The Vercel Breach Is About Every Coding Agent You've Installed This Year


On April 19, Vercel disclosed that an attacker pivoted into internal systems through a compromised AI app, using one over-permissioned OAuth grant. Every coding-agent tool installed in engineering orgs this year sits on the same door.

TLDR

On April 19, Vercel disclosed that an attacker pivoted into internal systems through a compromised AI app called Context.ai, using one over-permissioned OAuth grant. Every coding-agent tool installed in your org this year sits on the same kind of OAuth door. The fix is a permission inventory, not a procurement freeze.

The headline this week

I spent Monday morning reading Vercel’s incident bulletin and a tab full of security-vendor write-ups. The facts are small, the lesson is loud. On April 19, Vercel confirmed that an attacker reached internal systems through a third-party AI tool called Context.ai. The starting point was a Vercel employee granting Context.ai “Allow All” OAuth permissions to their corporate Google Workspace. Context.ai itself had been breached back in February, after one of its own employees ran a Roblox cheat script that carried Lumma Stealer. From there the attacker walked into Vercel environments and lifted environment variables, API keys, NPM tokens, GitHub tokens, and a file listing 580 employee records. Ransom asking price on BreachForums, per OX Security: $2 million. The chain took six weeks to surface. It took 48 hours to reach every security team’s reading list.

$2M
ShinyHunters' asking price on BreachForums after six weeks of undetected lateral movement from one compromised AI app into Vercel

What it actually means

Here is why this matters for coding-agent rollouts. Every harness an engineering org has installed in the last year asks for OAuth grants. Cursor asks for GitHub. Claude Code plugins ask for repo and workspace scopes. Codex asks for GitHub Installation tokens. MCP servers chain together Slack, Jira, Notion, and sometimes the entire Workspace. Each grant is a new pane of glass between a company and a vendor’s production systems.

The Vercel employee did nothing dramatic. They signed up for an AI Office Suite and clicked through a consent screen. That is the exact gesture engineers are performing several times a week, across coding agents and MCP installs.

What the Vercel incident proves is the transitive part of OAuth risk. The breach did not start at Vercel. It started at a vendor two hops upstream. Because the OAuth token inherited an employee’s Workspace scopes, the attacker walked through a front door an employee had already signed off on.

"One of Vercel's employees downloaded an app made by Context AI and connected it to their corporate account. The hackers used that connection (known as OAuth) to take over the Vercel employee's Google account. The hack may affect hundreds of users across many organizations."

TechCrunch, April 20, 2026

From there, per BleepingComputer’s reporting this weekend, the attacker exfiltrated access keys, source code, database data, internal deployments, some NPM tokens, some GitHub tokens, and the 580-row employee file. Security researchers at OX Security pointed out this week that the pattern is not a one-off. They have mapped the same shape across Drift, Gainsight, Anodot, and Vercel. Same shape, different company logo.

Key Insight

Enterprise plans do not narrow the OAuth scope you grant. They narrow liability after the incident. The scope is whatever an engineer clicked through on a consent screen last Tuesday.


Three questions the board will ask

1. Do we have an equivalent tool in production right now?

Open the Google Workspace admin console this week. Pull the list of apps granted Workspace-wide scopes. Every coding assistant, every MCP server, every note-taking AI, every “Allow All” OAuth grant is on that list. If the answer to “how many” cannot be produced inside an hour, the answer is “too many to know.”

2. How fast would we detect the same thing?

Juliet Security pegged Vercel’s attacker dwell time at roughly six weeks between the initial Context.ai compromise and public disclosure. In the same write-up, Mandiant data put the post-access lateral hand-off at 22 seconds. So the clock in play is six weeks of detection blindness against 22 seconds of lateral movement. Read the last 60 days of OAuth-app audit logs. If those logs do not exist or are shallow, the gap itself is the answer.

3. What do we do in the next six weeks?

No one needs to rip out coding agents. The board calendar needs three things.

A signed-off OAuth inventory, with a column for “who could this vendor breach their way into us through.”

A default-deny policy for Google Workspace apps, moving to explicit allowlists.

A sensitive-variable convention for every deploy target. Vercel’s remediation this week includes flipping environment variables to sensitive-by-default. That pattern is worth copying into CI, CD, and secrets-management posture before the next sprint planning.

If a CISO does not have this on the weekly status by next Friday, that is the real signal.
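One way to build the OAuth inventory and the default-deny view described above is to replay Workspace token audit events. This is an added example, not code from the original post or from Vercel. The sample events are constructed and shaped like Admin SDK Reports API activity items for the `token` application; `BROAD_SCOPES`, `ALLOWLIST` and the `ev` helper are hypothetical names chosen for illustration.

```python
from collections import defaultdict

# Assumption: scopes treated as "broad" for this illustration; tune per org.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/cloud-platform",
}
ALLOWLIST = {"1111.apps.example"}  # hypothetical approved client IDs

def ev(time, user, name, client_id, app, scopes):
    """Build one constructed event in the Reports API 'token' activity shape."""
    return {"id": {"time": time}, "actor": {"email": user},
            "events": [{"name": name, "parameters": [
                {"name": "client_id", "value": client_id},
                {"name": "app_name", "value": app},
                {"name": "scope", "multiValue": scopes}]}]}

SAMPLE = [  # constructed data, not real logs
    ev("2026-03-01T09:00:00Z", "dev1@corp.example", "authorize",
       "1111.apps.example", "Approved IDE", ["openid", "email"]),
    ev("2026-03-02T10:00:00Z", "dev2@corp.example", "authorize",
       "2222.apps.example", "AI Office Suite",
       ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]),
    ev("2026-03-03T11:00:00Z", "dev3@corp.example", "authorize",
       "3333.apps.example", "Notes Bot", ["https://www.googleapis.com/auth/calendar"]),
    ev("2026-03-04T12:00:00Z", "dev3@corp.example", "revoke",
       "3333.apps.example", "Notes Bot", ["https://www.googleapis.com/auth/calendar"]),
]

def build_inventory(activities, allowlist=ALLOWLIST):
    """Replay authorize/revoke events in time order; return active grants per app."""
    grants, names = defaultdict(dict), {}  # client_id -> {user: scopes}
    for act in sorted(activities, key=lambda a: a["id"]["time"]):
        user = act["actor"]["email"]
        for e in act["events"]:
            p = {x["name"]: x.get("multiValue", x.get("value")) for x in e["parameters"]}
            cid = p["client_id"]
            names[cid] = p.get("app_name", "?")
            if e["name"] == "authorize":
                grants[cid].setdefault(user, set()).update(p.get("scope", []))
            elif e["name"] == "revoke":
                grants[cid].pop(user, None)
    rows = []
    for cid, users in grants.items():
        if users:  # skip apps whose grants were all revoked
            scopes = set().union(*users.values())
            rows.append({"client_id": cid, "app": names[cid], "users": sorted(users),
                         "broad_scopes": sorted(scopes & BROAD_SCOPES),
                         "allowlisted": cid in allowlist})
    # Default-deny view: unapproved apps first, then by number of broad scopes.
    return sorted(rows, key=lambda r: (r["allowlisted"], -len(r["broad_scopes"])))
```

Calling `build_inventory(SAMPLE)` puts the unapproved app holding Gmail and Drive scopes at the top and drops the app whose only grant was revoked.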

Replace "Context.ai" with any coding-agent vendor name. The diagram is identical.


60-second brief for the board

The slide for the next board update:

A third-party AI tool called Context.ai was breached in February. In April, attackers used its OAuth grant to pivot into Vercel, a major web infrastructure company. Vercel disclosed the incident on April 19. The company says sensitive encrypted environment variables were not accessed, but non-sensitive variables, tokens, and source code were. ShinyHunters is asking $2 million for the data. Attack pattern: the AI tool had “Allow All” Google Workspace permissions granted by an employee. Implication for us: every AI assistant and coding agent in our stack asks for similar scopes. We will complete an OAuth inventory within 30 days, move to explicit allowlisting, and audit our environment-variable sensitivity markings. Estimated cost: one security engineer for two weeks. Estimated risk reduction: material.


What to watch next

Three signals over the next two weeks. First, whether Anthropic, OpenAI, GitHub, or Microsoft publishes post-incident guidance specifically for coding-agent OAuth scopes. So far, silence. Second, whether Vercel’s incident response playbook becomes a template other security teams publish internally. It should. Third, how a vendor risk team reads this incident. If the team is still treating AI tools as procurement software instead of identity-federation software, this week is the week to correct that framing. No panic. Pencils moving.

Sources

  1. Vercel April 2026 security incident - Vercel Knowledge Base, 2026-04-19
  2. App host Vercel says it was hacked and customer data stolen - TechCrunch, 2026-04-20
  3. Vercel confirms breach as hackers claim to be selling stolen data - BleepingComputer, 2026-04-19
  4. Vercel's April 19 Security Incident: What Customers Should Do - Juliet, 2026-04-19
  5. Supply Chain Attack Hits Vercel: User Data is Being Sold on BreachForums - OX Security, 2026-04-20
  6. Vercel breached after employee grants AI tool unrestricted access to Google Workspace - Tom's Hardware, 2026-04-20
