On April 19, 2026, Vercel - the hosting platform behind Next.js, Turbopack, and a significant portion of the modern web - confirmed a security incident in which an unauthorized actor gained access to internal systems, customer environments, and a subset of environment variables. Within hours, a threat actor claiming affiliation with ShinyHunters was listing stolen Vercel data on BreachForums with a $2 million asking price.
The root cause wasn't a zero-day in Vercel. It wasn't phishing against a Vercel engineer. It was a third-party AI productivity tool - Context.ai - that one employee had connected to their corporate Google Workspace account months earlier with "Allow All" OAuth consent. When Context.ai was breached, that single OAuth token became a bridge straight into Vercel's internal environment.
CEO Guillermo Rauch described the attackers as "highly sophisticated and, I strongly suspect, significantly accelerated by AI," moving with "surprising velocity and in-depth understanding of Vercel."
This is the anatomy of an OAuth supply-chain compromise - and why identity, not the network, is now the perimeter.
Timeline of the Attack
| Date / Time | Event |
|---|---|
| Feb 2026 | A Context.ai employee workstation is infected with Lumma Stealer, exfiltrating Google Workspace credentials, Supabase keys, Datadog keys, and Authkit logins |
| Mar 2026 | Unauthorized actor gains access to Context.ai's AWS environment; Context detects and blocks the intrusion, engages CrowdStrike for forensics |
| Mar 2026 | Attacker silently compromises OAuth tokens belonging to Context.ai's consumer AI Office Suite users |
| Apr 19, 02:02 AM ET | "ShinyHunters" persona posts a BreachForums listing claiming access to Vercel internal systems, source code, npm and GitHub tokens |
| Apr 19, morning | Attacker contacts Vercel staff directly via "VercelCloud" handle on Telegram/DM; Vercel publishes initial security bulletin |
| Apr 19, 11:04 AM PST | Vercel publishes OAuth Client ID as an Indicator of Compromise (IOC) for community investigation |
| Apr 19, 06:01 PM PST | Vercel updates bulletin with attack-origin attribution and remediation guidance |
| Apr 20, 04:08 AM UTC | CEO Guillermo Rauch publicly names Context.ai as the third-party source of compromise |
| Apr 20 | Crypto projects hosted on Vercel begin emergency API-key rotations; Context.ai publishes its own security update |
The Attack Chain, Visualized
The intrusion walked across four independent security boundaries - each one a commonly overlooked trust relationship in modern SaaS environments.
┌──────────────────────┐ Lumma ┌──────────────────────┐
│ Context.ai │ Stealer │ Context.ai AWS │
│ Employee Laptop ├─────────────▶│ (Consumer AI Suite) │
│ (Feb 2026) │ credentials │ breached Mar 2026 │
└──────────────────────┘ └──────────┬───────────┘
│
│ Exfiltrate OAuth
│ refresh tokens
▼
┌──────────────────────┐ "Allow All" ┌──────────────────────┐
│ Vercel Employee │ OAuth grant │ Attacker-Controlled │
│ Google Workspace │◀───────────────┤ OAuth Token Replay │
│ (enterprise SSO) │ │ Client ID: 110671.. │
└──────────┬───────────┘ └──────────────────────┘
│
│ Google SSO trust
▼
┌──────────────────────┐ ┌──────────────────────┐
│ Vercel Internal │ enumerate │ Customer Projects │
│ Dashboard & Admin ├───────────────▶│ + Non-Sensitive │
│ Console │ env vars │ Environment Vars │
└──────────────────────┘ └──────────────────────┘
Each hop in the chain was "normal behavior" from the perspective of the system being attacked. No malware landed on Vercel. No exploit ran. The attacker just used valid tokens - which is exactly why traditional EDR, WAF, and CSPM tooling didn't catch it.
Stage 1 - The Initial Breach at Context.ai
Context.ai's AI Office Suite is a consumer product launched in June 2025 that lets AI agents take actions across third-party apps via OAuth. Users sign in with Google (or Microsoft) and grant the suite broad scopes: Gmail, Drive, Calendar, Contacts, and Workspace admin APIs.
