In April 2026, a threat actor compromised Vercel developer infrastructure through an identity supply chain attack that never required stealing a single password. By exploiting a compromised third-party OAuth integration — Context.ai — the attacker inherited valid Google Workspace refresh tokens, bypassed multi-factor authentication entirely, and exfiltrated production secrets from internal dashboards. This incident represents a paradigm shift: the attack surface has moved from credentials to consent, and the blast radius extends to every application that trusts the identity provider.
This advisory is classified TLP:GREEN. This advisory may be freely shared without restriction.
The Valet Key Attack Chain
The compromise unfolded across four distinct phases, each exploiting a fundamental trust assumption in modern OAuth-based identity architectures. The attacker never needed to phish a credential — they inherited one.
Context.ai GCP Project Compromise
The attacker gained access to Context.ai's Google Cloud Platform project, extracting the OAuth Client Secret and all associated Refresh Tokens issued to users who had previously authorized the Context.ai integration. Because OAuth consent grants are persistent, the attacker inherited every active session — including those belonging to Vercel developers who had authorized Context.ai to access their Google Workspace accounts.
110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj[.]apps[.]googleusercontent[.]com
This client ID was associated with the Context.ai application's GCP OAuth configuration. Any Google Workspace user who had previously granted consent to this application was immediately at risk — the attacker could impersonate them without any interaction from the victim.
Refresh Token Exchange
With the stolen Client Secret and Refresh Tokens, the attacker exchanged them for fresh Access Tokens against Google's OAuth2 token endpoint. This is the critical design flaw: token refresh operations do not trigger MFA re-evaluation.
POST https://oauth2.googleapis.com/token HTTP/1.1 Content-Type: application/x-www-form-urlencoded client_id=110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com &client_secret=[REDACTED] &refresh_token=[STOLEN_REFRESH_TOKEN] &grant_type=refresh_token // Response: fresh access_token valid for 3600 seconds // No MFA challenge. No session validation. No user notification.
Google Workspace Conditional Access policies do not re-evaluate trust signals during token refresh operations. Once a user has completed initial authentication and granted consent, subsequent token refreshes are treated as trusted continuations of the original session — regardless of the source IP, device posture, or geographic location of the refresh request.
Targeted Data Discovery
Using the freshly minted access tokens, the attacker conducted systematic enumeration of Google Workspace resources. Network analysis revealed queries originating from the 194.26.135.0/24 IP range, targeting high-value keywords across Gmail, Drive, and internal documentation:
PROD_SECRETAPI_KEYgod-modeenvKMS
The search patterns suggest the attacker used automated tooling — likely AI-augmented — to rapidly identify and prioritize documents containing production credentials, environment configurations, and key management references.
God Mode Dashboard & C2 Exfiltration
The attacker located a "God Mode" internal administration dashboard — a privileged interface used by Vercel engineers for production debugging. While individual metadata fields within the dashboard were classified as non-sensitive, the attacker reconstructed sensitive production values by combining multiple non-sensitive metadata fields — a classic aggregation attack.
Exfiltrated data was transmitted to a command-and-control endpoint designed to mimic a legitimate API update service:
api-update-verification[.]com/collect
Attack Timeline
| Phase | Timeframe | Event |
|---|---|---|
| T-Unknown | Pre-Attack | Context.ai GCP project compromised. OAuth Client Secret and Refresh Tokens extracted from vendor infrastructure. |
| T+0 | Initial Access | Attacker begins refreshing stolen OAuth tokens against Google's token endpoint. Fresh Access Tokens issued for Vercel developer accounts. |
| T+2hrs | Enumeration | Systematic Workspace enumeration begins. High-value keyword searches across Gmail, Drive, and Docs from 194.26.135.0/24. |
| T+8hrs | Discovery | God Mode dashboard located. Non-sensitive metadata fields identified for aggregation attack against production secrets. |
| T+12hrs | Exfiltration | Production secrets reconstructed and exfiltrated via C2 at api-update-verification[.]com/collect. |
| T+72hrs | Detection | Anomalous OAuth token refresh patterns detected by Vercel security. Context.ai OAuth integration revoked. Incident response initiated. |
