
Vercel Breach: How the Incident Unfolded and What We Know So Far

The breach that hit Vercel, the cloud platform that powers much of the modern web, did not begin with a brute-force attack or a known software vulnerability. It began when a Vercel employee used a third-party AI tool at work.

On April 19, 2026, Vercel confirmed that someone got into its internal systems. There was no zero-day. No brute force. The attacker first hit Context AI, a consumer “AI Office Suite” that one Vercel employee had signed up for using their work Google account. With “Allow All” permissions granted at signup, that one OAuth token became the key to everything.

How it played out

Back in February 2026, a Context AI employee downloaded malicious Roblox scripts. The scripts carried Lumma Stealer malware, which quietly grabbed credentials and OAuth tokens from the machine. Hudson Rock, the firm that traced this, says the haul included Google Workspace logins and keys for Supabase, Datadog, and AuthKit.

Context AI spotted unauthorised access to its AWS environment in March and shut it down. What they missed: OAuth tokens for some users had already been stolen. One of those tokens belonged to the Vercel employee. The attacker used it to take over their Workspace account, then walked into Vercel’s internal systems.

What got out

Vercel encrypts customer environment variables at rest. But it also lets you mark some as “non-sensitive,” and those are stored differently. Once inside, the attacker read those non-sensitive variables for a limited group of customer projects. Variables marked sensitive stayed locked. Next.js, Turbopack, and Vercel’s open-source projects were all confirmed safe.

CEO Guillermo Rauch said the attacker “moved with surprising velocity” and believes they were “significantly accelerated by AI.” A threat actor on BreachForums later listed the stolen data for $2 million under the ShinyHunters name. The real ShinyHunters group denied any involvement.

What you should do today

If you use Vercel, treat any non-sensitive environment variable as compromised and rotate it now. Turn on multi-factor authentication. Audit every OAuth app connected to your Google Workspace and revoke anything you do not recognise. Review your access logs from April 1 onwards.
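The OAuth audit step above is the one most teams have no tooling for. The script below is an added example, not from this article or from Vercel or Mitigata: it triages a dump of Workspace OAuth grants, flags any app whose client ID is not on an approved list, and marks for revocation any grant holding broad scopes such as full Gmail or Drive access. The record shape follows the Admin SDK Directory API `tokens` resource (clientId, displayText, scopes, userKey); the sample records, the approved-client list and the broad-scope table are constructed assumptions a team would replace with its own export and policy.

```python
"""Triage an export of Google Workspace OAuth grants.

Added example, not code from the article or from Vercel/Mitigata. The input
shape follows the Admin SDK Directory API `tokens` resource (clientId,
displayText, scopes, userKey); the records below are constructed sample data,
and the approved list and broad-scope table are assumptions to be tuned.
"""
import json

# Constructed sample: what an admin might collect by calling the Directory API
# tokens.list for each user. App names, client IDs and users are made up.
SAMPLE_EXPORT = json.dumps([
    {"userKey": "alice@example.com",
     "clientId": "1234.apps.googleusercontent.com",
     "displayText": "Approved Chat Tool",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "bob@example.com",
     "clientId": "9999-ctx.apps.googleusercontent.com",
     "displayText": "Consumer AI Office Suite",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/calendar"]},
    {"userKey": "carol@example.com",
     "clientId": "5555.apps.googleusercontent.com",
     "displayText": "Unknown Notes App",
     "scopes": ["https://www.googleapis.com/auth/userinfo.profile"]},
])

# Assumed: client IDs the security team has reviewed and approved.
APPROVED_CLIENT_IDS = {"1234.apps.googleusercontent.com"}

# Assumed: scopes broad enough that a stolen token yields account-wide access.
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/drive.readonly": "read all of Drive",
    "https://www.googleapis.com/auth/calendar": "full Calendar access",
    "https://www.googleapis.com/auth/admin.directory.user": "directory admin",
}


def triage_grants(export_json):
    """Return one finding per grant that needs a human decision.

    A grant is flagged when its client is not approved or when it holds any
    broad scope. Broad-scope grants are marked "revoke"; unknown apps with
    narrow scopes are marked "review". Clean grants produce no finding.
    """
    findings = []
    for grant in json.loads(export_json):
        reasons = []
        if grant["clientId"] not in APPROVED_CLIENT_IDS:
            reasons.append("client not in approved list")
        broad = [BROAD_SCOPES[s] for s in grant.get("scopes", []) if s in BROAD_SCOPES]
        if broad:
            reasons.append("broad scopes: " + ", ".join(broad))
        if reasons:
            findings.append({
                "user": grant["userKey"],
                "app": grant.get("displayText", grant["clientId"]),
                "client_id": grant["clientId"],
                "reasons": reasons,
                # Revocation in the Directory API is per user and client
                # (tokens.delete with userKey and clientId), so both are kept.
                "action": "revoke" if broad else "review",
            })
    # Worst first: revocations before reviews, then by user for stable output.
    findings.sort(key=lambda f: (f["action"] != "revoke", f["user"]))
    return findings


if __name__ == "__main__":
    for f in triage_grants(SAMPLE_EXPORT):
        print(f"{f['action'].upper():6} {f['user']:18} {f['app']:26} {'; '.join(f['reasons'])}")
```

Run against a real export, the "revoke" rows are the ones that match the pattern in this incident: a consumer app granted account-wide scopes from a work identity. Because the tokens never expire on their own, the list is only useful if someone acts on it and then re-runs the audit to confirm the grants are gone.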

Deleting a project will not save you. If your credentials are already out there, closing the door behind them does nothing.

Your perimeter is not your perimeter anymore. It includes every AI tool, browser extension, and SaaS app your employees sign into with their work accounts. One careless “Allow All” click can hand over the keys. And OAuth tokens do not expire on their own. They sit there, working silently, until someone revokes them.

This is exactly the gap most companies cannot see.

How Mitigata helps

At Mitigata, our Third-Party Risk Management service finds the shadow AI tools, OAuth grants, and vendor connections quietly putting your business at risk. We map your real exposure, flag the dangerous permissions, and help you fix them before someone else finds them first.

Talk to our team. One conversation could save you from a breach.

Sarang

Sarang Ashokan is a cybersecurity content writer at Mitigata. He writes SEO-focused content that breaks down complex security topics into clear, easy-to-understand ideas. His work helps businesses make sense of cyber risks and stay better prepared, whether they come from a technical background or not.
