Vercel Breach

Updated: April 20, 2026

See all Executive Briefings.

Executive Summary

Why It Matters

Vercel, the developer platform behind Next.js, Turborepo, and a significant portion of modern web deployments, has disclosed unauthorized access to internal systems. Vercel confirmed the attack originated from a compromised third-party AI tool (Context.ai) with an Allow All Google Workspace OAuth grant from a Vercel employee. This allowed the attacker to take over the employee’s Workspace account and pivot into Vercel’s internal environments. The core lesson is about OAuth governance and third-party AI tool risk, not npm supply chain risk.

The most urgent action for readers is a 60-second check: every Google Workspace administrator should verify whether the compromised OAuth app ID has been granted access in their tenant and revoke it if so. That IOC is in the Indicators of Compromise section below.

Business stakes: Vercel stated that Next.js and Turbopack projects were not affected, which narrows the most extreme supply-chain scenario from the original claims. However, customer environment variables not marked as “sensitive” were readable, which means API keys, database credentials, and third-party tokens for affected customers should be treated as potentially exposed. For organizations whose products are built on Vercel and shipped to customers (including those subject to the EU Cyber Resilience Act), this is a material third-party supply chain risk worth raising at the executive level.

Separately, this is (at least) the second major supply chain incident in approximately 30 days, following the TeamPCP campaign in March. The pattern across both incidents is the same: attackers are targeting the trust relationships developer-platform companies have with third-party tools and dependencies, not the platforms’ perimeter defenses. Baseline OAuth and npm hygiene controls are relevant to any organization, not just Vercel customers.

Impact

• Vercel has confirmed: unauthorized access to certain internal systems via a compromised Context.ai OAuth token; a limited subset of customers impacted and contacted directly; incident response experts engaged (Mandiant); law enforcement notified; services operational. Vercel indicated that Next.js and Turbopack were not affected.
• Confirmed attack chain (per Vercel and Context.ai advisories): attacker compromised Context.ai’s Google Workspace OAuth app (possibly via a Lumma Stealer infection of a Context.ai employee in February 2026, per Hudson Rock). The OAuth app had been authorized with “Allow All” scope by a Vercel employee using their corporate Google account, which gave the attacker persistent access to that employee’s Workspace and, through it, some Vercel internal environments.
• Customer data impact: environment variables not marked as “sensitive” in Vercel were readable and should be treated as exposed. This includes API keys, database credentials, signing keys, and third-party tokens stored in Vercel. Values explicitly marked as “sensitive” are encrypted at rest and Vercel has no evidence they were accessed.
• ShinyHunters claimed (partially refuted): ShinyHunters posted a BreachForums listing claiming Vercel source code, employee data, and Vercel-owned NPM and GitHub publishing tokens, asking $2M USD. Vercel has publicly stated that Next.js and Turbopack packages were not affected, which contradicts the most alarming supply-chain claim in the listing. The employee directory and other elements have not been independently verified.
• Broader OAuth app impact: Vercel has stated the same Context.ai OAuth compromise “potentially affects hundreds of users across many organizations.” Any Google Workspace tenant where a user authorized the Context.ai app should treat that user’s Workspace as potentially compromised.

Key Actions

Immediate (60 seconds): if you administer a Google Workspace tenant, check for the Context.ai OAuth app and revoke if present. Specific IOC is in the Indicators of Compromise section. If you deploy on Vercel, treat environment variable review as an immediate task, not a routine one. Detailed prioritized response actions are in the Full Analysis & Recommendations section below.

Important Notes

• This is a developing story. Vercel updated their bulletin on April 19 (6:01 PM PST) with the initial access vector and published the OAuth IOC. Additional detail has since come from Context.ai’s advisory, Vercel CEO Guillermo Rauch’s public statements, and reporting from Hudson Rock, Mandiant, and TechCrunch. Attribution of the Context.ai root cause to Lumma Stealer is Hudson Rock’s reporting and is not yet independently corroborated.
• The incident appears to be part of an active ShinyHunters campaign targeting SaaS integrations and stolen tokens, not a Vercel-specific failure. The same group has claimed Rockstar Games (April 13, via Anodot then Snowflake) and McGraw-Hill (April 14, Salesforce) in the seven days preceding this incident.
• If you ship a product to others on Vercel, evaluate downstream notification obligations as Vercel’s scope clarifies. Customer contracts, data processing agreements, and regulatory regimes (including the EU Cyber Resilience Act, GDPR, and US state privacy laws) may require notification of incidents involving third-party platforms that handle customer data. Coordinate with legal counsel before Vercel widens its impact statement, not after.

Full Analysis & Recommendations

Incident Overview

Vercel published a security bulletin stating that unauthorized access had been obtained to certain internal Vercel systems. Vercel engaged IR experts, notified law enforcement, and indicated it was directly contacting affected customers. Services remained operational at the time of writing.

