Cloud development platform Vercel has confirmed a security incident after a threat actor claiming affiliation with the ShinyHunters group posted on a hacking forum asserting they had breached the company and were selling stolen data. The breach, which originated through a compromised third-party AI tool's Google Workspace OAuth integration, exposed environment variables and employee account data — raising serious concerns about the security of developer infrastructure and the risks posed by OAuth supply chain attacks.
What Happened: The Breach Timeline
Vercel's security advisory confirmed that unauthorized access occurred against certain internal systems. The company engaged external incident response experts, notified law enforcement, and began notifying affected customers. Initial statements were deliberately measured, but CEO Guillermo Rauch later provided a fuller account via X (formerly Twitter).
The root cause was the compromise of a Vercel employee's Google Workspace account through a breach at Context.ai, a third-party AI platform. The attacker exploited a malicious OAuth application registered under the following identifier:
OAuth App: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com
Once inside the employee's Google Workspace account, the attacker escalated access into Vercel's internal environments. From there, they were able to enumerate and access environment variables that had not been designated as sensitive — a distinction that determines whether variables are encrypted at rest on Vercel's platform.
The Technical Weak Point: Non-Sensitive Environment Variables
Vercel's architecture stores all customer environment variables fully encrypted at rest by default. However, the platform offers a feature that allows users to designate certain variables as "non-sensitive," which disables encryption at rest for those values under the assumption they contain non-critical data.
The attacker exploited this distinction. By enumerating the non-sensitive variables, they were reportedly able to obtain credentials and tokens that enabled further lateral movement inside Vercel's infrastructure.
"Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms to protect core systems and customer data," Rauch acknowledged. "We do have a capability, however, to designate environment variables as 'non-sensitive.' Unfortunately, the attacker got further access through their enumeration."
This highlights a common misconfiguration risk: the assumption that a variable is non-sensitive is itself a security decision that can have downstream consequences when systems are compromised.
What the Threat Actor Claims to Be Selling
The threat actor, posting under a name associated with the ShinyHunters brand, claimed on a hacking forum to be selling a substantial trove of stolen Vercel data. The alleged stolen materials include:
- Access keys and API keys, including NPM tokens and GitHub tokens
- Source code repositories
- Database data
- Access to internal deployments and employee accounts
As proof, the attacker shared a text file containing 580 Vercel employee records, including names, Vercel email addresses, account status flags, and activity timestamps. A screenshot purportedly showing an internal Vercel Enterprise dashboard was also circulated via Telegram. BleepingComputer was unable to independently authenticate the leaked data or screenshot.
The attacker also claimed to have entered into ransom negotiations with Vercel, allegedly demanding $2 million. Vercel did not publicly confirm or deny whether any ransom communications took place.
It is worth noting that threat actors tied to recent confirmed ShinyHunters operations have denied involvement in this specific incident to BleepingComputer, suggesting the attacker may be using the ShinyHunters brand opportunistically rather than being a verified member of the group.
Scope of Impact: What Is and Is Not Affected
Vercel confirmed that its core services remained operational throughout the incident and were not impacted. Critically, the company's investigation determined that Next.js, Turbopack, and its other open-source projects were not compromised and remain safe for continued use — an important clarification given Next.js's dominance in the React ecosystem.
The breach was described as affecting a "limited subset of customers," though Vercel has not publicly disclosed the exact number of impacted accounts or the full scope of what data was accessed beyond the employee records already published by the threat actor.
Vercel's Response and Remediation Steps
In response to the incident, Vercel has taken several immediate and longer-term actions:
- Engaged external incident response experts and notified law enforcement
- Rolled out an updated dashboard with an environment variable overview page and improved sensitive variable management interface
- Notified affected customers directly
- Advised all Google Workspace administrators to audit OAuth application approvals and revoke the identified malicious app
Customers are strongly advised to take the following steps immediately:
- Review all environment variables for sensitive information that may have been improperly designated as non-sensitive
- Enable the sensitive variable feature for any variable that contains credentials, tokens, or other confidential data to ensure encryption at rest
- Rotate secrets — including API keys, NPM tokens, GitHub tokens, and any other credentials stored in environment variables
- Audit Google Workspace OAuth app approvals and revoke any unrecognized or untrusted applications
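The first three customer steps above amount to finding credentials that were stored as non-sensitive variables and queuing them for rotation. The following Python check is added here as an example (it is not Vercel's own tooling) and runs over a constructed environment-variable export whose record shape (key, value, type) is an assumption; the token patterns cover the GitHub and npm prefixes named in the article plus AWS access key IDs.

```python
import json
import math
import re

# Constructed sample export in an assumed shape (one record per variable, "type" of
# "sensitive" = encrypted at rest, "plain" = the "non-sensitive" designation). Not real data.
SAMPLE_EXPORT = json.dumps([
    {"key": "NEXT_PUBLIC_API_BASE", "value": "https://api.example.com", "type": "plain"},
    {"key": "GITHUB_TOKEN", "value": "ghp_aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5", "type": "plain"},
    {"key": "NPM_TOKEN", "value": "npm_x9Y8z7W6v5U4t3S2r1Q0p9O8n7M6l5K4j3I2", "type": "plain"},
    {"key": "DATABASE_URL", "value": "postgres://app:Sup3rS3cret@db.internal:5432/prod", "type": "plain"},
    {"key": "STRIPE_SECRET", "value": "<redacted>", "type": "sensitive"},
])

# Credential formats with well-known prefixes: GitHub tokens, npm tokens, AWS access key IDs.
KNOWN_TOKEN_PATTERNS = {
    "github": re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})"),
    "npm": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
SUSPICIOUS_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY|DATABASE_URL", re.I)
CREDENTIAL_URL = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)

def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score above ~4.5, prose and URLs much lower."""
    if not s:
        return 0.0
    return -sum(n / len(s) * math.log2(n / len(s)) for n in (s.count(c) for c in set(s)))

def audit_env_export(export_json: str) -> list[dict]:
    """Return 'plain' (non-sensitive) variables that look like credentials, with reasons."""
    findings = []
    for var in json.loads(export_json):
        if var["type"] == "sensitive":
            continue  # encrypted at rest; value is not enumerable in plaintext
        value, reasons = var["value"], []
        reasons += [f"matches {n} token format" for n, p in KNOWN_TOKEN_PATTERNS.items() if p.search(value)]
        if CREDENTIAL_URL.match(value):
            reasons.append("connection string embeds a password")
        if SUSPICIOUS_NAME.search(var["key"]):
            reasons.append("variable name suggests a secret")
        if len(value) >= 20 and not value.startswith("http") and shannon_entropy(value) > 4.0:
            reasons.append("high-entropy value")
        if reasons:
            findings.append({"key": var["key"], "reasons": reasons, "action": "mark sensitive, then rotate"})
    return findings

if __name__ == "__main__":
    for finding in audit_env_export(SAMPLE_EXPORT):
        print(f'{finding["key"]}: {"; ".join(finding["reasons"])} -> {finding["action"]}')
```

Marking a variable sensitive only protects the value going forward; anything already enumerable in plaintext still needs rotation, which is why every finding carries both actions.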
The Broader Threat: OAuth and Third-Party AI Tool Risks
This incident is a textbook example of a supply chain attack vector that is growing increasingly common: an attacker compromises a trusted third-party service with broad OAuth access to enterprise Google Workspace accounts, then pivots into the primary target's environment using the delegated credentials.
OAuth tokens granted to third-party applications often carry extensive permissions, and organizations rarely audit or rotate them. As AI tools proliferate and request Google Workspace integrations for features like calendar access, email parsing, and document management, each integration creates a potential pivot point for attackers who compromise the AI vendor first.
Security teams should treat third-party OAuth grants as a first-class attack surface, applying the same scrutiny given to direct system access. Periodic reviews of authorized OAuth applications, principle of least privilege for granted scopes, and alerting on new OAuth app authorizations are all baseline controls that can limit blast radius in scenarios like this one.
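As an added illustration of the baseline controls just described (not code from Vercel or Google), this Python routine audits one user's OAuth grants in the shape returned by the Google Workspace Admin SDK Directory API tokens.list call: it flags the client ID from the advisory, broad scopes held by apps outside an allowlist, and grants absent from the previous audit (the new-authorization alert). The response body, allowlist, display names and scope list are constructed assumptions; the malicious client ID is the one quoted in the article.

```python
import json

# Client ID of the malicious OAuth app named in Vercel's advisory (value taken from the article).
MALICIOUS_CLIENT_ID = "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"

# Scopes that expose a whole mailbox, all of Drive, or the admin directory. An assumed,
# deliberately short list; extend it to match what your organisation considers high-risk.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Constructed sample in the shape of a Directory API users.tokens.list response for one user
# (clientId, displayText, scopes). Client IDs and names other than the malicious ID are made up.
SAMPLE_TOKENS = json.dumps({"kind": "admin#directory#tokenList", "items": [
    {"clientId": "approved-crm.apps.googleusercontent.com", "displayText": "Approved CRM",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"clientId": MALICIOUS_CLIENT_ID, "displayText": "AI assistant (constructed name)",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    {"clientId": "cal-helper.apps.googleusercontent.com", "displayText": "Calendar Helper",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]})

def audit_user_tokens(user: str, tokens_json: str, allowlist: set, previously_seen: set) -> list:
    """Flag a user's OAuth grants: the known-malicious client, broad scopes held by an app
    outside the allowlist, and any client not present at the last audit (new-grant alert)."""
    findings = []
    for tok in json.loads(tokens_json).get("items", []):
        cid, reasons = tok["clientId"], []
        if cid == MALICIOUS_CLIENT_ID:
            reasons.append("client ID named in Vercel advisory: revoke immediately")
        if cid not in allowlist:
            broad = sorted(BROAD_SCOPES.intersection(tok.get("scopes", [])))
            if broad:
                reasons.append("non-allowlisted app holds broad scopes: " + ", ".join(broad))
            if cid not in previously_seen:
                reasons.append("first seen since last audit")
        if reasons:
            # Revocation itself is the Directory API tokens.delete(userKey, clientId) call; not made here.
            findings.append({"user": user, "clientId": cid, "app": tok.get("displayText", ""), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_user_tokens("alice@example.com", SAMPLE_TOKENS,
                               allowlist={"approved-crm.apps.googleusercontent.com"}, previously_seen=set()):
        print(f["user"], f["app"], f["clientId"], "|", "; ".join(f["reasons"]))
```

Run per user on a schedule and persist the set of client IDs seen, so the "first seen" reason becomes the alert on new OAuth app authorizations rather than a one-off report.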
Conclusion
The Vercel breach underscores how a single compromised third-party integration can cascade into a serious incident affecting developer secrets, infrastructure access, and customer trust. While Vercel's core platform and open-source projects appear to have remained intact, the exposure of API keys, GitHub tokens, and NPM tokens through enumerated environment variables represents a significant supply chain risk for any downstream projects or pipelines relying on those credentials.
For the developer community, the key takeaway is clear: treat every environment variable as potentially sensitive, audit your OAuth application grants regularly, and never assume that a "non-sensitive" designation in a platform feature equals a security guarantee. Rotating secrets proactively — before a breach, not after — remains one of the highest-value, lowest-cost defenses available.