News Score: Score the News, Sort the News, Rewrite the Headlines

The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables

Key takeaways:

- A compromised third‑party OAuth application enabled long‑lived, password‑independent access to Vercel’s internal systems, demonstrating how OAuth trust relationships can bypass traditional perimeter defenses.
- The impact was amplified by Vercel’s environment variable model, where credentials not explicitly marked as sensitive were readable with internal access, exposing customer secrets at platform scale.
- A publicly reported leaked‑credential alert predating disclosure highlights de...

Read more at trendmicro.com
