How an AI Tool Got Vercel Breached
On April 19, Vercel confirmed a breach traced to Context.ai, a third-party AI tool with broad OAuth scopes. The supply chain blind spot is universal.
On April 19, 2026, Vercel confirmed what threat actors had already started selling on BreachForums: an attacker reached the inside of Vercel’s infrastructure, walked off with environment variables, employee records, and access tokens, and is now trying to fence the proceeds for two million dollars.
Vercel did not get popped through a Vercel vulnerability. There was no zero-day in their platform. Their public surface held. The attacker came in through an AI tool an employee had connected to their Google Workspace account.
That tool was Context.ai, a third-party platform that builds AI agents trained on a company’s institutional knowledge. To do its job, Context.ai requested and received broad OAuth scopes into the employee’s Google Workspace, including deployment-level access. When attackers compromised Context.ai, those scopes worked exactly as designed. From there, getting into Vercel was a series of authenticated requests, not a hack of Vercel itself.
This is the supply chain attack pattern Swiss SMBs are least equipped to see, because the entry point is not infrastructure. It is a Tuesday afternoon Slack message that says “I signed us up for this AI tool, it’s pretty good.”
What Actually Happened
The chain looks roughly like this. Context.ai, a small AI agent platform, was breached through means not yet public. Attackers obtained tokens or credentials that let them act as legitimate Context.ai integrations against any customer environment that had granted Context.ai OAuth access.
One of those customer environments belonged to a Vercel employee. The Context.ai integration on that employee’s Google Workspace had Vercel deployment scopes, which means access to internal environments, build pipelines, and the secrets they referenced.
Using that access, the attacker reached Vercel. According to Vercel’s own bulletin and reporting from BleepingComputer, the data exposed includes:
- Environment variables that were not marked as “sensitive,” meaning they were stored unencrypted at rest. Attackers could read API keys, NPM tokens, GitHub tokens, and any other secret an engineer had pasted in without checking the sensitive box.
- 580 employee records containing names, emails, status, and timestamps.
- Internal deployment access through the compromised employee’s account.
ShinyHunters (or someone using that name, an attribution some members of the actual group deny) listed access keys, source code, and database data for sale on BreachForums for two million USD. The BreachForums post dropped on April 19. Vercel confirmed the breach the same day.
Vercel told customers to review their environment variables, mark anything sensitive as encrypted, and rotate any exposed secrets. They engaged Mandiant. The investigation is ongoing.
Why The CVSS Mental Model Fails Here
Most SMB security thinking is organized around CVEs. A vendor publishes a CVE, you check whether you are affected, you patch, you move on. It is a tidy mental model. It is also wrong about how breaches like this happen.
There is no CVE for Context.ai’s OAuth integration. There is no patch for “your engineer connected an AI tool to their Google Workspace.” There will not be a Patch Tuesday for the next AI tool that does the same thing in May.
The vulnerability here is structural. Modern SaaS makes it trivial to grant deep, persistent access to third-party tools. Click “Sign in with Google.” Approve the OAuth scopes the dialog asks for. The tool now has access to your mail, your drive, your deployment pipeline. The dialog is intentionally short because asking users to read fifteen scope descriptions kills the conversion rate of the SaaS tool’s sign-up funnel.
Security teams at large enterprises have tooling to inventory and approve OAuth grants per-application. Most SMBs do not. Most SMBs do not even know how many third-party apps their employees have connected to their company Google or Microsoft tenant.
The attacker who reached Vercel did not need to defeat Vercel’s security controls. They needed to find one of Vercel’s vendors, compromise that vendor, and ride the OAuth grants the rest of the way in.
The Same Pattern at SMB Scale
Vercel is a public company with a security team and a Mandiant retainer. The same compromise pattern at a Swiss SMB looks worse, not better.
A Treuhand office uses an AI summarization tool to take notes during client calls. The tool requested access to Google Calendar and Drive during onboarding because “we need to know which meetings to attend and which documents to reference.” The partner clicked Approve without reading the scope list. A year later, the AI tool gets compromised. Attackers can now read every Drive document the partner has access to, which at a Treuhand is every client’s tax return, every payroll file, every annual report, and every confidential memo.
A 30-person engineering firm uses a contract review SaaS that ingests Word documents. The OAuth grant gives it read access to the SharePoint document libraries. Compromise the SaaS, get the contracts, including the NDAs that reference the things in the other contracts.
A law firm uses a transcription service for interview recordings. The grant covers their case management Drive folders. Compromise the transcription service, get sealed case files.
None of these examples are theoretical. They are the same pattern as the Vercel breach, applied to less sophisticated targets with more sensitive data.
The Swiss NCSC recorded 64,733 cyber incident reports in 2025. It does not break out how many of those started with a compromised SaaS integration, but the percentage will trend up sharply. The attack works. The cleanup is brutal. The blast radius scales with how many SaaS tools the victim has connected.
What To Actually Do
Three things, in order of impact for the time you spend.
Audit your OAuth grants this week. In Google Workspace, the admin console under Security shows every third-party app connected by your users and the scopes each one has. In Microsoft 365, the equivalent is Enterprise Applications and Consent Permissions in Entra. Print the list. Look at every app you do not recognize. Look at the scopes on every app you do recognize. If something has Drive read access and you cannot remember why, revoke it.
Most SMBs have between five and fifty connected apps in tenants where they think they have three. The discovery itself is the first deliverable.
Reduce scope on the apps you keep. Many SaaS tools request more scopes than they strictly need because they want headroom for future features. If a tool only needs to read your calendar, do not let it write to your Drive. If a tool only needs to read your Drive, do not let it write to your mail. The OAuth dialog is the only chokepoint where you control what a future compromised tool can do.
Mark every secret as sensitive. This is the specific lesson from the Vercel breach. If your platform supports a “sensitive” or “encrypted at rest” flag for environment variables, configuration, or stored credentials, use it on everything that looks remotely sensitive. The Vercel attackers did not have to crack encryption. They read variables that had been stored as plain text because nobody flipped the switch.
For Vercel specifically, that switch is the per-variable Sensitive flag. For every other platform you use, the switch has a different name. Find it. Use it on everything.
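One way to work through the first two steps (audit, then reduce scope), added here as an example and not taken from Vercel or any vendor's tooling: collapse per-user grant records into one row per app and rank what to revoke or narrow. The records are constructed in the shape of Google's Admin SDK Directory API token listings; the app names, client IDs and the `JUSTIFIED` allow-list are assumptions.

```python
from collections import defaultdict

G = "https://www.googleapis.com/auth/"
# Google OAuth scopes that expose mail, files or calendars (not exhaustive).
HIGH_RISK = {"https://mail.google.com/", G + "gmail.readonly",
             G + "drive", G + "drive.readonly", G + "calendar"}
# Constructed sample in the shape of Admin SDK Directory API token records
# (userKey, clientId, displayText, scopes). Apps and client IDs are made up.
SAMPLE_TOKENS = [
    {"userKey": "anna@example.ch", "clientId": "111.example", "displayText": "Meeting Notes AI",
     "scopes": [G + "calendar.readonly", G + "drive"]},
    {"userKey": "ben@example.ch", "clientId": "111.example", "displayText": "Meeting Notes AI",
     "scopes": [G + "calendar.readonly", G + "drive"]},
    {"userKey": "ben@example.ch", "clientId": "222.example", "displayText": "Unknown PDF Tool",
     "scopes": [G + "drive.readonly"]},
    {"userKey": "anna@example.ch", "clientId": "333.example", "displayText": "Room Booking",
     "scopes": [G + "calendar.readonly"]},
]
# Hypothetical allow-list: clientId -> scopes someone can explain a need for.
JUSTIFIED = {"111.example": {G + "calendar.readonly"},
             "333.example": {G + "calendar.readonly"}}

def inventory(tokens):
    """Collapse per-user token records into one entry per OAuth client."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "scopes": set()})
    for t in tokens:
        app = apps[t["clientId"]]
        app["name"] = t.get("displayText") or t["clientId"]
        app["users"].add(t["userKey"])
        app["scopes"].update(t.get("scopes", []))
    return apps

def triage(tokens, justified):
    """Return (action, app, user_count, excess_scopes) rows, worst first."""
    rank = {"revoke-or-justify": 0, "reduce-scope": 1, "keep": 2}
    rows = []
    for cid, app in inventory(tokens).items():
        # An unrecognised app has no justified scopes, so every grant is excess.
        excess = sorted(app["scopes"] - justified.get(cid, set()))
        action = ("revoke-or-justify" if cid not in justified
                  else "reduce-scope" if excess else "keep")
        rows.append((action, app["name"], len(app["users"]), excess))
    # Worst action first, then most high-risk excess scopes, then most users.
    return sorted(rows, key=lambda r: (rank[r[0]],
                                       -sum(s in HIGH_RISK for s in r[3]), -r[2]))

if __name__ == "__main__":
    for action, name, users, excess in triage(SAMPLE_TOKENS, JUSTIFIED):
        print(f"{action:18} {name:18} users={users} excess={excess}")
```

The allow-list is the part that takes human work: every scope in it should have a named owner who can say why the tool needs it.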
Where Sentinel and Hacked Fit
A note on honesty. Sentinel scans the public IP attack surface. It will tell you what services are exposed, what versions are running, what known vulnerabilities those versions carry. It does not audit your OAuth grants. It cannot tell you whether Context.ai has Drive read on your tenant. The Vercel breach is not a Sentinel-shaped problem.
What Sentinel does cover is the related question: while you are auditing OAuth, are you also leaking data through misconfigured services on your perimeter? Most environments have both problems. The OAuth audit is one workstream. The exposed-services scan is another. Sentinel handles the second one in 30 minutes for free.
Hacked is the post-breach question. After a compromise like Vercel’s, the worst part is not knowing what was actually accessed. The attacker had read access to a long list of resources for an unknown window of time. Some they took, some they ignored. Logs may or may not show the difference.
Endolum Hacked plants tracked Word and Excel files in sensitive locations. If an attacker who has reached your file shares opens one, you get an alert with their location and device fingerprint. It does not prevent the breach. It tells you when one is happening, in the window where you can still cut access. For organizations whose worst-case scenario is “we don’t know what was taken,” tracked documents are the nearest thing to a tripwire that exists for unstructured data.
The Pattern Going Forward
The Vercel incident will not be the last AI-tool supply chain breach this year. The economics favor the attackers: AI tooling is being adopted faster than security review can keep up, every new tool requests broad OAuth scopes by default, and attackers only need to compromise the weakest link in the SaaS chain to reach the strongest.
Other recent supply chain stories have followed similar shapes. The Notepad++ chrysalis attack involved compromised plugin distribution. The MoltBook leak showed what happens when AI-assisted development creates security gaps the team does not understand. Apache ActiveMQ’s 13-year-old bug is a different shape but the same lesson: software you depend on is software you have implicitly trusted, and that trust is the asset attackers steal.
The takeaway is unglamorous and not especially marketable. Inventory what you have given access to. Reduce what you can. Watch the rest. The companies that will get burned next are the ones still treating supply chain as somebody else’s problem.
Vercel was unlucky in the specifics. Plenty of others will be unlucky next.