When a single compromised third-party extension cascades into a major cloud platform breach, the security gaps become impossible to ignore. This week, Vercel disclosed that attackers gained unauthorized access to its production environments through an overlooked OAuth grant tied to a developer’s use of a browser extension. The incident underscores a persistent challenge in modern security: detecting and containing OAuth-based attacks that exploit the blind spots between cloud services, SaaS applications, and developer tools.
The cascade of breaches: from infostealer to OAuth abuse
The breach chain began with a targeted infection on an employee’s device at Context.ai, a SaaS vendor whose AI-powered analytics platform integrates with major cloud platforms, including Vercel. According to cybersecurity firm Hudson Rock, the employee’s machine was compromised by the Lumma Stealer malware in early 2025. The malware harvested a range of credentials, including Google Workspace logins, Supabase API keys, Datadog monitoring tokens, and Authkit authentication credentials. Browser history on the infected device revealed downloads of Roblox cheat scripts, a common vector for stealer malware distribution.
Once the credentials were harvested, attackers pivoted into Context.ai’s AWS environment, gaining access to internal systems. While Context.ai detected and contained the initial intrusion in March 2025, the scope of the compromise was underestimated until later disclosures. Investigators later discovered that the attackers also exfiltrated OAuth tokens tied to Context.ai’s Google Workspace integration. One of these tokens—granted via a Chrome extension used by a Vercel developer—provided a direct pathway into Vercel’s internal systems.
The overlooked OAuth vulnerability
The critical misstep occurred when a Vercel engineer installed the Context.ai browser extension and authenticated using their corporate Google Workspace account. This action granted the extension broad OAuth permissions, effectively handing over control of the developer’s Workspace account to any actor with access to the stolen token. According to OX Security’s analysis, the extension’s OAuth grant was not flagged or reviewed by Vercel’s security team, leaving a gaping hole in its defenses.
When Context.ai’s systems were later breached, attackers inherited the compromised OAuth token, enabling them to access Vercel’s internal environments. The attackers then enumerated environment variables that were not marked as sensitive, extracting plaintext credentials and escalating their privileges. Vercel’s subsequent investigation, conducted alongside partners like GitHub, Microsoft, and npm, confirmed that no Vercel-published npm packages were affected. However, the breach exposed the risks of unmonitored OAuth grants and of storing credentials in environment variables that are not marked as sensitive.
Vercel has since implemented measures to mitigate future risks, including defaulting new environment variable creation to “sensitive” status. The company also collaborated with security vendors to audit its systems for signs of compromise. "The attacker was highly sophisticated and, I strongly suspect, significantly accelerated by AI," said Vercel CEO Guillermo Rauch in a public statement.
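To make the environment-variable exposure concrete, the following Python example (added here; it is not Vercel's code or tooling) audits an inventory of variables and reports those that look like credentials but are not marked sensitive. The inventory layout, the variable names and values, and the detection thresholds are all assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed inventory for illustration: (name, value, marked_sensitive).
# The tuple layout is an assumption, not a Vercel export format.
SAMPLE_ENV = [
    ("NEXT_PUBLIC_SITE_URL", "https://example.test", False),
    ("DATABASE_URL", "postgres://app:s3cr3tPassw0rd@db.example.test:5432/app", False),
    ("ANALYTICS_API_KEY", "k9Xq2LmT7vB4nR8sW1yZ6cF3hJ5dG0pA", False),
    ("PAYMENT_SECRET", "constructed-placeholder-value", True),
    ("LOG_LEVEL", "debug", False),
]

# Heuristics: a credential-like name, a URL with embedded user:password,
# or a long value with high per-character entropy (random-looking token).
NAME_HINT = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE|CREDENTIAL", re.I)
URL_WITH_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)

def shannon_entropy(value):
    """Bits of entropy per character of the string."""
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())

def classify(name, value):
    """Return the list of reasons a variable looks like a credential."""
    reasons = []
    if NAME_HINT.search(name):
        reasons.append("name")
    if URL_WITH_CREDS.match(value):
        reasons.append("url-credentials")
    if len(value) >= 20 and shannon_entropy(value) >= 4.0:
        reasons.append("high-entropy")
    return reasons

def audit(env):
    """Map each non-sensitive, credential-like variable to its reasons."""
    findings = {}
    for name, value, sensitive in env:
        reasons = [] if sensitive else classify(name, value)
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_ENV).items():
        print(f"{name}: not marked sensitive ({', '.join(reasons)})")
```

Variables already marked sensitive are skipped, so the report lists only the values an intruder with read access could enumerate in plaintext.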
Why most security teams miss this attack vector
The Vercel breach highlights a blind spot that persists across many organizations: the lack of visibility into third-party OAuth grants. Security directors often prioritize endpoint detection and cloud infrastructure monitoring, but few tools are designed to track the lifecycle of OAuth tokens granted to SaaS applications and browser extensions.
According to Nudge Security’s CTO Jaime Blasco, the Context.ai extension embedded a second OAuth grant that enabled read access to users’ Google Drive files. While Google removed the extension from the Chrome Web Store on March 27, 2025, the damage had already been done for affected users. Security teams typically fail to monitor for these types of grants because:
- OAuth tokens are not consistently logged or audited in most organizations.
- There is no standardized approval workflow for third-party extensions.
- Anomaly detection for OAuth token usage is rare, even though compromised tokens are a common attack vector.
Trend Micro research suggests the intrusion may have begun as early as June 2024, though this timeline remains unverified. If confirmed, the dwell time would extend to nearly 22 months, illustrating how long such threats can evade detection. This extended timeline underscores the need for continuous monitoring of OAuth grants and third-party integrations.
Lessons for security leaders: closing the OAuth security gap
The Vercel breach serves as a wake-up call for organizations relying on cloud platforms and third-party tools. Security teams must adopt a more proactive approach to OAuth governance, including:
- Implementing automated OAuth token lifecycle management to detect and revoke unused or suspicious grants.
- Enforcing strict review processes for third-party extensions and SaaS integrations before granting OAuth access.
- Deploying behavioral analytics to monitor for unusual OAuth token usage patterns.
- Marking all environment variables as sensitive by default to prevent plaintext credential exposure.
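The grant review recommended above, and the missing audit trail described under "Why most security teams miss this attack vector", can start from a plain inventory of who granted what to which app. The following Python example is added here and is not code from Vercel or any vendor named in the article. Its record field names follow the Google Admin SDK Directory API tokens resource, while the records themselves, the allowlist and the high-risk scope prefixes are constructed assumptions.

```python
# Constructed grant records. Field names follow the Google Admin SDK Directory
# API "tokens" resource (userKey, clientId, displayText, scopes); all values
# below, including client IDs and app names, are made up.
DRIVE_RO = "https://www.googleapis.com/auth/drive.readonly"
GRANTS = [
    {"userKey": "dev1@corp.example", "clientId": "111.apps.googleusercontent.com",
     "displayText": "Approved CI Tool", "scopes": ["openid", "email"]},
    {"userKey": "dev2@corp.example", "clientId": "222.apps.googleusercontent.com",
     "displayText": "Analytics Extension", "scopes": ["openid", DRIVE_RO]},
    {"userKey": "dev3@corp.example", "clientId": "222.apps.googleusercontent.com",
     "displayText": "Analytics Extension",
     "scopes": ["email", DRIVE_RO, "https://mail.google.com/"]},
    {"userKey": "pm1@corp.example", "clientId": "333.apps.googleusercontent.com",
     "displayText": "Calendar Helper",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]
APPROVED_CLIENTS = {"111.apps.googleusercontent.com"}  # hypothetical allowlist

# Scope prefixes treated as high risk: they expose files, mail or admin APIs.
HIGH_RISK_PREFIXES = (
    "https://www.googleapis.com/auth/drive",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/admin",
)

def audit_grants(grants, approved):
    """Group unapproved grants by app; rank apps holding high-risk scopes first."""
    apps = {}
    for g in grants:
        if g["clientId"] in approved:
            continue
        app = apps.setdefault(g["clientId"], {
            "clientId": g["clientId"], "app": g["displayText"],
            "users": set(), "risky_scopes": set()})
        app["users"].add(g["userKey"])
        app["risky_scopes"].update(
            s for s in g["scopes"] if s.startswith(HIGH_RISK_PREFIXES))
    findings = []
    for app in apps.values():
        findings.append({**app, "users": sorted(app["users"]),
                         "risky_scopes": sorted(app["risky_scopes"]),
                         "severity": "high" if app["risky_scopes"] else "low"})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["clientId"]))

if __name__ == "__main__":
    for f in audit_grants(GRANTS, APPROVED_CLIENTS):
        print(f["severity"], f["app"], f["users"], f["risky_scopes"])
```

Grouping by client ID rather than by user shows how many accounts a single unreviewed app can reach, which is the figure that matters when that app's vendor is breached.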
The attack chain—infostealer to OAuth abuse to lateral movement—demonstrates how attackers exploit the seams between tools, platforms, and user behaviors. As AI-powered tools become more integrated into developer workflows, the risks of overlooked OAuth grants will only grow. Organizations that fail to address these gaps risk facing breaches that are not just undetected, but fundamentally uncontainable from the start.
The Vercel incident is not an isolated case; it is a symptom of a broader security challenge. The question now is whether security teams will take the necessary steps to close the OAuth gap before it’s too late.