LEARNING FROM THE VERCEL BREACH: SHADOW AI & OAUTH SPRAWL
Sponsored by Push Security[https://pushsecurity.com/demo?utmsource=bleeping-computer&utmmedium=sponsored-content&utm_term=article]
Shadow AI and OAuth sprawl have moved beyond a niche concern for security teams. When an employee connects an AI app to core tools like Google Workspace, Microsoft 365, or Salesforce, a persistent bridge is created between the organization and a third party. That bridge can outlive the individual, and if the third party is ever compromised, the organization inherits a direct route into its systems. The case study that brought this into sharp relief is the Vercel incident, where an employee trialed Context.ai and granted it access to Google Workspace via OAuth. When Context.ai was breached, the consequences extended into Vercel’s environment, illustrating how a seemingly small self-service integration can introduce a broad attack surface.
INTRODUCTION: SHADOW AI AS A CONTINUOUS RISK
- Shadow AI refers to the use of AI tools within an enterprise without formal approval or governance.
- The most consequential risk isn’t merely data leakage from AI prompts; it’s the establishment of persistent, programmatic connections between a company’s environment and third-party services.
- Once an OAuth connection is granted, it can endure beyond the life of the employee or the app, creating a lasting security dependency.
SHADOW IT IN THE AI AGE: TYPES TO WATCH
Shadow IT has long challenged security teams, but AI tools amplify the problem through deeper interoperability. The main forms of shadow presence in AI-enabled environments include:
- Shadow apps: Business use of AI apps that employees sign up for and use without formal approval, whether the sign-up occurs through corporate or personal accounts.
- Shadow tenants: Access to apps via personal accounts that effectively create uncontrolled external tenants tied to the organization’s data and workflows.
- Shadow extensions: Browser extensions and app add-ons that accompany AI tools, often adding visibility into browser activity or introducing unvetted capabilities.
- Shadow integrations: OAuth connections that bridge apps not known or approved by the organization, enabling cross-tool data flows and control of sensitive assets.
In practice, the categories overlap. The Vercel scenario centered on shadow integrations, but every form compounds risk by widening the surface area attackers can exploit.
THE VERCEL BREACH: A CASE STUDY IN OAUTH RISKS
The Vercel incident is a textbook example of how OAuth grants can become a risk multiplier when shadow AI tools are involved. A Vercel employee connected an AI Office Suite product from Context.ai to Google Workspace. Vercel was not a Context.ai customer, and the integration appears to have been a light, self-serve trial that slipped under the radar.
- What happened: By adopting the Context.ai app, the employee granted a third party access through OAuth, thereby adding an external security dependency to the organization’s control plane.
- The breach chain: Context.ai’s compromise allowed an attacker to leverage OAuth tokens stored within Context.ai’s environment to pivot into downstream customer accounts.
- The impact: The attacker gained access to high-value assets tied to the employee’s Google Workspace—internal dashboards, personnel records, API keys, NPM tokens, and GitHub tokens—creating a broad breach surface within Vercel’s environment.
This incident demonstrates a critical pattern: a seemingly isolated, self-service app can create an invisible node on an organization’s attack surface, which becomes valuable collateral once the app’s security is breached.
OAUTH SPRAWL AT SCALE: ATTACKERS TARGETING TOKEN-BASED MOATS
OAuth has become a preferred method for attackers seeking scalable access across cloud ecosystems. The trend is not limited to AI tools; it spans multiple attack surfaces and industries, with notable high-profile campaigns and widespread consequences.
- 2025: OAuth-driven supply chain attacks emerged against Salesforce and Google Workspace tenants. These attacks followed breaches of other platforms and leveraged compromised OAuth connections to access a broad range of enterprise data.
- The scope: Over 1,000 organizations affected, with a distribution of targets that included major providers and numerous enterprises. Stolen data volumes reached into the billions of records in some campaigns.
- Related campaigns: Attacks tied to various groups used a combination of supply chain intrusions and OAuth manipulation to move laterally, often accompanied by phishing variants designed to enroll attacker-controlled apps into enterprise tenants.
- Phishing as a doorway: Device code phishing and other OAuth-centric tactics have become common entry vectors, enabling attackers to prompt victims to authorize apps that grant broad API access.
- The broader takeaway: OAuth integrations are now one of the most abused attack surfaces in modern enterprises, and each new AI tool adopted by employees expands the potential attack corridor.
