Cloud development platform Vercel said it is investigating the possible wider impact of a supply-chain attack that could affect “hundreds of users across many organizations.”
In an update to its security bulletin on the attack, which gave adversaries limited unauthorized access to its internal systems, it said:
“Our investigation has revealed that the incident originated from a small, third-party AI tool whose Google Workspace OAuth app was the subject of a broader compromise, potentially affecting its hundreds of users across many organizations.” – Vercel’s security bulletin updated late Wednesday.
From AI Tool to Internal Systems
Vercel confirmed earlier this week that attackers gained unauthorized access to its internal systems through a compromised third-party AI tool, in what security researchers are calling a textbook example of OAuth-enabled supply chain escalation.
Exposure was limited to environment variables that had not been marked as sensitive, and the investigation is ongoing with Google Mandiant, according to Vercel.
Vercel said it is “actively” updating its platform to harden cybersecurity defenses. Improvements include:
- Better environment variable management, with stronger defaults and improved safeguards.
- A new team-wide management and security overview of environment variables.
- An easier-to-use activity log, including deep-linking to filtered views and higher information density.
The breach, publicly disclosed April 19, originated at Context.ai, an AI productivity tool used by at least one Vercel employee who had connected the application to their corporate Google Workspace account. Vercel CEO Guillermo Rauch said in a statement that the attacker exploited that OAuth trust relationship to hijack the employee’s Google account and pivot into Vercel’s internal environments.
What the Attacker Actually Reached
Attacker access included developer-stored credentials such as API keys and access tokens that had not been explicitly marked as sensitive within Vercel’s platform. Exposure was limited to individual team accounts, not a single master key unlocking every customer’s credentials across the platform, according to Vercel.
The company confirmed its Next.js open-source framework and Turbopack projects were not affected. The company said it has notified affected customers and is continuing its investigation.
The Entry Point: Trust Abused
On Tuesday, Trend Micro researchers said the initial compromise occurred in February 2026 via Lumma Stealer malware — not through an unknown mechanism — giving the attacker a dwell time of approximately two months before public disclosure.
Context.ai said it identified and stopped unauthorized access to its AWS environment last month and later learned that compromised OAuth tokens included one used to access Vercel’s Google Workspace environment.
Peeling Back the Attack Details
A threat actor using the ShinyHunters name posted on BreachForums on April 19 claiming to possess Vercel’s internal database, source code, employee account data, and API keys, and listing the package for $2 million in Bitcoin, according to BleepingComputer reporting.
The posting included a file purportedly containing records for 580 Vercel employees. Vercel said it has not received any ransom communication, and representatives of the ShinyHunters group denied involvement. Investigators have not publicly attributed the attack.
Vercel said it is working with Google’s Mandiant incident response team, law enforcement and industry partners. The company also published an indicator of compromise tied to the malicious OAuth application and urged Google Workspace administrators to audit connected apps and permissions.
The indicator Vercel published is the OAuth client ID of the compromised app: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. Workspace administrators can search their connected-app inventory for this client ID and revoke any grant that matches.
The Bigger Risk: OAuth Sprawl
Security analysts said the incident reflects a broader pattern in which attackers target developer-adjacent tools, particularly those with broad OAuth permissions, as a pathway into enterprise environments.
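The audit Vercel asked Workspace administrators to run can be scripted against the Admin SDK Directory API, which lists every OAuth grant a user has issued and can revoke one by client ID. The script below is an added example, not code from Vercel, Context.ai or Google: it flags any grant matching the published client ID and, separately, any grant carrying a broad mail, Drive or directory scope, which is the pattern the analysts describe. The `tokens.list` and `tokens.delete` call shapes follow the real Directory API as exposed by google-api-python-client; the sample token data, the `BROAD_SCOPES` policy list and `FakeDirectoryService` are constructed so the script runs offline.

```python
"""Audit Google Workspace OAuth grants for a known-bad client ID and broad scopes.

Added example (not Vercel's, Context.ai's or Google's code). SAMPLE_TOKENS and
FakeDirectoryService are constructed stand-ins; swap in a real Directory API
client built with googleapiclient.discovery.build("admin", "directory_v1", ...).
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Client ID Vercel published as the indicator of compromise.
IOC_CLIENT_IDS = {
    "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com",
}

# Scopes that let a third-party app read mail, files or directory data; a grant
# like this turns a compromised vendor into a takeover of the user's account.
# Illustrative policy list (assumption), extend to match your own risk rules.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
}


@dataclass
class Finding:
    user: str
    client_id: str
    display_text: str
    reason: str  # "IOC_MATCH" or "BROAD_SCOPE"
    scopes: list[str] = field(default_factory=list)


def audit_tokens(user: str, items: list[dict]) -> list[Finding]:
    """Classify one user's grants (the `items` array returned by tokens.list)."""
    findings: list[Finding] = []
    for tok in items:
        cid = tok.get("clientId", "")
        scopes = list(tok.get("scopes", []))
        text = tok.get("displayText", "")
        if cid in IOC_CLIENT_IDS:
            findings.append(Finding(user, cid, text, "IOC_MATCH", scopes))
        elif BROAD_SCOPES.intersection(scopes):
            findings.append(Finding(user, cid, text, "BROAD_SCOPE", scopes))
    return findings


def audit_domain(service, users: list[str], revoke: bool = False) -> list[Finding]:
    """List every user's grants and optionally revoke the ones matching the IOC.

    tokens.delete invalidates the app's refresh token for that user, so the
    attacker can no longer mint access tokens from the stolen grant.
    """
    findings: list[Finding] = []
    for user in users:
        resp = service.tokens().list(userKey=user).execute()
        user_findings = audit_tokens(user, resp.get("items", []))
        for f in user_findings:
            if revoke and f.reason == "IOC_MATCH":
                service.tokens().delete(userKey=user, clientId=f.client_id).execute()
        findings.extend(user_findings)
    return findings


# Constructed sample data, not real Workspace records.
SAMPLE_TOKENS = {
    "dev@example.com": [
        {"clientId": "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com",
         "displayText": "Example AI Assistant",
         "scopes": ["https://www.googleapis.com/auth/userinfo.email",
                    "https://mail.google.com/"]},
        {"clientId": "111111111111-calendarsync.apps.googleusercontent.com",
         "displayText": "Calendar Sync",
         "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    ],
    "ops@example.com": [
        {"clientId": "222222222222-driveexport.apps.googleusercontent.com",
         "displayText": "Drive Export",
         "scopes": ["https://www.googleapis.com/auth/drive"]},
    ],
}


class _Call:
    def __init__(self, fn):
        self._fn = fn

    def execute(self):
        return self._fn()


class FakeDirectoryService:
    """Offline stand-in for service.tokens().list(...) / .delete(...)."""

    def __init__(self, tokens_by_user: dict[str, list[dict]]):
        self.tokens_by_user = {u: list(t) for u, t in tokens_by_user.items()}
        self.revoked: list[tuple[str, str]] = []

    def tokens(self):
        return self

    def list(self, userKey: str):
        items = self.tokens_by_user.get(userKey, [])
        return _Call(lambda: {"kind": "admin#directory#tokenList", "items": items})

    def delete(self, userKey: str, clientId: str):
        def run():
            self.tokens_by_user[userKey] = [
                t for t in self.tokens_by_user[userKey] if t["clientId"] != clientId]
            self.revoked.append((userKey, clientId))
            return ""
        return _Call(run)


if __name__ == "__main__":
    svc = FakeDirectoryService(SAMPLE_TOKENS)
    for f in audit_domain(svc, list(SAMPLE_TOKENS), revoke=True):
        print(f"{f.reason:11} {f.user:18} {f.display_text!r} {f.client_id}")
    print("revoked:", svc.revoked)
```

Against a live tenant, run it first with `revoke=False` and review the `BROAD_SCOPE` findings by hand: those grants are not known-bad, but each one is a vendor whose compromise would give an attacker the same foothold the Context.ai grant gave here. Listing tokens requires a service account with domain-wide delegation for the `admin.directory.user.security` scope.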
Trend Micro researchers described the attack chain as part of a broader 2026 convergence of incidents targeting credentials stored across CI/CD pipelines, package registries, and deployment platforms.
Vercel said it will continue updating its public security bulletin as new details emerge.