💻 AppSec

Vercel Confirms Breach via Compromised AI Tool — Developer Environment Variables and Credentials Exposed

Cloud deployment platform Vercel has confirmed a breach traced to a Lumma infostealer infection at Context.ai, a third-party AI tool used by a Vercel employee. Attackers used the stolen Google Workspace OAuth access to reach Vercel's internal environments, exposing environment variables and a limited set of customer credentials. ShinyHunters is claiming responsibility and demanding $2 million for the stolen data.

5 min read
#vercel#supply-chain#lumma-stealer#shinyhunters#infostealer#oauth#developer-credentials#ci-cd#environment-variables#third-party-risk

Vercel, the cloud platform used by hundreds of thousands of developers to deploy web applications, confirmed on 19 April 2026 that a breach of its internal systems exposed a limited subset of customer credentials and environment variable data. The root cause was not a vulnerability in Vercel itself — it was an infostealer infection at a third-party AI tool, illustrating how a single compromised employee laptop at a minor SaaS vendor can create a pathway into the infrastructure of much larger organisations.

The Attack Chain

The breach originated in February 2026, when a Context.ai employee was infected with the Lumma infostealer malware. Context.ai is a small AI analytics tool used by engineering teams; a Vercel employee had connected it to their Google Workspace account via OAuth.

Lumma stealers are designed specifically to harvest browser-saved credentials and OAuth tokens from infected machines. When the Context.ai employee’s machine was compromised, the attacker obtained the OAuth application credentials for Context.ai’s Google Workspace integration. These credentials were then used to access the Vercel employee’s Google Workspace account, which in turn provided access to Vercel’s internal environment.

Vercel’s internal systems include environment variable storage — the configuration layer where developers store secrets such as API keys, database connection strings, signing tokens, NPM access tokens, and GitHub tokens for their deployed projects. Variables marked as “sensitive” were protected and not exposed. Variables not marked as sensitive — a misconfiguration risk in many deployments — were accessible and are presumed compromised.

Scope of Exposure

Vercel characterises the breach as affecting a “limited subset of customers”, who have been notified directly and advised to rotate credentials immediately. The company has not disclosed the specific number of affected accounts.

The categories of data at risk in affected accounts include:

  • Environment variables not marked sensitive — API keys, database credentials, third-party service tokens stored in Vercel project settings
  • Vercel account credentials for the subset of affected users
  • Potentially: NPM access tokens, GitHub tokens, and deployment signing keys stored as environment variables

ShinyHunters, the cybercriminal group claiming responsibility, alleges possession of internal source code, API keys, database data, access to internal deployments, and is advertising the data for $2 million.

The Third-Party OAuth Risk

The technical pivot point in this attack — a third-party application’s Google Workspace OAuth connection — represents an under-appreciated attack surface in developer environments. OAuth integrations with productivity platforms (Google Workspace, Microsoft 365, Slack, GitHub) are ubiquitous in engineering organisations, and most employees grant them with minimal scrutiny. When a third-party application is compromised — whether by infostealer, supply chain attack, or direct breach — every organisation whose employees connected that application to their corporate identity inherits the exposure.

Google’s OAuth permission model logs which applications have been granted access, but most organisations do not actively audit or revoke OAuth grants for third-party tools that are no longer in use or have been compromised. The Context.ai OAuth application ID has been publicly shared by Vercel for identification purposes: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. Any organisation whose employees connected this application should treat their Google Workspace session as potentially compromised.

For Vercel customers:

  • Rotate all environment variables immediately, regardless of whether your account is in the “limited subset” — Vercel’s investigation is ongoing, and the boundary of exposure may widen. Pay specific attention to database connection strings, API keys for third-party services, NPM tokens, and GitHub Personal Access Tokens.
  • Mark all secrets as “Sensitive” in Vercel project settings. Sensitive variables are encrypted at rest and not accessible even with administrative access.
  • Audit connected OAuth applications: Review all OAuth applications connected to your Google Workspace or GitHub accounts via Settings → Connected Apps. Revoke access for Context.ai and any other AI analytics tools you no longer actively use.

For all organisations:

  • Audit third-party OAuth grants organisation-wide: In Google Workspace Admin Console (Security → API Controls → App Access Control), review all connected third-party applications. Revoke unused or unrecognised applications — each represents a potential pivot path if that application’s infrastructure is compromised.
  • Enforce OAuth application allowlisting: Where Google Workspace Admin policies permit, restrict OAuth connections to an approved list of applications. Block connections to unvetted AI tools and productivity integrations.
  • Treat developer credentials as high-value targets: NPM tokens, GitHub PATs, and deployment platform API keys provide access to build pipelines and production deployments. Apply the same credential rotation discipline to these as to privileged infrastructure accounts.
  • Include third-party SaaS connections in threat modelling: The Vercel breach was caused not by an attack on Vercel but by an attack on a minor tool connected to a Vercel employee’s account. Supply chain risk extends to every OAuth integration in the development workflow, not just direct software dependencies.

Broader Context

This is the fourth significant ShinyHunters breach in April 2026 — following Anodot/Snowflake, Rockstar/Salesforce, and McGraw Hill/Salesforce — demonstrating that the group is running parallel campaigns across multiple attack vectors simultaneously. The Vercel attack vector (infostealer → OAuth → internal environment) is distinct from the Salesforce misconfiguration pattern, indicating broad operational capability rather than reliance on a single technique. For development organisations, the consistent lesson is that supply chain exposure now includes every SaaS tool connected to the developer’s identity — not just the packages in the code repository.

Share this article