In April 2026, Vercel disclosed a supply chain breach after threat actor ShinyHunters posted a $2,000,000 ransom on BreachForums for stolen internal data and customer environment variables. Vercel CEO Guillermo Rauch confirmed the breach on April 19, 2026. The intrusion began with Lumma Stealer malware on an employee's personal device, which harvested a live Google OAuth session token and allowed attackers to bypass MFA and walk straight into Vercel's internal Google Workspace. Roughly 580 employee records were exposed, and the broader campaign tracked by Mandiant has touched more than 1,000 SaaS environments and an estimated 500,000 compromised machines.
What Happened
The Vercel intrusion was not a zero-day against Vercel infrastructure. Attackers infected a Vercel employee's personal device with Lumma Stealer, an infostealer sold on underground markets that targets browser session cookies, saved credentials, and authentication tokens. Among the harvested artifacts was a valid Google OAuth session token tied to the employee's corporate identity.
By replaying that token, the attackers authenticated to Vercel's internal Google Workspace as the employee with no password prompt and no MFA challenge, since the session was already considered authenticated. From inside Workspace, they pivoted to internal systems, accessed customer environment variable stores, and exfiltrated an internal employee database before posting their ransom demand on BreachForums.
Vercel's incident is part of a wider campaign Mandiant has labeled TeamPCP, which leverages stolen OAuth tokens and connected third-party AI integrations to fan out across SaaS tenants.
What Was Taken
The exposed data falls into two distinct buckets, with the second carrying far greater downstream risk.
- Approximately 580 Vercel employee records, including names, email addresses, and employment status fields, dumped from an internal database.
- Customer-supplied environment variables stored in Vercel projects, including database connection strings, third-party API keys, and internal service tokens used by Vercel customers in production deployments.
- Session and OAuth artifacts tied to the initial victim's Google identity, which provided the foothold into Workspace.
The environment variable corpus is the high-value asset. Each leaked secret is a potential pivot into a separate downstream customer environment, multiplying the blast radius far beyond Vercel itself.
Why It Matters
This incident is a textbook demonstration that MFA does not protect against stolen session tokens. Once an OAuth or session cookie is exfiltrated by an infostealer, the attacker inherits an already-authenticated state and never has to face a second factor. Personal-device compromise becomes corporate compromise the moment a work identity is signed into that device.
It also exposes the systemic weakness of platform-as-a-service trust models. Vercel, like many modern build and deploy platforms, holds plaintext or reversibly encrypted secrets on behalf of thousands of customers. A single employee's browser session is therefore a master key to a sprawling, federated attack surface. With device code phishing up 3,750% year over year and 61% of organizations reporting a third-party breach in the past year, OAuth abuse is now the dominant supply chain vector, not malicious npm packages alone.
The Attack Technique
The kill chain is short, mechanical, and reproducible.
- Initial access: Lumma Stealer is delivered to a Vercel employee's personal device, likely via a cracked software lure, malicious ad, or fake installer.
- Credential harvesting: the stealer scrapes browser cookie jars and local token stores, exfiltrating Google session cookies and OAuth refresh tokens to attacker infrastructure.
- Token replay: the attacker imports the cookies into a controlled browser profile and loads Google Workspace, inheriting the employee's authenticated session and bypassing MFA entirely.
- Lateral movement: from Workspace, the attacker enumerates internal docs, Drive, and connected services, then pivots into Vercel's internal admin tooling and project metadata.
- Exfiltration and extortion: customer environment variables and an employee database are pulled, and ShinyHunters posts a $2,000,000 ransom on BreachForums.
The technique requires no exploit, no persistence implant, and no privilege escalation against Vercel's own systems. It is pure identity abuse.
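The token-replay step in that chain leaves a signal in identity-provider audit logs: the session id stays the same, but the device it is used from and the network it comes from change without any new login or MFA event in between. The following detection is an added example, not code from the original article or from Vercel. It runs over a constructed, simplified log format (not Google's real audit schema); the corporate egress range, user names and session ids are all constructed sample values.

```python
"""
Detect session-token replay in identity-provider audit logs.

A cookie harvested by an infostealer and imported into the attacker's
browser keeps the original session id, but the device fingerprint and
source network change with no fresh authentication in between.  A
legitimate device switch always starts with a new login event.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str        # "login" or "activity"
    session: str     # session id carried by the cookie
    device: str      # managed-device id or browser fingerprint
    ip: str
    mfa: bool = False


# Constructed sample log (simplified CSV schema, not a real Workspace export):
# ts,user,kind,session,device,ip,mfa
SAMPLE_LOG = [
    "2026-04-10T08:01:00Z,alice@corp.example,login,sess-1,dev-A,203.0.113.10,mfa",
    "2026-04-10T08:05:00Z,alice@corp.example,activity,sess-1,dev-A,203.0.113.10,",
    # same session id, new device, off-corp network, no login in between -> replay
    "2026-04-11T02:14:00Z,alice@corp.example,activity,sess-1,dev-Z,198.51.100.7,",
    "2026-04-11T09:00:00Z,bob@corp.example,login,sess-2,dev-B,203.0.113.11,mfa",
    # legitimate device switch: a new login (with MFA) starts a new session
    "2026-04-11T12:00:00Z,bob@corp.example,login,sess-3,dev-C,203.0.113.12,mfa",
    "2026-04-11T12:01:00Z,bob@corp.example,activity,sess-3,dev-C,203.0.113.12,",
    # activity on a session that never had a login event in this tenant's logs
    "2026-04-11T13:00:00Z,carol@corp.example,activity,sess-9,dev-Q,198.51.100.9,",
]

# Assumed corporate egress range (documentation prefix used as a placeholder).
CORP_EGRESS = [ip_network("203.0.113.0/24")]


def parse(lines):
    """Parse the constructed CSV schema into Event records."""
    for line in lines:
        ts, user, kind, sess, dev, ip, mfa = line.split(",")
        yield Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                    user, kind, sess, dev, ip, mfa == "mfa")


def detect_replay(events):
    """Return (user, session, reason) for every suspicious activity event."""
    origin = {}          # session id -> (device, ip) recorded at login time
    findings = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "login":
            origin[e.session] = (e.device, e.ip)
            continue
        if e.session not in origin:
            findings.append((e.user, e.session,
                             "activity on session with no login event"))
            continue
        dev0, _ip0 = origin[e.session]
        if e.device != dev0:
            reason = f"session moved from {dev0} to {e.device} without re-login"
            if not any(ip_address(e.ip) in net for net in CORP_EGRESS):
                reason += " and from outside corporate egress"
            findings.append((e.user, e.session, reason))
    return findings


if __name__ == "__main__":
    for user, sess, reason in detect_replay(parse(SAMPLE_LOG)):
        print(f"ALERT {user} {sess}: {reason}")
```

The rule deliberately keys on the session id rather than on IP alone, because roaming users change networks routinely but a cookie legitimately moving to a new device always produces a fresh login event first. Device-bound session credentials (see the recommendations below) make the replay itself fail; this detection is the compensating control for tenants that cannot yet enforce binding.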
What Organizations Should Do
Defenders should treat OAuth tokens and session cookies as the new crown jewels and design controls accordingly.
- Enforce device trust on identity provider sessions: bind Google, Okta, and Microsoft sessions to managed devices using device-bound session credentials or token binding, so a stolen cookie is unusable off the original device.
- Shorten OAuth and refresh token lifetimes for high-privilege scopes, and require step-up reauthentication for sensitive Workspace, Drive, and admin actions.
- Ban work identity sign-ins on unmanaged personal devices, and deploy an EDR-backed managed browser or VDI for any contractor or BYOD access to corporate SaaS.
- Hunt for infostealer indicators: monitor for Lumma, RedLine, and Vidar artifacts in endpoint telemetry, and subscribe to stealer log feeds to detect employee credentials appearing in criminal markets.
- Encrypt customer secrets at rest with customer-managed keys and offer just-in-time secret injection so platform operators cannot read plaintext environment variables, even with insider access.
- Audit and revoke third-party OAuth grants quarterly, especially AI assistants and build integrations with broad Workspace or repository scopes, and alert on new high-scope grants in real time.
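The last recommendation, a quarterly grant review plus a real-time alert on new high-scope grants, is mechanical enough to script. The following is an added example, not code from the original article or from Google or Vercel. The scope URIs are real Google OAuth scopes, but which of them count as "broad" is a policy choice and is an assumption here; the grant records themselves are constructed sample data rather than output of any real admin API.

```python
"""
Audit third-party OAuth grants for broad scopes and review age.

Two uses: a periodic review that lists grants to revoke or re-approve,
and a real-time rule that fires the moment a new grant carries a
tenant-wide scope.
"""
from datetime import datetime, timedelta, timezone

# Real Google OAuth scope URIs; labelling them "high" is an assumed policy.
HIGH_SCOPES = {
    "https://www.googleapis.com/auth/drive": "full Drive read/write",
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/admin.directory.user": "manage directory users",
    "https://www.googleapis.com/auth/cloud-platform": "full Google Cloud access",
}

REVIEW_INTERVAL = timedelta(days=90)   # "quarterly" from the recommendation

# Fixed "now" so the example is deterministic (constructed).
NOW = datetime(2026, 4, 20, tzinfo=timezone.utc)

# Constructed grant records; app names and users are placeholders.
SAMPLE_GRANTS = [
    {"app": "Meeting Notes AI", "user": "alice@corp.example",
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/userinfo.email"],
     "granted_at": NOW - timedelta(days=200)},
    {"app": "CI Deploy Bot", "user": "svc-ci@corp.example",
     "scopes": ["https://www.googleapis.com/auth/cloud-platform"],
     "granted_at": NOW - timedelta(days=10)},
    {"app": "Doc Picker Plugin", "user": "bob@corp.example",
     "scopes": ["https://www.googleapis.com/auth/drive.file", "openid"],
     "granted_at": NOW - timedelta(days=400)},
]


def high_scopes_of(grant):
    """List (scope, description) for every high-scope entry in the grant."""
    return [(s, HIGH_SCOPES[s]) for s in grant["scopes"] if s in HIGH_SCOPES]


def should_alert(grant):
    """Real-time rule: any new grant carrying a high scope pages the SOC."""
    return bool(high_scopes_of(grant))


def audit(grants, now=NOW):
    """Periodic review. Returns grants needing revoke/re-approval and the rest.

    A grant is listed for review if it carries a high scope; 'stale' marks
    those older than the review interval, which should be re-approved or
    revoked rather than silently renewed.
    """
    report = {"review": [], "ok": []}
    for g in grants:
        hits = high_scopes_of(g)
        if not hits:
            report["ok"].append(g["app"])
            continue
        stale = (now - g["granted_at"]) > REVIEW_INTERVAL
        report["review"].append({
            "app": g["app"], "user": g["user"],
            "reasons": [desc for _, desc in hits], "stale": stale,
        })
    return report


if __name__ == "__main__":
    for item in audit(SAMPLE_GRANTS)["review"]:
        flag = "STALE " if item["stale"] else ""
        print(f"{flag}{item['app']} ({item['user']}): {', '.join(item['reasons'])}")
```

Note that the per-file scope `drive.file` is left out of the high list on purpose: it only reaches files the user explicitly opened with that app, which is the narrow grant an AI assistant or build integration should be asking for instead of full Drive. In a real tenant the input would come from an export of the Workspace token list, and `should_alert` would sit on the stream of new-grant events.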
Sources: How a Stolen OAuth Token Sparked a $2M Vercel Supply Chain Attack