THURSDAY, MAY 21, 2026 · BRISBANE

THE AI POST

INTELLIGENCE. CURATED.

Breaking · April 20, 2026

The Vercel Hack Just Got Worse. Crypto Projects Are Scrambling and Hackers Want $2 Million for the Data.

Hackers breached Vercel through an AI tool. Now they are selling stolen data, crypto projects are rotating keys, and April just got worse.

The AI Post

The AI Post newsroom — delivering AI news at the speed of intelligence.

This morning we reported that Vercel had been breached through a compromised AI tool called Context.ai. Since then, the story has gotten significantly worse.

A post on cybercrime forum BreachForums claims to be selling Vercel data for $2 million, including access keys and source code. Crypto projects that host their frontends on Vercel are racing to rotate every credential they have. Solana-based decentralized exchange Orca confirmed it rotated all deployment credentials as a precaution. And security researchers are publishing incident response playbooks on GitHub because Vercel still has not sent a mass email to affected users.

The Attack Chain: An AI Tool Was the Front Door

Vercel CEO Guillermo Rauch confirmed the full attack path on X: Context.ai, a third-party AI analytics platform, was compromised first. A Vercel employee had connected their Google Workspace account to Context.ai through OAuth. When Context.ai fell, the attackers pivoted through that OAuth connection into the employee's Google Workspace, then escalated into Vercel's internal environments.

This is exactly the supply chain attack vector security researchers have been warning about for the past year. Companies rush to adopt AI tools, those tools request OAuth access to internal systems, and when the AI tool gets breached, every company that connected to it becomes a target. Context.ai was the weakest link. Vercel was the prize.

Why Crypto Is Panicking

Vercel is not just any web host. It is the primary steward of Next.js, one of the most widely used web development frameworks on the planet. A massive number of Web3 projects use Vercel to host wallet interfaces, trading dashboards, and decentralized app frontends. Those frontends store API keys in environment variables that connect to blockchain data providers and backend services.

Vercel says environment variables marked as "sensitive" are stored encrypted and there is no evidence they were accessed. But non-sensitive environment variables, which many projects use for API keys, database credentials, and service tokens, may have been exposed. The distinction between "sensitive" and "not sensitive" in Vercel's system is an opt-in checkbox most developers never think about.
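The sensitive/non-sensitive split described above translates directly into a rotation triage. The following is an added example, not code from Vercel or from the original article; the export shape (`envs`, `key`, `type`, `target`), the type values other than "sensitive", and the sample variable names are assumptions and constructed data.

```python
import json
import re

# Constructed sample inventory (not real data). The record shape and the
# "plain"/"encrypted" type values are assumptions; adapt to your own export.
SAMPLE_EXPORT = json.dumps({"envs": [
    {"key": "SENTRY_AUTH_TOKEN", "type": "encrypted", "target": ["preview"]},
    {"key": "RPC_PROVIDER_API_KEY", "type": "plain", "target": ["production", "preview"]},
    {"key": "STRIPE_SECRET_KEY", "type": "sensitive", "target": ["production"]},
    {"key": "NEXT_PUBLIC_SITE_NAME", "type": "plain", "target": ["production"]},
    {"key": "DATABASE_URL", "type": "encrypted", "target": ["production"]},
]})

# Name patterns that usually indicate a credential rather than plain config.
CREDENTIAL_HINT = re.compile(
    r"(KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL|PRIVATE|DATABASE_URL|DSN)",
    re.IGNORECASE)


def triage(export_json):
    """Split variable names into (rotate, review, ok).

    rotate: credential-like name not stored as sensitive; assume exposed.
    review: not sensitive and the name gives no hint; a human checks the value.
    ok:     stored as sensitive.
    """
    rotate, review, ok = [], [], []
    for env in json.loads(export_json).get("envs", []):
        key = env.get("key", "")
        # A missing or unknown type is treated as non-sensitive (fail closed).
        if env.get("type") == "sensitive":
            ok.append(key)
        elif CREDENTIAL_HINT.search(key):
            # Rank production-scoped credentials ahead of the rest.
            rank = 0 if "production" in env.get("target", []) else 1
            rotate.append((rank, key))
        else:
            review.append(key)
    return [k for _, k in sorted(rotate)], sorted(review), sorted(ok)


if __name__ == "__main__":
    rotate, review, ok = triage(SAMPLE_EXPORT)
    print("ROTATE NOW (production first):", rotate)
    print("REVIEW VALUE MANUALLY:", review)
    print("STORED AS SENSITIVE:", ok)
```

The name heuristic only sets priority: every variable in the review list still needs its value checked, since a credential can sit behind an innocuous name.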

The timing could not be worse. This breach landed the same weekend a $292 million exploit of Kelp DAO triggered a liquidity crunch across DeFi. That came weeks after Drift was drained for $285 million in an attack linked to North Korean actors. April 2026 is shaping up as one of the most devastating months for crypto security in history.

The Bigger Picture: AI Tools Are the New Attack Surface

This is the third major AI-enabled supply chain attack we have covered this year. First it was Mercor, the AI talent platform that was breached, exposing 4 terabytes of data from OpenAI, Anthropic, and Meta contractors. Then researchers hijacked Claude, Gemini, and Copilot through GitHub credential exfiltration. Now an AI analytics tool is the entry point into one of the internet's most critical infrastructure providers.

The pattern is clear: every AI tool a company connects to its internal systems becomes a potential entry point for attackers. OAuth tokens, API integrations, Google Workspace connections. Each one is a door. Most companies are adding doors faster than they can lock them.

Vercel says it has engaged incident response firms and law enforcement. The $2 million BreachForums listing remains unverified. But the damage is already done: every Vercel customer who stored credentials in non-sensitive environment variables is now asking the same question: "What else did they get?"

Sources: CoinDesk, BleepingComputer, The Hacker News, Vercel official bulletin.

Tags: Vercel, cybersecurity, supply chain, Context.ai, crypto, breach, Next.js, Web3