Skip to main content
Application Security Standards
How a Compromised AI Tool Gave Attackers Full Access to Vercel's InfrastructureIncident
5 min readFor Compliance Teams

How a Compromised AI Tool Gave Attackers Full Access to Vercel's Infrastructure

What Happened

On December 20, 2024, Vercel discovered unauthorized access to their internal systems through a compromised OAuth token belonging to Context.ai, a third-party AI coding assistant integrated into their development environment. The attackers—allegedly the ShinyHunters group—used this single token to access Vercel's internal repositories and exfiltrate customer credentials for a subset of users. Vercel's security team detected the breach, revoked the compromised token, and began notifying affected customers within hours.

This breach highlights a critical vulnerability in cloud architectures: third-party integrations with overly permissive access scopes can create single points of failure. One compromised vendor token bypassed Vercel's perimeter entirely.

Timeline

December 20, 2024 (exact time not disclosed): Vercel's security monitoring detects anomalous access patterns associated with the Context.ai OAuth token.

Same day: Security team confirms unauthorized access, immediately revokes the compromised OAuth token, and begins internal investigation to determine scope of access.

Within 24 hours: Vercel notifies affected customers and advises immediate rotation of credentials and environment variables.

Following days: Vercel conducts forensic analysis to map exactly which repositories and systems the attackers accessed through the compromised token.

Which Controls Failed or Were Missing

Insufficient OAuth Scope Restriction

The Context.ai integration held an OAuth token with access broad enough to reach internal repositories and customer data. Your OAuth grants should follow least-privilege: if a tool needs to read code for analysis, it shouldn't have write access or the ability to access secrets management systems.

Absent Third-Party Security Assessment

No evidence suggests Vercel had conducted recent security assessments of Context.ai's infrastructure before the compromise. When you integrate a third-party tool into your environment, you're extending your trust boundary to include their security posture.

Missing Token Activity Monitoring

While Vercel detected the breach, the timeline suggests the compromised token had already accessed sensitive systems before triggering alerts. Token activity monitoring should flag unusual access patterns—geographic anomalies, access to repositories outside normal scope, or bulk data operations—within minutes, not hours.

No Automated Token Rotation

OAuth tokens for third-party integrations often remain valid indefinitely until manually revoked. Vercel's Context.ai token had no expiration policy that would have automatically limited the window of opportunity for attackers.

What the Relevant Standards Require

ISO/IEC 27001:2022 — Control 5.19 (Information Security in Supplier Relationships)

This control requires you to "define and agree information security requirements with each supplier that may access, process, store, communicate, or provide IT infrastructure components for the organization's information."

For your OAuth integrations, this means:

  • Document what data each third-party token can access
  • Require security attestations (SOC 2 Type II reports, penetration test results) from vendors before granting access
  • Establish contractual requirements for incident notification timelines

ISO/IEC 27001:2022 — Control 5.20 (Addressing Information Security within Supplier Agreements)

You must establish and agree upon security requirements with suppliers, including "the right to audit the information security practices of suppliers." Your vendor agreements should include the right to review their access logs, revoke access immediately upon security concerns, and receive breach notifications within defined timeframes.

NIST CSF v2.0 — ID.SC-2 (Suppliers and Third-Party Partners)

"Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk management process."

This means maintaining an inventory of every OAuth integration, the scope of access granted, and the risk tier of each vendor. Context.ai would have been high-risk: it accessed source code repositories containing customer data and secrets.

NIST 800-53 Rev 5 — AC-2 (Account Management)

This control requires "review of accounts for compliance with account management requirements" and "conditions for group and role membership." Your OAuth tokens are accounts. You need:

  • Quarterly reviews of which third-party tokens exist and what they can access
  • Automated alerts when tokens access resources outside their documented scope
  • 90-day maximum lifetime for third-party integration tokens, with mandatory rotation

PCI DSS v4.0.1 — Requirement 8.3.10

If you process payment data, "user accounts and authentication credentials are managed for non-consumer users and administrators on all system components." OAuth tokens authenticating third-party services fall under this requirement. You must:

  • Implement multi-factor authentication for OAuth authorization flows
  • Log all token usage for audit purposes
  • Revoke tokens immediately when vendor relationships end

Lessons and Action Items for Your Team

Audit Your OAuth Grants This Week

Pull a list of every third-party integration with OAuth access to your systems. For each one, document:

  • What repositories, APIs, or data sources can it access?
  • What's the business justification for this scope?
  • When was the vendor's security posture last assessed?
  • When was this token last rotated?