Approximately five hours earlier, at roughly 02:02 AM PT on April 19, threat actor ShinyHunters posted a listing on BreachForums offering Vercel data and access for sale at $2 million USD. The listing claimed an internal employee directory; multiple employee accounts with access to internal deployments; API keys including NPM and GitHub tokens; and sample data extracted from Vercel’s internal Linear workspace as proof of access. The threat actor explicitly framed the listing as a potential Next.js-based supply chain attack.

Update (4/20/2026)

Vercel updated its bulletin on April 19 at 6:01 PM PST with the initial access vector. The attack originated with a compromise of Context.ai, a third-party AI tool used by a Vercel employee. The attacker gained control of Context.ai’s Google Workspace OAuth app, used it to take over the Vercel employee’s Google Workspace account, and from there accessed Vercel environments and environment variables that were not marked as “sensitive.” Vercel CEO Guillermo Rauch publicly stated that Next.js and Turbopack projects were not affected, contradicting the most severe supply chain claim in the BreachForums listing. Vercel is working with Mandiant, additional cybersecurity firms, industry peers, and law enforcement. Trend Micro’s analysis suggests the intrusion may have begun around June 2024, implying a long dwell time prior to detection.

Hudson Rock subsequently reported that a Context.ai employee was infected with Lumma Stealer in February 2026 via a Roblox cheat download, which harvested Google Workspace credentials plus keys for Supabase, Datadog, and Authkit, including the support@context.ai account. This is assessed as the likely root cause of the Context.ai compromise but has not been independently corroborated.

What Is Confirmed vs. What Is Claimed

Table revised per Vercel’s April 19 update and subsequent reporting. Rows in red are new or substantially changed since initial publication on April 19.

Threat Actor Context

ShinyHunters is a financially motivated extortion group active since at least 2020, responsible for a long list of breaches across industries. In April 2026, the group has been publicly active at an unusually high tempo:

• April 13, 2026, Rockstar Games: Claimed access to Rockstar’s Snowflake data via compromised Anodot (a third-party SaaS analytics platform) tokens. Extortion demand issued on the group’s leak site.
• April 14, 2026, McGraw-Hill: Public confirmation of a Salesforce-based breach following an extortion threat.
• April 19-20, 2026, Vercel: Current incident. Initial access via compromised Context.ai Google Workspace OAuth app. Rauch characterized the attacker as “highly sophisticated” and “significantly accelerated by AI.”

Prior 2026 victims attributed to the group include the European Commission, Aura, Cisco, and Telus. The pattern is consistent: targeting SaaS integrations (Snowflake, Salesforce, OAuth apps connected to Google Workspace, Linear, GitHub) rather than perimeter exploitation; stolen authentication tokens as the primary access mechanism; API-level access once inside; and extortion via BreachForums or a dedicated leak site.

Detection Signals

Vercel has published one specific indicator of compromise; additional IOCs are expected as the investigation progresses. As additional signals become available, watch for:

• Unexpected outbound traffic from build agents or developer machines following installs of Vercel-maintained packages.
• Anomalous releases or commits in the Vercel GitHub organization, particularly to Next.js, Turbo, or Turborepo.
• Unexpected Vercel deployment activity (new team members, configuration changes, or deployments outside normal hours).
• Google Workspace OAuth grants to unfamiliar third-party apps, especially apps requesting broad or “Allow All” scopes.
• Activity in the Context.ai OAuth app (see IOC below), even if your organization uses Context.ai legitimately.

Indicators of Compromise

Vercel has published the following OAuth application client ID as an IOC. Google Workspace administrators should check for any grants to this app in their tenant and revoke immediately if found.

OAuth App Client ID: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com

Prioritized Response Actions

Tier 1: For Vercel Customers and Google Workspace Administrators

Roughly a half-day to one-day task for a typical engineering team. Larger organizations with many Vercel projects, multiple GitHub orgs, or many integrated tokens should budget proportionally more.

