#108 - Vercel Breach via AI Tool OAuth: Supply Chain Attacks Hit Production

PRESENTED BY

Cyber AI Chronicle

By Simon Ganiere · 26^th April 2026

Last week the argument was that AI coding agents had become a manipulable attack surface. This week the argument arrived in production form.

Vercel, the company behind the Next.js framework that runs a meaningful slice of the modern web, was breached. The vector was Context.ai, a third-party AI tool whose OAuth tokens an employee held. ShinyHunters has the credentials, Mandiant has the engagement, and Vercel's CEO went on record describing the attacker's "surprising velocity and in-depth understanding" of internal systems, language he attributed directly to AI acceleration on the offensive side. The initial access vector was an infostealer infection that started with the Context.ai employee searching for Roblox exploit scripts. The pivot into Vercel was through Google Workspace OAuth delegation. None of this required novel research. It required one infected developer machine and an OAuth token in the wrong place.

A few days later, a separate threat actor calling itself TeamPCP compromised the Bitwarden CLI npm package and published a self-propagating worm that explicitly targets npm tokens, GitHub tokens, SSH keys, cloud credentials, and AI/MCP configuration files. Ninety-minute exposure window. First documented abuse of npm trusted publishing. The campaign is being tracked as Shai-Hulud and is already linked to a concurrent Checkmarx compromise.

If edition #107 was about AI agents being the attack surface, this week is about AI configuration becoming the loot. Both stories matter, and the second one is the one most security teams are not yet thinking about.

🔗 AI Supply Chain & Developer Tool Abuse: ↑ +22% week-on-week

Significance: The supply chain question moved from theoretical to operational this week. The specific path through agentic AI tool OAuth into a critical web infrastructure vendor is the new playbook, and the Bitwarden worm shows the loot has expanded to include AI configuration files. Defenders' inventory of where MCP tokens, agent configs, and AI tool OAuth scopes actually live is the gap that just became urgent.

🤖🏃 AI Autonomous & Agentic Attacks: ↑ +12.5% (9 vs 8).

Significance: "Emergent persistence" is the phrase to keep in mind. We have moved past the question of whether AI agents can chain attacks. The new question is what they will choose to do that you did not tell them to do. Detection systems built around human attacker behaviour are not designed for this.

🔍 AI-Accelerated Vulnerability Exploitation: → 0% (8 vs 8).

Significance: Last week's framing of Project Glasswing as a defensive coalition holds, but the gap to commodity AI offensive capability is closing in both directions. Mozilla's CTO noted the bugs were not new classes, which is the calibration that matters: Mythos is not finding things humans cannot find, it is finding them at industrial speed.

🛡️ AI System Vulnerabilities (attacks ON AI): ↓ -31% (9 vs 13).

Significance: The injection class is still dominating, but the attack surface is shifting from "the model" to "the inference and tooling layer around the model." That layer is younger, less hardened, and not in most asset inventories.

Go on tangents. Change your mind mid-sentence. Say "um" twelve times. Wispr Flow doesn't care — it takes everything you say, strips the filler, and gives you clean, structured text ready to paste into any AI tool.

The result: prompts with the full context your AI tools need to give you useful answers. Not the abbreviated version you'd type because typing is slow.

Works inside ChatGPT, Claude, Cursor, and every app on your screen. Millions of users worldwide, including teams at OpenAI, Vercel, and Clay.

Start flowing free

The breach itself is technically unremarkable. A Context.ai employee got infected with Lumma infostealer in February. Hudson Rock pinned the initial access to a search for Roblox exploit scripts, which is to say, opportunistic, not targeted. The infostealer harvested OAuth tokens. Context.ai's product, an AI tool with browser extension capabilities and broad OAuth permissions to act across external applications, held delegated access to a Vercel employee's Google Workspace account. The attacker pivoted through that delegation into Vercel environments, accessed unencrypted environment variables, and exfiltrated a limited subset of customer credentials. ShinyHunters then offered the package on BreachForums for $2 million, and Vercel called Mandiant.

What is significant is the architecture, not the technique. The Context.ai breach in February was a relatively narrow incident at a single AI tool vendor. By April it had become a confirmed supply chain pivot into one of the most strategically positioned vendors in the modern web stack, with the attacker explicitly threatening cascading attacks against Next.js and other Vercel-owned libraries. The Vercel CEO publicly attributed the speed of the intrusion to AI acceleration. That is now the second time in two months a CISO at a major vendor has used that framing, and at this point it should probably be taken at face value.

