Web infrastructure company Vercel had data stolen via a third-party AI application that an employee signed up for with a work Google account.

A threat actor claiming to be "shinyhunters" says they grabbed access keys, GitHub and npm tokens, and more from Vercel's systems.

Vercel, known for developing the popular React framework Next.js, was compromised through an employee using Context.ai, an AI platform whose Google Workspace OAuth app had been separately compromised.

Attackers gained access to the employee's Google Workspace account and some Vercel environments via the compromised app.

Users who shipped any applications with the likes of Claude Code or Cursor in recent months and didn't click the "sensitive" flag when pasting variables into their Vercel dashboards should be the first to rotate credentials.

Vercel said in a blog post on Sunday "the incident originated from a small, third-party AI tool whose Google Workspace OAuth app was the subject of a broader compromise, potentially affecting its hundreds of users across many organizations."

After taking over the employee's Google account via a compromised OAuth token, attackers could "gain access to some Vercel environments and environment variables that were not marked as 'sensitive'".

Vercel has also published the compromised Google Workspace OAuth app ID as an indicator of compromise: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com.

The company is urging all Google Workspace administrators to audit their tenants for usage of the app immediately.
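One way to run that audit offline, as an added example rather than code from Vercel or Google: the script below scans an exported OAuth token audit log for the published client ID and reports which users granted it, with what scopes, and whether the grant is still live. The record shape (`actor.email`, `events[].name` of `authorize`/`revoke`, `client_id` and `scope` parameters) is assumed to match Admin SDK Reports API token activity; the users, timestamps and second client ID are constructed.

```python
import json

# OAuth client ID published by Vercel as an indicator of compromise (from the article).
IOC_CLIENT_ID = "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"

def _event(time, email, name, client_id, scopes=()):
    """Build one constructed record in the assumed Reports API 'token' item shape."""
    params = [{"name": "client_id", "value": client_id},
              {"name": "scope", "multiValue": list(scopes)}]
    return {"id": {"time": time}, "actor": {"email": email},
            "events": [{"name": name, "parameters": params}]}

# Constructed sample export; users, times and the second client ID are made up.
OTHER = "000000000000-constructed.apps.googleusercontent.com"
DRIVE = "https://www.googleapis.com/auth/drive"
SAMPLE_EXPORT = json.dumps({"items": [
    _event("2026-03-09T10:02:00Z", "bob@example.com", "authorize", IOC_CLIENT_ID, [DRIVE]),
    _event("2026-03-01T08:00:00Z", "alice@example.com", "authorize", IOC_CLIENT_ID,
           ["https://mail.google.com/", DRIVE]),
    _event("2026-03-05T12:30:00Z", "alice@example.com", "revoke", IOC_CLIENT_ID),
    _event("2026-03-07T09:15:00Z", "carol@example.com", "authorize", OTHER, [DRIVE]),
]})

def find_ioc_grants(export_json, client_id=IOC_CLIENT_ID):
    """Map each user who granted the IoC app to scopes, first grant time and live status."""
    hits = {}
    items = json.loads(export_json).get("items", [])
    # Process oldest first so a later revoke overrides an earlier authorize.
    for item in sorted(items, key=lambda i: i["id"]["time"]):
        email = item.get("actor", {}).get("email", "<unknown>")
        for ev in item.get("events", []):
            p = {x["name"]: x.get("multiValue", x.get("value")) for x in ev.get("parameters", [])}
            if str(p.get("client_id", "")).strip().lower() != client_id.lower():
                continue
            rec = hits.setdefault(email, {"scopes": set(), "first_grant": None, "active": False})
            if ev["name"] == "authorize":
                rec["scopes"].update(p.get("scope") or [])
                rec["first_grant"] = rec["first_grant"] or item["id"]["time"]
                rec["active"] = True
            elif ev["name"] == "revoke":
                rec["active"] = False
    return hits

if __name__ == "__main__":
    for user, rec in sorted(find_ioc_grants(SAMPLE_EXPORT).items()):
        state = "ACTIVE" if rec["active"] else "revoked"
        print(f"{user}: {state}, first grant {rec['first_grant']}, scopes={sorted(rec['scopes'])}")
```

Revoked grants are kept in the output on purpose: the window between first grant and revocation is the period to review for that account.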

Vercel CEO Guillermo Rauch said in an update on X that customer data in Vercel systems is stored "fully encrypted at rest" and the company has multiple defense-in-depth mechanisms in place for core systems. However, customers can designate environment variables as "non-sensitive".

Rauch said through rapid, methodical probing the attackers were able to enumerate non-sensitive environment variables to escalate further access.

"We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI. They moved with surprising velocity and in-depth understanding of Vercel."

Rauch also said Vercel has audited its open-source supply chain, writing on X: "We've analyzed our supply chain, ensuring Next.js, Turbopack, and our many open source projects remain safe for our community."

Vercel said it is working closely with Mandiant and other cybersecurity researchers to analyse the attack.

Context is key

Infostealer intelligence firm Hudson Rock said on Monday it had discovered what the researchers believe to be the origins of the attack.

According to the firm, a Context.ai employee who had sensitive access privileges was compromised via the malware-as-a-service Lumma Stealer in February 2026.

Hudson Rock, which says it had access to the compromised machine, reported corporate credentials were stolen, including "Google Workspace credentials, as well as keys and logins for Supabase, Datadog, and Authkit."

Logs from the infected machine's browser history showed the user was downloading Roblox gaming exploits like "auto-farm" scripts, a notorious vector for info-stealer attacks.

The firm said the February 2026 infection is the only record it has of a Context.ai compromise in the window preceding the Vercel breach, leading them to believe these credentials were the ones leveraged to execute the attack.

A threat actor using the alias "ShinyHunters" listed the stolen data for sale on the cybercrime forum BreachForums for $2 million, according to BleepingComputer and other outlets that viewed the post before it was removed.

However, threat actors linked to recent ShinyHunters-attributed attacks have denied to BleepingComputer that they are involved in this incident.

Security researcher Florian Roth commented: "If one compromised path was enough to expose access to Google Workspace, Supabase, Datadog, Authkit and Vercel-related admin resources, then the problem was not just the infostealer. The problem was too much access, weak separation, missing limits and security monitoring that failed to highlight highly suspicious activity on that account. The mantra should be: 'assume compromise'."

Even more context

Context.ai released a statement on Sunday saying the breach was via a consumer account that a Vercel employee had signed up for using their work email.

The company has separately disclosed a March 2026 incident involving unauthorised access to its AWS environment, which it investigated with CrowdStrike, but it has not publicly detailed the initial intrusion vector.

The statement said, "During the incident last month, the unauthorized actor also likely compromised OAuth tokens for some of our consumer users. We also learned that the unauthorized actor appears to have used a compromised OAuth token to access Vercel's Google Workspace."

They added, "Vercel is not a Context customer, but it appears at least one Vercel employee signed up for the AI Office Suite using their Vercel enterprise account and granted 'Allow All' permissions."

Context.ai went further, pointing at Vercel's own Workspace configuration as part of the problem: "Vercel's internal OAuth configurations appear to have allowed this action to grant these broad permissions in Vercel's enterprise Google Workspace."

The company said its enterprise customers, which run on customer-owned environments, were unaffected, and that it has since shut down the consumer AI Office Suite product. Context.ai said it was aware its consumer application was breached and worked with CrowdStrike to harden its environment.

The Vercel CEO's statement said "a Vercel employee got compromised via the breach of an AI platform customer called Context.ai that he was using. The details are being fully investigated."

Rauch added that Vercel's response is a top priority and that the company is working directly with the limited subset of customers it has identified as affected.

Context.ai, Vercel and Hudson Rock have not responded to The Stack's request for comment at the time of publication.