In February 2026, a Context.ai employee's machine was infected with Lumma Stealer - the infostealer responsible for a massive share of 2024–2026 browser-token theft before Microsoft's takedown operation against its C2 infrastructure. Lumma specialises in dumping:
- Browser-stored cookies (including Google session cookies)
- Saved passwords and autofill vaults
- OAuth refresh tokens left in plaintext config files
- Cloud CLI credential caches (
~/.aws/credentials,gcloudtokens)
The stolen credentials reportedly included Google Workspace access plus keys to Supabase, Datadog, and Authkit - giving the attacker a full map of Context.ai's production stack.
By March 2026, that access was used to pivot into Context.ai's AWS environment. Context detected the intrusion, engaged CrowdStrike, and believed the incident was contained. What they didn't realise until weeks later was that the attacker had already copied consumer OAuth tokens - including refresh tokens that remained valid even after Context.ai reset its internal credentials.
Stage 2 - The Pivot Into Vercel
This is the hop that matters most for every SaaS engineering team reading this.
At some point before the breach, a Vercel employee signed up for Context.ai's AI Office Suite using their corporate Vercel Google Workspace account. During OAuth consent, they clicked "Allow All" on the permission screen.
Two critical configuration gaps converged here:
| Weakness | What Went Wrong |
|---|---|
| OAuth app allowlisting in Google Workspace | Vercel's Workspace did not restrict which third-party OAuth apps employees could connect to enterprise accounts |
| Scope granularity | Context.ai's consent screen requested blanket Workspace permissions rather than minimum-scope access |
| Token lifetime | Google refresh tokens remain valid indefinitely unless explicitly revoked or the underlying password changes |
| Lack of token-use anomaly detection | No alert fired when the refresh token was replayed from a new IP / ASN weeks later |
When the attacker replayed the stolen refresh token, Google's OAuth infrastructure - behaving exactly as designed - issued a fresh access token for the Vercel employee's Workspace account. From Vercel's perspective, a legitimate employee simply logged in.
The IOC Vercel later published to help other tenants hunt for cross-contamination:
OAuth Client ID:
110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com
Any Google Workspace administrator should search their Security > Investigation Tool logs for authorization events involving that client ID, revoke any active grants, and audit the affected user's token usage for the last 90 days.
Stage 3 - Lateral Movement Into Vercel's Internal Environment
With the employee's Workspace session established, the attacker inherited everything that account could reach via Google SSO:
- Vercel's internal dashboard
- The team's project list and deployment history
- Environment variables not flagged as "sensitive"
- Source-code previews rendered inside the Vercel UI
- Integration tokens for connected services (GitHub, Slack, Datadog, Sentry, etc.)
Vercel's bulletin confirmed that environment variables marked Sensitive (which are stored encrypted and cannot be re-read through the dashboard) were not accessed. However, any env var left at the default "plaintext" level - which in most Next.js projects includes things like database URLs, Stripe publishable keys, analytics keys, feature flags, and internal API endpoints - was fair game.
The attacker's ShinyHunters-branded BreachForums listing claimed additionally:
- Access keys and source code from multiple internal repositories
- Several employee accounts with deployment privileges
@vercelnpm tokens (the doomsday scenario for Next.js supply chain)- GitHub tokens linked to Vercel integrations
- Internal user-table schema (a partial screenshot was posted as proof)
Rauch later stated after a supply-chain audit: "Next.js, Turbopack, and Vercel's open-source projects remain safe." But the potential blast radius - Next.js alone sees roughly 6 million weekly npm downloads - is why the crypto and Web3 community in particular spent April 20 rotating every secret in sight.
