitive environment variables [2].