
The Vercel Breach: How an AI Tool OAuth Token Became a $2M Supply Chain Nightmare

ducky
2026-05-25


The Incident

In April 2026, cloud platform Vercel (the company behind Next.js) suffered a major breach that began with something simple: an employee connected a third-party AI analytics tool called Context.ai to their corporate Google Workspace account using OAuth [citation:3].

The attack chain unfolded in stages:

  1. Initial compromise — An infostealer (Lumma Stealer) compromised a Context.ai employee's endpoint through a seemingly innocent Roblox cheat download in February 2026 [citation:3].

  2. Token theft — Attackers exfiltrated OAuth tokens from Context.ai's systems, including one belonging to a Vercel employee who had granted "Allow All" permissions when signing up for Context.ai's AI Office Suite [citation:3].

  3. Lateral movement — Using that valid OAuth token, attackers accessed the Vercel employee's Google Workspace account, then moved into other Vercel internal environments with what the Vercel CEO described as "surprising velocity and in-depth understanding" of their systems [citation:3].

  4. Data exfiltration — Environment variables, API keys, tokens, and database credentials were all potentially exposed. The group claiming responsibility (operating under the ShinyHunters name) is reportedly asking $2 million for the stolen data, describing it as the foundation for "the largest supply chain attack ever" [citation:3].

Why Traditional IAM Failed

The breach wasn't caused by a missing patch or a zero-day exploit. It was a structural identity governance failure.

The Clean Source Principle at work: The moment the Vercel employee granted Context.ai "Allow All" OAuth access, Context.ai's infrastructure became a clean source dependency for Vercel's identity environment. The security of Vercel's Google Workspace became partly dependent on Context.ai's AWS security and the endpoint security of Context.ai's employees — none of which Vercel controlled or monitored [citation:3].

Non-human identity blind spot: Context.ai wasn't just a software tool in this scenario. It was a non-human identity (NHI) with delegated rights to act inside Vercel's enterprise identity infrastructure. Every AI tool employees connect to corporate accounts is, structurally, an NHI with a token and permissions — operating entirely outside traditional IAM governance [citation:3].

The gap between intended access and attack paths: IAM answers "who has intended access." Identity Attack Path Management answers a different question: "What happens when that access is abused, and what can an adversary reach from it?" Most organizations cannot answer the second question [citation:3].
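The second question can be answered mechanically once delegated access is modeled as a graph. The following is an added example, not taken from any of the cited analyses: it computes what is reachable from one compromised identity and which intermediate nodes, if revoked, sever every path to critical assets. The graph, node names and the choice of critical assets are constructed assumptions.

```python
from collections import deque

# Constructed identity graph (all names hypothetical).
# An edge A -> B means "whoever controls A can reach B".
EDGES = {
    "vendor-endpoint": ["vendor-token-store"],
    "vendor-token-store": ["oauth-grant:employee"],
    "oauth-grant:employee": ["workspace:employee"],
    "workspace:employee": ["internal-dashboard", "shared-drive"],
    "internal-dashboard": ["env-vars"],
    "env-vars": ["prod-database"],
    "oauth-grant:contractor": ["shared-drive"],
}
CRITICAL = {"env-vars", "prod-database"}  # assumption: assets worth protecting

def reach(edges, start, blocked=frozenset()):
    """BFS from start, skipping blocked nodes; returns {node: parent}."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in parent and nxt not in blocked:
                parent[nxt] = node
                queue.append(nxt)
    return parent

def attack_paths(edges, start, critical):
    """Shortest path from a compromised identity to each critical asset."""
    parent = reach(edges, start)
    paths = {}
    for target in sorted(critical & parent.keys()):
        path, cur = [], target
        while cur is not None:
            path.append(cur)
            cur = parent[cur]
        paths[target] = path[::-1]
    return paths

def cut_points(edges, start, critical):
    """Intermediate nodes whose removal severs every path to critical assets."""
    base = reach(edges, start)
    if not critical & base.keys():
        return []  # nothing critical is reachable, so nothing needs cutting
    mid = set(base) - {start} - critical
    return sorted(n for n in mid if not critical & reach(edges, start, {n}).keys())

if __name__ == "__main__":
    print(attack_paths(EDGES, "vendor-endpoint", CRITICAL))
    print(cut_points(EDGES, "vendor-endpoint", CRITICAL))
```
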

The Bigger Picture: 2026 IAM Crisis

The Vercel breach is not an isolated incident. It reflects three converging trends:

1. Invisible Identities Now Outnumber Managed Ones

According to Orchid Security's May 2026 Identity Gap report, "invisible identity" (identity dark matter) now outweighs visible identity across enterprise environments — 57% to 43%. Further, 67% of non-human accounts are created directly within applications, unseen and unmanaged by IAM programs [citation:10].

2. AI Agents Are Exploiting Identity Gaps at Machine Speed

Cisco President Jeetu Patel recently noted at RSAC 2026 that 85% of enterprises are running AI agent pilots, while only 5% have reached production. The 80-point gap is a trust problem, not a capability problem [citation:5].

As Roy Katmor, CEO of Orchid Security, put it: "AI agents discover and exploit identity control gaps and exposures in a way and at a speed we've never seen before. If there's a shortcut in your environment, an autonomous system will find it" [citation:10].

3. Non-Human Identities Are the Largest Attack Surface

Research shows organizations now manage roughly 144 non-human identities for every single human employee — a 56% increase in just twelve months. Yet IBM's 2025 breach report found that 97% of organizations compromised via AI lacked formal access controls for their agents [citation:2].

What This Means for Identity Governance

Traditional IAM was built for people. Humans log in occasionally, operate within one domain at a time, and follow predictable patterns. AI agents do none of these things. They operate 24/7, move data across systems automatically, spawn sub-agents, and act with wide-ranging delegated privileges [citation:2].

The OAuth delegation problem: When an OAuth token is compromised in one domain, there is no shared revocation mechanism, no cross-domain signaling, and no portable policy that travels with an agent as it moves between systems. Drift (the AI tool compromised in a similar incident) rotated its credentials on August 20, but some customers didn't learn of the breach until August 23 — three days of complete visibility loss [citation:2].

Identity governance must evolve to address:

  • Agentic IAM — Each AI agent needs a registered identity with defined permitted actions and a human accountable for its behavior [citation:5]
  • Identity attack path management — Organizations must map what an adversary can reach from any given compromised identity [citation:3]
  • Continuous verification — Static tokens aren't enough; behavior, context, and real-time risk signals must inform trust decisions [citation:2]

The Bottom Line for Security Leaders

If your identity program cannot answer these three questions today, you are not ready for AI-scale risk:

  1. Which AI agents and third-party tools have OAuth access to your corporate identity systems?
  2. What attack paths exist from any compromised token to your critical assets?
  3. Can you revoke access surgically without shutting down the entire business?
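A starting point for questions 1 and 3, as an added example that is not code from Vercel, Google or the cited reports: it audits OAuth grant records shaped like the Google Workspace Admin SDK Directory API "tokens" resource (userKey, clientId, displayText, scopes) and lists which users' grants to a single client would need revoking. The approved-client list, the set of scopes treated as broad, and every sample record are constructed assumptions.

```python
# Added example: audit third-party OAuth grants in a Google Workspace tenant.
# Record fields follow the Directory API "tokens" resource; values are constructed.

BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/cloud-platform": "Google Cloud access",
    "https://www.googleapis.com/auth/admin.directory.user": "directory admin",
}
# Assumption: client IDs that passed the organization's vendor review.
APPROVED = {"approved-crm.example"}

SAMPLE_TOKENS = [  # constructed sample, not real grants
    {"userKey": "alice@corp.example", "clientId": "approved-crm.example",
     "displayText": "Reviewed CRM",
     "scopes": ["https://www.googleapis.com/auth/calendar"]},
    {"userKey": "bob@corp.example", "clientId": "ai-suite.example",
     "displayText": "AI Office Suite (hypothetical)",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/drive"]},
    {"userKey": "carol@corp.example", "clientId": "ai-suite.example",
     "displayText": "AI Office Suite (hypothetical)",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
]

def audit_grants(tokens, approved=APPROVED):
    """Return findings, most severe first, for grants that need attention."""
    findings = []
    for tok in tokens:
        broad = sorted(s for s in tok.get("scopes", []) if s in BROAD_SCOPES)
        unapproved = tok["clientId"] not in approved
        if not (broad or unapproved):
            continue  # reviewed client holding narrow scopes only
        severity = "high" if (broad and unapproved) else "review"
        findings.append({"user": tok["userKey"], "client": tok["clientId"],
                         "severity": severity, "broad_scopes": broad})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["user"]))

def revocation_targets(tokens, client_id):
    """Users whose grant to one client must be deleted (per user, per client)."""
    return sorted({t["userKey"] for t in tokens if t["clientId"] == client_id})

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_TOKENS):
        print(finding)
    print("revoke for:", revocation_targets(SAMPLE_TOKENS, "ai-suite.example"))
```

In a live tenant the records would come from listing each user's tokens through the Directory API, and each (user, client) pair returned by revocation_targets maps to one token deletion, which leaves other applications and users untouched.
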

The organizations that will win with AI won't just be the ones that move fastest. They'll be the ones that know exactly how fast they can move without losing control over who — or what — is allowed to touch what [citation:4].


Sources: SpecterOps breach analysis (April 2026), Orchid Security Identity Gap Report (May 2026), ValidSoft/Drift incident analysis (December 2025), Cisco RSAC 2026 coverage