The instinct-check from Rosling here matters. The Context.ai vector existed before AI tools were widespread; OAuth pivoting via compromised SaaS is not new. What is new is the OAuth scope. AI agents are designed to act across applications. Their OAuth permissions are correspondingly broad, often broader than the human user would think to approve. That is a delegation gap, and it is the same gap Orchid Security flagged in this week's commentary on AI agents inheriting authority from human and machine identities that nobody is observing.

On April 22, threat actor TeamPCP injected malicious code into the Bitwarden CLI npm package by compromising a GitHub Actions workflow in Bitwarden's CI/CD pipeline. The malicious release was live for ninety minutes. Bitwarden has since confirmed the breach was limited to the npm distribution channel and that no end-user vault data was accessed. The interesting part is in the payload.

The malware (bw1.js) targeted npm tokens, GitHub tokens, SSH keys, cloud credentials for AWS, Azure and GCP, shell history, and AI/MCP configuration files. It included self-propagation logic using stolen npm publish credentials to inject into downstream packages. Any developer who installed the malicious version and held publish rights to additional packages became an involuntary node in a worm-like lateral spread. The campaign has been linked to a concurrent compromise of Checkmarx public artefacts and given the codename Shai-Hulud, with both targets sharing payload structure and exfiltration patterns.

Two things make this a step-change. The first is the abuse of npm trusted publishing, the mechanism specifically designed to reduce credential exposure in CI/CD. This is the first documented case of trusted publishing being weaponised, and the underlying TTP precedent is significant. npm and GitHub will issue policy responses. The second, and the reason this is in an AI threat newsletter rather than a generic supply chain piece, is the explicit inclusion of AI/MCP configuration files in the loot list. This is the first malware payload Project Overwatch has tracked that treats AI agent configs as a primary credential category, alongside cloud keys and SSH.

That tells you something specific about attacker priorities. The MCP STDIO architectural flaw disclosed last week is not just a vulnerability, it is now a known target. The agent configs that connect production AI tools to internal databases, APIs and developer environments are now treated as enterprise credential material. They almost certainly are not in your credential rotation policy or your secret scanning rules.

A week ago Project Glasswing was a coalition announcement with claims about thousands of zero-days. This week the receipts started arriving.

Anthropic's Mythos model autonomously discovered 271 vulnerabilities in Firefox, three of which were credited as CVEs (CVE-2026-6746, CVE-2026-6757, CVE-2026-6758) and patched in Firefox 150. Mozilla's CTO confirmed the bugs were not new vulnerability classes. Palo Alto Networks separately tested Mythos and reported it produced the equivalent of a year's worth of penetration testing in under three weeks, with demonstrated capability for chaining low-severity issues into critical exploits. Reports of unauthorised access to the restricted model are also already emerging.

In parallel, UK NCSC chief Richard Horne stood up at CYBERUK 2026 and confirmed the UK AI Security Institute's Mythos evaluation identified thousands of previously unknown software vulnerabilities, and assessed it as more capable at cyber offence than any previously evaluated model. That is a government department publicly endorsing the offensive characterisation. The £90 million investment package and the Cyber Resilience Pledge attached to it are policy reactions to a capability they have now operationally tested.

Two calibrations matter. Mozilla's framing, "no new vulnerability classes," is the negativity-instinct check: Mythos is not making attackers magically more capable, it is making them faster. That is genuinely different from a step-change in skill ceiling, and it should affect how you think about risk. The second calibration is the Picus commentary flagging a claimed real-world incident where an unknown actor used a custom MCP-hosted LLM to autonomously compromise 2,516 organisations across 106 countries via FortiGate appliances. That claim is unverified but the architecture is plausible, and it is the future-state question that the Vercel breach and Shai-Hulud worm both gesture at: what happens when a Mythos-class capability sits inside attacker infrastructure rather than a defender's coalition?

🔗 AI Supply Chain Abuse. Vercel confirmed breach via Context.ai OAuth pivot; customer credentials and unencrypted environment variables compromised, $2M ransom on the table. TeamPCP's Shai-Hulud worm compromised Bitwarden CLI npm package via CI/CD trusted publishing abuse and explicitly targets AI/MCP configuration files. SGLang CVE-2026-5760 (CVSS 9.8) enables RCE via malicious GGUF model files; no patch yet. LMDeploy CVE-2026-33626actively exploited within 12 hours 31 minutes of disclosure.

