A data security breach at US cloud application company Vercel has prompted urgent customer notifications and drawn attention to the risk that employees using third-AI tools could open additional attack vectors for hackers to steal customer information.
Vercel provides developer tools and cloud infrastructure, including the widely used Next.js web development framework for React that it created and maintains. The company issued a bulletin on April 19 stating that it had discovered unauthorized access to certain internal systems and indicated that some customers’ accounts were compromised.
“Initially we identified a limited subset of customers whose non-sensitive environment variables stored on Vercel (those that decrypt to plaintext) were compromised. We reached out to that subset and recommended an immediate rotation of credentials.”
The bulletin added the company is investigating “whether and what data was exfiltrated” and will contact customers if it discovers further evidence of their information being compromised.
The investigation found that the attacker gained access to Context.ai, a third-party agentic AI tool used by a Vercel employee, which allowed it to take over the employee’s Vercel-issued Google Workspace account to breach some Vercel environments and environment variables that were not marked as sensitive.
The company fully encrypts variables that are marked as sensitive to prevent them from being read, and the bulletin stated that “we currently do not have evidence that those values were accessed.”
It turns out that Context.ai’s Google Workspace OAuth app was the subject of a broader security compromise, potentially affecting “hundreds of users across many organizations,” Vercel warned. The company recommends that Google Workspace Administrators and Google Account owners check for usage of the app immediately.
Vercel’s CEO, Guillermo Rauch, provided more detail in a post on X, stating:
“We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI. They moved with surprising velocity and in-depth understanding of Vercel.”
Rauch added that the company analyzed its supply chain to make sure that Next.js, the Turbopack bundler built into Next.js, and its open-source projects remain secure.
A subsequent update to the bulletin on April 20, 5:32 PM PST stated: “In collaboration with GitHub, Microsoft, npm, and Socket, our security team has confirmed that no npm packages published by Vercel have been compromised. There is no evidence of tampering, and we believe the supply chain remains safe.”
Vercel is also working with Google Mandiant and other cybersecurity firms, industry peers, and law enforcement, as well as Context.ai, to understand the full scale of the security compromise.
The company recommends that customers enable multi-factor authentication and make use of the sensitive environment variables feature.
As compromised credentials can still provide access to production systems, customers need to rotate them before deleting Vercel projects or accounts. Customers should also review their account activity logs and environments for suspicious activity and investigate recent deployments for unexpected or suspicious-looking activity, deleting any that appear to be suspicious, according to the bulletin.
Vercel Breach May Indicate Wider Attack on Enterprise Credentials
AI chat app developer Theo Browne also warned on X that the breach could extend further:
“The method of compromise was likely used to hit multiple companies other than Vercel.”
Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group, warned in a LinkedIn post that Vercel users should check whether their systems have been affected. “If your organization relies on their infrastructure, I strongly recommend you start looking into this immediately,” Larsen wrote.
The hacker claimed to be part of the notorious ShinyHunters group, but Larsen noted that “likely this is an imposter attempting to use an established name to inflate their notoriety.”
Israeli cybersecurity firm Hudson Rock connected the dots between an infostealer attack on Context.ai and the Vercel breach.
“In a February 2026 Lumma stealer infection, a Context.ai employee with sensitive access privileges was compromised. A deep dive into the infected machine’s browser history provides a textbook example of how these breaches originate,” the firm noted.
The user was actively searching for and downloading Roblox game exploits, which are well known for deploying Lumma stealer infections. Hudson Rock traced the single infection in Context.ai’s systems to harvested corporate data including Google Workspace credentials, as well as keys and logins for Supabase, Datadog, and Authkit. The records included the [email protected] account, which gave the attacker the leverage needed to escalate privileges, bypass initial security perimeters, and enter Vercel’s infrastructure.
The compromised user was a core member of the “context-inc” Vercel team with direct access to critical administrative endpoints, according to the security firm.
For its part, Context.ai pointed to a security incident involving unauthorized access to its AWS environment that it identified and stopped in March, stating: “At the time, we engaged CrowdStrike, a leading forensic firm, conducted an investigation, and informed a customer we identified as impacted. We also closed the AWS environment, hosting service, and associated resources to fully deprecate the consumer product.”
Following the notification from Vercel that its systems had been breached, the company found that OAuth tokens belonging to some users of its AI Office Suite were compromised during the incident. The suite allowed consumer users to enable AI agents to perform actions across external applications, facilitated by another third-party service. The statement explained:
“One of those tokens was used by the attacker to access Vercel’s Google Workspace. Vercel is not a Context customer, but it appears that at least one employee enabled ‘allow all’ on all requested Google Workspace permissions using their Vercel Google Workspace account.”
The permissions were intended to enable AI agents to carry out actions in Google Workspace on the user’s behalf, such as writing emails or creating documents. Context.ai has since taken down the environment and the AI Office Suite’s OAuth application.
“We are supporting a subset of AI Office Suite users potentially impacted by a recent security incident that we detected and stopped,” the company stated. “This incident does not affect Context’s enterprise customers, whose Bedrock deployments run in their own infrastructure.”
Shadow AI Tools Introduce Hidden CX Risks
The infiltration of a Vercel employee’s third-party tool, which enabled access to the company’s internal systems, highlights the risk to customer data from “shadow AI.” As AI tools become embedded in day-to-day workflows, employees using them outside formal procurement and security review processes can inadvertently create hidden vulnerabilities.
A compromise originating in a seemingly low-risk tool in customer support, product, and engineering functions can escalate into a security breach or accidental data exposure. That dynamic also complicates accountability and communication, as incidents tied to shadow AI tools can be harder for enterprises to detect and explain.
CX teams may be required to respond to customer concerns before there is a clear internal narrative, increasing the risk of inconsistent or incomplete messaging.
Browne emphasized the importance of clear communication and a focus on the impact on customers, posting: “Fwiw, I am impressed with how Vercel has handled this incident so far. They’re taking it seriously. Notifying affected parties within minutes of identification. Being realistic about what they do and don’t know. They’re clearly more worried about their customers than their reputation right now and I have a lot of respect for that.”
“There’s also a bunch of third parties they could throw under the bus but they are fully focused on fixing the issues instead.”
Hudson Rock, however, did not hold back in pointing the finger: “Hudson Rock obtained this compromised credential data over a month ago. Had this infostealer infection been identified and the exposed credentials revoked immediately, this entire supply-chain attack could have been completely prevented.”
The incident emphasizes “the critical importance of rapid detection and quick remediation of infostealer credentials before threat actors have the opportunity to operationalize the stolen access,” the firm added.
AI-Powered Cyber Attacks Raise Stakes for CX Resilience
With Rauch noting that the attack on Vercel appeared to have been accelerated by the hacker using AI, Browne also warned that the prevalence of such cyber attacks will continue to rise as AI models become more capable of exploiting security vulnerabilities.
“Incidents like this are never easy. We’re going to start seeing more and more of them as LLMs get more powerful. IMO, they’re doing this right.”
As this incident indicates, the growing presence of shadow AI in enterprise environments and the use of AI agents to perform actions autonomously expands the attack surface in ways that are likely to surface in the customer experience first, rather than backend systems.
Enterprises increasingly need to ensure they incorporate AI governance into their CX risk management, setting policies around tool usage, access controls, and integration boundaries to help ensure customer-facing experiences remain stable and trustworthy.
