
Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials

TL;DR HIGH
  • What happened: Compromised Context.ai OAuth token gave attackers access to Vercel's Google Workspace and environment credentials.
  • Who's at risk: Organizations whose employees use AI productivity tools with enterprise accounts and broad OAuth scopes are directly exposed to lateral-movement attacks via third-party AI service compromises.
  • Act now: Audit and revoke 'Allow All' OAuth grants from third-party AI tools across all enterprise accounts immediately · Rotate all non-sensitive environment variables in Vercel and mark secrets as 'sensitive' to enforce encryption · Implement strict OAuth scope policies requiring least-privilege permissions for any AI SaaS integrations

Overview

Vercel, the widely-used web infrastructure and deployment platform, has disclosed a security breach traceable to the compromise of Context.ai — a third-party AI productivity tool used by at least one Vercel employee. The attacker leveraged a stolen OAuth token from Context.ai’s March 2026 AWS environment breach to pivot into Vercel’s Google Workspace, subsequently gaining access to internal Vercel systems and unencrypted environment variables. The incident is a textbook example of AI supply chain risk materialising at enterprise scale, and is notable for the speed and precision attributed to the threat actor — described by Vercel as ‘sophisticated’ based on their operational velocity and knowledge of internal systems.

ShinyHunters, a prolific cybercriminal persona associated with high-profile data extortion, has claimed responsibility and is reportedly offering stolen data for $2 million.

Technical Analysis

The attack chain followed a clear multi-stage progression:

  1. Context.ai AWS Compromise (March 2026): Attackers gained unauthorized access to Context.ai’s AWS environment, harvesting OAuth tokens belonging to consumer users of the service.
  2. OAuth Token Abuse: A Vercel employee had signed up for Context.ai’s AI Office Suite using their Vercel enterprise Google account and granted ‘Allow All’ OAuth permissions — a broad scope that enabled the attacker to impersonate the employee’s Google identity.
  3. Google Workspace Takeover: Using the compromised OAuth token, the attacker took over the employee’s Vercel-linked Google Workspace account, bypassing standard authentication controls.
  4. Internal Environment Access: From the compromised Workspace account, the attacker accessed Vercel environments and environment variables not marked as ‘sensitive’ — these are stored unencrypted and were therefore readable.

Critically, environment variables marked ‘sensitive’ in Vercel are stored encrypted and there is no current evidence they were accessed. The blast radius was partially contained by Vercel’s tiered secret-storage model.

Vercel has flagged a specific OAuth application identifier for administrators to check: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com
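The check above is easiest to run against an export of each user's third-party OAuth grants. The script below is an added example for this briefing, not Vercel's, Google's or Context.ai's code. It consumes the JSON shape returned by the Admin SDK Directory API `tokens.list` call (GET /admin/directory/v1/users/{userKey}/tokens), flags the client ID named in the advisory and, separately, any grant that carries a full mail, Drive, Calendar, Contacts or directory scope. The user, app names and grants are constructed sample data; only the flagged client ID comes from the advisory, and the display names are assumed.

```python
"""Triage Google Workspace OAuth grants for a known-bad client ID and
over-broad scopes (added example; constructed sample data)."""
from dataclasses import dataclass

# Client ID the advisory tells administrators to look for.
FLAGGED_CLIENT_IDS = {
    "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com",
}

# Scopes that let an app read and write the user's mail, files, calendar,
# contacts or the directory itself. A stolen token with any of these acts as
# the user, which is the pivot described in the advisory.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/admin.directory.user",
}


@dataclass(frozen=True)
class Finding:
    user: str
    client_id: str
    app: str
    reason: str      # "flagged_client_id" or "broad_scopes"
    scopes: tuple


def triage_tokens(user: str, token_list: dict) -> list:
    """Return one Finding per grant that should be revoked or reviewed."""
    findings = []
    for tok in token_list.get("items", []):
        client_id = tok.get("clientId", "")
        scopes = tuple(sorted(tok.get("scopes", [])))
        app = tok.get("displayText") or client_id
        if client_id in FLAGGED_CLIENT_IDS:
            findings.append(Finding(user, client_id, app, "flagged_client_id", scopes))
        elif BROAD_SCOPES.intersection(scopes):
            findings.append(Finding(user, client_id, app, "broad_scopes", scopes))
    return findings


def revocation_plan(findings) -> tuple:
    """Split findings into (revoke, review) lists of (userKey, clientId) pairs,
    the arguments the Directory API `tokens.delete` call takes. The flagged
    app is revoked unconditionally; broad-scope grants are returned for an
    admin to confirm they are unapproved before revoking."""
    revoke = [(f.user, f.client_id) for f in findings if f.reason == "flagged_client_id"]
    review = [(f.user, f.client_id) for f in findings if f.reason == "broad_scopes"]
    return revoke, review


# Constructed sample export for one user, in the shape of a tokens.list response.
SAMPLE_USER = "employee@example.com"
SAMPLE_TOKENS = {
    "kind": "admin#directory#tokenList",
    "items": [
        {   # sign-in-only grant: nothing to do
            "clientId": "111111111111-benign.apps.googleusercontent.com",
            "displayText": "Expense Reports (constructed)",
            "scopes": ["openid", "email", "profile"],
        },
        {   # the client ID named in the advisory (display name assumed)
            "clientId": "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com",
            "displayText": "Context (assumed name)",
            "scopes": ["https://mail.google.com/",
                       "https://www.googleapis.com/auth/drive", "openid", "email"],
        },
        {   # unknown app with full Drive access: review
            "clientId": "222222222222-other.apps.googleusercontent.com",
            "displayText": "Slides Helper (constructed)",
            "scopes": ["https://www.googleapis.com/auth/drive"],
        },
    ],
}

if __name__ == "__main__":
    found = triage_tokens(SAMPLE_USER, SAMPLE_TOKENS)
    for f in found:
        print(f"{f.user}: {f.app} ({f.client_id}) -> {f.reason}")
    revoke, review = revocation_plan(found)
    print("revoke:", revoke)
    print("review:", review)
```

Run it once per user export, or feed it the live `tokens.list` output for each account. Keeping the flagged ID and the broad-scope match as separate reasons matters: the former is an indicator and can be revoked immediately, while the latter is a policy finding that needs a human to confirm the app is unapproved.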

Framework Mapping

  • AML.T0010 (ML Supply Chain Compromise): The initial vector was a trusted AI tool (Context.ai) whose compromise cascaded into a downstream enterprise breach — a canonical supply chain attack.
  • AML.T0012 (Valid Accounts): Stolen OAuth tokens constituted valid credentials, enabling authentication without triggering typical anomaly detection.
  • AML.T0047 (ML-Enabled Product or Service): Context.ai as an AI SaaS product was the attack surface entry point.
  • LLM05 (Supply Chain Vulnerabilities): Third-party AI tool integration introduced an uncontrolled dependency with excessive trust.
  • LLM07 (Insecure Plugin Design) / LLM08 (Excessive Agency): The ‘Allow All’ OAuth scope granted the AI tool disproportionate access to enterprise identity infrastructure.

Impact Assessment

A limited subset of Vercel customers had credentials exposed. Vercel has contacted affected customers and urged immediate credential rotation. The full scope of exfiltrated data remains under investigation with Mandiant engaged as incident responder. The $2 million asking price from ShinyHunters suggests the attacker believes the data has significant secondary market value, likely including API keys, deployment secrets, or customer PII embedded in environment variables.

Mitigation & Recommendations

  • Revoke broad OAuth grants from all third-party AI tools; enforce least-privilege scopes at the identity provider level.
  • Audit Google Workspace OAuth applications for the flagged app ID and any other unrecognised grants.
  • Rotate all Vercel environment variables not marked sensitive; migrate secrets to the sensitive tier immediately.
  • Enable Deployment Protection at Standard level or above and rotate Deployment Protection tokens.
  • Review deployment and activity logs for anomalous access patterns dating back to March 2026.
  • Establish policy prohibiting use of enterprise SSO credentials for personal or unapproved AI SaaS sign-ups.
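The rotation steps above, together with the tiered storage model described in the technical analysis, can be turned into a per-project worklist. The script below is an added example for this briefing, not Vercel's code. It reads the `envs` array in the shape returned by the Vercel REST API (GET /v9/projects/{idOrName}/env), where each entry has a `key`, a `type` and a `target` list; the set of `type` values used here ("plain", "encrypted", "secret", "sensitive", "system") is an assumption drawn from the API documentation as recalled, not from the advisory. Variables of type "sensitive" are left alone because they are stored encrypted, every other user-defined variable is queued for rotation, and those whose names look like credentials are additionally queued for migration to the sensitive tier. The project and its variables are constructed sample data.

```python
"""Build a rotation and migration worklist for a Vercel project's
environment variables (added example; constructed sample data)."""
import re

# Key names that usually hold credentials. Heuristic, not exhaustive.
SECRET_NAME = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE|CREDENTIAL|API_KEY|ACCESS_KEY"
    r"|DSN|DATABASE_URL|CONNECTION_STRING)",
    re.IGNORECASE,
)

# Environments in order of exposure; production is rotated first.
TARGET_RANK = {"production": 0, "preview": 1, "development": 2}


def classify_env(env: dict) -> str:
    """Return the action for one variable: skip, ok, rotate, or rotate_and_migrate."""
    env_type = env.get("type", "plain")   # assumed Vercel `type` values, see lead-in
    if env_type == "system":
        return "skip"                      # Vercel-provided, not a user secret
    if env_type == "sensitive":
        return "ok"                        # encrypted at rest; no evidence of access
    if SECRET_NAME.search(env.get("key", "")):
        return "rotate_and_migrate"        # readable, and almost certainly a credential
    return "rotate"                        # readable; advisory says rotate everything


def triage_project(project: str, envs: list) -> dict:
    """Group a project's variables by action, most exposed target first."""
    buckets = {"rotate_and_migrate": [], "rotate": [], "ok": [], "skip": []}
    for env in envs:
        buckets[classify_env(env)].append(env)

    def exposure(env):
        targets = env.get("target") or ["development"]
        return min(TARGET_RANK.get(t, 9) for t in targets)

    for name in ("rotate_and_migrate", "rotate"):
        buckets[name].sort(key=exposure)   # stable: ties keep API order
    return {name: [e["key"] for e in items] for name, items in buckets.items()}


# Constructed sample project, in the shape of the `envs` array from the API.
SAMPLE_PROJECT = "storefront (constructed)"
SAMPLE_ENVS = [
    {"key": "SENTRY_DSN",        "type": "plain",     "target": ["preview"]},
    {"key": "STRIPE_SECRET_KEY", "type": "plain",     "target": ["production"]},
    {"key": "FEATURE_FLAGS",     "type": "plain",     "target": ["development"]},
    {"key": "DATABASE_URL",      "type": "encrypted", "target": ["production", "preview"]},
    {"key": "GITHUB_TOKEN",      "type": "sensitive", "target": ["production"]},
    {"key": "VERCEL_URL",        "type": "system",    "target": ["production", "preview"]},
]

if __name__ == "__main__":
    plan = triage_project(SAMPLE_PROJECT, SAMPLE_ENVS)
    for action, keys in plan.items():
        print(f"{SAMPLE_PROJECT}: {action}: {', '.join(keys) or '-'}")
```

Rotation is the part that matters: marking a variable sensitive only protects the new value, so migrate after the upstream credential has been reissued, not before. The name heuristic is deliberately loose; a variable it misses still lands in the plain "rotate" bucket rather than being skipped.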
