The company behind Next.js, Vercel, recently confirmed a security breach affecting its internal systems.
But here’s the real twist 👇
👉 The attack didn’t start from Vercel itself.
👉 It came through a third-party AI tool.
⚠️ What actually happened?
• A third-party AI tool (Context.ai) was compromised
• An attacker gained access via a Google Workspace OAuth token
• This led to unauthorized access to Vercel’s internal systems
• A limited number of customer credentials were exposed
Hackers even claimed they were selling access to: • API keys
• Internal deployments
• Employee accounts
💡 Why this matters (a lot)
This is not just a “company got hacked” story.
This is a supply chain + AI tool vulnerability.
Even if your system is secure…
👉 your tools might not be.
🧠 Big lessons for developers
• Don’t blindly trust third-party tools
• Be careful with OAuth permissions (“Allow All” is dangerous)
• Always rotate API keys & secrets
• Monitor environment variables
• Security ≠ just your code
⚡ Reality check
Modern development =
Your code + dependencies + cloud + AI tools
And now,
👉 AI tools are becoming a new attack surface
📌 Vercel says services are still running normally
and only a subset of users were impacted — but the investigation is ongoing
The question is no longer:
“Is my app secure?”
It’s:
👉 Is my entire ecosystem secure?
Would you trust third-party AI tools with full access to your system?
Top comments (0)