A Vercel employee granted a third-party AI tool full OAuth access to their corporate Google Workspace account. Attackers exploited that access and worked their way deep into the infrastructure of the company behind Next.js.
Vercel, the cloud platform behind the widely used Next.js framework, has confirmed a security incident. The breach did not originate within Vercel itself but at a third-party provider. The enterprise AI platform Context.ai was compromised first, and through it attackers gained access to a Vercel employee’s Google Workspace account.
Context.ai offers an enterprise AI suite that trains agents on company-specific knowledge. Users can sign in with their Google account and grant the application broad OAuth permissions covering their entire workspace.
According to Vercel, the affected employee had connected Context.ai to their corporate account and selected the “Allow All” option when prompted for OAuth permissions. Context.ai acknowledged that Vercel’s internal OAuth configuration had permitted this broad permission grant. The attackers used the obtained tokens to take over the Google Workspace account and then moved laterally into internal Vercel systems.
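The incident turns on a single “Allow All” consent that handed a third-party app full-domain scopes. The checker below is an added illustration, not code from Vercel, Context.ai or Google: given a per-app list of granted Google OAuth scopes (the app names and scope sets here are constructed), it tiers each scope and reports which apps hold whole-domain read/write access, which is what a Workspace administrator would want to review before or after an event like this. The scope URIs are real Google scopes; the low/medium/high tiering is this example's own judgement.

```python
"""Tier third-party OAuth grants by the breadth of the Google scopes they hold.

Added example (not from the article). Input is a dict of app -> granted scopes,
such as an administrator could export from a Workspace token audit.
"""

# Constructed sample: two hypothetical third-party apps and the scopes users granted them.
GRANTS = {
    "example-ai-assistant": [
        "https://mail.google.com/",
        "https://www.googleapis.com/auth/drive",
        "https://www.googleapis.com/auth/admin.directory.user.readonly",
    ],
    "example-calendar-sync": [
        "https://www.googleapis.com/auth/calendar.readonly",
        "openid",
        "email",
    ],
}

# Real Google scope URIs that grant full read/write over an entire data domain.
# Treating them as "high" is this example's judgement, not a Google rating.
FULL_ACCESS = {
    "https://mail.google.com/": "full Gmail read/write/delete",
    "https://www.googleapis.com/auth/drive": "full Drive read/write",
    "https://www.googleapis.com/auth/admin.directory.user": "manage directory users",
    "https://www.googleapis.com/auth/cloud-platform": "full Google Cloud access",
}
READONLY_SUFFIXES = (".readonly", ".metadata.readonly")
IDENTITY_ONLY = {"openid", "email", "profile"}
RANK = {"low": 0, "medium": 1, "high": 2}


def triage_scope(scope: str) -> str:
    """Classify one scope: identity-only is low, read-only is medium,
    whole-domain write access is high. Unknown write scopes default to medium
    so that a human still looks at them."""
    if scope in FULL_ACCESS:
        return "high"
    if scope in IDENTITY_ONLY:
        return "low"
    if scope.endswith(READONLY_SUFFIXES):
        return "medium"
    return "medium"


def triage_grants(grants: dict[str, list[str]]) -> dict[str, dict]:
    """Return, per app, its worst tier and the list of high-risk scopes it holds."""
    report = {}
    for app, scopes in grants.items():
        tiers = {s: triage_scope(s) for s in scopes}
        worst = max(tiers.values(), key=RANK.get)
        report[app] = {
            "worst": worst,
            "high_scopes": [s for s, t in tiers.items() if t == "high"],
        }
    return report


def apps_needing_review(grants: dict[str, list[str]]) -> list[str]:
    """Apps whose grant includes at least one whole-domain scope, sorted by name."""
    return sorted(app for app, r in triage_grants(grants).items() if r["worst"] == "high")


if __name__ == "__main__":
    for app, r in triage_grants(GRANTS).items():
        print(f"{app}: worst={r['worst']}", *(f"  - {s} ({FULL_ACCESS[s]})" for s in r["high_scopes"]), sep="\n")
```

The useful output is the `high_scopes` list per app: an app that only needs calendar data but holds `https://mail.google.com/` is the kind of grant that an allowlist of approved scopes, enforced at the Workspace level, would have blocked before the user ever saw an “Allow All” button.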
Lumma Stealer suspected as the original entry point
Cybersecurity firm Hudson Rock claims to have traced the attack even further back. According to the company, a Context.ai employee was infected by the Lumma Stealer malware as early as February after downloading Roblox exploit scripts. The stolen credentials reportedly included Google Workspace logins as well as API keys for Supabase, Datadog, and Authkit. Vercel had not independently confirmed this account at the time of publication.
Context.ai itself stated that it detected and blocked unauthorized access to its AWS environment in March. Only later did the company discover that the attackers had also compromised OAuth tokens belonging to some of its consumer users.
What was accessed and what was not?
Vercel emphasized that environment variables explicitly marked as “sensitive” are encrypted at rest and were not accessed. Variables stored without that designation must be treated as potentially exposed. The company advised affected customers to audit activity logs, rotate any API keys and database credentials stored in non-sensitive environment variables, and review recent deployments for unexpected changes.
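Vercel's advice reduces to a triage question: which environment variables were stored without the sensitive designation yet hold credentials, and therefore need rotating? The script below is an added example, not Vercel's code or API client. It works on a list of variable records whose shape (a `key`, a `type` that is `"sensitive"` for protected values, a readable `value` otherwise, and a `target` list) is assumed for the example; the records themselves are constructed. It flags non-sensitive variables whose name or value looks like a credential and groups them by deployment target so production rotations can go first.

```python
"""Build a rotation worklist from project environment variables.

Added example (not from the article). Record shape is assumed: key, type,
value (None when the value is not readable), target (list of environments).
"""
import re
from collections import defaultdict

# Names that conventionally hold credentials.
SECRET_NAME = re.compile(r"(SECRET|TOKEN|KEY|PASSWORD|PASSWD|DATABASE_URL|DSN)", re.I)
# Value prefixes typical of API keys and connection strings (illustrative set).
SECRET_VALUE = re.compile(r"^(sk_live_|sk-|ghp_|AKIA|postgres://|postgresql://|mysql://|mongodb)")

# Constructed sample records; values are placeholders, not real credentials.
ENVS = [
    {"key": "DATABASE_URL", "type": "encrypted",
     "value": "postgres://app:PLACEHOLDER@db.example.internal/app", "target": ["production"]},
    {"key": "STRIPE_SECRET_KEY", "type": "sensitive", "value": None, "target": ["production"]},
    {"key": "NEXT_PUBLIC_API_BASE", "type": "plain",
     "value": "https://api.example.com", "target": ["production", "preview"]},
    {"key": "DATADOG_API_KEY", "type": "encrypted",
     "value": "dd_PLACEHOLDER_not_real", "target": ["production", "preview"]},
    {"key": "FEATURE_FLAG_NEW_UI", "type": "plain", "value": "true", "target": ["preview"]},
]


def needs_rotation(env: dict) -> bool:
    """True when a variable is not marked sensitive and looks like a credential.
    Sensitive variables are skipped because their values were not readable."""
    if env["type"] == "sensitive":
        return False
    value = env.get("value") or ""
    return bool(SECRET_NAME.search(env["key"]) or SECRET_VALUE.match(value))


def rotation_worklist(envs: list[dict]) -> list[str]:
    """Keys to rotate, sorted for a stable checklist."""
    return sorted(e["key"] for e in envs if needs_rotation(e))


def worklist_by_target(envs: list[dict]) -> dict[str, list[str]]:
    """Same keys grouped by deployment target, so production is handled first."""
    grouped: dict[str, list[str]] = defaultdict(list)
    for e in envs:
        if needs_rotation(e):
            for t in e["target"]:
                grouped[t].append(e["key"])
    return {t: sorted(keys) for t, keys in grouped.items()}


if __name__ == "__main__":
    for target, keys in worklist_by_target(ENVS).items():
        print(f"{target}: rotate {', '.join(keys)} and re-mark them as sensitive")
```

Name matching alone misses credentials stored under innocuous keys, which is why the value check is there; conversely a `NEXT_PUBLIC_` variable that matches either pattern is a separate finding, since those values ship to the browser regardless of how the project stores them.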
The threat actor operating under the ShinyHunters name has claimed responsibility for the breach and is reportedly seeking $2 million for the stolen data. Vercel described the attacker as highly sophisticated based on their operational speed and detailed understanding of Vercel’s internal systems.
Response: Mandiant engaged and new dashboard features rolled out
Vercel has brought in Google-owned incident response firm Mandiant, notified law enforcement, and reached out directly to a limited subset of affected customers. The company has also introduced new dashboard features, including an overview page for environment variables and an improved interface for managing sensitive variable settings.
CEO Guillermo Rauch confirmed on X that Vercel had analyzed its supply chain and found that Next.js, Turbopack, and its other open source projects were not affected by the incident.