The recent breach involving Vercel serves as a stark warning about the dangers of transitive trust in cloud environments. Attackers leveraged a compromised third-party OAuth integration—specifically targeting the mechanisms used to connect external tools like AI features to core development platforms. This incident highlights how Shadow AI (unsanctioned AI tool adoption) and OAuth Sprawl (the uncontrolled accumulation of connected app permissions) create a massive attack surface. When a single OAuth app is compromised, it doesn't just threaten one account; it provides a conduit to exploit the trust granted by downstream customers, potentially leading to code exfiltration, supply chain poisoning, and environment takeover.
Technical Analysis
- Affected Products & Platforms: Vercel platform, GitHub repositories, and third-party OAuth integrations (specifically those utilizing "Push" or similar AI-driven integration tools).
- CVE Identifiers: N/A (Identity Security / Supply Chain Vector).
- Attack Mechanism: The attack chain begins with the compromise of a third-party OAuth application. This application had already been authorized by users (via OAuth grants) to access specific repositories and projects within Vercel and GitHub. The attackers, having gained control of the OAuth app, utilized the existing valid tokens to authenticate as the user or the integration itself. They leveraged this access to enumerate assets, read source code, and potentially inject malicious artifacts into the CI/CD pipeline. This bypasses traditional authentication controls (MFA) because the OAuth token is already valid and trusted.
- Exploitation Status: Confirmed active exploitation. The breach was disclosed following specific incident response engagements where unauthorized access was traced back to the compromised integration.
Detection & Response
The following detection mechanisms focus on identifying the creation of OAuth grants and the suspicious usage of integration tools. Defenders should monitor their identity providers (IdP) and cloud audit logs for unauthorized consent.
Sigma Rules
```yaml
---
title: Vercel CLI OAuth Linking Activity
id: 8a4f2c1e-9d5b-4a6e-8b3c-1d2e3f4a5b6c
status: experimental
description: Detects the execution of the Vercel CLI performing link or login operations, which establishes OAuth tokens that could be abused in a supply chain attack.
references:
  - https://vercel.com/docs/security/oauth
author: Security Arsenal
date: 2025/04/01
tags:
  - attack.initial_access
  - attack.t1078.004
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\vercel.exe'
    # List values are OR-ed: either 'login' or 'link' on the command line matches
    CommandLine|contains:
      - 'login'
      - 'link'
  condition: selection
falsepositives:
  - Legitimate developer onboarding or project linking
level: low
---
title: GitHub OAuth App Authorization with High Scope
# 'g' is not a hexadecimal digit, so this id is not a valid UUID; generate a fresh UUID before deploying
id: 9b5g3d2f-0e6c-5b7f-9c4d-2e3f4a5b6c7d
status: experimental
description: Detects when a new OAuth application is authorized with high-privilege scopes (repo, admin:org, write:packages) which could indicate Shadow AI sprawl or a compromised integration.
references:
  - https://docs.github.com/en/enterprise-server@3.9/admin/identity-and-access-management/managing-iam-for-your-enterprise-using-okta/configuring-the-okta-saml-single-sign-on-application-for-github
author: Security Arsenal
date: 2025/04/01
tags:
  - attack.persistence
  - attack.t1136.003
logsource:
  category: application
  product: github
detection:
  selection:
    action: 'oauth_authorization.create'
    # Substring match, OR-ed across the listed values
    scope|contains:
      - 'repo'
      - 'admin:org'
      - 'workflow'
  condition: selection
falsepositives:
  - Legitimate installation of known CI/CD tools
level: high
```
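The second rule matches scopes by substring, so `scope|contains: 'repo'` also fires on narrower scopes such as `public_repo` or `repo:status`. The added example below (not Security Arsenal's code) triages exported audit events with exact scope-token matching and an allowlist of approved integrations. The `action` and `scope` fields follow the rule above; the `actor`, `app` and `created_at` field names, the app names and the log lines are constructed assumptions.

```python
import json

# Scopes treated as high privilege: 'repo', 'admin:org' and 'workflow' come from
# the rule's detection block, 'write:packages' from its description.
HIGH_RISK = {"repo", "admin:org", "workflow", "write:packages"}

# Constructed audit events (JSON lines). 'action' and 'scope' follow the rule;
# 'actor', 'app' and 'created_at' are assumed field names.
SAMPLE_LOG = """\
{"created_at": "2025-04-01T09:12:00Z", "action": "oauth_authorization.create", "actor": "dev-a", "app": "ci-runner", "scope": "repo,workflow"}
{"created_at": "2025-04-01T09:40:00Z", "action": "oauth_authorization.create", "actor": "dev-b", "app": "ai-notes", "scope": "public_repo,read:user"}
{"created_at": "2025-04-01T10:05:00Z", "action": "oauth_authorization.create", "actor": "dev-c", "app": "ai-helper", "scope": "repo admin:org"}
{"created_at": "2025-04-01T10:30:00Z", "action": "repo.create", "actor": "dev-c", "scope": "repo"}
not-json line left by a broken export
{"created_at": "2025-04-01T11:00:00Z", "action": "oauth_authorization.create", "actor": "dev-d", "app": "ai-helper", "scope": ["repo:status", "workflow"]}
"""

def parse_scopes(raw):
    """Normalise a scope value (list, or comma/space-separated string) to a set of tokens."""
    if isinstance(raw, list):
        tokens = raw
    else:
        tokens = str(raw or "").replace(",", " ").split()
    return {str(t).strip().lower() for t in tokens if str(t).strip()}

def triage(log_text, approved_apps=frozenset()):
    """Return (findings, skipped): risky grants to unapproved apps, and unparseable line count."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # count, don't silently drop: gaps in the export matter in IR
            continue
        if not isinstance(event, dict) or event.get("action") != "oauth_authorization.create":
            continue
        risky = parse_scopes(event.get("scope")) & HIGH_RISK  # exact token match
        app = event.get("app", "<unknown>")
        if risky and app not in approved_apps:
            findings.append({"time": event.get("created_at"), "actor": event.get("actor"),
                             "app": app, "risky_scopes": sorted(risky)})
    return findings, skipped

if __name__ == "__main__":
    hits, bad = triage(SAMPLE_LOG, approved_apps={"ci-runner"})
    for hit in hits:
        print(hit)
    print(f"skipped {bad} unparseable line(s)")
```

With `ci-runner` allowlisted, only the two `ai-helper` grants are reported; the `public_repo` grant that a substring match would flag is not.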
KQL (Microsoft Sentinel / Defender)
This query targets AuditLogs to identify when third-party applications are granted permissions to read or write code repositories, a common requirement for AI integrations.
```kql
AuditLogs
| where Category == "ApplicationManagement"
| where OperationName has "Add OAuth2PermissionGrant" or OperationName has "Consent to application"
| extend AppName = tostring(InitiatedBy.app.displayName), UPN = tostring(InitiatedBy.user.userPrincipalName)
| extend Permissions = tostring(TargetResources[0].modifiedProperties[0].newValue)
| where Permissions contains "Repository.Read" or Permissions contains "Repository.Write" or Permissions contains "Code"
| project TimeGenerated, AppName, UPN, Permissions, Result
| order by TimeGenerated desc
```
Velociraptor VQL
This artifact hunts for local configuration files on developer endpoints that contain active Vercel or GitHub authentication tokens. In the event of a breached integration, these local caches may need to be invalidated.
```vql
-- Hunt for Vercel and GitHub config files storing auth tokens
SELECT FullPath, Size, Mtime
FROM glob(globs=[
    '/Users/*/.config/vercel/config.',
    '/Users/*/.config/vercel/auth.',
    '/Users/*/.gitconfig',
    'C:\Users\*\AppData\Roaming\vercel\config.',
    'C:\Users\*\.gitconfig'
])
WHERE Size > 0
```
Remediation Script (PowerShell)
Use this script on potentially compromised developer workstations to identify and remove Vercel credentials, forcing a re-authentication that can be blocked if the OAuth app is revoked.
```powershell
# Audit and remove Vercel credentials to force re-authentication
$VercelConfigPath = "$env:APPDATA\vercel"
$VercelAuthFile = Join-Path -Path $VercelConfigPath -ChildPath "auth."
$VercelConfigFile = Join-Path -Path $VercelConfigPath -ChildPath "config."

if (Test-Path $VercelAuthFile) {
    Write-Host "[+] Found Vercel auth file at: $VercelAuthFile"
    Write-Host "[!] Removing auth file to revoke local session..."
    Remove-Item -Path $VercelAuthFile -Force
    Write-Host "[*] Vercel session cleared. User must re-login."
} else {
    Write-Host "[-] No Vercel auth file found."
}

# Check for linked projects in config
if (Test-Path $VercelConfigFile) {
    Write-Host "[+] Found Vercel config file. Reviewing linked projects..."
    Get-Content -Path $VercelConfigFile | Select-String -Pattern "orgId|teamId" | Write-Host
}
```
Remediation
- Identify and Revoke: Immediately audit your Vercel and GitHub "Authorized Apps" or "OAuth Apps" settings. Revoke access for any third-party integration that is not explicitly business-critical or that matches the IOCs associated with the Vercel breach.
- Scope Reduction: Implement a policy of Least Privilege for OAuth apps. Grant read-only access to repositories unless write access is absolutely required for the integration's function.
- Token Rotation: If you utilized the compromised integration, assume your source code and secrets have been exposed. Rotate all API keys, database credentials, and deployment secrets found in the code.
- Audit Logs: Review audit logs for the specific timeframes of the breach to identify any data exfiltration or unauthorized repository modifications performed by the integration's service account.
- Supply Chain Vetting: Update the security review process to require explicit approval for any AI tool or integration that requests repository access.