
The real story isn't Vercel. It's that a Context.ai employee got infostealer'd in February and four months later that single compromise propagated through an 'Allow All' Google Workspace OAuth grant into Vercel's env vars. This is less a Vercel incident and more the chronic OAuth-supply-chain problem finally surfacing somewhere visible.



How do you go from a Google Workspace to production env vars without Vercel doing something wrong?

Not just into Vercel's env vars, but into Vercel's customer's env vars.

The real story is Vercel letting users with access to their infrastructure install random apps not vetted by any security system.

Where did you see that a Context employee had credentials stolen in February? I haven't run into that particular data point.


