Vercel breach traced to compromised Context.ai OAuth app, non-sensitive env vars harvested
Original source: "Vercel confirms breach as hackers claim to be selling stolen data" (BleepingComputer)

Vercel disclosed that attackers reached internal systems through a third-party AI platform, Context.ai, whose compromise exposed a Vercel employee’s Google Workspace account. From there, the intruders pivoted into Vercel environments and enumerated environment variables that customers had not flagged as sensitive — a tier the platform explicitly leaves unencrypted at rest. That enumeration gave the attackers enough footholds to expand access further. Next.js, Turbopack, and other open-source projects were not affected, and core customer-designated sensitive variables remained encrypted.
A forum poster using the ShinyHunters handle is now selling what they claim is stolen data: NPM and GitHub tokens, source code, database records, access to internal deployments, and a 580-record file of Vercel employee metadata. Other actors tied to recent ShinyHunters activity have denied involvement, and BleepingComputer has not verified the samples. The seller also says they discussed a $2 million ransom with Vercel.
The failure mode here is architectural, not accidental. A two-tier secret model — encrypted “sensitive” variables alongside unencrypted “non-sensitive” ones — assumes developers correctly classify every value, and an OAuth trust relationship with a downstream AI vendor inherits that vendor’s blast radius. Vercel is now pushing customers to audit variables and enable the sensitive flag, and has shipped dashboard changes to make that classification more visible. Admins should also hunt for the disclosed Context.ai OAuth client ID across their Google Workspace tenants.
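As an added example (not from the article, BleepingComputer, or Vercel), the audit below flags variables that look like credentials but are not marked sensitive, so a team can find misclassified values before relying on the flag. It assumes the listing has been exported as a list of `{key, value, type}` objects where `type == "sensitive"` marks the flag; the sample data is constructed.

```python
"""Flag environment variables that look like secrets but lack the 'sensitive' flag."""
import math
import re
from collections import Counter

# Names that almost always hold credentials, regardless of the value.
SECRET_NAME_RE = re.compile(
    r"(TOKEN|SECRET|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY|ACCESS_KEY|DSN|CREDENTIAL)",
    re.IGNORECASE,
)

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score near 4-5, words and URLs lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_like_secret(key: str, value: str) -> bool:
    """True if the name is credential-like or the value is a long, high-entropy token."""
    if SECRET_NAME_RE.search(key):
        return True
    return len(value) >= 20 and " " not in value and shannon_entropy(value) > 4.0

def find_misclassified(envs: list[dict]) -> list[str]:
    """Keys of secret-looking variables whose type is not 'sensitive' (assumed API field)."""
    return [
        e["key"] for e in envs
        if e.get("type") != "sensitive" and looks_like_secret(e["key"], e.get("value", ""))
    ]

# Constructed sample listing; values are placeholders, not real credentials.
SAMPLE_ENVS = [
    {"key": "NEXT_PUBLIC_SITE_URL", "value": "https://example.com", "type": "plain"},
    {"key": "NPM_TOKEN", "value": "npm_placeholder_value_0000", "type": "plain"},
    {"key": "GITHUB_TOKEN", "value": "ghp_placeholder_value_0000", "type": "plain"},
    {"key": "UPLOAD_BUCKET", "value": "assets-prod", "type": "plain"},
    # Innocuous name, but a 32-char high-entropy value: caught by the entropy check.
    {"key": "ANALYTICS_ID", "value": "aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xY", "type": "plain"},
    {"key": "STRIPE_SECRET_KEY", "value": "sk_live_placeholder", "type": "sensitive"},
]

if __name__ == "__main__":
    for key in find_misclassified(SAMPLE_ENVS):
        print(f"not marked sensitive: {key}")
```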
This is an AI-generated summary. Read the original for the full story.