TTPwire Vol. 1 · MITRE ATT&CK·Tagged

← All stories

Trend Micro Research

The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables

Peter Girnus · 2026-04-20 · Read original ↗

ATT&CK techniques detected

32 predictions
T1195.001Compromise Software Dependencies and Development Tools
98%
"versions 1. 82. 7 and 1. 82. 8 were published using stolen ci / cd publishing credentials from trivy ( aqua security ' s vulnerability scanner ). the attack targeted litellm, a widely - used llm proxy with ~ 3. 4 million daily downloads. - initial access : attacker ( tracked as "…"
T1525Implant Internal Image
89%
"breach from a confidentiality event into a potential cascade across the software supply chain. why oauth trust relationships bypass perimeter defenses a fundamental reason this attack succeeded for approximately two months is that oauth - based intrusion bypasses most of the cont…"
T1199Trusted Relationship
83%
"exfiltration was not identified until vercel ’ s investigation. this is the critical initial access vector. oauth applications, once authorized, maintain persistent access tokens that : - do not require the user ' s password - survive password rotations - often have broad scopes …"
T1195.002Compromise Software Supply Chain
81%
"1, which contained a cross - platform remote access trojan ( rat ). - initial access : maintainer account hijacked ( mechanism not disclosed ; credential stuffing or phishing suspected ). - scale : 135 endpoints detected contacting attacker command - and - control infrastructure.…"
T1525Implant Internal Image
76%
"into rules native to their siem platform ( sigma, splunk spl, kql, chronicle yara - l ) after validating field names against their specific log source schemas. oauth application anomalies ( stages 1 – 2 ) monitor google workspace token and admin audit logs for three patterns. fir…"
T1525Implant Internal Image
75%
"— secrets should rotate on a defined schedule ( 30 – 90 days ) regardless of incident status. - treat oauth grants as vendor relationships — add them to your third - party risk inventory alongside contracted vendors. architectural changes ( 1 – 6 months ) - adopt a zero - trust p…"
T1525Implant Internal Image
71%
"##l : oauth application compromised → internal access enabling enumeration of a limited subset of customer deployment secrets, with at least one public report suggesting downstream credential abuse detected in the wild prior to disclosure. each attack targets a different link in …"
T1587Develop Capabilities
71%
"versions 1. 82. 7 and 1. 82. 8 were published using stolen ci / cd publishing credentials from trivy ( aqua security ' s vulnerability scanner ). the attack targeted litellm, a widely - used llm proxy with ~ 3. 4 million daily downloads. - initial access : attacker ( tracked as "…"
T1525Implant Internal Image
70%
"gcp, azure ). - database connection strings. - payment processor keys. - authentication secrets ( jwt secrets, session keys ). - third - party api keys. - monitoring and logging tokens. for security teams ( proactive ) oauth application audit — google workspace - admin console → …"
T1550.001Application Access Token
69%
"be flagged for investigation, as this may indicate token theft or application compromise. internal system access and lateral movement ( stage 3, t1078 ) once attackers control a compromised google workspace account, they pivot into internal systems that trust that identity. detec…"
T1550.001Application Access Token
68%
"exfiltration was not identified until vercel ’ s investigation. this is the critical initial access vector. oauth applications, once authorized, maintain persistent access tokens that : - do not require the user ' s password - survive password rotations - often have broad scopes …"
T1199Trusted Relationship
68%
"the vercel breach : oauth supply chain attack exposes the hidden risk in platform environment variables artificial intelligence ( ai ) the vercel breach : oauth supply chain attack exposes the hidden risk in platform environment variables an oauth supply chain compromise at verce…"
T1528Steal Application Access Token
67%
"be flagged for investigation, as this may indicate token theft or application compromise. internal system access and lateral movement ( stage 3, t1078 ) once attackers control a compromised google workspace account, they pivot into internal systems that trust that identity. detec…"
T1550.001Application Access Token
67%
"party oauth compromise ( t1199 ) context. ai, a company providing ai analytics tooling, had a google workspace oauth application authorized by vercel employees. the attacker compromised this oauth application — the compromise has since been traced to a lumma stealer malware infec…"
T1528Steal Application Access Token
62%
"party oauth compromise ( t1199 ) context. ai, a company providing ai analytics tooling, had a google workspace oauth application authorized by vercel employees. the attacker compromised this oauth application — the compromise has since been traced to a lumma stealer malware infec…"
T1195.002Compromise Software Supply Chain
61%
"versions 1. 82. 7 and 1. 82. 8 were published using stolen ci / cd publishing credentials from trivy ( aqua security ' s vulnerability scanner ). the attack targeted litellm, a widely - used llm proxy with ~ 3. 4 million daily downloads. - initial access : attacker ( tracked as "…"
