Vercel suffered a major security breach when an attacker compromised the AI tool Context.ai, gaining access to employee credentials and internal systems through overly permissive OAuth settings.
Vercel, the cloud platform behind the widely used Next.js web framework, has acknowledged a security breach after an attacker compromised a third-party AI tool called Context.ai and used it to gain access to a Vercel employee's enterprise Google Workspace account. The breach exposed non-sensitive environment variables, and a threat actor operating under the ShinyHunters name has claimed responsibility, reportedly seeking $2 million for the stolen data.
According to Vercel's bulletin, the breach didn't start with them but instead with Context.ai, an enterprise AI platform that builds agents trained on company-specific knowledge. At least one Vercel employee had signed up for Context.ai's AI Office Suite using their corporate account and granted it "Allow All" OAuth permissions, Context.ai explained in its own security notice, which says that "Vercel's internal OAuth configurations appear to have allowed this action to grant these broad permissions in Vercel's enterprise Google Workspace."
The attacker exploited that broad access to take over the employee's Vercel Google Workspace account and move laterally into internal systems.
The Attack Chain: From Malware to Multi-Million Dollar Ransom
Cybersecurity firm Hudson Rock claims to have traced Context.ai's own compromise back further to an employee infected by Lumma Stealer malware after downloading Roblox game exploit scripts in February. The stolen credentials reportedly included Google Workspace logins along with keys for Supabase, Datadog, and Authkit, Hudson Rock reported, but Vercel hadn't independently confirmed this at the time of writing.
Context.ai also acknowledged that it detected and blocked unauthorized access to its AWS environment in March, but said it later learned the attacker had also compromised OAuth tokens for some consumer users.
Vercel described the attacker as "highly sophisticated based on their operational velocity and detailed understanding of Vercel's systems." The company said environment variables marked as "sensitive" are encrypted at rest and were not accessed, but that variables stored without that designation should be treated as potentially exposed.
Supply Chain Security Implications
The breach highlights critical vulnerabilities in modern software supply chains, particularly around third-party AI tool integration. When employees grant broad OAuth permissions to AI tools that require deep access to corporate systems, they create potential attack vectors that can be exploited through supply chain compromises.
This incident demonstrates how a compromise at one vendor (Context.ai) can cascade through the supply chain to impact major platforms like Vercel. The attacker's ability to move laterally from the compromised AI tool into Vercel's internal systems shows how interconnected modern cloud infrastructure has become.
Response and Mitigation
Vercel has engaged Google-owned incident response firm Mandiant, notified law enforcement, and contacted a limited subset of affected customers directly. The company instructed customers to audit activity logs, rotate any API keys, tokens, or database credentials stored in non-sensitive environment variables, and review recent deployments for anything unexpected.
Vercel has since rolled out new dashboard features, including an overview page for environment variables and an improved interface for managing sensitive variable settings. CEO Guillermo Rauch said on X that the company had analyzed its supply chain and confirmed that Next.js, Turbopack, and its other open source projects weren't affected.
The breach serves as a stark reminder of the security risks inherent in granting broad permissions to third-party tools, especially AI platforms that require extensive access to corporate data. Organizations must carefully evaluate the security posture of AI tool providers and implement strict access controls to prevent similar incidents.
The incident also raises questions about the security practices of AI tool providers and the potential for malware infections through seemingly unrelated activities like downloading game scripts. As AI tools become increasingly integrated into corporate workflows, the attack surface expands, requiring more robust security measures and vendor vetting processes.
Comments
Please log in or register to join the discussion