https://www.trendmicro.com/en_us/research/26/d/vercel-breach-oauth-supply-chain.html
Article
- OAuth supply chain attack exposed secrets stored in Vercel environment variables
- Attackers leveraged platform-level access to harvest long-lived credentials
- Defense requires treating OAuth apps as third-party vendors, eliminating long-lived secrets
- Incident highlights systemic risk of trusting platform providers with sensitive env vars

Discussion
- Vercel lacked a ‘sensitive’ env var option for ~2 years after launch
- Rotating keys doesn’t help if old deployments still run with compromised values
- Commenters debated security-by-obscurity: even hiding env output adds a meaningful friction layer