Inside the Vercel Security Breach: How a Malicious OAuth App Triggered an Incident
A single 'Allow All' OAuth grant to a Context.ai AI tool escalated into a breach of Vercel's internal systems. Here's the full attack chain — and how to stop it.

On April 19, 2026, Vercel — the cloud platform behind Next.js and the deployment layer for a huge share of the web — confirmed that attackers had gained unauthorized access to internal systems. The intrusion didn't start with a Vercel vulnerability. It started two months earlier, with a Context.ai employee searching for Roblox cheats, an infostealer infection, and a single OAuth grant with "Allow All" permissions. This is the full attack chain, what it means for anyone connecting AI tools to Google Workspace or Microsoft Entra ID, and how continuous OAuth monitoring would have caught it before it reached production systems.
- The Vercel breach began in February 2026, when a Context.ai employee's device was infected with Lumma Stealer malware after searching for Roblox game exploits — a common infostealer delivery vector.
- Lumma Stealer harvested the employee's stored credentials, exposing Context.ai's support inbox and, critically, the OAuth tokens of Context.ai users — including a Vercel employee who had connected their enterprise Google Workspace account to Context.ai's AI Office Suite and granted it "Allow All" permissions.
- That long-lived, over-scoped OAuth token gave the attacker a direct path from a third-party AI SaaS vendor into Vercel's internal systems, even though Vercel itself was never a Context.ai customer.
- Vercel confirmed non-sensitive environment variables for a limited set of customer projects were exposed, along with roughly 580 employee records — while sensitive-flagged environment variables and the Next.js/npm software supply chain remained uncompromised.
- This is a shadow AI and OAuth problem, not an infrastructure flaw: the fix is catching risky third-party grants the moment they happen, which is exactly what identity-first OAuth monitoring like Synk.to is built to do.
What Happened to Vercel

Vercel disclosed the incident publicly on April 19, 2026, after detecting unauthorized activity in internal systems. In a statement, CEO Guillermo Rauch described the attacker's speed as unusual: "We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI. They moved with surprising velocity" (CyberScoop).
Vercel's own security bulletin is unambiguous about the root cause: "The incident originated with a compromise of Context.ai, a third-party AI tool used by a Vercel employee." No Vercel infrastructure was breached directly — the attacker walked in through a trusted identity.
The Attack Chain: From a Roblox Cheat Search to a Supply Chain Breach
The timeline is a textbook case of how a single unmanaged AI tool becomes an enterprise breach:
- February 2026 — A Context.ai employee searched for Roblox game exploits and was infected with Lumma Stealer, an infostealer that harvests browser-saved credentials, session tokens, and crypto wallets from infected machines.
- Credential harvest — Lumma Stealer extracted Google Workspace credentials, AWS access, Supabase keys, and Datadog logins from the infected device, and exposed access to Context.ai's own support inbox.
- OAuth token theft — Among the exposed tokens was one belonging to a Vercel employee who, using their enterprise Google Workspace account, had personally signed up for Context.ai's AI Office Suite and granted it "Allow All" access — full read/write permissions across the connected Google account, with no expiration.
- Lateral movement — The attacker used that stolen OAuth token to pivot from the compromised Google Workspace identity into the employee's Vercel account, then enumerated Vercel's internal systems: environment variables, GitHub integrations, npm tokens, and Linear workspace data.
- April 19, 2026 — Vercel confirmed the breach publicly and began incident response, working with Google Mandiant, GitHub, Microsoft, npm, and Socket.
Notably, Vercel was never a Context.ai customer. One employee's individual decision to connect a personal AI productivity account to their enterprise Google Workspace identity — and grant it broad, standing access — was enough to open the door.
What Was Exposed

Vercel's disclosures and independent reporting converge on a consistent picture:
- Exposed: environment variables not explicitly marked "sensitive" (those Vercel can decrypt to plaintext) for a limited subset of customer projects, and approximately 580 employee records containing names, emails, account statuses, and activity timestamps.
- Protected: environment variables marked "sensitive" remained encrypted at rest with no evidence of access, and Vercel confirmed "no npm packages published by Vercel have been compromised. There is no evidence of tampering" — meaning Next.js, Turbopack, and the broader open-source supply chain were unaffected.
- Unconfirmed but plausible: community reports suggested the attacker may also have touched GitHub integrations, npm tokens, and Linear workspace data during enumeration, though Vercel has not fully confirmed the extent.
The ShinyHunters Claim and Attribution

