Vercel disclosed a security incident in which an attacker compromised a third-party AI tool (Context.ai) used by a Vercel employee, then leveraged stolen OAuth tokens to access Vercel's Google Workspace and internal environments. This exposed environment variables and credentials for a limited subset of customers. Context.ai had suffered an AWS breach in March; CrowdStrike investigated that breach but apparently missed the OAuth token compromise. The incident highlights the risks of agentic AI tools with broad OAuth permissions connecting to enterprise accounts.