• Check Google Workspace for the Vercel-published IOC (60 seconds). In Google Admin Console: Security > Access and data control > API controls > App access control > Manage Third-Party App Access. Search for 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. If found, revoke and block immediately, and treat any user who granted it as potentially compromised. This check is relevant to every Google Workspace tenant, not just Vercel customers: Vercel has stated the same OAuth app may have been granted access in hundreds of other organizations.
• Restrict third-party app OAuth scopes at the Workspace level. In Google Admin Console, configure “unconfigured third-party apps” to basic-info-only scopes (name, email, profile) by default. Require administrator review for any app requesting broader scopes such as Drive, Gmail, or Calendar access. This is the durable governance lesson from this incident.
• Rotate non-sensitive environment variables. Any secret, token, API key, database credential, signing key, or third-party credential stored in Vercel as a regular (non-“sensitive”) environment variable should be treated as potentially exposed. Rotate and redeploy. Vercel has confirmed that variables marked “sensitive” are encrypted at rest and not known to have been accessed, but most teams have not proactively adopted the sensitive flag, so rotation of non-sensitive values is expected.
• Move high-value secrets into Vercel’s sensitive environment variable feature if not already done.
• Audit and rotate Vercel-associated tokens, including Deployment Protection tokens. In the Vercel dashboard under Account Settings > Tokens: rotate deployment tokens, team access tokens, and personal access tokens tied to Vercel integrations. Per Vercel’s updated guidance, also rotate Deployment Protection bypass tokens if configured.
• Disconnect and reconnect your GitHub integration. This invalidates stale OAuth tokens between GitHub and Vercel. While Vercel has not confirmed GitHub integration token compromise, this is a low-cost defensive step.
• Review Vercel activity for the past 60 days in the Vercel activity log (or via the CLI). Check deployment logs, team member changes, unexpected deployments, token grants, and project configuration changes for anything unusual. Vercel specifically recommends deleting any deployments that look suspicious.
• Set Deployment Protection to Standard at minimum, per Vercel’s updated bulletin recommendation.
• Monitor Vercel’s bulletin for updates, and watch for direct communication from Vercel if you are a potentially affected customer.

Tier 2: For Organizations Consuming npm Packages (Any Source)

Vercel has stated Next.js and Turbopack were not affected by this breach, which reduces the urgency of pinning Vercel-maintained packages specifically. However, the controls below remain valid general npm-supply-chain hygiene, elevated in priority by the broader threat landscape (the TeamPCP campaign in March demonstrated the structural risk). They apply whether or not you consume Vercel-maintained packages. Each control is primarily a configuration change plus a build-validation cycle, but items 1 and 2 carry operational tradeoffs that should be reviewed before broad rollout.

• Enforce a minimum package age before installation. Run npm config set min-release-age 3 (npm CLI 11.10.0 or later, released February 2026) to require packages to have been published for 3 days before they can be installed. pnpm, Yarn, and Bun have equivalent settings (with different names and units). This control would have blocked most downstream installs of the malicious Trivy releases in the TeamPCP campaign (which were live for approximately 48 hours before takedown). Operational tradeoff: this delays installation of legitimate emergency security patches by the same window. For genuine emergencies, override per-install with —min-release-age 0. If you use Dependabot or Renovate, also configure their cooldown settings (cooldown.default-days in dependabot.yml, or minimumReleaseAge in Renovate) to match, or those tools will create PRs for versions npm cannot yet install.
• Use —ignore-scripts in CI/CD pipelines where possible. This prevents preinstall, install, and postinstall hooks from executing, removing one of the most common delivery mechanisms for npm-based malware (the CanisterWorm component of the TeamPCP campaign used a postinstall hook that ran automatically on every npm install). Operational tradeoff: many legitimate packages rely on install scripts (native modules such as sharp, node-gyp, bcrypt; tooling such as husky for git hooks). Enabling this globally without preparation will break builds. Mitigations: prefer prebuilt native binaries where the package offers them, run a two-phase install (install with —ignore-scripts then npm rebuild only for an explicit allowlist of trusted packages), or move git-hook setup out of postinstall into an explicit setup step.
• Monitor for anomalous releases from publishers you depend on (including, but not limited to, Vercel-maintained packages). Any release that deviates from a project’s normal cadence, contributor pattern, or build output warrants scrutiny.
• Inventory direct and transitive dependencies on any single vendor. Tools such as npm ls, npm-why, or your SBOM tooling can surface single-vendor concentration risk in your dependency graph.

Sources

• Vercel April 2026 security incident (Vercel Knowledge Base, last updated April 20, 2026)
• The Hacker News: Vercel breach tied to Context AI hack exposes limited customer credentials (April 20, 2026)
• TechCrunch: Vercel confirms customer data stolen via breach at Context AI (April 20, 2026)
• Trend Micro: The Vercel breach — OAuth supply chain attack exposes hidden risk in platform environment variables
• Help Net Security: Vercel breached via compromised third-party AI tool (April 20, 2026)
• Exposure Security Executive Briefing: TeamPCP Supply Chain Attack
• Theo Browne (t3.gg) thread on X regarding the Vercel incident
• Help Net Security: Rockstar Games breach attributed to ShinyHunters (April 13, 2026)
• Rescana: McGraw-Hill Salesforce data breach analysis (April 2026)
• Vercel sensitive environment variables documentation

This briefing is part of Exposure Security's ongoing executive intelligence series. For questions about how this applies to your organization specifically, contact us.