LIVE FEED
FIRST LOOK Yellow Teams Bring AI Offense and Defense Into One Security Function // FIRST LOOK Tracebit Ships AWS Context Bombing Defence Against AI Hacking Agents // FIRST LOOK FriendMachine Launches Jacquard Lang for AI-Written Code Review // CRITICAL Check Point 2026 AI Security Report: LLMs Now Run Live Attacks // FIRST LOOK OpenAI GPT-5.6 Sol Ships Faster Parallel Tool-Use for Agents // FIRST LOOK Meta Launches Muse Image with Public Instagram Photo Reuse // FIRST LOOK Estonia Launches State-Issued Digital IDs for AI Agents // HIGH AI Widens Skill-Ability Gap, Enabling Autonomous Cyberattacks // FIRST LOOK OpenAI Expands ChatGPT Into Family and Caregiver Households // FIRST LOOK Iroh Launches Mesh LLM for Distributed AI Across Peer Nodes //
ATLAS OWASP HIGH Significant risk · Prioritise patching RELEVANCE ▲ 7.5

Vercel Breach: Context.ai OAuth Token Hijack Exposes Credentials

TL;DR HIGH
  • What happened: Compromised Context.ai OAuth token gave attackers access to Vercel's Google Workspace and environment credentials.
  • Who's at risk: Organizations whose employees use AI productivity tools with enterprise accounts and broad OAuth scopes are directly exposed to lateral-movement attacks via third-party AI service compromises.
  • Act now: Audit and revoke 'Allow All' OAuth grants from third-party AI tools across all enterprise accounts immediately · Rotate all non-sensitive environment variables in Vercel and mark secrets as 'sensitive' to enforce encryption · Implement strict OAuth scope policies requiring least-privilege permissions for any AI SaaS integrations
Vercel Breach: Context.ai OAuth Token Hijack Exposes Credentials

Overview

Vercel, the widely-used web infrastructure and deployment platform, has disclosed a security breach traceable to the compromise of Context.ai — a third-party AI productivity tool used by at least one Vercel employee. The attacker leveraged a stolen OAuth token from Context.ai’s March 2026 AWS environment breach to pivot into Vercel’s Google Workspace, subsequently gaining access to internal Vercel systems and unencrypted environment variables. The incident is a textbook example of AI supply chain risk materialising at enterprise scale, and is notable for the speed and precision attributed to the threat actor — described by Vercel as ‘sophisticated’ based on their operational velocity and knowledge of internal systems.

ShinyHunters, a prolific cybercriminal persona associated with high-profile data extortion, has claimed responsibility and is reportedly offering stolen data for $2 million.

Technical Analysis

The attack chain followed a clear multi-stage progression:

  1. Context.ai AWS Compromise (March 2026): Attackers gained unauthorized access to Context.ai’s AWS environment, harvesting OAuth tokens belonging to consumer users of the service.
  2. OAuth Token Abuse: A Vercel employee had signed up for Context.ai’s AI Office Suite using their Vercel enterprise Google account and granted ‘Allow All’ OAuth permissions — a broad scope that enabled the attacker to impersonate the employee’s Google identity.
  3. Google Workspace Takeover: Using the compromised OAuth token, the attacker took over the employee’s Vercel-linked Google Workspace account, bypassing standard authentication controls.
  4. Internal Environment Access: From the compromised Workspace account, the attacker accessed Vercel environments and environment variables not marked as ‘sensitive’ — these are stored unencrypted and were therefore readable.

Critically, environment variables marked ‘sensitive’ in Vercel are stored encrypted and there is no current evidence they were accessed. The blast radius was partially contained by Vercel’s tiered secret-storage model.

Vercel has flagged a specific OAuth application identifier for administrators to check: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com

Framework Mapping

  • AML.T0010 (ML Supply Chain Compromise): The initial vector was a trusted AI tool (Context.ai) whose compromise cascaded into a downstream enterprise breach — a canonical supply chain attack.
  • AML.T0012 (Valid Accounts): Stolen OAuth tokens constituted valid credentials, enabling authentication without triggering typical anomaly detection.
  • AML.T0047 (ML-Enabled Product or Service): Context.ai as an AI SaaS product was the attack surface entry point.
  • LLM05 (Supply Chain Vulnerabilities): Third-party AI tool integration introduced an uncontrolled dependency with excessive trust.
  • LLM07 (Insecure Plugin Design) / LLM08 (Excessive Agency): The ‘Allow All’ OAuth scope granted the AI tool disproportionate access to enterprise identity infrastructure.

Impact Assessment

A limited subset of Vercel customers had credentials exposed. Vercel has contacted affected customers and urged immediate credential rotation. The full scope of exfiltrated data remains under investigation with Mandiant engaged as incident responder. The $2 million asking price from ShinyHunters suggests the attacker believes the data has significant secondary market value, likely including API keys, deployment secrets, or customer PII embedded in environment variables.

Mitigation & Recommendations

  • Revoke broad OAuth grants from all third-party AI tools; enforce least-privilege scopes at the identity provider level.
  • Audit Google Workspace OAuth applications for the flagged app ID and any other unrecognised grants.
  • Rotate all Vercel environment variables not marked sensitive; migrate secrets to the sensitive tier immediately.
  • Enable Deployment Protection at Standard level or above and rotate Deployment Protection tokens.
  • Review deployment and activity logs for anomalous access patterns dating back to March 2026.
  • Establish policy prohibiting use of enterprise SSO credentials for personal or unapproved AI SaaS sign-ups.

References

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.