Day 18 since Vercel's April 19 disclosure of the OAuth supply-chain breach, Day 8 since Class Action U. began publicly soliciting affected Vercel customers under the "limited subset" disclosure language. The OAuth-scope review and vendor-policy update Vercel committed to publish remain unpublished. [1] The paper's May 6 brief on the procurement architecture named the silence as the procurement event.
The mechanics, unchanged: the attacker compromised Context.ai's Google Workspace OAuth application — Client ID 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com — via Lumma Stealer malware on a Context.ai employee's machine in February 2026, exfiltrated OAuth tokens in March, and used them in April to take over a Vercel employee's Google Workspace account. From there: enumeration and decryption of plaintext non-sensitive environment variables. [2]
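The chain above (a third-party OAuth app compromised, its tokens stolen and replayed weeks later against a tenant) is the kind of event a Workspace admin can look for in OAuth token audit data: which apps hold which scopes, whether they were ever reviewed, and whether a long-dormant grant suddenly starts being used. The example below is added here to illustrate that review; it is not Vercel's, Context.ai's or Google's code. The event records are a constructed simplification of Workspace token-audit events (the field names `time`, `user`, `event`, `client_id`, `app_name`, `scopes` are assumptions), every client ID, user and timestamp is made up, and the risky-scope list and approved-app allowlist are hypothetical policy.

```python
"""Review third-party OAuth grants in (constructed) Workspace token-audit events.

Added illustration, not code from the page or the vendors it names. Field
names are assumed; client IDs, users and times are fabricated sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "authorize" = user granted the app,
# "activity" = the app used an access token on that user's behalf.
SAMPLE_EVENTS = [
    {"time": "2026-02-03T09:12:00Z", "user": "alice@example.test", "event": "authorize",
     "client_id": "111111-vendor-a.apps.googleusercontent.com", "app_name": "Vendor A",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email", "openid"]},
    {"time": "2026-02-11T14:40:00Z", "user": "bob@example.test", "event": "authorize",
     "client_id": "222222-vendor-b.apps.googleusercontent.com", "app_name": "Vendor B",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    {"time": "2026-04-14T03:05:00Z", "user": "bob@example.test", "event": "activity",
     "client_id": "222222-vendor-b.apps.googleusercontent.com", "app_name": "Vendor B",
     "scopes": ["https://mail.google.com/"]},
    {"time": "2026-04-14T03:06:00Z", "user": "bob@example.test", "event": "activity",
     "client_id": "222222-vendor-b.apps.googleusercontent.com", "app_name": "Vendor B",
     "scopes": ["https://mail.google.com/"]},
]

# Scopes that let a replayed token read mail or files (hypothetical policy list).
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
}

# Third-party apps the organisation has already reviewed (constructed allowlist).
APPROVED_CLIENT_IDS = {"111111-vendor-a.apps.googleusercontent.com"}


def review_oauth_grants(events, approved=APPROVED_CLIENT_IDS, risky=HIGH_RISK_SCOPES):
    """Summarise each client_id: who granted it, what scopes it holds, whether
    it is on the allowlist, and whether it needs a human scope review."""
    findings = {}
    for ev in events:
        cid = ev["client_id"]
        f = findings.setdefault(cid, {"app_name": ev["app_name"], "users": set(),
                                      "scopes": set(), "approved": cid in approved})
        f["users"].add(ev["user"])
        f["scopes"].update(ev["scopes"])
    for f in findings.values():
        f["high_risk_scopes"] = sorted(f["scopes"] & risky)
        # Unreviewed apps, or reviewed apps holding mail/file scopes, get a look.
        f["needs_review"] = (not f["approved"]) or bool(f["high_risk_scopes"])
    return findings


def dormant_token_use(events, gap_days=30):
    """Heuristic: flag (user, client_id) pairs whose first token use comes more
    than gap_days after the previous event for that pair. A grant that sits idle
    for weeks and then wakes up is one signal of a stolen, replayed token."""
    by_pair = defaultdict(list)
    for ev in events:
        t = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        by_pair[(ev["user"], ev["client_id"])].append((t, ev["event"]))
    flagged = []
    for (user, cid), items in by_pair.items():
        items.sort()
        for (t_prev, _), (t_cur, kind) in zip(items, items[1:]):
            if kind == "activity" and t_cur - t_prev > timedelta(days=gap_days):
                flagged.append({"user": user, "client_id": cid,
                                "gap_days": (t_cur - t_prev).days})
                break  # one finding per pair is enough for triage
    return flagged


if __name__ == "__main__":
    for cid, f in review_oauth_grants(SAMPLE_EVENTS).items():
        if f["needs_review"]:
            print(f"REVIEW {f['app_name']} ({cid}): users={sorted(f['users'])} "
                  f"high_risk={f['high_risk_scopes']} approved={f['approved']}")
    for hit in dormant_token_use(SAMPLE_EVENTS):
        print(f"DORMANT-THEN-ACTIVE {hit['user']} via {hit['client_id']} "
              f"after {hit['gap_days']} days idle")
```

The scope review and the dormancy check are deliberately separate: the first is an inventory question an organisation can answer before any incident (which vendors hold mail or Drive scopes, and were they ever approved), while the second is a detection heuristic to run over audit history after a vendor reports a compromise. Both act on the tenant's own audit data; revoking the offending grant in the admin console is the corresponding mitigation.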
ShinyHunters posted alleged Vercel internal data on BreachForums for $2 million on April 19. The post was later removed; ShinyHunters denied involvement. [3] The IOC remains the only thing the company has published since CEO Guillermo Rauch's April 19 X thread. Vercel's terms of service require individual arbitration and waive class-action rights — standard cloud-vendor language whose enforceability tends to depend on facts of disclosure timing. The clock keeps the litigation surface open. [4]
-- THEO KAPLAN, San Francisco