T1525Implant Internal Image
60%
"active. any credential showing usage that cannot be attributed to your own infrastructure should be treated as compromised, rotated immediately, and investigated for what actions the attacker performed with it. third - party credential leak notifications configure monitoring for …"
T1199Trusted Relationship
58%
"1, which contained a cross - platform remote access trojan ( rat ). - initial access : maintainer account hijacked ( mechanism not disclosed ; credential stuffing or phishing suspected ). - scale : 135 endpoints detected contacting attacker command - and - control infrastructure.…"
T1199Trusted Relationship
56%
"party oauth compromise ( t1199 ) context. ai, a company providing ai analytics tooling, had a google workspace oauth application authorized by vercel employees. the attacker compromised this oauth application — the compromise has since been traced to a lumma stealer malware infec…"
T1078.004Cloud Accounts
52%
"exfiltration was not identified until vercel ’ s investigation. this is the critical initial access vector. oauth applications, once authorized, maintain persistent access tokens that : - do not require the user ' s password - survive password rotations - often have broad scopes …"
T1671Cloud Application Integration
51%
"party oauth compromise ( t1199 ) context. ai, a company providing ai analytics tooling, had a google workspace oauth application authorized by vercel employees. the attacker compromised this oauth application — the compromise has since been traced to a lumma stealer malware infec…"
T1550.001Application Access Token
49%
"the attack demonstrates how oauth - based intrusions leverage legitimate application permissions that rarely trigger standard detection controls. table 1. summary of key events and their confirmation status a key observation from the timeline is that even with a relatively short …"
T1552.004Private Keys
43%
"went undetected for approximately two months. 29, 000 + customers potentially affected, including twitch, hashicorp, and confluent. parallel to vercel : both incidents expose customer credentials stored as environment variables through a platform compromise. circleci security inc…"
T1671Cloud Application Integration
41%
"the attack demonstrates how oauth - based intrusions leverage legitimate application permissions that rarely trigger standard detection controls. table 1. summary of key events and their confirmation status a key observation from the timeline is that even with a relatively short …"
T1078.004Cloud Accounts
41%
"be flagged for investigation, as this may indicate token theft or application compromise. internal system access and lateral movement ( stage 3, t1078 ) once attackers control a compromised google workspace account, they pivot into internal systems that trust that identity. detec…"
T1199Trusted Relationship
40%
"scopes, but this required per - team access, not a single point of platform - wide credential exposure. the original language overstated the blast radius ; we regret the error. this analysis reflects what is publicly known about the vercel oauth supply chain compromise as of the …"
T1525Implant Internal Image
39%
"the attack demonstrates how oauth - based intrusions leverage legitimate application permissions that rarely trigger standard detection controls. table 1. summary of key events and their confirmation status a key observation from the timeline is that even with a relatively short …"
T1078Valid Accounts
39%
"versions 1. 82. 7 and 1. 82. 8 were published using stolen ci / cd publishing credentials from trivy ( aqua security ' s vulnerability scanner ). the attack targeted litellm, a widely - used llm proxy with ~ 3. 4 million daily downloads. - initial access : attacker ( tracked as "…"
T1528Steal Application Access Token
37%
"the attack demonstrates how oauth - based intrusions leverage legitimate application permissions that rarely trigger standard detection controls. table 1. summary of key events and their confirmation status a key observation from the timeline is that even with a relatively short …"
T1199Trusted Relationship
36%
"went undetected for approximately two months. 29, 000 + customers potentially affected, including twitch, hashicorp, and confluent. parallel to vercel : both incidents expose customer credentials stored as environment variables through a platform compromise. circleci security inc…"
T1199Trusted Relationship
32%
"##hold into vercel ’ s internal systems, exposing environment variables for an undisclosed but reportedly limited subset of customer projects. vercel is a cloud deployment and hosting platform widely used for front ‑ end and serverless applications. on april 19, 2026, vercel publ…"
T1199Trusted Relationship
32%
"in vercel ’ s disclosure and aligns with well ‑ understood oauth abuse patterns rather than novel exploitation. table 6. mitre att & ck technique mapping for the vercel incident. based on this mapping, the pivot from oauth application access to internal system access ( t1199 to t…"

Summary

An OAuth supply chain compromise at Vercel exposed how trusted third party apps and platform environment variables can bypass traditional defenses and amplify blast radius. This article examines the attack chain, underlying design tradeoffs, and what it reveals about modern PaaS and software supply chain risk.