The Vercel breach: OAuth attack exposes risk in platform environment variables

· security ·

Article

TL;DR

Roblox malware infected a Context.ai employee's machine; the OAuth token taken from it cascaded into access to Vercel customers' environment variables.

Key Takeaways

  • Breach began around February 2026; the attacker had access for about 22 months before detection
  • Rotating an environment variable in Vercel does not touch deployments that are already built: until the project is redeployed, the old credential remains baked into the live build and keeps working
  • The underlying failure was that a single employee's Google Workspace account had access to every customer environment, not the env var feature itself
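The second takeaway is easy to get wrong in an incident: saving a new value in the dashboard feels like a rotation, but every deployment built before that moment still carries the old secret, and old deployments stay reachable on their own deployment URLs. The script below is an added example, not code from the article or from Vercel. It models the check a responder would run after rotating: given a list of deployment records shaped like entries from Vercel's deployments listing (`uid`, `url`, `created` in epoch milliseconds, `state`, `target`), it flags every deployment whose build started before the rotation and can still serve traffic. The records and the rotation timestamp are constructed for the example; the field names and the assumption that a build started before the rotation read the old value are assumptions about the platform, not something the article states.

```python
"""Added example (not from the article or Vercel): after a secret has been
rotated in a Vercel project's environment variables, list the deployments
that still serve a build made before the rotation. Those builds embed the
old value until they are redeployed or removed.

Assumptions (not stated by the article): deployment records look like
entries from Vercel's deployments listing (`uid`, `url`, `created` as
epoch milliseconds, `state`, `target`), and any build that started before
the rotation instant read the old value. All sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# States in which a deployment can still answer requests; ERROR and
# CANCELED builds never serve, so they are not a live credential.
SERVING_STATES = {"READY", "BUILDING", "QUEUED", "INITIALIZING"}


@dataclass(frozen=True)
class Deployment:
    uid: str
    url: str
    created: int            # epoch milliseconds, as the API reports it
    state: str              # READY, BUILDING, ERROR, CANCELED, ...
    target: Optional[str]   # "production", or None for a preview build


# Instant at which the new value was saved (assumed for the example).
ROTATED_AT = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)
ROTATED_AT_MS = int(ROTATED_AT.timestamp() * 1000)

# Constructed sample: a production build from before the rotation (still
# reachable on its deployment URL), an older preview build, a failed old
# build that never served, and a fresh production redeploy.
SAMPLE_DEPLOYMENTS = [
    Deployment("dpl_old_prod", "app-abc123.vercel.app",
               ROTATED_AT_MS - 3_600_000, "READY", "production"),
    Deployment("dpl_old_preview", "app-git-feature-xyz.vercel.app",
               ROTATED_AT_MS - 86_400_000, "READY", None),
    Deployment("dpl_old_failed", "app-def456.vercel.app",
               ROTATED_AT_MS - 7_200_000, "ERROR", "production"),
    Deployment("dpl_new_prod", "app-ghi789.vercel.app",
               ROTATED_AT_MS + 600_000, "READY", "production"),
]


def stale_deployments(deployments, rotated_at_ms):
    """Deployments whose build started before the rotation and can still serve."""
    return [d for d in deployments
            if d.state in SERVING_STATES and d.created < rotated_at_ms]


def rotation_complete(deployments, rotated_at_ms, target="production"):
    """True only when no serving deployment for `target` predates the rotation."""
    return not [d for d in stale_deployments(deployments, rotated_at_ms)
                if d.target == target]


def report(deployments, rotated_at_ms):
    """Summarise which builds still carry the old secret, per target."""
    stale = stale_deployments(deployments, rotated_at_ms)
    return {
        "stale_uids": [d.uid for d in stale],
        "production_rotated": rotation_complete(deployments, rotated_at_ms, "production"),
        # Preview builds embed the old value too and need a redeploy or deletion.
        "preview_rotated": rotation_complete(deployments, rotated_at_ms, None),
    }


if __name__ == "__main__":
    result = report(SAMPLE_DEPLOYMENTS, ROTATED_AT_MS)
    for uid in result["stale_uids"]:
        print(f"still built with the old secret: {uid}")
    print("production rotation complete:", result["production_rotated"])
    print("preview rotation complete:", result["preview_rotated"])
```

Two points the check makes visible: the fresh production redeploy does not make the rotation complete while the previous production build is still READY on its own URL, and preview deployments are a separate population that a production-only redeploy leaves untouched. A rollback to any of the flagged deployments would also bring the old credential back, since it re-promotes an already-built deployment rather than rebuilding it, so the old value should be revoked at the provider, not just replaced in Vercel.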

Discussion

Top comments:

  • [saadn92]: Rotating Vercel env vars without redeploying leaves compromised credentials live in old deployments
  • [pier25]: Headline spins this as env var issue; real failure is Google Workspace access to all customers
  • [LudwigNagasena]: One employee personally granted a third-party AI app full Google Workspace access
  • [pdp]: Core failures: over-privileged accounts, no zero-trust, bad security hygiene — not OAuth itself
