Vercel breached via AI tool

- Cloud platform Vercel was breached after an employee granted a third-party AI tool broad Google Workspace access.
- Attackers used an infostealer and are reportedly seeking $2 million for stolen data.
- Reports tie the intrusion to a compromised third-party AI tool, highlighting how tool permissions can expose enterprise data (tomshardware.com).

Vercel said on April 19 that attackers got into internal systems through a third-party artificial intelligence tool connected to an employee’s Google Workspace account. (vercel.com, bleepingcomputer.com)

The company said the intruder accessed a limited subset of customer data, including some environment variables not marked “sensitive,” and contacted affected customers directly. Vercel also said projects tied to Next.js and Turbopack open-source code were not affected. (vercel.com, thehackernews.com)

Environment variables are the hidden settings apps use for things like database passwords, application programming interface keys, and service credentials. Vercel stores variables flagged as “sensitive” in a non-readable form, but variables without that flag can still expose useful internal details if stolen. (siliconangle.com, thehackernews.com)

The access path ran through OAuth, the sign-in system that lets one service act inside another after a user clicks approve. Security researchers told Dark Reading that stolen OAuth tokens now function like reusable badges that can let attackers move across cloud tools without stealing a password each time. (darkreading.com, healthcareinfosecurity.com)

Multiple reports tied the breach to Context.ai, an “agentic” artificial intelligence tool a Vercel employee had authorized with broad Google Workspace permissions. The Hacker News reported that attackers then used that access to reach Vercel’s internal environment and a limited set of customer credentials. (thehackernews.com, infoworld.com)

BleepingComputer reported that a threat actor claiming ties to ShinyHunters is trying to sell the stolen data for $2 million. Vercel told the outlet it had engaged incident responders, notified law enforcement, and continued its investigation after the sale post appeared. (bleepingcomputer.com, theoutpost.ai)

Hudson Rock said the intrusion may have started even earlier with an infostealer infection on a Context.ai employee device in February 2026. That part of the timeline comes from cybercrime telemetry, not from Vercel’s own bulletin, and Vercel has publicly described the root cause as a compromise involving the third-party tool. (infostealers.com, vercel.com)

The incident lands as companies give more software agents permission to read email, calendars, documents, and admin panels with a single consent screen. In this case, the breach did not begin with a software flaw in Vercel’s code; it began with delegated access inside a workplace identity system. (darkreading.com, healthcareinfosecurity.com)

Vercel’s immediate advice was narrow but concrete: if the company contacted you, rotate exposed credentials and review environment variables that were not marked sensitive. The larger cleanup now sits with Vercel, its affected customers, and any company still letting outside tools keep broad workspace access after the first login prompt. (vercel.com, thehackernews.com)
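For teams reviewing which outside tools still hold broad workspace access, the following is an added example (not code from Vercel or any of the cited reports) that flags third-party OAuth grants carrying wide Google Workspace scopes. It assumes input shaped like the Admin SDK Directory API `tokens.list` response; the sample grants, app names, client IDs and the choice of which scopes count as "broad" are constructed for illustration.

```python
import json

# Scopes that grant wide read or write access to Workspace data (a non-exhaustive
# sample chosen for this example; extend it for your own tenant).
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/drive.readonly": "read all Drive files",
    "https://www.googleapis.com/auth/calendar": "full Calendar access",
    "https://www.googleapis.com/auth/admin.directory.user": "manage directory users",
}

# Constructed sample shaped like an Admin SDK Directory API tokens.list response.
SAMPLE = json.loads("""
{"items": [
  {"userKey": "dev@example.com", "clientId": "1111.apps.googleusercontent.com",
   "displayText": "Example AI Assistant",
   "scopes": ["openid", "https://mail.google.com/",
              "https://www.googleapis.com/auth/drive"]},
  {"userKey": "dev@example.com", "clientId": "2222.apps.googleusercontent.com",
   "displayText": "Example Diagram Tool",
   "scopes": ["openid", "https://www.googleapis.com/auth/drive.file"]}
]}
""")

def audit_grants(token_list, allowlist=frozenset()):
    """Return one finding per third-party grant that holds a broad scope."""
    findings = []
    for grant in token_list.get("items", []):
        if grant.get("clientId") in allowlist:
            continue  # app already reviewed and approved
        broad = sorted(s for s in grant.get("scopes", []) if s in BROAD_SCOPES)
        if broad:
            findings.append({
                "user": grant.get("userKey"),
                "app": grant.get("displayText"),
                "clientId": grant.get("clientId"),
                "broad_scopes": broad,
            })
    return findings

if __name__ == "__main__":
    for f in audit_grants(SAMPLE):
        reasons = ", ".join(BROAD_SCOPES[s] for s in f["broad_scopes"])
        print(f"{f['user']}: {f['app']} ({f['clientId']}) -> {reasons}")
```

Grants that are flagged and no longer needed can be revoked per user in the Workspace admin console; revoking the grant invalidates the tokens issued under it.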
