Full Report
A single third-party OAuth integration can become a direct path into your environment. Push explains how the Vercel breach shows a compromised OAuth app can lead to widespread impact across downstream customers. [...]
Analysis Summary
# Incident Report: Vercel Third-Party OAuth Supply Chain Breach
## Executive Summary
A Vercel employee’s integration of a deprecated third-party AI tool, Context.ai, created an unauthorized "shadow" bridge into Vercel’s Google Workspace. When Context.ai was compromised via an infostealer, attackers exploited stored OAuth tokens to access Vercel’s internal systems, including GitHub and NPM tokens. The incident highlights the critical risk of OAuth sprawl and the "shadow AI" supply chain.
## Incident Details
- **Discovery Date:** Not explicitly disclosed (Article dated April 29, 2026)
- **Incident Date:** Circa 2025/2026
- **Affected Organization:** Vercel (via Context.ai)
- **Sector:** Technology / Cloud Platform (SaaS/PaaS)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-incident (Undisclosed)
- **Vector:** Shadow IT / Unapproved OAuth Integration
- **Details:** A Vercel employee performed a self-service trial of a deprecated "AI Office Suite" by Context.ai, granting it OAuth permissions to their corporate Google Workspace account.
### Lateral Movement
- **Mechanism:** Token Reuse / Pivot
- **Details:** Attackers breached Context.ai (the third-party vendor) and accessed a database of stored OAuth tokens. They used the Vercel employee’s token to move from Context.ai’s environment into Vercel’s Google Workspace tenant.
### Data Exfiltration/Impact
- **Compromised Assets:** The attackers gained access to internal dashboards, employee records, API keys, NPM tokens, and GitHub tokens.
### Detection & Response
- **Discovery:** Resulted from the downstream impact of the Context.ai breach.
- **Response Actions:** (Likely) Token revocation and credential rotation for all exposed secrets (NPM, GitHub, API keys).
## Attack Methodology
- **Initial Access:** Infostealer infection at a third-party vendor (Context.ai employee searching for "Roblox cheats").
- **Persistence:** Programmatic OAuth grants (persistent bridges that remain active even if the app is no longer used).
- **Privilege Escalation:** Exploiting a high-permissioned employee account that had administrative/developer access.
- **Defense Evasion:** Use of legitimate OAuth tokens to bypass MFA and traditional login monitoring.
- **Credential Access:** Theft of OAuth tokens from the third-party’s database; subsequent theft of NPM/GitHub/API keys from Vercel.
- **Lateral Movement:** Third-party vendor environment to customer Google Workspace tenant.
- **Impact:** Supply chain compromise leading to potential downstream risk for Vercel’s own customers.
## Impact Assessment
- **Financial:** Not disclosed; costs associated with incident response and rotating production secrets.
- **Data Breach:** Exposure of internal dashboards, employee records, and developer secrets (NPM/GitHub).
- **Operational:** Disruption due to emergency credential rotation and security auditing.
- **Reputational:** Public disclosure of a security breach originating from unmanaged "Shadow AI" tools.
## Indicators of Compromise
- **Behavioral indicators:**
- API access from unusual IP addresses using legitimate OAuth tokens.
- Unusual activity on internal dashboards or developer platforms (GitHub/NPM) originating from third-party application service accounts.
## Response Actions
- **Containment:** Revocation of the Context.ai OAuth token.
- **Eradication:** Rotation of all NPM tokens, GitHub tokens, and API keys found in the compromised account.
- **Recovery:** Auditing logs for any unauthorized code commits or package modifications made during the window of access.
## Lessons Learned
- **OAuth Longevity:** OAuth connections are persistent and programmatic; they do not expire when an employee stops using the interface.
- **Third-Party Risk:** An organization's security is dependent on the security of every app an employee grants access to.
- **Shadow AI Risk:** High-speed adoption of AI tools often bypasses standard security reviews, creating invisible "shadow integrations."
## Recommendations
- **Inventory OAuth Apps:** Regularly audit and inventory all third-party OAuth integrations in Google Workspace, Microsoft 365, and Salesforce.
- **Least Privilege:** Implement policies to restrict the ability of non-admin employees to grant high-level OAuth permissions to unverified third-party apps.
- **Automated Revocation:** Use tools to automatically revoke OAuth tokens for apps that have been inactive for more than 30–90 days.
- **Vendor Risk Management:** Treat even "trial" AI tools as tier-one security dependencies if they require access to core corporate data.