Vercel's running security bulletin, updated after April 22, now confirms that a "small number of additional accounts" were compromised in the same incident the company first disclosed on April 19, and that a separately identified set of compromised accounts appears to be unrelated to that incident and not to have originated on Vercel systems. [1] The framing the paper reported on Tuesday, that this was a supply-chain attack via a Google Workspace OAuth token from Context.ai, has held through the second wave.
The attribution chain is now well-sourced. A Lumma Stealer infection on a Context.ai employee's machine in approximately February 2026, reportedly traced by Hudson Rock and CyberScoop to a Roblox game-exploit script download, exfiltrated Google Workspace credentials and OAuth refresh tokens. [2] One of those tokens belonged to a Vercel employee who had signed up for Context.ai's AI Office Suite with their corporate Google Workspace account and granted "Allow All" Workspace scopes. [3] The attacker used that token to take over the employee's Google account, pivoted from there into Vercel's internal systems, and then sifted through environment variables.
The architectural disclosure is the part the second wave has now made unavoidable. Vercel's environment-variable model lets developers mark a variable as "sensitive": those values are write-only, encrypted such that neither the dashboard nor the API can return them in plaintext. [4] Variables not explicitly marked sensitive were also encrypted at rest, but the dashboard and API would return them in plaintext to anyone with internal access. The attacker enumerated that non-sensitive set. Trend Micro's writeup names the design pattern bluntly: "default-insecure configuration." [5]
CEO Guillermo Rauch's April 19 thread on X described the chain in operational terms: "A Vercel employee got compromised via the breach of an AI platform customer called Context.ai that he was using. Through a series of maneuvers that escalated from our colleague's compromised Vercel Google Workspace account, the attacker got further access to Vercel environments." [6] He also wrote that the attacker moved with "surprising velocity and in-depth understanding of Vercel," and that he "strongly suspects" the group was "significantly accelerated by AI" — phrasing that does not appear in Vercel's bulletin and that no IOC has yet supported. [7]
Two indicators of compromise are now public. Vercel disclosed the OAuth client ID 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com tied to Context.ai's Office Suite. [4] Nudge Security's Jaime Blasco surfaced a second OAuth grant — 110671459871-f3cq3okebd3jcg1lllmroqejdbka8cqq.apps.googleusercontent.com — tied to a Context.ai Chrome extension that Google removed from the Chrome Web Store on March 27 and that, per The Hacker News, granted Google Drive read access. [8] Workspace administrators are running their audit logs against both IDs.
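What "running audit logs against both IDs" looks like in practice, as an added example for this article (not code from Vercel, Context.ai, Nudge Security or Google): the two client IDs are the ones disclosed above; the log records are constructed to follow the shape of Admin SDK Reports API activity for `applicationName="token"` (events `authorize` and `revoke` with `client_id`, `app_name` and `scope` parameters), which is the feed a Workspace admin would export for this check. The script replays the log in time order so that a grant the user already revoked does not surface, flags any live grant to either Context.ai client, and, as a second tier, any live grant carrying a broad Drive, Gmail or Directory scope from a client not on the list. The Directory API revoke endpoint is built as a URL and never called, so it runs offline.

```python
"""Audit Google Workspace OAuth token activity for the disclosed Context.ai client IDs.

Added example; not code from Vercel, Context.ai, Nudge Security or Google.
Sample records below are constructed in Reports API token-activity shape.
"""
from __future__ import annotations

from dataclasses import dataclass

OFFICE_SUITE_CLIENT = "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"
EXTENSION_CLIENT = "110671459871-f3cq3okebd3jcg1lllmroqejdbka8cqq.apps.googleusercontent.com"
CONTEXT_AI_CLIENT_IDS = frozenset({OFFICE_SUITE_CLIENT, EXTENSION_CLIENT})

# Scopes that hand a third party broad access to Workspace data. A live grant
# carrying one of these is worth a look even when the client is not on the list.
BROAD_SCOPES = frozenset({
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
})


@dataclass(frozen=True)
class Finding:
    email: str
    client_id: str
    app_name: str
    granted_at: str
    reason: str  # "known_bad_client" or "broad_scope"
    scopes: tuple[str, ...]


def _params(event: dict) -> dict:
    """Flatten a Reports API event's parameter list into {name: value-or-list}."""
    return {p["name"]: p.get("multiValue", p.get("value")) for p in event.get("parameters", [])}


def audit_token_activity(records: list[dict], bad_clients=CONTEXT_AI_CLIENT_IDS) -> list[Finding]:
    """Grants still live at the end of the log (an authorize with no later revoke
    for the same user and client) that match a known-bad client ID or carry a
    broad scope. Records are replayed in time order regardless of export order."""
    live: dict[tuple[str, str], Finding] = {}
    for rec in sorted(records, key=lambda r: r["id"]["time"]):
        email = rec["actor"]["email"]
        for ev in rec.get("events", []):
            p = _params(ev)
            key = (email, p.get("client_id", ""))
            if ev["name"] == "revoke":
                live.pop(key, None)
                continue
            if ev["name"] != "authorize":
                continue
            scopes = tuple(p.get("scope") or ())
            if key[1] in bad_clients:
                reason = "known_bad_client"
            elif BROAD_SCOPES.intersection(scopes):
                reason = "broad_scope"
            else:
                continue
            live[key] = Finding(email, key[1], p.get("app_name", "?"), rec["id"]["time"], reason, scopes)
    return sorted(live.values(), key=lambda f: (f.reason, f.email))


def revoke_url(f: Finding) -> str:
    """Directory API endpoint (DELETE, with an admin bearer token) that revokes
    this user's grant for this client. Built here, not called."""
    return f"https://admin.googleapis.com/admin/directory/v1/users/{f.email}/tokens/{f.client_id}"


def _rec(time: str, email: str, name: str, client_id: str, app_name: str, scopes=()) -> dict:
    """Build one constructed token-activity record in Reports API shape."""
    params = [{"name": "client_id", "value": client_id}, {"name": "app_name", "value": app_name}]
    if scopes:
        params.append({"name": "scope", "multiValue": list(scopes)})
    return {"id": {"time": time, "applicationName": "token"},
            "actor": {"email": email},
            "events": [{"type": "auth", "name": name, "parameters": params}]}


# Constructed sample: alice still holds a broad grant to the Office Suite app, bob
# revoked the extension before the log ends, carol's calendar sync is benign, and
# dave gave full Drive access to an app that is not on the list.
SAMPLE_RECORDS = [
    _rec("2026-02-10T09:12:00.000Z", "alice@example.com", "authorize", OFFICE_SUITE_CLIENT,
         "Context.ai Office Suite", ["https://www.googleapis.com/auth/drive", "https://mail.google.com/"]),
    _rec("2026-03-01T14:00:00.000Z", "bob@example.com", "authorize", EXTENSION_CLIENT,
         "Context.ai", ["https://www.googleapis.com/auth/drive.readonly"]),
    _rec("2026-03-28T08:30:00.000Z", "bob@example.com", "revoke", EXTENSION_CLIENT, "Context.ai"),
    _rec("2026-03-15T11:05:00.000Z", "carol@example.com", "authorize",
         "000000000000-calsync.apps.googleusercontent.com", "Calendar Sync",
         ["https://www.googleapis.com/auth/calendar.readonly"]),
    _rec("2026-04-02T16:45:00.000Z", "dave@example.com", "authorize",
         "000000000000-backup.apps.googleusercontent.com", "Backup Tool",
         ["https://www.googleapis.com/auth/drive"]),
]

if __name__ == "__main__":
    for f in audit_token_activity(SAMPLE_RECORDS):
        print(f"{f.reason:17} {f.email:20} {f.app_name!r} granted {f.granted_at}")
        print(f"  revoke: DELETE {revoke_url(f)}")
```

Two caveats for anyone adapting this. The Reports API only retains token activity for a limited window, so a grant authorized months before the export window will not appear as an `authorize` event at all; the Directory API's per-user token listing is the authoritative view of what is live now and should be cross-checked. And revoking the grant does not undo what the attacker already read with it, so the mailbox and Drive of any flagged user need the same review as the grant.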
The "second wave" language in Vercel's KB carries two distinct claims that run together in one sentence. The first is that a few additional accounts inside the original incident scope were identified, meaning Vercel's investigation has continued to widen, not narrow, since April 22. [1] The second is that a separately disclosed set of compromised accounts "appears to be separate from the April 2026 incident" and did not originate on Vercel systems. That phrasing reads less like reassurance than like a marker for unfinished investigation.
The blast-radius question now has named public customers attached to it. OpenAI, Cursor, Pinterest and Bose are publicly disclosed Vercel customers, per Vercel's own customer-page roster. [9] None has yet disclosed token-storage architecture changes following the OAuth supply-chain reframe; some have notified affected end users that they rotated credentials. The architectural disclosure that travels with the second-wave update, that "non-sensitive" environment variables can hold API keys, Stripe secrets, and AWS credentials readable in plaintext through the dashboard and API unless a developer explicitly toggles the flag, is the part most security organizations had not priced.
The remediation guidance the paper described Wednesday remains operative. Vercel's recommendation, restated in the bulletin: rotate any secrets stored in non-sensitive variables, audit Workspace OAuth grants for the two disclosed Context.ai app IDs, and review recent deployment activity. [4] The mid-term question — whether Vercel changes its default for the sensitive flag, or whether enterprise customers begin auditing every OAuth grant their employees have authorized — is the architectural follow-through the disclosure has now forced into open conversation.
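The first item in that guidance, finding which secrets sit in non-sensitive variables, is the one a team can start on before Vercel changes any default. The following is an added example for this article, not Vercel's own tooling: it walks the JSON shape Vercel's project environment-variable listing returns (`GET /v9/projects/{idOrName}/env`, an `envs` array whose entries carry `id`, `key`, `value`, `type` and `target`) and reports every entry whose type is not `sensitive` or `system` but whose value or key looks like a credential, then emits a rotation plan. The listing below is constructed; pulling the real one with a team token and rotating the keys at each issuer is left to the operator. Pattern matching of this kind is a floor, not a ceiling: an opaque token under a bland key name will slip past it, which is why the key-name check is there as a backstop.

```python
"""Flag credentials stored in Vercel environment variables not marked sensitive.

Added example; not Vercel's own tooling. SAMPLE_LISTING is constructed in the
shape of the /v9/projects/{id}/env response.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Value shapes for common credential formats, checked before key names.
SECRET_VALUE_PATTERNS = [
    ("stripe_live_key", re.compile(r"^[sr]k_live_[0-9A-Za-z]{16,}$")),
    ("aws_access_key_id", re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")),
    ("github_token", re.compile(r"^gh[pousr]_[0-9A-Za-z]{30,}$")),
    ("pem_private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("url_with_password", re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@")),
    ("jwt", re.compile(r"^eyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+$")),
]
# Key names that conventionally hold credentials, used when the value is opaque.
SECRET_KEY_RE = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY|ACCESS_KEY", re.I)
# Next.js inlines these into the browser bundle, so a secret-looking *name* here
# is a false positive; a secret-looking *value* here is still flagged above.
PUBLIC_PREFIX = "NEXT_PUBLIC_"


@dataclass(frozen=True)
class ExposedVar:
    key: str
    env_id: str
    var_type: str
    targets: tuple[str, ...]
    reason: str


def classify(env: dict) -> str | None:
    """Why this variable looks like a credential that the dashboard and API will
    return in plaintext, or None if it is already sensitive/system or looks benign."""
    if env.get("type") in ("sensitive", "system"):
        return None
    key = env.get("key", "")
    value = env.get("value") or ""
    for label, pat in SECRET_VALUE_PATTERNS:
        if pat.search(value):
            return label
    if SECRET_KEY_RE.search(key) and not key.startswith(PUBLIC_PREFIX):
        return "secret_like_key"
    return None


def find_exposed(listing: dict) -> list[ExposedVar]:
    """Every non-sensitive variable in a /v9 env listing that should be rotated
    and re-added with type "sensitive", sorted by key."""
    out = []
    for env in listing.get("envs", []):
        reason = classify(env)
        if reason:
            out.append(ExposedVar(env["key"], env.get("id", ""), env.get("type", ""),
                                  tuple(env.get("target", [])), reason))
    return sorted(out, key=lambda v: v.key)


def rotation_plan(exposed: list[ExposedVar]) -> list[str]:
    """One remediation line per variable. Rotation at the issuer comes first: the
    old value must be assumed read, so re-flagging it as sensitive alone fixes nothing."""
    return [f"{v.key}: rotate at issuer ({v.reason}); "
            f"re-add for {','.join(v.targets) or 'all targets'} with type=sensitive"
            for v in exposed]


# Constructed listing in the /v9/projects/{id}/env response shape.
SAMPLE_LISTING = {"envs": [
    {"id": "env_1", "key": "DATABASE_URL", "type": "encrypted", "target": ["production"],
     "value": "postgres://app:hunter2@db.internal:5432/app"},
    {"id": "env_2", "key": "STRIPE_SECRET_KEY", "type": "encrypted", "target": ["production", "preview"],
     "value": "sk_live_4eC39HqLyjWDarjtT1zdp7dc"},
    {"id": "env_3", "key": "AWS_ACCESS_KEY_ID", "type": "plain", "target": ["production"],
     "value": "AKIAIOSFODNN7EXAMPLE"},
    {"id": "env_4", "key": "NEXT_PUBLIC_SITE_NAME", "type": "plain", "target": ["production"],
     "value": "Acme"},
    {"id": "env_5", "key": "SESSION_SECRET", "type": "encrypted", "target": ["production"],
     "value": "c0ffee0ddba11c0ffee0ddba11c0ffee"},
    {"id": "env_6", "key": "SENDGRID_API_KEY", "type": "sensitive", "target": ["production"]},
    {"id": "env_7", "key": "VERCEL_ENV", "type": "system", "target": ["production"], "value": ""},
]}

if __name__ == "__main__":
    for line in rotation_plan(find_exposed(SAMPLE_LISTING)):
        print(line)
```

Note the order in the plan: rotate first, then re-add. Once a value has been readable through the dashboard, marking the existing variable sensitive only hides the value that was already taken. On the API side the hardened form is the same create or update call with `"type": "sensitive"`, which makes the value write-only from then on; recent versions of the Vercel CLI expose the same setting as a `--sensitive` flag on `vercel env add`.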
Mandiant is still inside the incident. Law enforcement has been notified. Vercel is consulting industry peers, and Rauch's bulletin update language ("we will contact additional customers if we uncover further evidence") describes an investigation that is producing the second wave today and may produce a third. The April story has become a May story. The story is no longer who got hacked. It is what stays readable in plaintext because the flag was never set.
-- THEO KAPLAN, San Francisco