The Vercel Hack Play-by-Play

Jake Epstein


Vercel is the company behind Next.js, Turbopack, and v0. It hosts a large share of modern web apps, and much of the consumer-facing AI ecosystem - OpenAI, Anthropic, xAI - runs on Vercel infrastructure. Hundreds of thousands of applications deploy through it because the deal is simple: push a branch, Vercel builds and serves it, and your secrets live in its environment variables.

Yesterday Vercel confirmed that a portion of those secrets had been read by an attacker who never exploited a flaw in Vercel's own systems. The pivot in was an AI office assistant that one Vercel employee had wired into their Google Workspace. That tool had been compromised two months earlier, when one of its own employees ran a Roblox cheat that carried Lumma Stealer.


A Context.ai admin's laptop was infected with Lumma Stealer in February. Lumma is a commodity infostealer that reads browser sessions, autofill fields, and saved passwords. Among the credentials it exfiltrated were the support@context.ai account and the OAuth tokens Context.ai uses to reach into its customers' Google Workspaces.

In March, Context.ai detected the attacker probing its AWS environment and blocked it. The OAuth surface was not investigated, so the attacker's grip on customer Workspaces remained live. Vercel was not notified at the time.

In April, the attacker used a Context.ai OAuth app with "Allow All" permissions to read mail, drive, and session tokens from a Vercel employee's account. From there they reached Vercel's internal environments and pulled every environment variable not flagged as "sensitive." Sensitive variables are stored unreadably by design. Everything else was retrievable: API keys, database URLs, signing secrets, NPM and GitHub tokens. Vercel describes the attacker as showing "detailed understanding of Vercel's systems."

The IOC Vercel published is an OAuth client ID beginning 110671459871. If it appears in your Google Workspace audit logs, you're in the same boat.

On April 19, a threat actor using the ShinyHunters brand listed the data on BreachForums for $2 million and opened a parallel ransom channel on Telegram. The listing itemized access keys, source code, database exports, internal deployment artifacts, NPM and GitHub tokens, a text file of 580 Vercel employee records, and screenshots of Vercel's internal enterprise dashboards. Actual ShinyHunters members told BleepingComputer they had no involvement, pointing to a copycat or lone actor borrowing the name.

Vercel's guidance to affected customers is narrow. Rotate anything stored in a non-sensitive environment variable. Run vercel env pull and treat the output as if it is already on a forum somewhere. Flip the sensitive flag on any secrets going forward. Mandiant and law enforcement are engaged.

AI assistants reason well only when they have context, and the way modern AI productivity tools deliver context is by asking you to connect everything - Gmail, Drive, Slack, Salesforce, Jira, GitHub - and then holding the OAuth tokens for all of them server-side, so their agents can call your tools on your behalf while you sleep. Context.ai markets 300+ such integrations. A customer that connects ten of them has handed Context.ai persistent credentials to ten pieces of their stack. The "Allow All" grant that the Vercel employee approved was not a misconfiguration; it was the product working as designed.

That aggregation is the failure mode. When Lumma Stealer took the support@context.ai account in February, the attacker did not gain access to one user's mail. They gained access to the OAuth grants Context.ai was holding on behalf of the customers whose tools it was integrated into. The Vercel employee who authorized Context.ai had effectively extended Workspace access to whoever could reach Context.ai's infrastructure. Two months later, someone did. Security has spent two decades building least-privilege access and zero-trust architectures to prevent exactly this pattern. AI productivity tools are the first mainstream category that cannot function under those constraints, because they are only useful when they can see across tools at once.
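As an added example (not from the post, Vercel, or Context.ai), the check the IOC paragraph above asks for, extended to the aggregation point of this section: a scan over Google Workspace token-audit events in the Reports API shape that flags grants to the published client-ID prefix and any third-party grant carrying broad mail or drive scopes. The sample events, app names and the set of "broad" scopes are constructed assumptions.

```python
# Added example: review Workspace OAuth grants (Reports API, applicationName=token)
# for the Vercel IOC client-ID prefix and for broad mail/drive scopes.
VERCEL_IOC_PREFIX = "110671459871"   # prefix Vercel published; full ID not on the page
# Assumed "broad" scopes worth a human review; adjust to your own policy.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
}
# Constructed sample activities; real ones come from the Reports API.
SAMPLE_ACTIVITIES = [
    {"actor": {"email": "alice@example.com"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "client_id", "value": "110671459871-abc.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Assistant (constructed)"},
         {"name": "scope", "multiValue": ["https://mail.google.com/",
                                         "https://www.googleapis.com/auth/drive"]}]}]},
    {"actor": {"email": "bob@example.com"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "client_id", "value": "999999999999-xyz.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Calendar helper (constructed)"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/calendar.readonly"]}]}]},
]

def _params(event):
    # Flatten the Reports API parameter list into {name: value-or-list}.
    out = {}
    for p in event.get("parameters", []):
        out[p["name"]] = p.get("multiValue", p.get("value"))
    return out

def review_grants(activities, ioc_prefix=VERCEL_IOC_PREFIX, broad=BROAD_SCOPES):
    """Return (user, finding, detail) tuples for IOC matches and broad-scope grants."""
    findings = []
    for act in activities:
        user = act.get("actor", {}).get("email", "?")
        for ev in act.get("events", []):
            if ev.get("name") != "authorize":   # only new grants, not revocations
                continue
            p = _params(ev)
            cid = str(p.get("client_id", ""))
            raw = p.get("scope") or []
            scopes = set([raw] if isinstance(raw, str) else raw)
            if cid.startswith(ioc_prefix):
                findings.append((user, "ioc_match", cid))
            if scopes & broad:
                findings.append((user, "broad_scope", p.get("app_name", cid)))
    return findings
```

Any "ioc_match" row is a user to treat as compromised per Vercel's guidance; "broad_scope" rows are the grants that make a single vendor a pooled credential store.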

Vercel illustrates the downstream. Its platform serves 6 million developers; v0 alone counts more than 4 million users and generated 9.6 million projects in 2025; Google's 2025 DORA report finds 90% of developers now use AI tools at work. A breach at Vercel touches a disproportionate share of infrastructure that no human reviewed line by line. But the path in was not Vercel's weak point. It was an AI tool designed to hold keys to everything. The next breach of this shape will not be Vercel; it will be whichever AI productivity tool a large company has wired into its CRM, its codebase, or its CI system. Broad context is what makes AI useful. Pooling the credentials that provide that context inside a single vendor is what makes it the new central point of failure in the software supply chain.



The Vercel Hack Play-by-Play – Inktype