Stage 4 - Extortion and Public Pressure
Rather than quietly monetising the access, the threat actor chose a high-visibility extortion play:
- Asking price: $2,000,000 USD
- Negotiable floor: $500,000 in Bitcoin
- Pressure tactic: direct DM contact with Vercel employees from the "VercelCloud" handle
- Proof of breach: screenshots of internal Vercel admin UI and user-table schema posted publicly
This mirrors ShinyHunters' standard extortion playbook from the AT&T, Wattpad, and Tokopedia breaches - though the group itself has publicly distanced itself from this specific incident, suggesting either an affiliate operation or a reputation-borrowing copycat.
Why This Matters for Engineering Teams
The Vercel incident is a near-perfect case study for three compounding trends reshaping enterprise attack surface:
1. SaaS-to-SaaS OAuth is the new lateral-movement highway
The average enterprise now has hundreds of OAuth grants across Google Workspace and Microsoft 365 - many from AI productivity tools that employees signed up for during 2024–2026 without IT review. Each of those grants is a persistent, password-independent backdoor into corporate data. A breach of any one of those vendors becomes a breach of every tenant that granted them broad scopes.
2. Infostealers industrialise the initial access
Lumma, Redline, and Remus (Lumma's 64-bit successor) turn a single employee click into a complete credential dump within seconds. The February 2026 Lumma infection of one Context.ai employee ultimately compromised a Fortune-500 hosting provider two months later. There is no patch for this - only token hygiene, device health attestation, and phishing-resistant MFA.
3. "Non-sensitive" environment variables are a fiction
Most teams treat env-var sensitivity as a binary: secrets go in a vault, everything else is config. In practice, "non-sensitive" env vars routinely leak:
- Internal API base URLs (map of the backend)
- Feature flag keys (reveal unreleased features)
- Analytics project IDs (enable cross-site tracking)
- Publishable keys (useful for chaining into related attacks)
- Third-party service identifiers that reveal vendor topology
In the Vercel breach, these were the only variables accessed - and for many customers, that was still enough to force a full credential rotation.
Detection: Hunting for the Same Attack in Your Own Stack
If you run Google Workspace, run these hunts now:
Admin Console Queries
# Google Workspace Security Investigation Tool
# Filter: OAuth Token Events
application_name = "OAuth Token"
client_id = "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"
Broader Third-Party OAuth Audit
| Check | Command / Path |
|---|---|
| List all third-party OAuth grants | Admin Console → Security → API Controls → App Access Control |
| Revoke stale grants (no use in 30 days) | Mark as blocked, force re-auth under new policy |
| Export token activity for last 90 days | Security Investigation Tool → User Log Events → token |
| Alert on new OAuth grants by enterprise users | Rule: event_name = "authorize" and app_type = "WEB" |
Vercel-Specific Actions
- Rotate every environment variable in projects touched between Feb 2026 and Apr 19, 2026 - sensitive or not
- Re-flag all non-sensitive variables that contain anything other than pure public config as Sensitive
- Enable Deployment Protection at Standard or higher, and rotate Deployment Protection tokens
- Review deployment logs for unexpected preview deployments, new team members, or modified build commands
- Rotate any integration tokens (GitHub App installation tokens, Slack webhooks, Sentry DSNs) visible in the Vercel UI
The Broader Pattern: OAuth Abuse Incidents in the Last 18 Months
The Vercel–Context.ai chain is not a one-off. It fits a clear 2024–2026 pattern:
| Incident | Initial Vector | Pivot Target | Scope of Impact |
|---|---|---|---|
| Midnight Blizzard → Microsoft (2024) | Legacy OAuth test app with excessive privilege | Microsoft corporate M365 | Source-code repos, exec mailboxes |
| Snowflake customer breaches (2024) | Infostealer-harvested credentials, no MFA enforced | Downstream tenants (Ticketmaster, AT&T, etc.) | Hundreds of millions of customer records |
| Salesloft / Drift (Aug 2025) | Compromised Drift chatbot OAuth → Salesforce | Downstream SaaS tenants | Multiple enterprise Salesforce orgs |
| Context.ai → Vercel (Apr 2026) | Lumma Stealer → OAuth refresh tokens | Vercel Google Workspace → internal dashboard | Subset of customer env vars, possible npm/GitHub token exposure |
The common thread: the identity layer is the attack surface. Network controls, EDR, and code-level scanning don't see these intrusions because nothing malicious ever touches the target's own infrastructure.
