Vercel Security Breach Originates from Third-Party AI Tool Compromise

Vercel, a cloud development platform, recently confirmed that an unauthorized party gained access to some of its internal systems. This has led to an active investigation involving top cybersecurity firms, law enforcement, and other companies in the field.

The breach, disclosed through a formal Security Bulletin, originated not from a direct attack on Vercel's own infrastructure but from a compromise of a third-party AI tool used by an employee.

Vercel is a cloud platform for frontend developers, specializing in hosting websites and web apps. Valued at over one billion dollars, it serves a global customer base of developers and organizations. The incident raises questions about risks from third-party software integrations, especially AI tools in daily workflows.


How the Attack Began

The incident did not start inside Vercel. According to the investigation, it originated with a compromise of Context.ai, a third-party AI tool an employee used. The attacker leveraged that foothold to take over the employee's Vercel Google Workspace account, then gained access to some Vercel environments and environment variables not marked as 'sensitive.'

Environment variables marked as 'sensitive' in Vercel are stored so they cannot be read back in plaintext. The company said it has no evidence those protected values were accessed.

This is a classic example of connected access points being used in sequence: the attacker used the compromised AI tool to reach the employee's Google Workspace account, and from there Vercel environments. Vercel described the attacker as 'highly sophisticated,' citing their speed and in-depth knowledge of Vercel's infrastructure.

CEO Guillermo Rauch's Statement

Rauch discussed the event publicly, providing a firsthand account. 'A Vercel employee got compromised via the breach of an AI platform customer called Context.ai that he was using. Through a series of maneuvers that escalated from our colleague's compromised Vercel Google Workspace account, the attacker got further access to Vercel environments,' he wrote on X.

He continued: 'Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms. Unfortunately, the attacker got further access through their enumeration.'

Rauch pointed to the threat actor's nature, suggesting AI assistance. 'We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI. They moved with surprising velocity and in-depth understanding of Vercel.'

He noted the number of directly affected customers is limited. 'At the moment, we believe the number of customers with a security impact to be quite limited. We've reached out with utmost priority to the ones we have concerns about.'

Rauch addressed the supply chain, confirming Vercel's open-source projects were reviewed. 'We've analyzed our supply chain, ensuring Next.js, Turbopack, and our many open source projects remain safe.'

He closed with a commitment to transparency: 'It's my mission to turn this attack into the most formidable security response imaginable. I commit to keeping you updated and rolling out extensive improvements.'

In a follow-up, Rauch addressed a misconception: 'Deletion does not imply Rotation. Rotating keys means invalidating the previous value with the vendor/service you're using. If you only delete the resource on the Vercel side, the associated key can live on and be mis-used.'

Impact and Customer Guidance

Vercel identified a limited subset of customers whose non-sensitive environment variables were compromised. The company contacted them directly and recommended immediate rotation of credentials. For others, Vercel said, 'If you have not been contacted, we do not have reason to believe that your Vercel credentials or personal data have been compromised at this time.'

The bulletin carries a caution: deleting a project or account is not sufficient. Compromised secrets may still provide access via third-party services, so keys must be invalidated directly with providers.

npm Supply Chain

Vercel confirmed that no npm packages published by Vercel were tampered with. 'In collaboration with GitHub, Microsoft, npm, and Socket, our security team has confirmed that no npm packages published by Vercel have been compromised. There is no evidence of tampering, and we believe the supply chain remains safe.'


Indicator of Compromise

Vercel published an OAuth app identifier used in the attack: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. Google Workspace administrators should check for this app.

Brendan Falk, founder of Hercules.app, provided a walkthrough: 'To check if your Google Workspace has been compromised by the same tool that compromised Vercel: 1. Go to Google Admin Console > Security > Access and Data Control > API Controls > Manage app access > Accessed Apps. 2. Filter by ID = 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. If you see an app, you have potentially been compromised.'
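For administrators who prefer to check exported audit data rather than the console, the following added example (not from Vercel's bulletin or from Falk's post) scans OAuth token audit records for the published client ID and reports which users granted it access, with which scopes, and whether the grant was later revoked. It assumes records shaped like the Admin SDK Reports API 'token' activity output; the sample export, user addresses, timestamps and second client ID are constructed.

```python
import json

# OAuth client ID published by Vercel as the indicator of compromise.
IOC_CLIENT_ID = "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"
DRIVE = "https://www.googleapis.com/auth/drive"


def _ev(ts, user, name, client_id, scopes=()):
    """Build one constructed record in the assumed Reports API 'token' layout."""
    params = [{"name": "client_id", "value": client_id},
              {"name": "scope", "multiValue": list(scopes)}]
    return {"id": {"time": ts}, "actor": {"email": user},
            "events": [{"name": name, "parameters": params}]}


# Constructed sample export, deliberately out of chronological order.
SAMPLE_EXPORT = json.dumps({"items": [
    _ev("2000-01-03T10:00:00Z", "ops@example.com", "revoke", IOC_CLIENT_ID),
    _ev("2000-01-01T09:00:00Z", "dev@example.com", "authorize", IOC_CLIENT_ID, [DRIVE, "openid"]),
    _ev("2000-01-02T08:00:00Z", "ops@example.com", "authorize", IOC_CLIENT_ID, ["openid"]),
    _ev("2000-01-02T09:00:00Z", "pm@example.com", "authorize",
        "000000000000-constructed.apps.googleusercontent.com", ["openid"]),
]})


def find_ioc_grants(export_json, client_id=IOC_CLIENT_ID):
    """Return {user: {"active", "scopes", "last_event"}} for grants to client_id."""
    records = []
    for item in json.loads(export_json).get("items", []):
        for ev in item.get("events", []):
            p = {x["name"]: x.get("multiValue") or x.get("value")
                 for x in ev.get("parameters", [])}
            if p.get("client_id") == client_id:
                records.append((item["id"]["time"], item["actor"]["email"], ev["name"], p))
    result = {}
    for ts, user, name, p in sorted(records, key=lambda r: r[0]):  # oldest first
        entry = result.setdefault(user, {"active": False, "scopes": set()})
        if name == "authorize":
            entry["active"] = True
            scopes = p.get("scope") or []
            entry["scopes"].update([scopes] if isinstance(scopes, str) else scopes)
        elif name == "revoke":
            entry["active"] = False  # still listed: the app held access at some point
        entry["last_event"] = ts
    for entry in result.values():
        entry["scopes"] = sorted(entry["scopes"])
    return result


if __name__ == "__main__":
    for user, info in find_ioc_grants(SAMPLE_EXPORT).items():
        print(user, info)
```
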

Recommendations for Customers

Vercel recommends reviewing and rotating non-sensitive environment variables, including API keys, tokens, database credentials, and signing keys. Customers should also use the sensitive environment variables feature going forward. Review activity logs for suspicious activity, investigate recent deployments, and delete questionable ones. Set Deployment Protection to Standard at minimum and rotate Deployment Protection tokens if configured. Enable multi-factor authentication, configure an authenticator app, and create a passkey.

Product Changes

Vercel has shipped several updates: environment variable creation now defaults to sensitive, team-wide management has been improved, the activity log is easier to use and supports deep-linking, and team-invite emails are clearer.

Investigators Involved

Vercel is working with Mandiant, additional cybersecurity firms, industry peers, and law enforcement. It has also engaged Context.ai directly. Rauch thanked the Google Mandiant team for their assistance.

The investigation is ongoing. The bulletin has been updated several times since April 19 and 20, adding new information about the attack's origin, recommendations, and product improvements.

Broader Lesson on Third-Party AI Risk

The incident highlights risks from third-party AI tools with OAuth integrations granting significant access. A compromise at the tool level can directly compromise accounts. Google Workspace administrators should audit which apps have been granted access and revoke unused or overly permissive ones.