If you can't answer these questions, your risk is similar to Vercel's before the breach.

Implement Token Scoping Rules

Create an OAuth policy that maps integration types to maximum permitted scopes:

  • Code analysis tools: read-only access to specified repositories, no access to secrets or environment variables
  • CI/CD tools: write access only to deployment targets, not to source repositories
  • Monitoring tools: read-only access to logs and metrics, no access to customer data

Reject any integration request that exceeds these scopes unless approved by your security team with documented risk acceptance.

Require Vendor Security Evidence

Before approving any third-party integration, require:

  • SOC 2 Type II report dated within the last 12 months
  • Evidence of vulnerability management program (patch SLAs, penetration test cadence)
  • Incident response plan including notification timelines
  • Proof of MFA enforcement for vendor employee access

If a vendor can't provide these, they shouldn't access your production environment.

Deploy Token Activity Monitoring

Configure alerts for:

  • OAuth tokens accessing repositories they haven't touched in the last 90 days
  • Bulk data operations (cloning multiple repositories, downloading environment variables)
  • Access from IP addresses outside your vendor's documented infrastructure
  • Token usage outside the vendor's normal business hours

These alerts should trigger automatic token suspension pending investigation, not just notify your security team.

Enforce Token Rotation

Set a maximum 90-day lifetime for all third-party OAuth tokens. Implement automated rotation:

  • Generate new token
  • Provide to vendor through secure channel
  • Verify vendor has updated their integration
  • Revoke old token

Yes, this creates operational overhead. That overhead is cheaper than a breach.

Segregate Customer Credentials

Vercel's breach exposed customer credentials because they were accessible through the same systems the compromised token could reach. Implement architectural separation:

  • Store customer secrets in a dedicated secrets management system (HashiCorp Vault, AWS Secrets Manager)
  • Require separate authentication for secrets access—no OAuth tokens from third-party tools
  • Encrypt secrets at rest with keys that third-party integrations cannot access

The Context.ai token should never have been able to reach customer credentials, regardless of what repositories it could access.

Test Your Detection

Run a tabletop exercise: assume a third-party OAuth token is compromised today. Can your team:

  • Identify which token within 15 minutes?
  • Determine what data it accessed within 1 hour?
  • Revoke the token and verify revocation within 30 minutes?
  • Notify affected customers within 24 hours?

If any answer is no, your incident response plan needs work before the next breach, not after.

Topics:Incident

You Might Also Like

When Identity Verification Failed Against AI Agents: A Post-Mortem
4 min readFor Security Engineers

When Identity Verification Failed Against AI Agents: A Post-Mortem

What Happened In the past 18 months, organizations using AI systems have faced security failures that traditional identity-based controls couldn t stop. While no single breach stands out, the overall

Read
Ruby Gems and Go Modules Turned Weapons: BufferZoneCorp Attack Breakdown
4 min readFor Security Engineers

Ruby Gems and Go Modules Turned Weapons: BufferZoneCorp Attack Breakdown

A coordinated supply chain attack using poisoned Ruby gems and Go modules has exposed how attackers now target the seams between your package managers and CI/CD pipelines. The campaign, attributed to

Read
36 Hours: A SQL Injection Flaw Goes From Disclosure to Active Exploitation
4 min readFor Security Engineers

36 Hours: A SQL Injection Flaw Goes From Disclosure to Active Exploitation

What Happened In early 2026, security researchers disclosed CVE-2026-42208 , a critical SQL injection vulnerability in LiteLLM, a widely-used open-source AI Gateway. This flaw has a CVSS score of 9.3,

Read