Secured by Design - IAM & Cybersecurity Podcast

How Vercel's Supply Chain Attack Unfolded

Santosh Subramanian



Summary

This episode dissects the recent Vercel breach, a supply chain attack involving third-party AI tools, OAuth vulnerabilities, and insider risks. It highlights practical steps organizations can take to enhance cybersecurity and prevent similar incidents.

Key topics

Supply chain attack involving third-party AI tools
OAuth vulnerabilities and permissions management
Best practices for environment variable security
Incident response and credential rotation strategies

Chapters

00:00 The Vercel Breach: An Overview
05:43 The Supply Chain Attack Unfolds
12:45 The Shift in Cybersecurity Paradigms
19:11 The Importance of Trust in Security

Keywords

cybersecurity, supply chain attack, OAuth, Vercel breach, AI security, cloud security, incident response, third-party risk, environment variables, credential rotation



Let’s Stay Connected

📧 Email: santosh@getitrightsoln.co.uk

🔗 LinkedIn: linkedin.com/in/kssantosh

SPEAKER_00

If you work in tech, if you ship code, if you use cloud platforms, and honestly, even if you're just someone who cares about security, this story matters to you. Just a few days back, on April 20th, Vercel, one of the biggest names in web infrastructure, confirmed it had been hacked. We are talking real customer data accessed, credentials stolen, and sensitive internal systems breached. But the interesting fact is that Vercel didn't get hacked because someone broke their front door. The attacker found a side entrance. They got in through a third-party AI tool that one of Vercel's employees was using. And the chain of events that led to this breach? It starts with Roblox cheat codes. No, I'm not making this up.

Welcome to Secured by Design, the podcast where we explore how identity and wider cybersecurity shape the foundation of our digital world. I'm Santosh, and in each episode I'll share insights and practical perspectives on how we can build security into every layer of technology and business, from identity governance and zero trust to the latest in cloud and compliance. Let's dive into what it takes to design security that lasts.

So today we are going to break this whole thing down step by step. We'll talk about who Vercel is, who Context AI is, exactly how this attack unfolded, and most importantly, what organizations should be doing right now to make sure they are not the next. Let's get into it.

First things first, who is Vercel? If you are a developer, you almost certainly know this name. But for everyone else, let me give you the quick version. Vercel is a cloud platform based in San Francisco that helps developers build, deploy and run modern web applications, especially front-end applications. Think of it as the infrastructure layer that sits between a developer's code and the actual website you see in your browser.
What made Vercel a household name in the developer world is that they created and maintain Next.js, an incredibly popular open source framework built on top of React. Next.js is used by companies like TikTok, Airbnb, Nike, and Twitch. It's one of the most widely adopted frameworks in web development today. So, when we talk about Vercel, we are not talking about a small startup. We are talking about a company whose technology sits at the foundation of a significant chunk of the internet. If Vercel sneezes, a lot of websites catch a cold. And that's exactly why this breach is so consequential. Vercel isn't just some small company that got hacked. Its environment variables can contain API keys, database credentials, authentication secrets, and those keys belong not just to Vercel, but to Vercel's customers. Which is why, when this breach broke, you saw crypto teams, Web3 developers, and enterprise engineering teams scrambling to rotate their credentials almost immediately. So that's Vercel. Big, critical, widely trusted infrastructure.

Now let's talk about the other company at the center of this, Context AI. Context AI, in comparison, is a much smaller, less well-known company. They build AI-powered tools. Specifically, they focus on evaluations and analytics for AI models. But the product that's relevant here is something they launched in June 2025 and called Context AI Office Suite. This was a consumer-facing product, a self-serve, subscription-style tool designed to let individual users automate tasks and workflows across their everyday apps: emails, calendars, documents, that kind of thing. The way it worked was through a feature that allowed AI agents to take actions inside your connected applications. And to do that, it needed permissions. It needed you to authorize it to access your Google account, your calendar, your files, etc. And here's where the first red flag appears.
Context AI Office Suite used a third-party service to facilitate these cross-app connections. So the trust chain didn't just go from user to Context AI. It went from user to Context AI to another third party. That's a lot of links in the chain. Context AI themselves have acknowledged that their consumer product, the Office Suite, was entirely separate from their enterprise offering, which runs on customers' own infrastructure. Their enterprise customers, they say, are not affected by this incident. But the consumer product, that's where this whole story begins to unravel. This was a textbook example of a supply chain attack, very similar to the LiteLLM attack we saw in an earlier episode. Let me walk you through this step by step.

The first step is when the seed is planted. The story begins in February 2026, two full months before this incident. A Context AI employee, not a Vercel employee, a Context AI employee, is on their personal or work computer and they search for Roblox game cheats. Roblox exploits and cheat codes are one of the most common delivery vectors for infostealer-category malware. They apparently downloaded something that looked like a game hack. What it actually was was Lumma Stealer, a sophisticated malware that immediately gets to work harvesting credentials, cookies, session tokens, and other sensitive data from the infected machine. That infected machine belongs to Context AI's own internal systems.

Now comes the next step, where the attacker gets inside Context. With the credentials harvested from that infected machine, the attackers move into where Context.ai hosted its consumer product infrastructure. Now, inside an AWS environment, the attackers find something incredibly valuable: OAuth tokens. If you're not familiar with OAuth, it is an authorization protocol. It's the mechanism behind those "Sign in with Google" or "Connect your account" buttons you see all over the web.
When you authorize an app to access your Google account, an OAuth token is generated. That token essentially says this app has permission to act on behalf of this user. The Context AI Office Suite had collected OAuth tokens from all the users who had signed up and connected their accounts. And the attackers, now inside Context. So now they've got hold of the tokens.

Then comes the third step. Here's where Vercel gets pulled into the story. Vercel is not a business customer of Context. But at least one Vercel employee had personally signed up for the Context AI Office Suite using their Vercel corporate Google Workspace account. And when they signed up, they clicked the worst button you can click in a permission dialog: Allow all. They granted the app broad, sweeping permissions across their enterprise Google account. Context AI's own security statement confirmed this explicitly. They found that the attacker used a compromised OAuth token to access Vercel's Google Workspace. And Vercel's internal OAuth configuration allowed those broad permissions to propagate, meaning the attacker didn't just get access to one email inbox. They potentially had significant reach across the employee's Google environment.

Now comes step four. With control of the Vercel employee's Google Workspace account, the attacker now has a legitimate-looking foothold inside Vercel's ecosystem. From there, they move into Vercel's internal environments. Vercel says the attacker accessed environment variables. Here's the crucial distinction Vercel has been quick to make. Environment variables that are marked as sensitive are stored in an encrypted format that simply can't be read. And Vercel says there is currently no evidence that those encrypted values were accessed.
But the environment variables that were not marked as sensitive, those were accessible, and those can still contain API keys, connection strings, and other credentials that developers may not have thought to classify as sensitive. Essentially systematically listing and inventorying what was available, moving through systems with methodical precision. And he said something in a post on X that I think is worth quoting. He described the attacking group as, in his words, highly sophisticated, and said he strongly suspects the attack was significantly accelerated by AI. In his words, they moved with surprising velocity and in-depth understanding of Vercel.

And in the next step, now that they have access to Vercel's environment, the attacker, or someone claiming to be affiliated with the notorious hacking group ShinyHunters, surfaced on various forums and Telegram offering to sell what they described as Vercel customer data. Things like access keys, source code, and database data, for a reported asking price of $2 million. Now, it's worth noting that the actual ShinyHunters group has reportedly denied involvement, which makes this all the more interesting. Security analysts from Google Threat Intelligence have suggested the actor using that name is likely an imposter, trying to leverage an established name for credibility. But regardless of who's behind it, the stolen data appears to be real.

So, to recap the chain: a Context AI employee searched for Roblox cheats, got infected with Lumma Stealer, the attacker gained access to Context AI's AWS, stole OAuth tokens including one belonging to a Vercel employee, used the token to take over the employee's Google Workspace account, pivoted into Vercel's internal systems, accessed non-sensitive environment variables, and customer data was stolen. Six steps. One search for a game cheat, millions of dollars of potential damage. That's a supply chain attack in its purest form.

Now you might be thinking, okay, this is a tech story.
Why should I really care? Here's why it matters beyond Vercel. What you're seeing is a fundamental shift in how attacks happen. The perimeter-based security model, with the idea that if you just protect your own walls, you're dead safe. But attackers don't need to break into your front door if they can walk through a window that someone else left open. And AI tools are now widening that attack surface dramatically. As companies race to integrate AI productivity tools, they're granting those tools broad permissions, often without thinking carefully about what that means. As one security expert put it in the aftermath of this incident, OAuth is the new lateral movement. Lateral movement is a security term for an attacker moving from one compromised system to others within an organization. OAuth tokens are now enabling that same movement across organizational boundaries, not just within them. And here's the uncomfortable truth. This is going to happen again. The question is whether your organization will be the next victim or whether you will have the controls in place to stop it.

Let's end with something practical. Here are the concrete steps every organization should be taking right now.

Number one, audit your OAuth integrations immediately. Go right now and look at every OAuth application connected to your corporate Google Workspace, Microsoft 365, or any other identity platform. You will likely find apps you've forgotten about, apps employees connected without IT approval, and apps with far more permissions than they need. Revoke anything you don't recognize. Revoke anything that has been used recently. This is basic hygiene that most organizations neglect entirely.

Number two, apply the principle of least privilege to every app connection. When any third-party application asks for permissions, the default answer should be: give it the minimum it needs, nothing more. In this breach, the Vercel employee clicked allow all.
That single click gave a third-party app broad access to a corporate account. Your employees should never be in a position to make that decision unilaterally. And if they are, they should be trained to know that allow all is almost never the right choice. Build approval workflows; require IT or security sign-off before employees can connect third-party apps to corporate accounts, especially those with broad OAuth scopes.

Number three, treat all environment variables as sensitive by default. Vercel's architecture distinguishes between sensitive and non-sensitive environment variables. The sensitive ones were encrypted and not accessed. The non-sensitive ones, fair game. The lesson here is simple. If it's a secret, if it's a key, a credential, a token, a connection string, mark it as sensitive. Full stop. Don't leave that to interpretation. Audit your environments and elevate the classification of anything that could be leveraged against you.

Number four, deploy endpoint detection and response on every device. This attack started with an employee downloading Lumma Stealer malware from a Roblox cheat site. A proper endpoint detection and response tool, an EDR solution, would likely have caught that malware before it could have harvested credentials. If your employees are working on devices without EDR, you have a gap. Close it, and consider whether your acceptable use policies need updating to reduce the risk of personal browsing behavior leading to corporate compromise.

Number five, vet your third-party vendors, including the shiny new AI tools. Before any new SaaS tool or AI product gets connected to your corporate systems, there should be a security review. What data does it store? Where is it stored? What's their incident response history? What permissions does it actually need versus what it asks for? The difficult reality is that AI tools, particularly newer consumer-facing ones, are often built by younger companies without mature security programs.
They're moving fast, shipping features, and security is sometimes an afterthought. You need to be asking hard questions before you hand them the keys to your Google Workspace.

And number six, monitor for suspicious OAuth activity continuously. You need visibility. Most organizations have almost none when it comes to OAuth token usage. Implement monitoring that alerts you when new OAuth applications are authorized, when tokens are used from unexpected IP addresses or locations, and when access patterns change dramatically. Document your rotation procedures now. Test them. Make sure every team knows exactly what to do if a credential compromise is suspected. Speed matters enormously in limiting the blast radius of any breach.

Alright, let's land the plane. The Vercel hack is a story about trust. An employee trusted a productivity app. That app's employee trusted a game cheat site. And somewhere in that chain of trust, an attacker found their opening. This is the reality of modern security. The threat doesn't always come from the front. It comes from the third-party tool you didn't think twice about. It comes from the OAuth permission dialog your employee clicked through in 30 seconds. It comes from the environment variables nobody bothered to mark as sensitive. The organizations that will be resilient are the ones that treat security not as a compliance checkbox, but as an ongoing discipline. One that extends to every tool, every integration, and every connection that employees make. So take today as a reminder: audit those OAuth connections, tighten those permissions, and train your people to think twice before clicking allow all.

Thanks for listening to Secured by Design. If today's episode gave you something to think about, subscribe and follow on your favorite streaming platform for more discussions on identity and cybersecurity. Please do consider taking the time to rate the show. I would really appreciate that.
That is one of the best ways for you to support this podcast and help grow it by providing feedback. Please feel free to share it with your team. You can also connect with me on LinkedIn for updates and new episode releases. Until next time, stay secure, stay resilient, and stay secured by design.
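The practical steps in the episode (audit every OAuth grant, enforce least-privilege scopes, watch for token use from unexpected locations) can be turned into a small recurring audit. The following is an added example, not code from the podcast, from Vercel or from Context AI. It runs over a constructed export of OAuth grants: the grant record layout, the users, app names, client ids and the country code "ZZ" are placeholders, the allow-list of client ids and the 90-day staleness threshold stand in for an organisation's own policy, and the scope URLs are real Google OAuth scopes. A real export (for instance an identity platform's token report) would need its columns mapped onto the Grant fields.

```python
"""
Added example, not code from the podcast or from Vercel or Context AI: an audit over a
constructed export of OAuth app grants that flags what the episode tells you to look for.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Google OAuth scopes that hand an app sweeping read/write access over a whole mailbox,
# Drive or user directory. The scope URLs are real; treating exactly these as "broad"
# is a policy assumption of this example.
BROAD_SCOPES = {
    "https://mail.google.com/",                               # full Gmail access
    "https://www.googleapis.com/auth/drive",                  # full Drive access
    "https://www.googleapis.com/auth/admin.directory.user",   # manage directory users
}


@dataclass(frozen=True)
class Grant:
    """One app authorisation on a corporate account (field layout is constructed)."""
    user: str            # corporate account that clicked "allow"
    app_name: str        # display name from the consent dialog (chosen by the app vendor)
    client_id: str       # OAuth client id of the app (stable; key allow-lists on this)
    scopes: tuple        # scopes the user granted
    last_used: datetime  # last token use, UTC
    last_country: str    # ISO country code of the last use


@dataclass(frozen=True)
class Finding:
    user: str
    client_id: str
    kind: str    # UNAPPROVED_APP | BROAD_SCOPE | STALE_TOKEN | UNEXPECTED_LOCATION
    detail: str


def audit_grants(grants, approved_client_ids, home_countries, now,
                 stale_after=timedelta(days=90)):
    """Return one Finding per policy violation; a grant with none is clean."""
    findings = []
    for g in grants:
        if g.client_id not in approved_client_ids:
            findings.append(Finding(g.user, g.client_id, "UNAPPROVED_APP", g.app_name))
        broad = BROAD_SCOPES.intersection(g.scopes)
        if broad:
            findings.append(Finding(g.user, g.client_id, "BROAD_SCOPE", ",".join(sorted(broad))))
        if now - g.last_used > stale_after:
            findings.append(Finding(g.user, g.client_id, "STALE_TOKEN",
                                    f"last used {g.last_used.date().isoformat()}"))
        if g.last_country not in home_countries:
            findings.append(Finding(g.user, g.client_id, "UNEXPECTED_LOCATION", g.last_country))
    return findings


def revoke_candidates(findings):
    """Grants to revoke outright: apps nobody approved, and tokens nobody has used."""
    return {(f.user, f.client_id) for f in findings
            if f.kind in {"UNAPPROVED_APP", "STALE_TOKEN"}}


def review_candidates(findings):
    """Approved apps that still need a human look: broad scopes or use from an odd location."""
    flagged = {(f.user, f.client_id) for f in findings
               if f.kind in {"BROAD_SCOPE", "UNEXPECTED_LOCATION"}}
    return flagged - revoke_candidates(findings)


# Constructed sample data: users, app names, client ids and the country "ZZ" are
# placeholders; the allow-list and home countries stand in for an organisation's policy.
NOW = datetime(2026, 4, 25, tzinfo=timezone.utc)
APPROVED_CLIENT_IDS = {"cid-ci-0002", "cid-backup-0003", "cid-cal-0004"}
HOME_COUNTRIES = {"GB", "US"}
SAMPLE_GRANTS = [
    # An employee connected a consumer productivity app with "allow all"-style scopes.
    Grant("alice@example.com", "Workflow Assistant", "cid-workflow-0001",
          ("https://mail.google.com/", "https://www.googleapis.com/auth/drive",
           "https://www.googleapis.com/auth/calendar"),
          NOW - timedelta(days=1), "ZZ"),
    # An approved integration whose token has not been used in four months.
    Grant("bob@example.com", "CI Bot", "cid-ci-0002",
          ("https://www.googleapis.com/auth/drive.file",),
          NOW - timedelta(days=120), "GB"),
    # An approved app that nevertheless holds full Drive access.
    Grant("carol@example.com", "Backup Tool", "cid-backup-0003",
          ("https://www.googleapis.com/auth/drive",),
          NOW - timedelta(days=3), "US"),
    # A clean grant: approved, narrow scope, recently used from a home country.
    Grant("dave@example.com", "Calendar Sync", "cid-cal-0004",
          ("https://www.googleapis.com/auth/calendar.readonly",),
          NOW - timedelta(days=2), "GB"),
]


def run_sample():
    return audit_grants(SAMPLE_GRANTS, APPROVED_CLIENT_IDS, HOME_COUNTRIES, NOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:20} {f.user:20} {f.client_id:18} {f.detail}")
    print("revoke:", sorted(revoke_candidates(run_sample())))
    print("review:", sorted(review_candidates(run_sample())))
```

Two design choices worth noting. The allow-list is keyed on the OAuth client id rather than the display name, because the name is whatever the app vendor put in the consent screen. And a grant is split into "revoke" (unknown app, or a token nobody has used in 90 days) versus "review" (an approved app that holds a broad scope or was last used from outside the home countries), so that an approved integration is not silently cut off but a forgotten consumer app is.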