Vercel, the company behind Next.js, got breached last week. The attacker did not find a zero-day in their platform. They did not exploit a misconfigured S3 bucket. They walked through a door that a Vercel employee opened by signing up for a third-party AI tool and clicking "Allow All."

The story is not about Vercel. It is about what happens when the AI tool supply chain meets OAuth.

One weekend in late April gave us three separate incidents that, taken together, draw a sharp picture of where AI security is right now and where it is weakest. The Vercel breach. The Lovable source-code leak. And a protocol-level MCP design flaw exposing over 200,000 servers to remote command execution. Each incident is different on the surface. Underneath, they share the same root cause: AI integration points that nobody treated as attack surface until it was too late.

The Vercel breach: OAuth as the pivot

On April 19, Vercel published a security bulletin confirming unauthorized access to internal systems. The entry point was Context.ai, a third-party AI tool used by a Vercel employee. Context.ai had itself been compromised weeks earlier when an employee downloaded infected game cheats carrying a Lumma Stealer payload. That stealer gave the attacker access to Context.ai's OAuth tokens.

From there, the attacker pivoted into Vercel's Google Workspace. The employee had signed up for Context.ai's AI Office Suite with their Vercel corporate Google account and granted "Allow All" on the consent screen. Nothing in Vercel's Workspace OAuth configuration limited what a grant of that breadth could reach, so the stolen Context.ai tokens carried the employee's access with them.

The result: 580 employee records exfiltrated. A limited subset of customer credentials compromised. A ShinyHunters-affiliated actor listing the data for $2 million on BreachForums, though Google Threat Intelligence assessed that claim as likely an imposter.

Vercel says the environment variables accessed were not marked "sensitive." Context.ai says Vercel's OAuth configurations "appear to have allowed this action to grant these broad permissions." Both sides are pointing fingers, and the real lesson is that the failure sat on both sides: the vendor held tokens broad enough to be worth stealing, and the tenant let a single consent click grant them.

Same pattern, new layer

This is not a new attack. Midnight Blizzard used OAuth app abuse against Microsoft. CircleCI's 2023 breach exfiltrated customer environment variables through similar pivoting. The Heroku/Travis CI OAuth token compromise gave attackers access to private GitHub repositories.

The difference this time is the layer it happened at. The employee did not install a compromised npm package. They signed up for an AI productivity tool. That tool was nobody's definition of critical infrastructure. But it held OAuth tokens. And those tokens had more access than anyone realized.

Lovable and MCP: the same weekend

While Vercel was dealing with their breach, Lovable accidentally exposed user source code, database credentials, and AI chat histories to any free-tier account. The incident was a configuration mistake rather than a malicious intrusion, which somehow makes it worse. The data that leaked was exactly what you would not want to expose: the raw material developers trust these platforms with.

At the same time, security researchers were publishing findings about the Model Context Protocol, Anthropic's open standard for connecting AI agents to external tools. Ox Security described what they found as a design-level vulnerability: any MCP server that accepts remote connections could be tricked into executing arbitrary commands. The Cloud Security Alliance published a research note saying roughly the same thing. Over 200,000 internet-facing MCP servers were found to be vulnerable as of late April.

Anthropic responded by saying the behavior was intentional and documented, a feature rather than a bug. Fair enough at the protocol spec level. But in practice, over 200,000 servers were deployed with the feature enabled and reachable from the internet. That gap between "intended behavior" and "how people deploy it" is where security failures live.

The shape of the problem

AI tooling is expanding faster than the security model that surrounds it. The Vercel incident shows that employees are signing up for AI tools without security review. The Lovable leak shows that the data flowing through these platforms is more sensitive than anyone's access controls reflect. The MCP findings show that even the protocols meant to glue this ecosystem together are being deployed faster than their security implications are understood.

Each of these individually is a manageable problem. Together they form a pattern that is hard to dismiss.

The immediate fix for the OAuth pivot is straightforward: every organization that uses AI tools should audit which of those tools hold OAuth tokens against its identity provider, what scopes those tokens carry, and how many users have granted them, because a single compromised vendor inherits every grant at once. The Vercel KB provides a concrete starting point: review the third-party OAuth apps authorized in your Google Workspace tenant, restrict what an "Allow All" consent is permitted to grant, and mark environment variables as sensitive by default rather than as an opt-in.
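The audit described above, as an added example that is not from the Vercel KB or any vendor's tooling: it takes the per-user OAuth grant records a Workspace admin can pull from the Admin SDK Directory API `tokens` resource, rates each grant by the widest scope it carries, and then regroups the findings by app to show what a compromised vendor would walk away with. The records, app names and client IDs below are constructed placeholders; the broad-scope table is a starting list, not an exhaustive one.

```python
"""
Audit which third-party apps hold OAuth grants in a Google Workspace tenant and
what those grants can reach. Record shape mirrors the Admin SDK Directory API
``tokens`` resource (GET .../admin/directory/v1/users/{userKey}/tokens); the
records below are constructed for this example, and the app names and client
IDs are placeholders rather than real apps.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Product-wide scopes. A grant of any of these is what a consent screen's
# "Allow All" usually amounts to: the token can act as the user across the
# whole surface, so whoever steals the vendor's tokens inherits that reach.
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail read/write/delete",
    "https://www.googleapis.com/auth/drive": "every Drive file",
    "https://www.googleapis.com/auth/calendar": "every calendar",
    "https://www.googleapis.com/auth/contacts": "every contact",
    "https://www.googleapis.com/auth/admin.directory.user": "directory user admin",
    "https://www.googleapis.com/auth/cloud-platform": "every GCP resource",
}

# Scopes that only identify the user; acceptable for plain sign-in.
IDENTITY_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

SEVERITY_ORDER = {"high": 0, "review": 1, "ok": 2}


@dataclass(frozen=True)
class Finding:
    user: str
    app: str
    client_id: str
    severity: str  # "high" | "review" | "ok"
    scopes: tuple
    reason: str


def classify(user: str, token: dict) -> Finding:
    """Rate one grant by the widest scope it carries."""
    scopes = tuple(sorted(token.get("scopes", [])))
    app = token.get("displayText", "<unnamed app>")
    client_id = token.get("clientId", "<unknown client>")
    broad = [s for s in scopes if s in BROAD_SCOPES]
    if broad:
        reason = "broad scopes: " + "; ".join(BROAD_SCOPES[s] for s in broad)
        return Finding(user, app, client_id, "high", scopes, reason)
    narrow = [s for s in scopes if s not in IDENTITY_SCOPES]
    if narrow:
        reason = "data scopes beyond sign-in: " + ", ".join(narrow)
        return Finding(user, app, client_id, "review", scopes, reason)
    return Finding(user, app, client_id, "ok", scopes, "sign-in only")


def audit(tokens_by_user: dict) -> list:
    """Classify every grant in the tenant, worst first."""
    findings = [classify(user, tok)
                for user, toks in tokens_by_user.items() for tok in toks]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.app, f.user))


def blast_radius(findings: list) -> dict:
    """Group by app: if this vendor's tokens leak, which users and scopes go too?"""
    per_app = defaultdict(lambda: {"app": "", "users": set(), "scopes": set()})
    for f in findings:
        entry = per_app[f.client_id]
        entry["app"] = f.app
        entry["users"].add(f.user)
        entry["scopes"].update(f.scopes)
    return dict(per_app)


# Constructed sample: one AI productivity suite granted by two employees (one
# clicked through with everything, one granted sign-in only) and a separate
# read-only Drive tool. Client IDs are placeholders.
SAMPLE_TOKENS = {
    "alice@example.com": [
        {"clientId": "111111-placeholder.apps.googleusercontent.com",
         "displayText": "Example AI Office Suite",
         "scopes": ["openid", "email",
                    "https://mail.google.com/",
                    "https://www.googleapis.com/auth/drive",
                    "https://www.googleapis.com/auth/calendar"]},
    ],
    "bob@example.com": [
        {"clientId": "111111-placeholder.apps.googleusercontent.com",
         "displayText": "Example AI Office Suite",
         "scopes": ["openid", "email"]},
    ],
    "carol@example.com": [
        {"clientId": "222222-placeholder.apps.googleusercontent.com",
         "displayText": "Example Notes Sync",
         "scopes": ["openid", "https://www.googleapis.com/auth/drive.readonly"]},
    ],
}


if __name__ == "__main__":
    results = audit(SAMPLE_TOKENS)
    for f in results:
        print(f"[{f.severity:6}] {f.user:20} {f.app:26} {f.reason}")
    print()
    for client_id, entry in blast_radius(results).items():
        broad_count = sum(1 for s in entry["scopes"] if s in BROAD_SCOPES)
        print(f"{entry['app']}: {len(entry['users'])} user(s), {broad_count} broad scope(s)")
```

The per-app grouping is the part worth reading first: it answers the Context.ai question directly, since one compromised vendor does not cost you one employee's grant but every grant that client ID holds across the tenant. Feed it live data by iterating the tenant's users and listing each one's tokens through the Directory API, then treat every "high" finding as a revocation decision rather than a ticket.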

The harder question is structural. Security teams are already stretched thin monitoring traditional supply-chain risks: npm packages, CI/CD pipelines, dependency updates. The AI tool supply chain adds a new dimension to that problem, and most teams do not have the processes or tooling in place to monitor it.

What happens next

This will happen again. The same playbook applied to the AI tool supply chain is not a prediction. It happened. The question is whether security teams treat the Vercel incident as a one-off anomaly or as the first public example of a problem that has been building for months.

The Substack piece by Dan Tinsley that surfaced on r/cybersecurity this week frames it well: the key was not a zero-day. The key was someone downloading Roblox cheats. That is the uncomfortable truth about supply-chain security in the AI era. The sophistication of the attack does not matter. What matters is what the attacker can reach once they are in, and whether anyone noticed the door was open.

---

Sources