Features 12.05.2026
AI Autopsy: Vercel Breach Shows SaaS Integrations Are the New Attack Path
How one supply chain incident snowballed into a full-blown customer data breach
The April 2026 breach at Vercel didn’t begin with a firewall bypass or a zero-day exploit. It started somewhere far more mundane: a third-party AI provider. Two months earlier, an employee at Context.ai downloaded game cheats, unwittingly infecting his machine with infostealer malware. By the following month, attackers had accessed the firm’s AWS environment and OAuth tokens.
The case highlights again why security teams must scrutinise long-lived access and supply chain trust relationships much more closely in the future.
It’s a pattern network defenders are increasingly seeing. Rather than attacking a large organisation head-on, threat actors go after a smaller provider, exploit the access it already has, and use it to move deeper in. In this case, the stolen OAuth token provided access to a Vercel employee’s Google Workspace account, according to the firm’s incident report. From there, attackers moved into internal systems and accessed sensitive data.
Once a user authorises a third-party application, that access can extend well beyond the original use case, often without clear oversight, argues Cory Michal, CISO at AppOmni.
“What’s most noteworthy about this attack is that it appears to have started as a SaaS integration supply-chain compromise and then cascaded into the takeover of a trusted Vercel user and access to internal systems,” he tells Infosecurity.
“That reflects a growing attacker playbook: abusing trusted SaaS integrations and identity connections to move from one app into a much larger enterprise environment.” In this case, the attacker did not need to find a way into Vercel’s systems – the access was already there.
Attackers are not always looking for a technical weakness to exploit. In many cases, they are using the connections organisations have already approved.
Jaime Blasco, CTO of Nudge Security, says he’s seen this pattern several times before.
“This is the new attack surface, and we’ve seen it play out over and over again in the last year. Salesloft Drift, Gainsight, and now Context.ai and Vercel. Different vendors, same story: attackers compromise a small AI or SaaS vendor, steal the OAuth tokens that vendor holds on behalf of its customers, and walk into hundreds of downstream enterprises using credentials the platform was designed to issue.”
The common thread is not a single vulnerability, but how SaaS environments are connected.
“OAuth is the new lateral movement,” Blasco adds. “Until the industry treats OAuth tokens as high-value credentials, we’re going to keep reading the same breach writeup with the vendor names swapped out.”
That risk is growing as more AI tools are brought into day-to-day workflows, often with broad permissions.
Behind this sits another issue that is getting harder to manage: non-human identities. Jared Atkinson, CTO at SpecterOps and a former US Air Force Hunt Team member, says the attack surface is spiralling out of control.
“AI tool adoption is creating new identity attack paths faster than most organisations can track,” he tells Assured Intelligence. “Every AI tool granted OAuth access to a corporate identity system opens a new pathway into the enterprise, one that sits outside the organisation’s control.”
These identities include service accounts, integrations, and tokens, which often have wide access and are not reviewed as closely as user accounts.
“The scale of this problem is already significant and accelerating,” Atkinson continues. “Enterprises today manage millions of non-human identities (NHIs), many with excessive privileges. Increasingly, recent notable breaches have been traced to compromised NHIs as the primary attack vector, rather than the initial foothold.”
In other words, the risk is not just who has access – but what has access.
Knowing what is connected in the first place can be a challenge. Many organisations do not have a clear, up-to-date view of which applications are linked to their core systems, or what level of access those apps have.
AppOmni’s Michal says that this lack of visibility turns a single compromise into something much larger.
“The bigger picture issue this calls attention to is the growing risk posed by OAuth tokens and the often-invisible web of third-party SaaS integrations connected to core business platforms,” he tells Assured Intelligence. “Once a user authorises one app, that trust can extend into email, identity, CRM, development, and other systems in ways many organisations do not fully inventory or monitor.”
That makes it easier for attackers to move undetected.
As these incidents show, stopping every attack is not realistic. Michal says organisations need to plan for what happens after access is gained.
“That risk is no longer theoretical,” he adds. “This kind of attack path is being exploited more often.”
The focus shifts from prevention to limiting the blast radius of attacks. That means reducing the scope of access granted to third-party tools, tightening controls around sensitive systems, and making it harder to move between services.
One of the most immediate changes organisations can make is to tighten how OAuth access is granted. Nudge Security’s Blasco says many environments still allow users to approve third-party apps without any review.
“Most Google Workspace and Microsoft 365 environments are still configured to let any employee grant third-party apps access to their enterprise account,” he adds. “Move to admin-managed consent.”
That change alone can prevent risky integrations from being introduced in the first place.
It’s also important to review what already exists, Blasco says. “OAuth grants accumulate,” he explains. “People try a tool, forget about it, leave the company, and the grant keeps living in the tenant with whatever scopes it asked for.”
In practice, that means moving away from periodic audits and towards continuous tracking of integrations and permissions.
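The grant review Blasco describes can be scripted. The following is an added example, not code from Vercel, Nudge Security or the original article: it takes a constructed list of third-party OAuth grants in the shape of the Google Workspace Directory API `tokens.list` response, a constructed set of suspended users and a constructed allow-list of approved client IDs, and flags grants that are orphaned, unreviewed, or carry high-value scopes (the scope set used as "high-value" is an assumed policy).

```python
# Constructed sample: one record per (user, third-party app) grant, in the
# shape of the Directory API tokens.list response (userKey added per user).
SAMPLE_GRANTS = [
    {"userKey": "alice@example.com", "clientId": "111.apps.googleusercontent.com",
     "displayText": "Meeting Notes AI",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/calendar"]},
    {"userKey": "bob@example.com", "clientId": "222.apps.googleusercontent.com",
     "displayText": "Slide Helper",
     "scopes": ["https://www.googleapis.com/auth/presentations"]},
    {"userKey": "carol@example.com", "clientId": "333.apps.googleusercontent.com",
     "displayText": "Drive Sync Tool",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
]
SUSPENDED_USERS = {"carol@example.com"}               # constructed: users who have left
APPROVED_CLIENTS = {"222.apps.googleusercontent.com"}  # constructed allow-list

# Assumed policy: scopes granting mailbox, Drive or directory access are high-value.
HIGH_VALUE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}


def review_grants(grants, suspended_users, approved_clients):
    """Return (userKey, displayText, reasons) for every grant that needs action."""
    findings = []
    for g in grants:
        reasons = []
        if g["userKey"] in suspended_users:
            reasons.append("orphaned: user no longer active")
        if g["clientId"] not in approved_clients:
            reasons.append("unreviewed client")
        risky = sorted(set(g["scopes"]) & HIGH_VALUE_SCOPES)
        if risky:
            reasons.append("high-value scopes: " + ", ".join(risky))
        if reasons:
            findings.append((g["userKey"], g["displayText"], reasons))
    return findings


if __name__ == "__main__":
    for user, app, reasons in review_grants(SAMPLE_GRANTS, SUSPENDED_USERS, APPROVED_CLIENTS):
        print(f"{user} -> {app}: {'; '.join(reasons)}")
```

Run against a real export, the orphaned and unreviewed findings are the grants to revoke first; the high-value scope findings are the ones to re-approve deliberately under admin-managed consent.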
Another recurring issue is how SaaS platforms are configured. Many services include controls that can reduce risk, but are not always enabled.
Blasco says organisations should make use of what is already available – such as settings that protect sensitive data, limit access, and control how integrations behave.
“Use the security controls your platforms give you,” he advises. “The defaults are rarely the safe choice on any SaaS platform.”
Yet even with stronger controls, visibility into activity remains critical. In SaaS environments, attackers can move between systems in ways that are not always obvious.
AppOmni’s Michal argues that organisations need better logging across platforms: “Companies need strong log collection and analysis across these platforms so they can detect suspicious activity quickly and understand how an attacker may be moving through interconnected SaaS environments.”
That visibility helps both with early detection and with understanding the full impact of an incident.
It’s still unclear how many customers were impacted by the security breach at Vercel, although a threat actor claiming to be part of ShinyHunters tried to sell a trove of access keys, source code and employee data for $2m.
However, aside from the impact, the incident reflects a broader shift in how organisations operate and how attackers respond. As more systems are connected through APIs, integrations, and AI tools, the number of indirect access paths continues to grow.
For CISOs, the issue is no longer just securing individual systems. It is understanding how those systems connect, what access exists between them, and how that access could be misused.
That is where the next set of security challenges is already taking shape.