Vercel has announced a significant security breach involving unauthorized access to its internal systems. The breach was discovered after the company broadened its investigation scope to include additional indicators of compromise. This effort revealed a previously undetected set of customer accounts that had been compromised. Some of these accounts showed signs of prior, unrelated compromises, potentially resulting from social engineering or malware attacks. Affected parties have been notified, although the total number of impacted customers remains undisclosed.
The breach originated from the compromise of Context.ai, a third-party tool used by a Vercel employee. This allowed the attacker to gain control of the employee’s Google Workspace account, subsequently accessing the Vercel account. The attacker then exploited this access to navigate Vercel's environment and decrypt certain non-sensitive environment variables.
The situation was further complicated by revelations from Hudson Rock, which identified that a Context.ai employee had been infected with the Lumma Stealer malware after searching for game exploits. This infection may have served as the initial point of compromise, leading to the broader incident. Vercel's CEO, Guillermo Rauch, indicated that the threat actor was active beyond the initial compromise, distributing malware to collect valuable tokens and credentials.
The incident raises concerns about the use of third-party applications without proper oversight, as it remains unclear whether Vercel employees’ use of the Context AI Office Suite was officially approved. Context.ai has since deprecated the AI Office Suite. The breach highlights the inherent risks in OAuth integrations, which can inherit user and organizational trust, potentially bypassing direct account security measures. The focus for defenders now shifts towards rapid response and minimizing the impact of such breaches, given the attackers’ ability to quickly assess and exploit internal systems.


