
The Vercel Breach: The Steps To Take Now to Protect Your Organization

On April 19, 2026, Vercel disclosed a critical security breach originating from a compromised third-party AI tool, Context.ai. The threat actor, ShinyHunters, utilized an infostealer to harvest OAuth tokens, bypassed MFA to access Vercel's Google Workspace, and pivoted via SSO to bulk-extract customer environment variables containing highly sensitive cloud, database, and source code credentials.

Sens: Immediate | Conf: high | Analyzed: 2026-04-20

Actors: ShinyHunters

Source: Varonis

Key Takeaways

  • Vercel was breached via a compromised third-party AI productivity tool (Context.ai) used by an employee.
  • The threat actor, ShinyHunters, used stolen OAuth tokens to bypass MFA and access Vercel's Google Workspace.
  • Attackers pivoted via federated SSO to Vercel's internal systems and bulk-extracted customer environment variables.
  • Stolen data includes highly sensitive cloud access keys (AWS, Azure, GCP), database credentials, and GitHub tokens, currently being sold for $2 million.
  • Organizations must immediately revoke Context.ai access, rotate all Vercel-stored secrets, and audit cloud/GitHub logs for anomalous activity.

Affected Systems

  • Vercel
  • Context.ai
  • Google Workspace
  • AWS
  • Azure
  • GCP
  • GitHub

Attack Chain

The attack began when a Vercel employee's device was infected with an infostealer, compromising the Context.ai productivity tool and stealing its OAuth tokens. The attacker used these refresh tokens to regenerate access and completely bypass MFA, silently accessing the employee's Google Workspace account with full admin privileges. From there, the attacker leveraged federated SSO trust to pivot laterally into Vercel's internal platform. Finally, the attacker performed a bulk extraction of customer environment variables, exfiltrating sensitive API keys, OAuth tokens, and database credentials.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but recommends monitoring cloud provider logs, Google Workspace API controls, and GitHub audit logs for anomalous activity.

Detection Engineering Assessment

  • EDR Visibility: Low. The core of the attack occurred in cloud environments via OAuth token abuse and SSO pivoting, which bypasses traditional endpoint controls after the initial infostealer infection.
  • Network Visibility: Low. Cloud-to-cloud API interactions and federated SSO pivots are generally opaque to traditional on-premise network monitoring.
  • Detection Difficulty: Hard. Detecting this requires identifying anomalous usage of legitimate OAuth tokens and federated SSO pivots, which often blend in with normal administrative or automated CI/CD activity.

Required Log Sources

  • Google Workspace Audit Logs
  • AWS CloudTrail
  • Azure Activity Logs
  • GCP Audit Logs
  • GitHub Audit Logs
  • Vercel Audit Logs

Hunting Hypotheses

Each hypothesis is listed with its telemetry source, ATT&CK stage, and false-positive risk.

  • Anomalous access to Google Workspace using the Context.ai OAuth application originating from unexpected IP addresses or geolocations. (Telemetry: Google Workspace Audit Logs; ATT&CK Stage: Credential Access; FP Risk: Low)
  • Unusual bulk export or access of environment variables within Vercel or similar CI/CD platforms by an internal administrative account. (Telemetry: Vercel Audit Logs; ATT&CK Stage: Collection; FP Risk: Low)
  • Sudden usage of long-dormant cloud credentials (AWS, GCP, Azure) or GitHub tokens that were previously stored as environment variables in Vercel. (Telemetry: AWS CloudTrail, GitHub Audit Logs; ATT&CK Stage: Lateral Movement; FP Risk: Medium)

Control Gaps

  • MFA Bypass via OAuth refresh tokens
  • Lack of strict least-privilege scoping for third-party AI tools
  • Inadequate monitoring of federated SSO pivots

Key Behavioral Indicators

  • Usage of Context.ai OAuth Client ID 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com
  • Refresh token regeneration events without corresponding interactive logins
  • Bulk extraction API calls in Vercel

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Revoke access for Context.ai Client ID 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com in Google Workspace API Controls.
  • Rotate every secret stored in Vercel environment variables, prioritizing cloud credentials, database passwords, and GitHub tokens.
  • Check cloud provider logs (AWS CloudTrail, Azure Activity Log, GCP Audit Logs) for unusual activity in the past 30 days.
  • Check GitHub for unexpected webhooks, new deploy keys, or unfamiliar OAuth applications.
  • Review recent Vercel deployments to confirm they were triggered by authorized personnel.

Infrastructure Hardening

  • Mark all secrets in Vercel as 'Sensitive' to prevent credentials from being readable through the admin interface.
  • Ensure cloud service accounts used by Vercel enforce strict least-privilege permissions.

User Protection

  • Audit which AI tools and third-party applications have broad access to team Google or Microsoft accounts and revoke non-business-critical access.

Security Awareness

  • Educate employees on the risks of integrating third-party AI productivity tools with corporate identity suites.
  • Establish governance programs to track and control OAuth permissions granted by employees.

MITRE ATT&CK Mapping

  • T1528 - Steal Application Access Token
  • T1550.001 - Use Alternate Authentication Material: Application Access Token
  • T1078.004 - Valid Accounts: Cloud Accounts
  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1530 - Data from Cloud Storage

Additional IOCs

  • Other:
    • 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com - Context.ai Google OAuth Client ID