Cloud platform Vercel says company breached through third-party AI tool
A cloud platform popular among developers announced a cyberattack this weekend that was traced back to a third-party AI tool installed on an employee’s device.
On Sunday, a hacker claimed to have internal databases and access to multiple employee accounts at Vercel. The hacker floated ideas of cascading global supply chain attacks through several important libraries owned by Vercel, including one that was already tangentially involved in another cyber incident in December.
Vercel released a statement acknowledging a breach and warning a “limited subset of customers” that their Vercel credentials were compromised. The company has reached out to the affected customers and told them to rotate their credentials immediately.
Vercel is still investigating whether more customers are impacted.
The company said it traced the incident back to the compromise of Context.ai, a third-party AI tool used by a Vercel employee.
“The attacker used that access to take over the employee's Vercel Google Workspace account, which enabled them to gain access to some Vercel environments and environment variables that were not marked as ‘sensitive,’” Vercel explained.
“Environment variables marked as ‘sensitive’ in Vercel are stored in a manner that prevents them from being read, and we currently do not have evidence that those values were accessed.”
Mandiant has been hired to assist with the investigation and law enforcement is now involved. Vercel claimed the attacker is “highly sophisticated based on their operational velocity and detailed understanding of Vercel's systems.”
Vercel warned that deleting Vercel projects or accounts is not enough to eliminate potential customer risk. The company said compromised secrets “may still provide access to production systems, so you must rotate them before deleting your projects or account.”
March incident
Context.ai released its own response, explaining that its tool was meant to help people use AI agents to build presentations and spreadsheets. One feature was a browser extension that allowed the AI agent to “perform actions across their external applications.”
In March, Context.ai said it discovered and stopped a cyberattack involving unauthorized access to its AWS environment. The company hired CrowdStrike to investigate the attack and “informed a customer we identified as impacted.”
“Recently, based on information provided by Vercel and additional internal investigation, we learned that, during the incident last month, the unauthorized actor also likely compromised OAuth tokens for some of our consumer users,” the AI company said.
“We also learned that the unauthorized actor appears to have used a compromised OAuth token to access Vercel’s Google Workspace.”
The impacted Vercel employee signed up for the Context.ai suite using their work account. Context.ai remarked that Vercel’s internal authorization configurations “appear to have allowed this action to grant these broad permissions in Vercel’s enterprise Google Workspace.”
Context.ai says it contacted other customers when informed of how Vercel was breached.
Multiple cybersecurity research companies traced the breaches back to an infostealer infection on February 17 allegedly involving the device of a Context.ai employee. Cybersecurity firm Hudson Rock said logs show the employee was searching for Roblox game exploits, which are often laden with malware, infostealers in particular.
Cequence Security CISO Randolph Barr said Vercel has a massive footprint in the developer community, particularly for modern web apps and workflows.
“The bigger concern is the exposure of environment variables and tokens, which can open doors to follow-on access if teams don't move quickly to lock things down,” he said.
The hackers allegedly behind the incident claimed to be part of ShinyHunters, a noted cybercriminal organization behind several recent attacks. The group used its communications channels to deny its involvement in the Vercel breach.
The hacker demanded a $2 million ransom. Vercel did not respond to requests for comment.
Vercel CEO Guillermo Rauch said he believed the attackers were “significantly accelerated by AI” because they “moved with surprising velocity and in-depth understanding of Vercel.”
He urged all customers to rotate their credentials and monitor access to their Vercel environments and linked services.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.



