The Vercel breach this month is the textbook OAuth sprawl chain that did not start at Vercel. It started at Context.ai, a deprecated consumer-grade AI Office Suite product, where an employee allegedly contracted an infostealer while searching for Roblox cheats. The infostealer harvested stored OAuth tokens; one of those tokens belonged to a Vercel employee who had trialed Context.ai months earlier and forgotten about it, having granted the app durable access to their Google Workspace. That single OAuth grant carried internal dashboards, employee records, API keys, NPM tokens, and GitHub tokens into the attacker’s reach. Vercel was never a Context.ai customer, according to the Push Security analysis of the incident.
- The OAuth grant from a forgotten AI app trial survived as a persistent third-party pivot months after the Vercel employee stopped using Context.ai.
- Scattered Lapsus$ Hunters used the same OAuth pivot pattern in 2025 against Salesloft Drift and Gainsight, hitting over 1,000 organizations and exfiltrating more than 1.5 billion records from victims including Google, Cloudflare, Rubrik, Palo Alto Networks, and CyberArk.
- Push Security has observed a 37x year-over-year increase in device-code phishing attacks designed to register attacker-controlled apps into Salesforce tenants for mass data exfiltration.
- The Google Workspace admin panel carried a single toggle that would have blocked the Vercel grant; the broader OAuth sprawl across non-primary SaaS does not have an equivalent single switch.
How a Roblox infostealer reached an NPM token: the Vercel breach chain
The Vercel breach is the worked example for a shadow AI category most CISOs are still framing as a data-leakage problem. The classic shadow AI question – what sensitive data did the employee upload to ChatGPT – addresses the right risk but the wrong attack surface. The Vercel chain was different. The employee uploaded nothing. They clicked through an OAuth consent screen for a free AI Office Suite trial; Google Workspace honored the grant; the employee abandoned the trial within weeks; and the grant persisted as an invisible bridge into their tenant. When Context.ai itself was breached, the attacker did not need to phish anyone at Vercel. They pulled the OAuth tokens out of Context.ai’s storage and replayed them against the downstream tenants whose grants the company held.
This is the structural failure mode that distinguishes shadow AI from prior shadow IT. A typical SaaS app a user signs up for sits inside the app’s tenant and stays there. An AI app oriented around workflow automation – aggregating from one app, analyzing in another, distributing through a third – is configured to reach into the user’s other apps via OAuth. Push categorizes the shadow exposure into four classes: shadow apps (signed up without approval), shadow tenants (approved app, personal account, outside org control), shadow extensions (browser-extension companions), and the load-bearing category in the Vercel chain – shadow integrations, the OAuth connections that survive even when the originating app is forgotten.
OAuth sprawl is the supply-chain pattern attackers have been refining since 2025
The contrarian observation in the Vercel breach is that OAuth sprawl is not an AI-app problem; it is the dominant SaaS supply-chain pattern attackers have spent the past 18 months operationalizing. The 2025 Scattered Lapsus$ Hunters campaign breached Salesloft (specifically the Salesloft Drift platform) and Gainsight, then leveraged OAuth tokens stored at those vendors to pivot into more than 1,000 downstream Salesforce and Google Workspace tenants. The victim list reads as the enterprise security-vendor roster: Google, Cloudflare, Rubrik, Elastic, Proofpoint, JFrog, Zscaler, Tenable, Palo Alto Networks, CyberArk, BeyondTrust, and Qualys. Over 1.5 billion records were taken across the campaign. Push notes a parallel pattern at Snowflake, where attackers leveraged stolen tokens from data-anomaly-detection vendor Anodot to access Salesforce data; Rockstar Games was a named victim.
The same pattern shows up on the inbound side of the OAuth flow. The 2025 Salesforce device-code phishing campaign tricked targets into registering an attacker-controlled app into their tenant – which under the OAuth device-code grant yields full API access. Push reports a 37x year-over-year jump in device-code phishing attacks, with more than a dozen Phishing-as-a-Service (PhaaS) kits now circulating that automate the OAuth grant capture. Combined with the supply-side pivots, OAuth integrations have become one of the most reliably abused enterprise attack surfaces – and every new AI tool an employee connects extends the addressable surface.
Lock down OAuth before the next AI tool trial creates the next Vercel
The recommendations sequence from the primary enterprise apps outward to the rest of the SaaS estate. Each step addresses a specific gap the Vercel chain exposed.
Switch the Google Workspace and Microsoft 365 OAuth consent screen to default-deny. Both platforms expose a single admin toggle that requires admin approval before a user can grant a new app access to their tenant. The Vercel breach was preventable at this layer: had default-deny been in force, the Context.ai trial grant would never have happened. The shadow AI conversation in most organizations is still framed around chatbot policy; the OAuth consent toggle is the lower-effort, higher-impact lever.
Audit existing OAuth grants on a recurring cadence and revoke the unused ones. The Vercel grant survived because no audit removed it. Quarterly review of every active OAuth integration against current business need is the minimum; the apps to focus on first are those the user has not opened in 30 days. The audit is in scope for both Google Workspace and Microsoft 365 admin panels and applies to every approved app in the tenant.
Extend OAuth visibility beyond the two primary platforms. The harder gap is the SaaS-to-SaaS OAuth grants happening outside Google and Microsoft. The Salesloft Drift and Gainsight chains in the 2025 campaign cleared the primary-app consent screen because the OAuth grant was between SaaS vendors, not between an employee and a primary app. Browser-mediated controls, OAuth-grant-monitoring tooling, and contractual demands on SaaS suppliers all address pieces of this; no single control covers it.
Treat new AI app adoption as a third-party-risk decision, not a productivity decision. The Context.ai trial that produced the Vercel chain was a free self-service signup with no procurement review. Every new AI tool an employee adopts inherits the security posture of that tool’s vendor; the Roblox-cheats infostealer at a deprecated AI Office Suite vendor is the kind of supplier-side risk a procurement review would have caught. The Vercel employee who clicked through that consent screen still has their Workspace access intact today; the next employee with the next forgotten OAuth grant is the next link in the OAuth sprawl chain.
Join our LinkedIn group Information Security Community!
