Context.ai hacked triggers a Vercel security crisis; the CEO publicly shares the full investigation progress

Vercel CEO Guillermo Rauch publicly disclosed investigation progress on the X platform, confirming that the third-party AI platform Context.ai used by Vercel employees was compromised. The attacker obtained employees’ account credentials through the platform’s Google Workspace OAuth integration, and then gained further access to part of Vercel’s internal environment and environment variables that were not labeled as “sensitive.”

Attack chain: from OAuth intrusion of an AI tool to step-by-step infiltration of the Vercel environment

According to Vercel’s investigation, the attack path consists of three gradually escalating stages. First, Context.ai’s Google Workspace OAuth application was compromised in a prior, larger-scale supply chain attack, which may have affected hundreds of users across multiple organizations. Second, after compromising Context.ai, the attacker took control of Vercel employees’ Google Workspace accounts and used their credentials to access Vercel’s internal systems. Third, through enumeration, the attacker used environment variables that were not labeled as “sensitive” to obtain additional access privileges.

In the announcement, Rauch said the attacker’s actions were “astonishingly fast,” their understanding of Vercel systems was “very thorough,” and that it was highly likely they significantly improved attack efficiency with the help of AI tools.

The security boundary between “sensitive” and “non-sensitive” environment variables

This incident reveals key details of Vercel environment variable security mechanisms: environment variables labeled as “sensitive” are stored in a way that prevents reading, and the investigation has not found evidence that these values were accessed. What the attacker leveraged were environment variables not labeled as “sensitive.” Through enumeration, the attacker successfully obtained additional access privileges from them.

Vercel has added an environment variable overview page and improved the management interface for sensitive environment variables to help customers more clearly identify and protect high-risk configuration values.

Vercel’s emergency response and the official recommended action checklist

Vercel has hired Google Mandiant, other cybersecurity companies, and notified law enforcement agencies to get involved. Next.js, Turbopack, and Vercel’s open-source projects have all been confirmed as secure through supply-chain analysis, and the platform services are currently operating normally.

Official recommended customer security actions

Review activity logs: Review the activity logs for accounts and environments to identify suspicious activity

Rotate environment variables: Any environment variables that contain confidential information (API keys, tokens, database credentials, signing keys) but are not labeled as sensitive should be treated as potentially leaked and rotated first

Enable sensitive environment variable functionality: Ensure that all confidential configuration values are correctly labeled as “sensitive”

Review recent deployments: Investigate abnormal deployments and delete suspicious versions

Set deployment protection: Ensure it is set to at least the “standard” level, and rotate the deployment protection token

Frequently asked questions

What is Context.ai, and how did it become the entry point for this attack?

Context.ai is a small third-party AI tool that uses a Google Workspace OAuth integration and is used by Vercel employees for day-to-day work. The investigation shows that the OAuth application for this tool was compromised in a more widely scoped supply chain attack, which may have affected hundreds of users across multiple organizations, and that Vercel employees’ account credentials were obtained by the attacker during this process.

Are environment variables labeled as “sensitive” affected?

At this time, the investigation has found no evidence that environment variables labeled as “sensitive” were accessed. These variables are stored in a special manner to prevent reading. The attacker used environment variables that were not labeled as “sensitive,” and through enumeration, the attacker successfully obtained additional access privileges from them.

How can Vercel customers confirm whether they are affected?

If you have not received direct contact from Vercel, Vercel says there is currently no reason to believe that the credentials or personal data of affected customers have been exposed. Vercel recommends that all customers proactively review activity logs, rotate environment variables that are not labeled as sensitive, and properly enable the sensitive environment variable feature. If you need technical support, contact Vercel via vercel.com/help.