Vercel Breached via OAuth Supply Chain Attack — Attacker Bypassed MFA Without Stealing a Single Credential
A threat actor has breached Vercel's developer infrastructure through an identity supply chain attack that bypassed multi-factor authentication entirely — without stealing a single credential. The compromise, disclosed in April 2026, exploited a breached third-party OAuth integration to inherit valid Google Workspace sessions belonging to Vercel developers, representing a fundamental shift in how supply chain attacks can target identity rather than code.
The attack began with the compromise of Context.ai's Google Cloud Platform project. The attacker extracted the OAuth Client Secret and all associated refresh tokens issued to users who had previously authorized the Context.ai integration. Because OAuth consent grants are persistent, the attacker immediately inherited every active session — including those of Vercel developers who had granted Context.ai access to their Google Workspace accounts. No victim interaction was required.
With the stolen client secret and refresh tokens, the attacker exchanged them for fresh access tokens against Google's OAuth2 token endpoint. This exploited a critical design characteristic: token refresh operations do not trigger MFA re-evaluation. Once a user has completed initial authentication and granted consent, subsequent token refreshes are treated as trusted continuations of the original session regardless of the source IP, device posture, or geographic location. Google Workspace Conditional Access policies do not re-evaluate trust signals during these operations.
Using the freshly minted access tokens, the attacker conducted systematic enumeration of Google Workspace resources from the 194.26.135.0/24 IP range. Searches targeted high-value keywords across Gmail, Drive, and internal documentation — including PROD_SECRET, API_KEY, god-mode, env, and KMS. The search patterns suggest automated, likely AI-augmented tooling designed to rapidly identify and prioritize documents containing production credentials and key management references.
The attacker located a privileged internal administration dashboard used by Vercel engineers for production debugging. While individual metadata fields within the dashboard were classified as non-sensitive, the attacker reconstructed sensitive production values by combining multiple fields — a classic aggregation attack. Exfiltrated data was transmitted to a command-and-control endpoint at api-update-verification[.]com/collect, designed to mimic a legitimate API update service.
Detection came approximately 72 hours after initial access, when Vercel security identified anomalous OAuth token refresh patterns. The Context.ai OAuth integration was immediately revoked and incident response was initiated.
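The anomalous-refresh detection that ultimately caught this intrusion can be prototyped over token-refresh audit events. The block below is an added example, not Vercel's or Google's code. It assumes a one-JSON-event-per-line export carrying user, client_id, ip and country fields (those field names are assumptions), learns a per-user, per-integration baseline of countries and /24 networks from the first week of data, and then flags refreshes from a new country or network, refreshes for user/integration pairs with no history, and bursts of refreshes for a single OAuth client. The sample events are constructed; only the 194.26.135.0/24 range comes from the article.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OAuth token-refresh audit events. These are not real
# Vercel or Google Workspace records and the field names are assumptions; the
# 194.26.135.x addresses are the article's indicator range, and "ZZ" is a
# user-assigned placeholder country code, not a real geolocation result.
SAMPLE_EVENTS = """
{"ts": "2026-04-01T09:00:00Z", "user": "dev1@example.com", "client_id": "ctx-ai", "ip": "203.0.113.10", "country": "US"}
{"ts": "2026-04-02T10:00:00Z", "user": "dev2@example.com", "client_id": "ctx-ai", "ip": "203.0.113.11", "country": "US"}
{"ts": "2026-04-03T11:00:00Z", "user": "dev1@example.com", "client_id": "ctx-ai", "ip": "203.0.113.12", "country": "US"}
{"ts": "2026-04-04T09:30:00Z", "user": "dev1@example.com", "client_id": "ctx-ai", "ip": "198.51.100.5", "country": "US"}
{"ts": "2026-04-09T08:00:00Z", "user": "dev2@example.com", "client_id": "ctx-ai", "ip": "203.0.113.11", "country": "US"}
{"ts": "2026-04-10T03:00:00Z", "user": "dev1@example.com", "client_id": "ctx-ai", "ip": "194.26.135.17", "country": "ZZ"}
{"ts": "2026-04-10T03:01:00Z", "user": "dev2@example.com", "client_id": "ctx-ai", "ip": "194.26.135.18", "country": "ZZ"}
{"ts": "2026-04-10T03:02:00Z", "user": "dev1@example.com", "client_id": "ctx-ai", "ip": "194.26.135.19", "country": "ZZ"}
{"ts": "2026-04-10T03:03:00Z", "user": "dev3@example.com", "client_id": "ctx-ai", "ip": "194.26.135.20", "country": "ZZ"}
{"ts": "2026-04-10T03:04:00Z", "user": "dev1@example.com", "client_id": "ctx-ai", "ip": "194.26.135.21", "country": "ZZ"}
{"ts": "2026-04-10T05:00:00Z", "user": "dev1@example.com", "client_id": "other-app", "ip": "198.51.100.7", "country": "US"}
{"ts": "2026-04-11T09:00:00Z", "user": "dev2@example.com", "client_id": "ctx-ai", "ip": "198.51.100.9", "country": "US"}
"""


def parse_events(text):
    """Parse one JSON event per line into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        # Group source addresses by /24 so small IP churn inside one range is not an alert.
        event["net"] = ipaddress.ip_network(f'{event["ip"]}/24', strict=False)
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_refresh_anomalies(events, baseline_days=7,
                             burst_window=timedelta(hours=1), burst_threshold=5):
    """Return (kind, user, client_id, detail) alerts.

    The first baseline_days of events establish, per user and OAuth client, which
    countries and /24 networks normally perform refreshes. After that window:
      geo_shift     - refresh from a country never seen for that user/client
      new_network   - same country, but a /24 never seen for that user/client
      no_baseline   - a user/client pair with no history at all
      refresh_burst - burst_threshold refreshes for one client within burst_window
    """
    alerts, alerted = [], set()
    seen_nets = defaultdict(set)
    seen_countries = defaultdict(set)
    recent = defaultdict(list)          # client_id -> refresh timestamps in window
    baseline_end = events[0]["ts"] + timedelta(days=baseline_days)

    for e in events:
        key = (e["user"], e["client_id"])
        if e["ts"] < baseline_end:
            seen_nets[key].add(e["net"])
            seen_countries[key].add(e["country"])
        else:
            if key not in seen_countries:
                finding = ("no_baseline", e["user"], e["client_id"], e["ip"])
            elif e["country"] not in seen_countries[key]:
                finding = ("geo_shift", e["user"], e["client_id"], e["ip"])
            elif e["net"] not in seen_nets[key]:
                finding = ("new_network", e["user"], e["client_id"], e["ip"])
            else:
                finding = None
            if finding is not None:
                # Report each (kind, user, client, country-or-network) once.
                scope = e["net"] if finding[0] == "new_network" else e["country"]
                dedupe = finding[:3] + (scope,)
                if dedupe not in alerted:
                    alerted.add(dedupe)
                    alerts.append(finding)

        # Burst detection runs across all users of a client, baseline included.
        window = [t for t in recent[e["client_id"]] if e["ts"] - t <= burst_window]
        window.append(e["ts"])
        recent[e["client_id"]] = window
        burst_key = ("refresh_burst", e["client_id"], window[0])
        if len(window) >= burst_threshold and burst_key not in alerted:
            alerted.add(burst_key)
            alerts.append(("refresh_burst", "*", e["client_id"], len(window)))
    return alerts


if __name__ == "__main__":
    for alert in detect_refresh_anomalies(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed data the detector raises two geo_shift alerts for the first refreshes from the indicator range, a no_baseline alert for a user with no history, a refresh_burst for the client once five refreshes land inside an hour, and a new_network alert for a later refresh from an unfamiliar /24. The /24 grouping and the dedupe set are deliberate: without them a single NAT pool or mobile carrier produces a page of near-identical alerts and the real geographic shift is buried.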
What Defenders Should Do:
- Audit all third-party OAuth integrations authorized against your identity provider and revoke any that are no longer actively used or maintained. The attack surface is not your credentials — it is every consent grant your users have ever approved.
- Implement monitoring for anomalous OAuth token refresh volumes and geographic shifts in token usage.
- Push identity providers to enforce MFA re-evaluation on token refresh operations, not just initial authentication.
- Review Google Workspace Conditional Access policies and understand that current configurations do not re-challenge on refresh.
- Search for connections to the 194.26.135.0/24 IP range and the domain api-update-verification[.]com in your network logs.
- Any organization whose employees authorized the Context.ai OAuth integration should treat those accounts as compromised and rotate all associated credentials and secrets.
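Two of the recommendations above, the sweep of network logs for the published indicators and the audit of consent grants for revocation, as an added example that is not part of the article or of any vendor tooling. The indicators and the Context.ai integration name are the article's; the proxy-log layout, the grant records, the reference date and the 90-day idle threshold are constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Indicators published in the article, kept defanged the way reports usually
# ship them; refang() turns them back into matchable values.
IOC_NETWORKS = ["194.26.135.0/24"]
IOC_DOMAINS = ["api-update-verification[.]com"]
# Integrations the article names as breached; every grant to them is treated as hostile.
COMPROMISED_INTEGRATIONS = {"Context.ai"}

# Constructed egress-proxy lines: "<ts> <src_ip> <dst_ip> <host> <path>"; "-" means no Host header.
SAMPLE_PROXY_LOG = [
    "2026-04-10T03:05:12Z 10.0.0.8 194.26.135.17 - /",
    "2026-04-10T03:07:44Z 10.0.0.8 198.51.100.20 api-update-verification.com /collect",
    "2026-04-10T03:08:01Z 10.0.0.9 203.0.113.50 www.google.com /search",
    "2026-04-10T03:09:30Z 10.0.0.8 198.51.100.21 cdn.API-Update-Verification.com /collect",
]

# Constructed OAuth consent-grant inventory, roughly what an admin export contains.
SAMPLE_GRANTS = [
    {"user": "dev1@example.com", "client": "Context.ai", "last_used": datetime(2026, 4, 9)},
    {"user": "dev2@example.com", "client": "calendar-sync", "last_used": datetime(2025, 11, 1)},
    {"user": "dev3@example.com", "client": "ci-bot", "last_used": datetime(2026, 4, 1)},
]
NOW = datetime(2026, 4, 12)  # constructed reference date for the idle calculation


def refang(indicator):
    """Turn a defanged indicator back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def sweep_network_logs(lines, networks=IOC_NETWORKS, domains=IOC_DOMAINS):
    """Return (ts, src_ip, kind, value) for each line that touches an indicator.

    IP matching is by CIDR membership; domain matching is case-insensitive and
    covers the indicator domain itself and any subdomain of it.
    """
    nets = [ipaddress.ip_network(refang(n)) for n in networks]
    doms = [refang(d).lower() for d in domains]
    hits = []
    for line in lines:
        ts, src, dst, host, _path = line.split()
        host = host.lower()
        if any(ipaddress.ip_address(dst) in n for n in nets):
            hits.append((ts, src, "ip", dst))
        if any(host == d or host.endswith("." + d) for d in doms):
            hits.append((ts, src, "domain", host))
    return hits


def grants_to_revoke(grants, now, max_idle_days=90, compromised=COMPROMISED_INTEGRATIONS):
    """Return (user, client, reason) for grants that should be revoked: any grant
    to a compromised integration, then any grant idle longer than max_idle_days."""
    to_revoke = []
    for g in grants:
        idle_days = (now - g["last_used"]).days
        if g["client"] in compromised:
            to_revoke.append((g["user"], g["client"], "compromised_integration"))
        elif idle_days > max_idle_days:
            to_revoke.append((g["user"], g["client"], f"unused_{idle_days}d"))
    return to_revoke


if __name__ == "__main__":
    for hit in sweep_network_logs(SAMPLE_PROXY_LOG):
        print("IOC hit:", hit)
    for item in grants_to_revoke(SAMPLE_GRANTS, NOW):
        print("revoke:", item)
```

Matching the domain indicator as a suffix matters in practice: an exfiltration endpoint is routinely moved to a subdomain without changing the registered domain, and a hit on the /collect path in a proxy log is the kind of line the article's indicator is meant to surface. The grant audit puts the compromised-integration rule first so that a recently used Context.ai grant is still flagged even though it would pass an idle-time check.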