LIVE THREATS
HIGH Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials // MEDIUM Changes in the system prompt between Claude Opus 4.6 and 4.7 // HIGH Old Vulnerabilities get a new life, all thanks to AI! // CRITICAL Cursor AI Vulnerability Exposed Developer Devices // HIGH Claude Code, Gemini CLI, GitHub Copilot Agents Vulnerable to Prompt Injection via Comments // MEDIUM OpenAI Widens Access to Cybersecurity Model After Anthropic’s Mythos Reveal // MEDIUM Human Trust of AI Agents // MEDIUM Frontier AI for Defenders: CrowdStrike and OpenAI TAC // MEDIUM Deterministic + Agentic AI: The Architecture Exposure Validation Requires // CRITICAL ‘By Design’ Flaw in MCP Could Enable Widespread AI Supply Chain Attacks //
ATLAS OWASP HIGH Significant risk · Prioritise patching Supply Chain Industry News LLM Security RELEVANCE ▲ 7.2

Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials

Vercel has disclosed a supply chain breach originating from the compromise of Context.ai, a third-party AI tool used by an employee, which allowed attackers to pivot into Vercel's internal systems and Google Workspace environment. A limited subset of customer credentials were exposed, with the ShinyHunters threat actor claiming responsibility and offering stolen data for $2 million. The incident highlights the systemic risk of integrating third-party AI tooling into enterprise workflows without adequate access controls.

SOURCE The Hacker News ↗
Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials

Overview

Vercel, the web infrastructure and deployment platform, has disclosed a security breach traced back to the compromise of Context.ai — a third-party AI analytics tool used internally by a Vercel employee. The attacker leveraged their foothold in Context.ai to hijack the employee’s Google Workspace account via OAuth, subsequently gaining access to non-sensitive Vercel environment variables and internal systems. The ShinyHunters cybercriminal group has claimed responsibility, advertising the stolen dataset on underground forums for $2 million. Mandiant has been engaged to assist with the investigation.

The incident is significant for the AI security community because it demonstrates how AI-integrated tooling can serve as a trusted but weakly-secured pivot point into high-value enterprise infrastructure.

Technical Analysis

The attack chain follows a classic supply chain compromise pattern with an AI-specific entry point:

  1. Initial Access via Context.ai: The attacker compromised Context.ai, an AI observability and analytics tool integrated into Vercel’s internal workflow.
  2. OAuth Account Takeover: Using Context.ai’s access, the attacker hijacked the employee’s Google Workspace identity, likely exploiting an OAuth application with overly broad permissions. The malicious OAuth application has been identified by its client ID: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com.
  3. Lateral Movement: The compromised Workspace account enabled access to Vercel environments and environment variables not flagged as “sensitive” — meaning they were stored in plaintext and readable by authenticated sessions.
  4. Data Exfiltration: A subset of customer credentials were exfiltrated. Vercel’s “sensitive” variable designation (encrypted at rest) appears to have contained the blast radius.

Vercel described the actor as “sophisticated” based on operational velocity and demonstrated familiarity with internal system architecture.

Framework Mapping

  • AML.T0010 (ML Supply Chain Compromise): The root compromise occurred through a trusted AI third-party vendor, Context.ai, which had privileged access to employee workflows.
  • AML.T0012 (Valid Accounts): The attacker used a legitimate employee’s Google Workspace identity to traverse internal systems without triggering anomaly detection.
  • AML.T0047 (ML-Enabled Product or Service): Context.ai’s position as an AI tool with deep integration into Vercel’s environment made it an attractive and effective attack vector.
  • LLM05 (Supply Chain Vulnerabilities): The breach exemplifies how AI tooling vendors in the supply chain can introduce systemic trust risks.
  • LLM06 (Sensitive Information Disclosure): Environment variables containing secrets were exposed due to insufficient sensitivity classification.

Impact Assessment

A “limited subset” of Vercel customers had credentials compromised, though the exact number has not been disclosed. The breach affects organisations relying on Vercel for CI/CD pipelines, serverless deployments, and Next.js hosting. While sensitive variables appear protected, non-sensitive environment variables may have contained API keys, tokens, or configuration secrets depending on individual customer practices. The $2 million asking price from ShinyHunters suggests the dataset is considered commercially valuable.

Mitigation & Recommendations

  • Audit OAuth applications connected to Google Workspace and revoke unrecognised grants, particularly the identified malicious client ID.
  • Rotate all non-sensitive environment variables immediately, and reclassify secrets under Vercel’s sensitive variable designation.
  • Review deployment logs for anomalous activity post-breach window.
  • Enforce least-privilege access for third-party AI tools — AI observability and analytics platforms should not require broad workspace permissions.
  • Set Deployment Protection to Standard at minimum and rotate all deployment protection tokens.
  • Vet AI tooling vendors as rigorously as any other third-party software in the supply chain, including SOC 2 compliance and access scope reviews.

References