In April, popular cloud hosting platform Vercel disclosed a security breach stemming from a compromised third-party AI tool called Context.ai. Attackers exploited a stolen OAuth token from Context.ai to take over a Vercel employee’s Google Workspace account. This granted the hacker access to Vercel’s internal systems and allowed them to enumerate “non-sensitive” environment variables (plain-text secrets) belonging to a limited set of customer projects. While Vercel’s encrypted secrets and core services (including Next.js, Turbopack, and its npm packages) were unaffected, exposed API keys and credentials forced affected customers to urgently rotate secrets and bolster security. The incident highlights the growing risk of supply-chain attacks via OAuth integrations: an attacker breached a small AI vendor, then “walked in” to hundreds of downstream targets by abusing broad permissions.
Read More