Indicators of Compromise
| Indicator | Type | Confidence | Status | MITRE Technique |
|---|---|---|---|---|
110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj[.]apps[.]googleusercontent[.]com | OAuth Client ID | High | Revoked | T1195.003 |
194.26.135.0/24 | Actor IP Range | Medium | Active | T1087.003 |
api-update-verification[.]com | C2 Domain | High | Active | T1041 |
| Context.ai (GCP OAuth App) | Compromised Vendor | High | Confirmed | T1195.003 |
oauth2.googleapis.com/token (anomalous refresh volume) | Token Endpoint Abuse | Medium | Behavioral | T1550.001 |
api-update-verification[.]com/collect | Exfil Endpoint | High | Active | T1041 |
MITRE ATT&CK Mapping
| Technique ID | Name | Tactic | Relevance |
|---|---|---|---|
| T1195.003 | Supply Chain Compromise: Compromise Software Supply Chain | Initial Access | Compromise of Context.ai OAuth integration as supply chain entry point |
| T1566.002 | Phishing: Spearphishing Link | Initial Access | Original consent phishing that established OAuth grants to Context.ai |
| T1550.001 | Use Alternate Authentication Material: Application Access Token | Defense Evasion | Reuse of stolen OAuth refresh tokens to generate fresh access tokens |
| T1528 | Steal Application Access Token | Credential Access | Extraction of refresh tokens from compromised Context.ai GCP project |
| T1087.003 | Account Discovery: Email Account | Discovery | Enumeration of Google Workspace accounts and resources via API |
| T1114.002 | Email Collection: Remote Email Collection | Collection | Targeted keyword searches across Gmail and Drive via OAuth-authorized API |
| T1552.001 | Unsecured Credentials: Credentials In Files | Credential Access | Discovery of production secrets in internal dashboards and documentation |
| T1041 | Exfiltration Over C2 Channel | Exfiltration | Production secrets exfiltrated via api-update-verification[.]com/collect |
Tactical Hunting: Google Workspace Log Queries
The following queries target Google Workspace Admin SDK and audit logs. They are designed to detect the specific patterns observed in this incident and should be adapted to your environment.
Query 1: Malicious OAuth Grant Detection
Detects OAuth consent grants to the known compromised Context.ai Client ID via the Google Workspace Authorize API Site event.
event_name = "authorize" AND api_name = "API Site" AND client_id = "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com" // Returns: user, timestamp, scopes granted, IP address // Action: Any match confirms prior consent to the compromised app. // Immediately revoke the token and investigate the account.
Query 2: Token Anomaly — High-Privilege Account Refresh Activity
Identifies unusual token refresh patterns from accounts with elevated privileges — a key indicator of stolen refresh token abuse.
event_name = "token_refresh" AND actor.is_admin = true AND ( ip_address NOT IN [corporate_ip_ranges] OR geo.country NOT IN [expected_countries] ) GROUP BY actor.email, client_id HAVING COUNT(*) > 10 WITHIN 1 HOUR // Flags: Rapid token refresh from non-corporate IPs for admin accounts // Threshold: Adjust based on your baseline refresh patterns
Query 3: Admin SDK Scope Abuse — Third-Party App Behaviour
Detects third-party applications exercising Admin SDK or high-privilege scopes — a pattern consistent with compromised OAuth integrations performing unauthorized enumeration.
event_name IN ("list_users", "list_groups", "list_org_units") AND actor.caller_type = "THIRD_PARTY_APP" AND client_id NOT IN [approved_app_whitelist] // Detects: Unauthorized apps using Admin SDK Directory API // Scopes to monitor: // - https://www.googleapis.com/auth/admin.directory.user.readonly // - https://www.googleapis.com/auth/admin.directory.group.readonly // - https://www.googleapis.com/auth/gmail.readonly
Lessons Learned
For Investigators
- OAuth tokens are credentials. Treat refresh token theft with the same severity as password compromise. A stolen refresh token provides persistent, MFA-bypassing access to every resource the original consent grant authorized.
- Third-party app consent is a lateral movement vector. When investigating a compromised identity, enumerate every third-party app the user has authorized. Each consent grant is a potential persistence mechanism and a bridge to the vendor's infrastructure.
- Token refresh logs are the new authentication logs. Standard sign-in logs will show nothing abnormal. The attack signal lives in token refresh patterns: unusual IPs, unusual frequency, unusual client IDs refreshing tokens for accounts they should not be associated with.
- Aggregation attacks bypass data classification. Individual metadata fields classified as "non-sensitive" can be combined to reconstruct sensitive values. Investigate what was accessed in aggregate, not just individual file classifications.
