The Vercel Breach Wasn't a Phishing Attack. It Was an AI Supply Chain Compromise.
- Patrick Duggan
- 1 day ago
Earlier today we published our investigation into the Vercel breach, tracking ShinyHunters-pattern phishing domains and finding vercel-sso.com staged seven months before the announcement. That was the wrong thread.
The root cause just dropped. Vercel CEO Guillermo Rauch confirmed it: an employee was compromised through Context.ai, a third-party AI platform. Context.ai had a Google Workspace OAuth app. That app was separately compromised. The attacker used the OAuth token to pivot from Context.ai into Vercel's internal systems.
Read that again. The breach didn't start at Vercel. It started at an AI tool vendor that had OAuth access to Vercel's Google Workspace.
This is a new pattern. Not new-new — OAuth abuse has been around forever. But the combination is new: AI tool vendors now hold OAuth tokens to hundreds of enterprise Google Workspaces simultaneously. Compromise one AI vendor, pivot into every customer. One key opens every door.
The kill chain: Attacker compromises Context.ai. Context.ai has a Google Workspace OAuth app authorized by Vercel employees. The OAuth token grants access to Vercel's internal Google Workspace data. From there, the attacker reaches environment variables, API keys, internal systems. The BreachForums post follows. The $2 million ask follows.
Vercel says environment variables not marked as "sensitive" should be treated as compromised. Variables marked sensitive use protection mechanisms that prevent read-back — no evidence those were accessed. But anything that wasn't flagged sensitive is burned.
The scale of this is not one company. Context.ai's OAuth app was authorized across hundreds of organizations. Vercel is the one that went public. Others may not know yet.
Here's what makes this different from a standard third-party breach:
AI tools are the fastest-growing category of OAuth integrations in enterprise environments. Every team installs them. The AI assistant that reads your Slack, the meeting summarizer that records your Zoom, the code reviewer that accesses your GitHub, the analytics tool that reads your Google Workspace. Each one holds an OAuth token. Each one is a potential pivot point.
The question for every security team tonight: how many AI tools have OAuth access to your Google Workspace? Can you list them? Do you audit them? When one of those vendors gets popped, what's your blast radius?
We checked vercel-sso.com and found it staged since September 2025. That may have been a parallel attack path that wasn't needed — the OAuth route was cleaner. No phishing page required. No employee clicking a link. Just a compromised vendor with a valid token.
ShinyHunters, or whoever is wearing the mask, didn't need to phish Vercel's employees. They phished the AI vendor's employees instead. Or maybe they didn't even need to phish anyone — if Context.ai had a vulnerability in their own platform, the OAuth tokens were just sitting there.
We've updated our investigation folder with the root cause. The domain staging finding still stands — vercel-sso.com is still registered, still resolving, and still wasn't Vercel's. But the actual entry vector was worse than a phishing domain. It was trust.
If you're running AI tools with OAuth access to production systems, audit them tonight. Not tomorrow. Tonight.
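One way to answer the inventory question above, as an added example (not code from Vercel, Context.ai or this blog): it groups per-user OAuth grants, in the shape the Google Admin SDK Directory API `tokens.list` call returns (`clientId`, `displayText`, `userKey`, `scopes`), into a per-app view of who authorized each app and which broad scopes it holds. The sample records, app names and the list of scopes treated as high-risk are constructed assumptions.

```python
from collections import defaultdict

# Assumption: scope prefixes this example treats as broad data access; tune to policy.
HIGH_RISK_PREFIXES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.",
    "https://www.googleapis.com/auth/cloud-platform",
)
# drive.file only covers files the app created or the user opened with it.
NARROW_EXCEPTIONS = {"https://www.googleapis.com/auth/drive.file"}

def is_high_risk(scope):
    return scope not in NARROW_EXCEPTIONS and scope.startswith(HIGH_RISK_PREFIXES)

def blast_radius(tokens):
    """Group per-user grants by OAuth client; rank by broad scopes, then user count."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "risky": set()})
    for t in tokens:
        app = apps[t["clientId"]]
        app["name"] = t.get("displayText", "")
        app["users"].add(t["userKey"])
        app["risky"].update(s for s in t.get("scopes", []) if is_high_risk(s))
    rows = [
        {"client_id": cid, "name": a["name"],
         "users": sorted(a["users"]), "risky_scopes": sorted(a["risky"])}
        for cid, a in apps.items()
    ]
    return sorted(rows, key=lambda r: (-len(r["risky_scopes"]), -len(r["users"]), r["client_id"]))

G = "https://www.googleapis.com/auth/"
# Constructed sample grants (userKey shown as an email for readability).
SAMPLE_TOKENS = [
    {"clientId": "111-constructed.apps.googleusercontent.com", "displayText": "Example AI Notetaker",
     "userKey": "alice@example.com", "scopes": [G + "drive", G + "calendar"]},
    {"clientId": "111-constructed.apps.googleusercontent.com", "displayText": "Example AI Notetaker",
     "userKey": "bob@example.com", "scopes": [G + "drive", G + "gmail.readonly"]},
    {"clientId": "222-constructed.apps.googleusercontent.com", "displayText": "Example Sign-In Only",
     "userKey": "carol@example.com", "scopes": ["openid", G + "userinfo.email"]},
    {"clientId": "333-constructed.apps.googleusercontent.com", "displayText": "Example Doc Helper",
     "userKey": "alice@example.com", "scopes": [G + "drive.file"]},
]

if __name__ == "__main__":
    for row in blast_radius(SAMPLE_TOKENS):
        flag = "REVIEW" if row["risky_scopes"] else "ok"
        print(f'{flag:6} {row["name"]:22} users={len(row["users"])} {row["risky_scopes"]}')
```

The user list for each flagged app is the set of accounts whose data a stolen vendor token could reach, which is the blast radius to plan revocation around.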
Vercel's security bulletin: vercel.com/kb/bulletin/vercel-april-2026-security-incident
Our earlier investigation: dugganusa.com/post/shinyhunters-claims-vercel-the-real-shinyhunters-says-it-wasn-t-them-we-checked-
Our STIX feed includes ShinyHunters IOCs (20 indicators, 10 IPs, 10 phishing domains) and is updated continuously: analytics.dugganusa.com/stix/pricing