NEW FRONTIERS IN BROWSER-BASED ATTACKS AND SHADOW AI
Beyond direct OAuth abuse, browser-based attack techniques are increasingly capable of bypassing traditional defenses and enabling shadow AI sprawl. A suite of techniques exists to bypass controls and exfiltrate data through legitimate-looking channels.
- Browser-based delivery and manipulation: AI-enabled phishing, credential harvesting, and session hijacking increasingly rely on browser context and extensions.
- Malicious extensions: Untrusted browser extensions add another vector for bypassing controls and monitoring, widening visibility gaps and complicating enforcement.
- AI-facilitated exploitation: As AI tools become more integrated into daily workflows, attackers can leverage them to automate the discovery of insecure integrations and to optimize attack paths across SaaS ecosystems.
A RECENT RESOURCE ON BROWSER-BASED ATTACKS
Public-facing research and white papers highlight how browser-based attacks intersect with shadow AI sprawl, including techniques such as AI-driven phishing and malicious OAuth apps. These resources help explain why visibility and governance across all connected apps—beyond the primary enterprise cloud—are essential for reducing risk.
THE WEB OF OAUTH SPRAWL: BREADTH BEYOND THE CORE CLOUD
The Vercel breach illustrates a broader problem that extends far beyond a single cloud platform. Controlling OAuth within the core enterprise cloud environment is achievable with administrative controls, but the wider challenge lies in SaaS-to-SaaS connections and ungoverned third-party apps.
- Core cloud controls are valuable, but insufficient on their own: Admins can audit and restrict OAuth within popular platforms, yet many shadow integrations bypass these controls entirely.
- The inventory problem: Maintaining an up-to-date map of every app in use is difficult. Self-adopted apps may lack formal ownership or visibility, creating gaps in governance.
- App-level control limitations: Even when an app is approved, the underlying OAuth grants and data access privileges may be broader than intended, especially when multiple apps interact through APIs and data pipelines.
- The MCP connection reality: Modern integration patterns use OAuth to enable interconnectivity across core enterprise systems and a broad ecosystem of SaaS tools. This interconnectivity is powerful for productivity but potent as an attack surface.
ILLUSTRATIONS OF SPRAWL AND VISUAL CONTEXT
- An illustrative diagram shows OAuth sprawl from the primary enterprise cloud to core apps and outward to wider SaaS tools.
- In this visualization, AI apps are highlighted to indicate their role in bridging multiple services and data sources, underscoring how a single integration can ripple across the organization.
KEY OBSERVATIONS AND IMPLICATIONS FOR ORGANIZATIONS
- OAuth bridges are persistent: Once granted, tokens can outlive the original approval and persist across device restarts, user transitions, and app deprecations.
- Shadow AI accelerates risk: The faster tools are adopted, the more difficult it becomes to maintain comprehensive visibility, control, and regular audits.
- Interconnectedness raises the stakes: Each new integration increases the probability of lateral movement if a single app or token is compromised.
- Visibility is foundational: A complete, up-to-date inventory of apps, integrations, and tokens is essential for any meaningful risk assessment and remediation.
CLOSING THOUGHTS: A HUMAN CONTEXT FOR A HIGHLY CONNECTED WORLD
The Vercel breach and its related incidents highlight a foundational truth: modern enterprises are deeply interconnected through dozens, if not hundreds, of SaaS tools and AI-enabled apps. The promise of automation and efficiency comes with a parallel demand for robust governance over who connects to what, with what permissions, and under whose oversight. As attackers increasingly weaponize OAuth tokens and browser-based vectors, organizations must prioritize visibility, risk assessment, and governance across the entire ecosystem of apps—not just within the primary cloud environment.
APPENDIX: CONTENT ORIGINS AND REFERENCE POINTS
- Context.ai’s trial and the Vercel context illustrate how a non-customer app can become a security dependency.
- Broad industry trends indicate a growing pattern of OAuth-focused attacks, including supply chain compromises and device code phishing.
- Recent research and reports emphasize the effectiveness of browser-based defenses and the persistent challenges of shadow IT in an AI-rich environment.
ENDNOTE: THE LOOMING CONSIDERATION FOR ENTERPRISES
Shadow AI and OAuth sprawl are not merely theoretical concerns; they are observable realities shaping the security landscape. The Vercel incident serves as a reminder that governance, visibility, and careful management of third-party integrations are essential to maintaining a resilient posture in an era of pervasive AI-enabled workflows. As organizations navigate the opportunities and risks of AI, a disciplined approach to shadow IT and OAuth governance will continue to be a critical factor in reducing exposure and preserving trust across ecosystems.
