Hacker News
by BrianneLee011 60 days ago
The real story isn't Vercel. It's that a Context.ai employee got infostealer'd in February and four months later that single compromise propagated through an 'Allow All' Google Workspace OAuth grant into Vercel's env vars. This is less a Vercel incident and more the chronic OAuth-supply-chain problem finally surfacing somewhere visible.
4 comments

How do you go from a Google Workspace to production env vars without Vercel doing something wrong?
Not just into Vercel's env vars, but into Vercel's customer's env vars.
The real story is Vercel letting users with access to their infrastructure install random apps not vetted by any security system.
Where did you see that a Context employee had credentials stolen in February? I haven't run into that particular data point.