How Nebula Detects This Attack Class
Breachline's Nebula platform is built specifically to find the identity, token, and supply-chain weaknesses that lead to incidents like this - before an attacker does.
OAuth & Identity Surface Mapping
Nebula continuously enumerates third-party OAuth grants across your Google Workspace / Microsoft 365 tenant, flags over-privileged consent scopes, and simulates token-replay attacks from untrusted network locations.
Environment Variable Intelligence
For Vercel, Netlify, AWS Amplify, and Cloudflare Pages deployments, Nebula classifies every environment variable by content signature - catching "non-sensitive" variables that actually contain API keys, JWTs, or URLs to internal services.
Supply-Chain Analysis
Nebula's supply_chain_scan capability checks both your package dependencies and your SaaS dependency graph - the vendors, OAuth apps, and integrations that have standing access to your data. When one of those vendors discloses a breach (as Context.ai did on April 19), you get a prioritised list of affected tokens to rotate.
Continuous Authorization Testing
For each application, Nebula systematically tests:
- Token replay from new IPs / ASNs / devices
- Scope creep across connected integrations
- Session-fixation and refresh-token longevity
- Horizontal and vertical privilege escalation via parameter tampering
Protecting Your Organisation: The 10-Point Post-Vercel Checklist
| # | Action | Why It Matters |
|---|---|---|
| 1 | Enforce OAuth app allowlisting in Google Workspace / Microsoft 365 | Stops employees from granting enterprise scopes to unknown vendors |
| 2 | Block high-risk scopes by default (drive.readonly, gmail.readonly, admin.*) | Most productivity tools do not need them |
| 3 | Rotate refresh tokens on a fixed schedule (30 to 60 days max) | Caps the window in which a stolen token is useful |
| 4 | Mandate phishing-resistant MFA (FIDO2 / passkeys) for all SSO accounts | Removes infostealer session cookies as a viable path |
| 5 | Deploy EDR with infostealer-specific detections (Lumma / Redline / Remus) | Cuts off the initial credential-harvest stage |
| 6 | Classify every env var correctly - assume "non-sensitive" means public | Non-sensitive vars are readable to anyone with dashboard access |
| 7 | Inventory every SaaS-to-SaaS integration including OAuth, API keys, webhooks | You cannot rotate what you have not catalogued |
| 8 | Subscribe to vendor security bulletins and third-party breach feeds | Gives you hours, not weeks, to respond to supply-chain incidents |
| 9 | Run continuous authorization testing - don't rely on annual pentests | Token and OAuth posture drifts every time someone installs a new tool |
| 10 | Practice credential-rotation drills | The Vercel incident required full env-var rotation across every affected project within hours |
The Bigger Picture
The Vercel breach is not primarily a Vercel story. It is a story about what happens when AI productivity tools become load-bearing infrastructure. In the rush to adopt agentic AI products during 2025 and 2026, thousands of organisations handed Workspace-level OAuth grants to young startups with minimal security programs. Those grants are still live. Those refresh tokens are still valid. And infostealers are still harvesting them.
Guillermo Rauch's observation that the attackers were "significantly accelerated by AI" cuts both ways. Attackers use AI to parse stolen tokens, map victim environments, and pivot faster than human defenders can respond. Defenders have to use AI too - not just for detection, but for continuous adversarial testing of the identity and authorization layer that now carries more risk than the network ever did.
The question isn't whether one of your SaaS vendors will be breached in 2026. It's whether you'll know within hours which OAuth grants, tokens, and env vars need to be rotated - or whether you'll find out from a BreachForums listing.
Breachline Nebula provides continuous, autonomous security testing for web applications, identity surfaces, and AI infrastructure. Learn more at breachline.io.
Sources: Vercel Security Bulletin - April 2026, Context.ai Security Update, The Hacker News, BleepingComputer, Security Affairs, CoinDesk, CCLeaks.