Shortly after disclosure, a threat actor claiming ties to the ShinyHunters group posted samples of the stolen data on BreachForums, demanding roughly $2 million (UpGuard). ShinyHunters is a known extortion group with a history of large-scale data leaks targeting technology companies and service providers. Attribution remains unconfirmed — the listing was later taken down, and reports indicate members of the group publicly denied involvement. Vercel has not independently verified the attacker's full claimed access.
Why This Is a Shadow AI Problem, Not a Vercel Flaw
The lesson security teams are drawing from this incident isn't about Vercel's engineering — it's about the identity layer around every organization's AI adoption. Three structural gaps made this breach possible:
- OAuth grants outlive the moment they're created. The Vercel employee's "Allow All" grant to Context.ai had no expiration and no periodic review. It sat as standing access for months, waiting for the vendor's own security posture to fail.
- Individual employees can create enterprise-wide exposure. Vercel had no commercial relationship with Context.ai at all — one employee's personal decision to connect a work Google account to an AI tool was the entire attack surface.
- Third-party AI SaaS vendors are now part of every customer's blast radius. Context.ai's own infostealer infection became Vercel's breach the moment a token crossed the trust boundary. The interconnected, OAuth-linked nature of modern AI tooling means a vendor's weakest employee can become your incident.
Immediate Response Steps If You Use Vercel or Similar AI-Connected Tools
Whether or not you were directly affected, this incident is a forcing function to check your own exposure:
- Audit environment variables and rotate anything not marked sensitive, especially in projects connected to third-party integrations.
- Revoke any OAuth grants to Context.ai in Google Workspace's App access control. Navigate to Admin Console → Security → API Controls → Manage Third-Party App Access and search for "Context" or the OAuth Client ID: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com
- Rotate GitHub and npm tokens for any account connected to the affected identity.
- Review audit logs — in Linear, GitHub, and your deployment platform — for secret-shaped strings (patterns like
AKIA,sk_live_,ghp_,ghs_,npm_) that may have been exposed. - Enable MFA and Deployment Protection on production environments, per Vercel's own guidance.
How Synk.to Would Have Caught This
Strip away the malware and the extortion demand, and the root cause is a single event that continuous OAuth monitoring is designed to flag the moment it happens: an employee connected an enterprise identity to an unreviewed AI tool and granted it broad, standing access.
Synk.to connects to Google Workspace and Microsoft Entra ID via OAuth and builds a live inventory of every third-party system connected to your identity provider — the moment it's connected, not at the next audit. A new AI/ML tool like Context.ai would show up in the system catalog immediately, with its risk level, owner, and the scopes it was granted:

More importantly, Synk's alert rules are built for exactly this scenario. A "New risky system discovered" alert fires the moment an employee connects an unsanctioned AI tool, and a "New user provided risky scope" alert fires the moment someone grants a connected app a broad or previously-unseen OAuth scope — precisely the "Allow All" grant that started the Vercel breach:

With that alert in place, security teams get a chance to review and revoke the grant before a vendor-side infostealer infection can turn it into a stolen token — instead of finding out from a BreachForums listing two months later. Synk.to requires no endpoint agent: it reads grants and scopes directly from the identity provider, produces a full inventory in under five minutes, and supports one-click revocation the moment a risky grant is confirmed. Start free.
FAQs
What caused the Vercel security breach?
The breach originated with a Lumma Stealer malware infection at Context.ai, a third-party AI tool, in February 2026. The malware harvested a Context.ai user's credentials and OAuth tokens, including one belonging to a Vercel employee who had connected their enterprise Google Workspace account to Context.ai and granted it "Allow All" permissions. The attacker used that token to pivot into Vercel's internal systems.
Was Vercel hacked directly?
No. Vercel's own infrastructure was not breached through a vulnerability. The attacker entered through a compromised third-party OAuth grant tied to an employee's identity — a supply chain attack through an AI SaaS vendor, not a direct exploit of Vercel's systems.
What data was exposed in the Vercel breach?
Vercel confirmed exposure of environment variables not marked "sensitive" for a limited subset of customer projects, plus approximately 580 employee records (names, emails, account statuses, and timestamps). Environment variables marked sensitive remained encrypted with no evidence of access.
Was Vercel's software supply chain, including Next.js and npm packages, compromised?
No. Vercel stated that no npm packages it publishes were compromised and found no evidence of tampering. Next.js, Turbopack, and other open-source projects were unaffected.
Is ShinyHunters responsible for the Vercel breach?
Attribution is unconfirmed. A threat actor claiming ties to ShinyHunters posted samples of stolen data on BreachForums demanding roughly $2 million, but the listing was later removed and reports indicate ShinyHunters members denied involvement. Vercel has not independently verified the claim.
How could this have been prevented?
The root cause was a single unreviewed OAuth grant: an employee connecting an enterprise identity to an AI tool and approving broad, standing access with no expiration or review. Continuous OAuth monitoring that alerts on new third-party systems and risky scope grants — rather than periodic manual audits — would have surfaced this the day it happened.
How does Synk.to help prevent incidents like the Vercel breach?
Synk.to connects to Google Workspace or Microsoft Entra ID via OAuth and produces a complete, continuously updated inventory of every third-party app, the users who connected it, and the scopes granted — with alerts the moment a new AI tool appears or a user grants a risky scope like "Allow All." That gives security teams the chance to review and revoke a risky grant before it becomes an attacker's foothold. Start free.