Vercel Data Breach Traced to Third-Party AI Tool

Summary
– Vercel experienced a security breach where attackers accessed internal systems and some customer credentials via a compromised third-party AI tool.
– The breach originated from a Context.ai employee’s compromised account, which the attacker used to access a Vercel employee’s Google Workspace.
– Attackers accessed non-sensitive environment variables in Vercel’s systems, prompting the company to advise affected customers to rotate all credentials.
– The cybercriminal group ShinyHunters claimed responsibility for the breach on a forum, though the authentic group later denied involvement.
– An initial infection via a Lumma stealer malware on a Context.ai employee’s machine is suspected as the primary cause of the broader compromise.
A recent security incident at cloud platform Vercel has highlighted the risks of third-party integrations. The breach, which exposed internal systems and a limited set of customer credentials, was traced back to a compromised AI tool used by an employee. This event underscores the critical importance of robust supply chain security and the dangers of overly permissive OAuth grants.
The intrusion began when attackers compromised Context.ai, a third-party AI office suite. They used this access to hijack a Vercel employee’s Google Workspace account. From there, the threat actors were able to infiltrate certain Vercel environments and access environment variables that were not designated as sensitive. Vercel CEO Guillermo Rauch confirmed that while the company encrypts all customer variables at rest, the attacker exploited the ability to label some as non-sensitive. Affected customers have been directly notified and advised to take immediate action, including rotating all credentials and deployment tokens, reviewing account logs, and leveraging the sensitive environment variables feature for future protection.
Investigators, including experts from Google Mandiant, determined the initial access vector was a compromised OAuth app linked to Context.ai. The app’s unique identifier has been publicly shared to help other organizations check for exposure. Security researchers have linked this identifier to a now-removed Chrome browser extension for Context.ai, which was delisted on March 27. This suggests Vercel is likely not the only victim, prompting warnings for all Google Workspace administrators to audit their systems.
In a separate advisory, Context.ai confirmed an earlier breach of its AWS environment. The company stated that unauthorized actors likely compromised OAuth tokens for some users during that incident. While Vercel is not a Context customer, at least one employee signed up for the AI suite using their corporate account and granted broad “Allow All” permissions. This action, combined with Vercel’s internal OAuth settings, allowed the attacker to pivot into Vercel’s enterprise Google Workspace.
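One way to run the audit recommended above, as an added example that is not from Vercel, Context.ai or Google: it scans Google Workspace token audit records for grants to a single OAuth client ID and reports which users still hold an unrevoked grant and which broad scopes they approved. The record shape is assumed to follow the Admin SDK Reports API token activity format; the client ID is a placeholder because the article does not quote the published identifier, and the broad-scope list and all sample records are constructed.

```python
# Placeholder: the article says the identifier was published but does not quote it.
SUSPECT_CLIENT_ID = "PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"
# Assumption: scopes treated as broad for triage; adjust to local policy.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/calendar",
}

def _rec(time, email, name, client_id, scopes):
    """Build one constructed record shaped like a Reports API token activity."""
    return {"id": {"time": time}, "actor": {"email": email},
            "events": [{"name": name, "parameters": [
                {"name": "client_id", "value": client_id},
                {"name": "scope", "multiValue": scopes}]}]}

# Constructed sample data, deliberately out of order; not real logs.
SAMPLE = [
    _rec("2026-03-28T09:00:00Z", "bob@example.com", "revoke", SUSPECT_CLIENT_ID, []),
    _rec("2026-03-01T10:00:00Z", "alice@example.com", "authorize", SUSPECT_CLIENT_ID,
         ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]),
    _rec("2026-03-02T11:00:00Z", "bob@example.com", "authorize", SUSPECT_CLIENT_ID,
         ["openid", "https://www.googleapis.com/auth/userinfo.email"]),
    _rec("2026-03-03T12:00:00Z", "carol@example.com", "authorize",
         "other-app.apps.googleusercontent.com", ["https://www.googleapis.com/auth/drive"]),
]

def _params(event):
    """Flatten an event's parameter list into a dict (multiValue wins over value)."""
    return {p["name"]: p.get("multiValue", p.get("value"))
            for p in event.get("parameters", [])}

def audit_grants(activities, client_id=SUSPECT_CLIENT_ID):
    """Return {user: {"scopes", "broad", "active"}} for grants to one client ID."""
    findings = {}
    # Replay events oldest-first so a later revoke clears an earlier authorize.
    for act in sorted(activities, key=lambda a: a["id"]["time"]):
        for ev in act.get("events", []):
            p = _params(ev)
            if p.get("client_id") != client_id:
                continue
            f = findings.setdefault(act["actor"]["email"],
                                    {"scopes": set(), "broad": set(), "active": False})
            if ev["name"] == "authorize":
                scopes = p.get("scope") or []
                scopes = set(scopes if isinstance(scopes, list) else [scopes])
                f["scopes"] |= scopes
                f["broad"] |= scopes & BROAD_SCOPES
                f["active"] = True
            elif ev["name"] == "revoke":
                f["active"] = False
    return findings
```

Users reported with `active` set and a non-empty `broad` set are the ones to prioritise for token revocation and credential rotation.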
The breach was subsequently claimed on BreachForums by an actor purporting to be the ShinyHunters group, who attempted to sell the data for a potential supply chain attack. The legitimate ShinyHunters have since denied involvement. Rauch described the attackers as highly sophisticated, suggesting their speed and precision were “significantly accelerated by AI.”
New analysis from Hudson Rock provides a possible origin for the Context.ai compromise. Evidence from a February 2026 Lumma stealer infection indicates a Context.ai employee with high-level access was infected while searching for game exploits. The stolen data included corporate credentials for Google Workspace, Supabase, and the critical support@context.ai account. This cache of developer and administrative tools gave the attackers the precise leverage needed to escalate privileges and ultimately pivot to Vercel’s infrastructure. Context.ai has updated its security advisory but has not yet detailed the initial access method. Vercel has implemented additional monitoring, involved law enforcement, and audited its supply chain to ensure the safety of its open-source projects.
(Source: Help Net Security)


