Vercel's April 23 update on its security incident did two things its April 19 disclosure had not. It confirmed a "small number" of additional customer accounts compromised inside the Context.ai chain, and it named — separately — a second set of customer compromises that "appear to be separate from the April 2026 incident" and that "do not appear to have originated on Vercel systems." [1] The company added that the second compromise predates the April incident, which makes the OAuth-token-theft window measurable rather than speculative: at least two months. [2]
The paper's Tuesday account of Vercel's OAuth breach as procurement's warning label read the original disclosure as a third-party-risk event for any company running AI-builder customer OAuth tokens. The Wednesday update tightens the read: the warning label now covers a longer window, more accounts, and a second incident the company is willing to characterize publicly as separate. CEO Guillermo Rauch's earlier note that Vercel had processed "nearly a petabyte of logs" across the network and API was, in retrospect, the methodology by which the second compromise was found. [3]
The original chain is by now well-documented. A Vercel employee signed up for Context.ai's AI Office Suite using a corporate Google Workspace account, granting "Allow All" permissions; an attacker compromised Context.ai's AWS environment in March and harvested OAuth tokens for "some of our consumer users," including the Vercel employee's; the attacker then replayed the token to access Vercel's Workspace, pivot into a Vercel environment and enumerate environment variables not flagged as "sensitive." [4] Hudson Rock and CyberScoop traced the original Lumma Stealer infection at Context.ai to a single employee on February 17, 2026 — meaning live OAuth credentials for Context.ai's tenant existed in the wild for at least eight weeks before the first downstream victim, Vercel, found them. [5]
The threat actor, operating publicly on a BreachForums clone under the ShinyHunters name, is asking $2 million for what it claims are access keys, source code excerpts, npm and GitHub tokens, internal database content and 580 employee records. Vercel says it has received no direct ransom communication and is working with Mandiant and law enforcement. [4] The real ShinyHunters group has separately denied involvement, calling the BreachForums advertiser an impostor. [6] The denial does not change the attribution of the underlying compromise — it changes the criminal-economy label on the resale market.
What changed Wednesday is that the second compromise — distinct from the Context.ai chain — exists. Vercel says the second set of accounts does not appear to be a continuation or expansion of the April incident, and that the activity does not appear to be evidence of an earlier Vercel-systems breach. [1] The company is willing to describe what the second compromise is not, but not yet what it is. For procurement officers reading the bulletin, the operative phrase is "do not appear to have originated on Vercel systems" — meaning the second compromise also began somewhere upstream of Vercel, in another vendor's environment, and reached Vercel customers through some path Vercel has not yet named.
That phrasing is a procurement instruction more than a security advisory. Any company running Vercel-issued OAuth tokens, as the paper noted Tuesday, was already a third-party-risk question for its own customers. [3] Any company whose vendor stack includes Context.ai, or any vendor with similar Workspace-OAuth integration patterns, was asked to rotate tokens and audit OAuth grants. The Wednesday update extends that audit: there is a second compromise, on a second timeline, that the company believes is unrelated. The procurement spreadsheet for anyone reading this gets longer.
SpecterOps, an identity-attack-path firm whose blog post on the breach drew CISO traffic, framed the incident as "why identity attack path management can't wait." [7] The argument is that the same Workspace OAuth grant that allowed Context.ai to operate as an automation tool inside Vercel's tenant is the same grant pattern many enterprises now extend to AI agents broadly. The April incident demonstrated, the firm argued, that "highly sophisticated" attackers — Rauch's phrase — can move through the OAuth surface faster than internal SOCs detect them. The eight-week dwell time is the data point that supports the argument.
Vercel said that, working with GitHub, Microsoft, npm and Socket, it has confirmed that no Vercel-published npm package has been compromised and that the open-source supply chain remains safe, directly rebutting the BreachForums seller's pitch that the data could enable a Next.js or Turbopack-wide supply-chain attack. [1] That rebuttal is structural, not cosmetic: a packaged supply-chain attack would have a different blast radius than the customer-credential leakage the company has confirmed. For now, the disclosed harm is OAuth tokens and environment variables. The undisclosed scope is the second compromise, together with the Indicators of Compromise published with the bulletin, which remain in force (the IOC is the OAuth client ID). [1]
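The audit the update asks customers to run, as an added example that is not Vercel's, Context.ai's or SpecterOps' code: a Python check over a Workspace OAuth-grant export that flags any grant whose client ID matches the bulletin's IOC client ID, any grant carrying over-broad scopes, and any grant issued inside the suspected theft window. The grant records, the scope list and the client IDs here are constructed, and the IOC value is a placeholder; the real one comes only from Vercel's bulletin.

```python
"""Audit exported Google Workspace third-party OAuth grants against an IOC client
ID and over-broad scopes. Added example; all records and IDs are constructed."""
from collections import namedtuple
from datetime import date

# Scopes that let a token read or act on core tenant data. A small third-party
# tool holding any of these warrants review whether or not "Allow All" was clicked.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/admin.directory.user",
}
# Placeholder for the OAuth client ID a vendor bulletin publishes as the IOC;
# the real value comes only from the bulletin, never from this example.
IOC_CLIENT_IDS = {"PLACEHOLDER-IOC-CLIENT-ID.apps.googleusercontent.com"}

# One row of a grant export: who consented, to which app, with which scopes, when
Grant = namedtuple("Grant", "user client_id app_name scopes issued")

def audit_grants(grants, ioc_ids=IOC_CLIENT_IDS, broad=BROAD_SCOPES, since=None):
    """Return (action, grant, reasons) per grant worth acting on: 'revoke' for an
    IOC match, 'review' for broad scopes or a grant issued on/before `since`."""
    findings = []
    for g in grants:
        reasons = []
        if g.client_id in ioc_ids:
            reasons.append("client ID matches published IOC")
        over = set(g.scopes) & broad
        if over:
            reasons.append("broad scopes: " + ", ".join(sorted(over)))
        if since is not None and g.issued <= since:
            reasons.append(f"issued on or before {since}, inside suspected window")
        if reasons:
            findings.append(("revoke" if g.client_id in ioc_ids else "review", g, reasons))
    # IOC matches first so revocations top the report, then by user for stability
    findings.sort(key=lambda f: (f[0] != "revoke", f[1].user))
    return findings

# Constructed sample export, not real data
SAMPLE_GRANTS = [
    Grant("alice@example.com", "PLACEHOLDER-IOC-CLIENT-ID.apps.googleusercontent.com",
          "AI Office Suite", {"https://www.googleapis.com/auth/drive",
                              "https://mail.google.com/"}, date(2026, 2, 10)),
    Grant("bob@example.com", "111-cal.apps.googleusercontent.com", "Calendar widget",
          {"https://www.googleapis.com/auth/calendar.readonly"}, date(2026, 4, 1)),
    Grant("carol@example.com", "222-notes.apps.googleusercontent.com", "Notes AI",
          {"https://www.googleapis.com/auth/drive"}, date(2026, 4, 20)),
]
```

Passing `since` as the earliest date the bulletin gives for the theft window turns the date check on; without it only the IOC and scope checks run.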
The Wednesday read for the paper is procedural. Vercel rejected the narrow-scope narrative it could have stuck to. It named additional victims inside the Context.ai chain and named a second, earlier compromise the company is still investigating. Procurement teams will not be done with the warning label by Friday. The audit window is open for any vendor whose stack includes Workspace OAuth grants from "small, third-party AI tools." [1] The paper's earlier framing held: this is less a security story than a procurement instruction. The instruction is now bigger, and it has a date stamp.
-- DAVID CHEN, Beijing