
On April 22 (U.S. Pacific Time), Vercel CEO Guillermo Rauch posted an update on X on the progress of the security investigation, saying the investigation team has processed nearly 1 PB of Vercel’s full network and API logs and that the scope of the investigation far exceeds the Context.ai incident. Rauch said the attackers stole Vercel account keys by distributing malware to victims’ computers, and that the victims have been notified.
According to Vercel’s security investigation page and Guillermo Rauch’s public posts on X, the incident originated from a Google Workspace OAuth application associated with a third-party AI tool, Context.ai, used by a Vercel employee. The attackers used the access obtained through that tool to progressively take over the employee’s individual Vercel Google Workspace account and then their Vercel account. Once inside the Vercel environment, they systematically enumerated and decrypted non-sensitive environment variables.
In his X post, Rauch noted that the logs show that, immediately after obtaining the keys, the attackers made rapid, comprehensive API calls focused on enumerating non-sensitive environment variables, forming a repeatable behavioral pattern. Vercel assessed that the attackers had deep knowledge of the Vercel product API, indicating a high level of technical sophistication.
According to Vercel’s April 22 security update, after the expanded investigation, two new findings were confirmed:
· A small number of other accounts were compromised in this incident; the affected customers have been notified
· A small number of customer accounts have prior compromise records unrelated to this incident, suspected to have been caused by social engineering, malware, or other means; the affected customers have been notified
Vercel has deepened collaboration with industry partners such as Microsoft, AWS, and Wiz, and is working with Google Mandiant and law enforcement agencies to investigate.
According to Vercel’s April 20 security update, Vercel’s security team, working with GitHub, Microsoft, npm, and Socket, confirmed that all npm packages published by Vercel were unaffected, with no evidence of tampering, and that supply-chain security assessments are proceeding normally. Vercel also disclosed indicators of compromise (IOCs) for community verification, including the associated OAuth application ID: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. Vercel recommends that Google Workspace administrators check whether the above application was in use in their domain.
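The two defender-side checks this incident calls for, as an added example that is not Vercel’s, Google’s or the investigators’ own code: flagging Workspace users who granted the published IOC client ID, and spotting the burst pattern of environment-variable enumeration described above in API logs. The token record fields follow the Admin SDK Directory API tokens.list response; the log line format and the `/env` path pattern are assumptions for this example.

```python
# Added defender-side example; not Vercel's, Google's or the investigators' code.
from collections import defaultdict
from datetime import datetime, timedelta

# OAuth client ID that Vercel published as an IOC (taken from the page).
IOC_CLIENT_ID = "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"


def users_with_ioc_app(token_records):
    """Users whose Workspace account still holds a grant for the IOC client ID.
    Records use the field names of the Admin SDK Directory API tokens.list
    response (userKey, clientId, displayText, scopes)."""
    return sorted({r["userKey"] for r in token_records if r.get("clientId") == IOC_CLIENT_ID})


def burst_enumerators(log_lines, window_s=60, threshold=20):
    """Tokens whose env-var reads exceed `threshold` in any `window_s` sliding
    window. Line format '<ISO8601> <token> <METHOD> <path>' and the '/env'
    path pattern are assumptions for this example, not Vercel's real log schema."""
    reads = defaultdict(list)
    for line in log_lines:
        ts, token, method, path = line.split()
        if method == "GET" and "/env" in path:
            reads[token].append(datetime.fromisoformat(ts))
    flagged = {}
    for token, times in reads.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[token] = peak
    return flagged


# Constructed sample data (not real Vercel or Google records).
SAMPLE_TOKENS = [
    {"userKey": "alice@example.test", "clientId": IOC_CLIENT_ID, "displayText": "Context.ai", "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "bob@example.test", "clientId": "other-app.apps.googleusercontent.com", "displayText": "Calendar sync", "scopes": []},
]
BASE = datetime(2025, 4, 19, 3, 0, 0)
SAMPLE_LOG = (
    [f"{(BASE + timedelta(seconds=i)).isoformat()} tok_stolen GET /v9/projects/prj_{i}/env" for i in range(25)]
    + [f"{(BASE + timedelta(minutes=i)).isoformat()} tok_normal GET /v9/projects/prj_1/env" for i in range(5)]
)

if __name__ == "__main__":
    print("IOC app grants:", users_with_ioc_app(SAMPLE_TOKENS))
    print("burst enumerators:", burst_enumerators(SAMPLE_LOG))
```

With the constructed data, the stolen token is flagged at 25 env reads inside one 60-second window while the normal token's five reads spread over minutes are not.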
According to a public post by Guillermo Rauch on X on April 22 (U.S. Pacific Time), threat intelligence indicates that attacker activity went beyond the single compromise of Context.ai: the attackers used malware to steal access keys for multiple service providers across a broader set of networks, and other suspected victims have been notified to rotate their credentials.