Web infrastructure platform Vercel has disclosed a significant security incident in which attackers gained unauthorized access to its internal systems through a compromised third-party OAuth application belonging to AI productivity startup Context.ai. The intrusion, confirmed in a security bulletin first published on April 19, 2026, highlights how deeply interconnected SaaS ecosystems can amplify the blast radius of a single compromised token.
How the Attack Unfolded
According to Vercel, the attacker first infected a Context.ai employee’s machine with the Lumma Stealer infostealer in February 2026. By March, the threat actor had harvested OAuth tokens tied to Context.ai’s Google Workspace “Office Suite” consumer application. Because a Vercel employee had previously installed the Context.ai browser extension and signed in with their enterprise Google account using broad “Allow All” permissions, the stolen tokens gave the attacker direct access to that account.
From there, the intruder pivoted into Vercel’s internal environment, where they enumerated and decrypted non-sensitive environment variables belonging to a subset of customers. Security firm OX Security described the intrusion as a “textbook OAuth supply chain attack” — one that relied not on exploitable software flaws but on trusted integrations and overly permissive grants.
What Data Was Exposed
Vercel’s initial investigation flagged a limited set of customers whose non-sensitive environment variables were accessed. This included API keys, tokens, database credentials, and signing keys that had been stored in the dashboard without the “sensitive” flag enabled. A follow-up review identified additional compromised accounts and a separate cluster of customer accounts that showed evidence of earlier, independent compromise — most likely via social engineering or infostealer malware unrelated to this incident.
Critically, variables marked as “sensitive” in Vercel, which are encrypted and non-readable from the dashboard, showed no sign of being accessed. Vercel’s security team also confirmed in collaboration with GitHub, Microsoft, npm, and Socket that no Vercel-published npm packages have been tampered with.
ShinyHunters Claims Responsibility
A threat actor operating under the ShinyHunters moniker has publicly claimed credit for the intrusion and is reportedly attempting to sell an alleged trove of Vercel data — including internal databases, source code, and employee records — for $2 million on underground forums. Vercel says it has received no ransom demand or direct communication from the attacker.
CEO Guillermo Rauch characterized the actor as “highly sophisticated,” noting the attacker’s operational velocity and deep familiarity with Vercel’s product API surface once inside the environment.
Recommended Customer Actions
Vercel is urging all customers to take the following steps without delay:
- Rotate all non-sensitive environment variables, including API keys, tokens, database credentials, and signing keys. Deleting a project or account is not sufficient.
- Enable multi-factor authentication using an authenticator app or a passkey.
- Mark future secrets as “sensitive” so they cannot be read from the dashboard.
- Review activity logs in the Vercel dashboard or CLI for suspicious behavior.
- Audit recent deployments for unexpected activity and ensure Deployment Protection is configured to Standard or higher.
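As an added illustration of the first and third steps above (not code from the article, from Vercel, or from any of the firms named), the following Python triages a project's environment-variable listing: anything that is not marked sensitive is readable from the dashboard and, if it looks like a credential, belongs on the rotation list. The listing shape is assumed to follow the `envs` array of Vercel's project environment-variables REST endpoint (`id`, `key`, `type`, `target`); the sample data and the `SECRET_HINTS` heuristic are constructed here and are not from the page.

```python
import json

# Constructed sample shaped like the `envs` array returned when listing a
# project's environment variables (field names are an assumption, not a
# documented contract reproduced from the page).
SAMPLE_ENV_LISTING = json.loads("""
{
  "envs": [
    {"id": "env_1", "key": "DATABASE_URL",        "type": "encrypted", "target": ["production"]},
    {"id": "env_2", "key": "STRIPE_SECRET_KEY",   "type": "sensitive", "target": ["production"]},
    {"id": "env_3", "key": "NEXT_PUBLIC_API_BASE","type": "plain",     "target": ["production", "preview"]},
    {"id": "env_4", "key": "JWT_SIGNING_KEY",     "type": "encrypted", "target": ["production", "preview", "development"]},
    {"id": "env_5", "key": "VERCEL_ENV",          "type": "system",    "target": ["production"]}
  ]
}
""")

# Heuristic substrings suggesting a variable holds a credential (constructed).
SECRET_HINTS = ("KEY", "TOKEN", "SECRET", "PASSWORD", "PASS", "URL", "DSN", "CREDENTIAL")


def looks_like_secret(key: str) -> bool:
    """Crude name-based classifier: public-by-convention names are never secrets,
    everything else is a secret if its name carries a credential-like hint."""
    upper = key.upper()
    if upper.startswith("NEXT_PUBLIC_"):
        return False
    return any(hint in upper for hint in SECRET_HINTS)


def triage_env_vars(listing: dict) -> dict:
    """Split a listing into three buckets:
    - rotate:              dashboard-readable AND credential-looking -> rotate now,
                           then re-create as 'sensitive'
    - readable_non_secret: dashboard-readable but public by design (no action)
    - already_sensitive:   encrypted, not readable from the dashboard
    Platform-provided 'system' variables are skipped; they are not user secrets."""
    buckets = {"rotate": [], "readable_non_secret": [], "already_sensitive": []}
    for env in listing.get("envs", []):
        kind = env.get("type")
        if kind == "system":
            continue
        if kind == "sensitive":
            buckets["already_sensitive"].append(env)
        elif looks_like_secret(env.get("key", "")):
            buckets["rotate"].append(env)
        else:
            buckets["readable_non_secret"].append(env)
    return buckets


def rotation_report(listing: dict) -> str:
    """Human-readable summary; rotation advice follows the article's guidance."""
    b = triage_env_vars(listing)
    lines = ["ROTATE (dashboard-readable credentials):"]
    lines += [f"  {e['key']}  targets={','.join(e['target'])}" for e in b["rotate"]]
    lines.append("Readable but public by design:")
    lines += [f"  {e['key']}" for e in b["readable_non_secret"]]
    lines.append("Already sensitive (no dashboard read):")
    lines += [f"  {e['key']}" for e in b["already_sensitive"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(rotation_report(SAMPLE_ENV_LISTING))
```

In a real audit you would feed the script the live listing fetched with a project-scoped token; the name heuristic is only a first pass, and anything it files under "readable but public" still deserves a human glance before being left as-is.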
Vercel has published one indicator of compromise to help the wider community: the OAuth App Client ID 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. Google Workspace administrators are urged to check for any usage of this application in their tenants, as the Context.ai compromise likely impacted hundreds of users across many organizations.
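The check Google Workspace administrators are asked to perform can be scripted against the per-user OAuth token grants the Admin SDK Directory API exposes (`tokens.list`, whose items carry `clientId`, `displayText` and `scopes`). The Python below is an added example, not code from Vercel or the article: it takes already-fetched grants, flags any that match the published IoC client ID, and separately flags grants that carry full-mailbox or full-Drive scopes, since the article notes that broad "Allow All" consent is what turned a stolen token into account access. The grant data is constructed; the item shape is an assumption about the API response.

```python
from typing import Dict, Iterable, List

# Indicator of compromise as published by Vercel (quoted from the article).
IOC_CLIENT_ID = "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"

# Real Google OAuth scope URIs that grant full mailbox or full Drive access.
# A grant carrying any of these is "broad" regardless of which app holds it.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
}

# Constructed sample: user -> list of token-grant items shaped like the
# Directory API tokens.list response (field names are an assumption).
SAMPLE_GRANTS: Dict[str, List[dict]] = {
    "alice@example.com": [
        {
            "clientId": IOC_CLIENT_ID,
            "displayText": "Office Suite",
            "scopes": ["https://mail.google.com/",
                       "https://www.googleapis.com/auth/drive",
                       "https://www.googleapis.com/auth/userinfo.email"],
        },
        {
            "clientId": "111111111111-constructedcalendarapp.apps.googleusercontent.com",
            "displayText": "Calendar Helper (constructed)",
            "scopes": ["https://www.googleapis.com/auth/calendar.readonly"],
        },
    ],
    "bob@example.com": [
        {
            "clientId": "222222222222-constructedbackupapp.apps.googleusercontent.com",
            "displayText": "Backup Tool (constructed)",
            "scopes": ["https://www.googleapis.com/auth/drive"],
        },
    ],
}


def audit_grants(grants_by_user: Dict[str, List[dict]],
                 ioc_client_ids: Iterable[str] = (IOC_CLIENT_ID,)) -> List[dict]:
    """Return one finding per grant that either matches a known-bad client ID
    or carries a broad scope. Each finding lists every reason it was flagged,
    so an IoC hit with broad scopes is reported with both."""
    ioc_set = set(ioc_client_ids)
    findings = []
    for user, tokens in grants_by_user.items():
        for token in tokens:
            reasons = []
            client_id = token.get("clientId", "")
            if client_id in ioc_set:
                reasons.append("matches published IoC client ID")
            broad = sorted(set(token.get("scopes", [])) & BROAD_SCOPES)
            if broad:
                reasons.append("broad scopes: " + ", ".join(broad))
            if reasons:
                findings.append({
                    "user": user,
                    "clientId": client_id,
                    "app": token.get("displayText", "<unknown>"),
                    "reasons": reasons,
                })
    return findings


def ioc_hits(findings: List[dict]) -> List[str]:
    """Users whose grants matched the IoC; these accounts need token revocation
    and a credential review, not just a scope tightening."""
    return [f["user"] for f in findings if any("IoC" in r for r in f["reasons"])]


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f"{f['user']}  {f['app']}  {f['clientId']}")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

The findings split naturally into two response tracks: IoC matches, where the grant should be revoked (the Directory API also exposes `tokens.delete`) and the account treated as potentially compromised, and broad-scope grants to otherwise legitimate apps, which are the over-permissioned integrations the closing section of the article warns about.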
A Reminder About OAuth Risk
The Vercel incident is another stark example of how a single over-permissioned OAuth integration can become a pivot point for attackers. With Vercel engaging Google Mandiant and other firms to complete its investigation, enterprises should take this opportunity to audit their own Google Workspace and Microsoft 365 OAuth consent grants, tighten default permissions for third-party apps, and adopt stricter policies around installation of browser extensions tied to corporate accounts.