🤖🏃 AI Autonomous & Agentic Attacks. Palo Alto Unit 42's Zealot multi-agent system executed full-chain GCP attack autonomously, including emergent SSH key injection for persistence not specified in tasking. North Korea's Famous Chollima / HexagonalRodent operation stole $12M in cryptocurrency using ChatGPT, Cursor and Anima end-to-end across malware authoring and fake company infrastructure.

🔍 AI Vulnerability Exploitation. Claude Mythos publicly credited with 3 Firefox CVEs out of 271 vulnerabilities discovered. UK AI Security Institute confirmed Mythos identified thousands of unknown flaws in evaluation testing. Picus commentary cites unverified claims of an autonomous MCP-hosted LLM compromising 2,516 organisations via FortiGate.

🛡️ AI System Vulnerabilities. Pillar Security disclosed prompt injection RCE in Google Antigravity via malicious comments in repository files, patched February. Anthropic MCP STDIO architectural flaw continues to spawn downstream CVEs across the AI framework ecosystem. Palo Alto Unit 42 published research on genetic-algorithm-based prompt fuzzing showing 1 to 99% guardrail evasion rates depending on keyword and model.

🦠 AI-Assisted Malware. Mythos internal Anthropic risk assessment leaked, documenting AI-assisted fuzzing and brute force as significantly more effective with iteration; offensive iteration outpacing defensive adoption per Anthropic's own governance documentation.

🤖 AI-Enabled Social Engineering. North Korean operators using generative AI to fabricate fake LinkedIn profiles, fake company websites and fraudulent Mexican shell companies for crypto-developer targeting at industrial scale. AI-generated malware contained distinctive English comments and emojis indicating LLM authorship.

📜 AI Governance & Defence. UK announced £90M cyber investment package and Cyber Resilience Pledge at CYBERUK 2026, citing four nationally significant incidents per week and explicit Mythos evaluation results. SecurityWeek commentary by Torsten George argues organisations should treat agentic AI systems as identities rather than tools, applying identity threat detection frameworks.

Edition #107 ended with the question of what your AI coding agents could touch. This week answered it concretely. Vercel got breached because an AI tool's OAuth scope was wider than its blast-radius assessment, and the attackers walked through that delegation into a critical web infrastructure vendor. Shai-Hulud demonstrated that AI/MCP configuration files are now an enumerated target on threat actor loot lists, ranked next to AWS keys and SSH credentials. Mythos went from announcement to operational footprint in seven days, with CVEs to its name and a UK government department publicly endorsing the offensive evaluation.

The structural thing that changed this week is not new attacker capability. It is that the AI tooling layer has crossed a visibility threshold for both attackers and defenders simultaneously, and the attackers got there with a measurable head start. The Vercel breach was opportunistic, not targeted. That is the calibration that should make CISOs uncomfortable. The OAuth scope was sitting there, waiting for any infostealer infection on any of Context.ai's customers' developer machines. The same is true of MCP configurations across your engineering team's laptops right now.

Apply Rosling's instinct-check before the framing calcifies. "Frontier AI is hacking everything" is the alarming version. The calibrated version is that one Lumma infostealer infection plus one AI tool's OAuth delegation equals one Mandiant engagement at one of the most strategically positioned web vendors on the planet, and nobody needed Mythos to do it. The technique is months old, the loot is the new part. That is what visibility-is-security looks like when the visibility gap is on the defender side.

The Monday question: do you have an inventory of every AI tool, MCP server, and agent OAuth scope active in your environment, with the same rotation, scanning, and incident response coverage you apply to cloud credentials? If you cannot answer that today, the Vercel pattern fits your organisation too, and the only variable is which of your Context.ai-equivalent vendors gets compromised first.

Reference: AI Influence Level from Daniel Miessler

Till next time!

Project Overwatch is a cutting-edge newsletter at the intersection of cybersecurity, AI, technology, and resilience, designed to navigate the complexities of our rapidly evolving digital landscape. It delivers insightful analysis and actionable intelligence, empowering you to stay ahead in a world where staying informed is not just an option, but a necessity.