April 19, 2026 · 8 min read · Rampart Security Team

Vercel April 2026 Security Incident: How to Check If Your Organization Is Affected

Updated April 19, 2026: This post has been updated to include details from a public statement by Vercel CEO Guillermo Rauch.

What Happened

In April 2026, Vercel disclosed that an attacker compromised a Vercel employee's Google Workspace account through Context.ai, a third-party AI tool whose OAuth app was breached. The attacker escalated access into Vercel's internal environments and was able to enumerate customer environment variables not marked as "sensitive." Vercel describes the attacker as "highly sophisticated" and likely AI-accelerated. Customer impact is believed limited — Next.js, Turbopack, and Vercel's open source projects are confirmed safe. Vercel is working with Google Mandiant and law enforcement.

IOC (Indicator of Compromise):

110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com

Source: Vercel Security Bulletin

Who Is Affected?

Organizations that authorized the compromised OAuth application in their Google Workspace are potentially at risk:

  • If anyone in your organization clicked "Allow" when this app requested Google account access, your org may be affected
  • If your website or application integrates this OAuth app for authentication (e.g., Google Sign-In), your users may be affected
  • If you use Vercel and had environment variables that weren't marked as "sensitive," those values should be treated as potentially exposed

Checking Manually vs. RampartScan

The Manual Way

To check if your organization authorized the compromised OAuth app without RampartScan:

  1. Log into admin.google.com
  2. Navigate to Security → Access and data control → API controls → App access control → Manage Third-Party App Access
  3. Search for the compromised client ID: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj
  4. If found, block and revoke the app immediately
  5. Then check Reports → Audit and investigation → OAuth log events to see which users authorized it and when
  6. Repeat this process every time a new IOC is published

For personal Google accounts, visit myaccount.google.com/permissions and look through your authorized apps.
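Step 5 can also be done offline once the OAuth log events are exported. The following is an added example, not RampartScan's code: it assumes the export is JSON in the shape of an Admin SDK Reports API `activities.list` response for `applicationName=token`, uses constructed users and timestamps, and goes slightly beyond the steps above by tracking whether each grant was later revoked.

```python
import json

# Client ID published in the Vercel bulletin and quoted on this page.
IOC = "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"
SUFFIX = ".apps.googleusercontent.com"

def _item(time, email, event, client_id, scopes):
    # One record in the Reports API token-activity shape (assumed input format).
    return {"id": {"time": time, "applicationName": "token"},
            "actor": {"email": email},
            "events": [{"name": event, "parameters": [
                {"name": "client_id", "value": client_id},
                {"name": "scope", "multiValue": scopes}]}]}

# Constructed sample export (invented users), newest first as the API returns it.
SAMPLE = json.dumps({"items": [
    _item("2026-04-19T09:30:00.000Z", "alice@example.com", "revoke", IOC, []),
    _item("2026-03-10T16:02:41.000Z", "bob@example.com", "authorize", IOC,
          ["https://www.googleapis.com/auth/drive.readonly"]),
    _item("2026-03-05T11:20:00.000Z", "carol@example.com", "authorize",
          "000000000000-constructed.apps.googleusercontent.com", ["openid"]),
    _item("2026-03-02T14:11:09.000Z", "alice@example.com", "authorize", IOC,
          ["https://www.googleapis.com/auth/gmail.readonly"]),
]})

def _norm(client_id):
    cid = str(client_id).strip().lower()  # match with or without the suffix
    return cid[:-len(SUFFIX)] if cid.endswith(SUFFIX) else cid

def find_ioc_grants(export_json, ioc=IOC):
    """Return {user: {first_authorized, active, scopes}} for the IOC client ID."""
    users, rows = {}, []
    for item in json.loads(export_json).get("items", []):
        who = item.get("actor", {}).get("email", "unknown")
        for ev in item.get("events", []):
            p = {x["name"]: x.get("multiValue") or x.get("value")
                 for x in ev.get("parameters", [])}
            if _norm(p.get("client_id", "")) == _norm(ioc):
                rows.append((item["id"]["time"], who, ev["name"],
                             p.get("scope") or []))
    # ISO-8601 UTC timestamps sort chronologically as plain strings.
    for when, who, name, scopes in sorted(rows, key=lambda r: r[0]):
        u = users.setdefault(who, {"first_authorized": None, "active": False,
                                   "scopes": set()})
        if name == "authorize":
            u["first_authorized"] = u["first_authorized"] or when
            u["active"] = True
            u["scopes"].update(scopes)
        elif name == "revoke":
            u["active"] = False  # grant ended; the earlier exposure still counts
    return users
```

A user with `active` set to `False` still had the app authorized from `first_authorized` until the revoke, so that window and the granted scopes bound what needs reviewing.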

With RampartScan (One Line)

npx @rampartscan/cli ioc-check --gcloud-admin

RampartScan automates the entire process — queries every OAuth grant across your organization, cross-references against our continuously updated IOC database, and reports exactly who authorized what and when. New IOCs are added as incidents are disclosed, so you don't have to manually track bulletins.

How to Check with RampartScan

RampartScan now detects this compromised OAuth app through two methods:

Google Workspace Admin Check (CLI)

For Google Workspace administrators, our CLI can query the Admin SDK Reports API to check if anyone in your organization authorized the compromised OAuth app:

npx @rampartscan/cli ioc-check --gcloud-admin

This will:

  1. Authenticate using your local gcloud credentials
  2. Query all OAuth token grants across your organization
  3. Check each grant against our IOC database
  4. Report which users authorized the compromised app and when

If you don't have Google Workspace admin access, run without the flag to check your personal account:

npx @rampartscan/cli ioc-check

Automated Website Scan (JS Bundle Analysis)

Our scanner checks every JavaScript bundle your site serves for embedded Google OAuth client IDs and cross-references them against our IOC database. If your site uses the compromised app for Google Sign-In, we'll flag it as CRITICAL.

Run a scan at rampartscan.com or via the CLI:

npx @rampartscan/cli scan yourdomain.com
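The bundle check described above comes down to extracting Google OAuth client IDs from served JavaScript and comparing them to an IOC list. This is an added example, not RampartScan's implementation: the regular expression for the client ID format is an assumption, and the bundle paths, contents and the second client ID are constructed.

```python
import re

# IOC client ID quoted on this page; extend the set as bulletins publish more.
IOC_CLIENT_IDS = {
    "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com",
}
# Assumed pattern: project number, optional "-token", fixed Google suffix.
CLIENT_ID_RE = re.compile(
    r"(?<![\w-])\d+(?:-[a-z0-9]+)?\.apps\.googleusercontent\.com", re.I)

# Constructed bundles (path -> served JavaScript); the second ID is invented.
BUNDLES = {
    "/static/js/main.4f2a.js":
        'const a=1;\nwindow.gsi={client_id:"110671459871-30f1spbu0hptbs60cb4'
        'vsmv79i7bbvqj.apps.googleusercontent.com",ux_mode:"popup"};\n',
    "/static/js/vendor.91bc.js":
        'var cfg={clientId:"000000000000-constructed.APPS.googleusercontent.com"}',
    "/static/js/chunk.77.js": "export const x = 42;",
}

def scan_bundles(bundles, iocs=IOC_CLIENT_IDS):
    """Return one finding per distinct client ID per bundle, IOC hits first."""
    known = {i.lower() for i in iocs}
    findings = []
    for path, text in bundles.items():
        seen = set()
        for m in CLIENT_ID_RE.finditer(text):
            cid = m.group(0).lower()  # IDs are compared case-insensitively
            if cid in seen:
                continue
            seen.add(cid)
            findings.append({
                "bundle": path,
                "client_id": cid,
                "line": text.count("\n", 0, m.start()) + 1,
                "severity": "CRITICAL" if cid in known else "INFO",
            })
    # Stable sort keeps bundle order within each severity.
    return sorted(findings, key=lambda f: f["severity"] != "CRITICAL")
```

The `INFO` findings are worth keeping: they give an inventory of every OAuth client your site embeds, ready to re-check when a new IOC is published.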

What to Do If You're Affected

Immediate Actions

  1. Revoke the OAuth app — Google Workspace Admin Console → Security → API Controls → Third-party app access
  2. Review audit logs — Check for unauthorized data access or exfiltration during the period the app had access
  3. Rotate credentials — Any API keys, tokens, database credentials, or signing keys that may have been accessible
  4. Review Vercel environment variables — If you use Vercel, rotate any environment variables that weren't marked as "sensitive"
  5. Check for lateral movement — Review whether the compromised access could have been used to reach other systems

Vercel-Specific Actions

Why This Matters

This incident highlights a growing attack vector: supply chain attacks through OAuth applications. Rather than attacking your infrastructure directly, attackers compromise a trusted third-party tool that your team has already authorized. The compromised app then has whatever permissions your team granted it — often access to email, drive, and other sensitive data.

This is why RampartScan now includes IOC detection as part of every scan. As new compromised OAuth apps are disclosed, they're added to our IOC database automatically.

Updates

April 19, 2026 — Vercel CEO issues public statement confirming Context.ai as the compromised third-party AI platform. Attack described as "highly sophisticated" and likely AI-accelerated. Customer impact believed limited. Vercel working with Google Mandiant and law enforcement. New dashboard security features (env var overview, sensitive var management UI) rolled out in response.

Stay Protected

  • Run regular scans at rampartscan.com to catch exposed secrets and compromised integrations
  • Audit your OAuth apps periodically using rampartscan ioc-check --gcloud-admin
  • Follow us for real-time threat intelligence on our Threats page