- C2 domains mimic legitimate services. The exfiltration endpoint (api-update-verification[.]com) was designed to blend with legitimate API traffic. DNS and proxy log analysis must look beyond simple blocklist matching.
For Security Engineers
- Implement OAuth application whitelisting. Do not allow users to grant consent to arbitrary third-party applications. Use Google Workspace Admin > Security > API Controls to restrict which apps can access organizational data.
- Deploy token binding or continuous access evaluation (CAE). Where supported, enable Conditional Access policies that force re-evaluation of trust signals on every token refresh — not just initial authentication.
- Monitor and alert on token refresh anomalies. Build detection rules that correlate token refresh events with expected client IDs, IP ranges, and geographic locations. Any mismatch should trigger an investigation.
- Segment secrets from identity-accessible surfaces. Production secrets should never be accessible through the same identity plane that serves email and documents. Use dedicated secret management infrastructure (HSMs, Vault, KMS) with separate authentication chains.
- Audit third-party vendor OAuth integrations quarterly. Maintain an inventory of every OAuth consent grant in your organization. Review scopes, assess vendor risk, and revoke grants for applications no longer in active use.
CISO Checklist
- OAuth Application Whitelisting: Restrict third-party OAuth consent to pre-approved applications only. Implement Google Workspace API Controls to enforce organizational policy on which apps can access user data. Block new consent grants by default.
- Token Inventory & Revocation: Conduct an immediate audit of all active OAuth tokens in your Google Workspace tenant. Identify and revoke tokens associated with the compromised Context.ai Client ID. Establish a recurring token review cadence (minimum quarterly).
- Secret Isolation: Ensure production secrets, API keys, and KMS configurations are not stored in or accessible through Google Workspace surfaces (Gmail, Drive, Docs). Migrate to dedicated secret management infrastructure with separate authentication chains.
- Third-Party Risk Assessment: Review all OAuth-integrated vendors for security posture. Request SOC 2 Type II reports, penetration test results, and incident response plans. Evaluate whether each vendor's access scopes are appropriately minimized.
- MFA Hardening (FIDO2): Transition from push-based MFA to phishing-resistant FIDO2/WebAuthn tokens for all privileged accounts. Note: FIDO2 does not prevent OAuth token reuse attacks — but it eliminates the consent phishing vector that created the initial grants.
- Identity Threat Detection & Response (ITDR): Deploy ITDR capabilities that monitor the identity layer independently of endpoint and network detection. Focus on OAuth-specific signals: anomalous token refresh patterns, new consent grants, scope escalation, and cross-tenant token usage.
Mjolnir Security — Identity Security & Incident Response
Mjolnir Security provides specialized identity security services to detect, investigate, and remediate OAuth-based attacks and identity supply chain compromises.
- Incident Response: 24/7 incident response for identity compromise, OAuth token theft, and cloud-native attacks. Our DFIR team specializes in Google Workspace and Microsoft 365 forensics with sub-4-hour response times.
- OAuth Security Assessment: Comprehensive audit of your OAuth ecosystem — consent grants, token lifetimes, scope inventory, and third-party application risk scoring. Identifies over-privileged integrations before attackers do.
- Identity Threat Detection: Custom ITDR detection rules tailored to your identity infrastructure. We build and tune alerting for token anomalies, consent phishing, and identity supply chain indicators.
- Cloud Forensics: Deep forensic analysis of Google Workspace, Azure AD/Entra ID, and AWS IAM logs. We trace attacker activity from initial token abuse through lateral movement and data exfiltration.
References
- "Vercel Security Incident Report: OAuth Token Compromise via Third-Party Integration," Vercel Blog, April 2026. vercel.com/blog
- "T1550.001 - Use Alternate Authentication Material: Application Access Token," MITRE ATT&CK. attack.mitre.org
- "T1195.003 - Supply Chain Compromise: Compromise Software Supply Chain," MITRE ATT&CK. attack.mitre.org
- "OAuth 2.0 Security Best Current Practice," IETF RFC 9700. ietf.org
- "Identity Supply Chain Attack Analysis: Context.ai Incident," Mjolnir Labs, April 2026. mjolnirsecurity.com
Stay ahead of emerging threats. Get notified when we publish new intelligence reports and advisories.
Subscribe to Alerts