How to test dev website by a non-tech person?

April 30, 2026
Mahima Soni

Cloud platform Vercel recently became the victim of a modern supply chain attack through a compromised third-party AI tool (Context.ai), which has raised serious concern over the security of third-party AI tools and supply chain attacks.

Vercel is a $10 billion company providing a ‘Frontend Cloud’ that makes it easy to build, scale, and host modern web applications. Many front-end developers and software engineers use Vercel to host, manage, and deploy web applications.

In April 2026, Vercel disclosed a security breach involving unauthorised access to internal systems, which, according to Vercel, affected a limited subset of customers. There was no direct vulnerability in Vercel’s infrastructure. Instead, the attack originated from a compromised third-party AI tool (Context.ai) used by an internal employee.

This incident shows that modern cyberattacks are no longer limited to direct system breaches. Instead, attackers are increasingly targeting trusted integrations, third-party tools, and identity systems to gain indirect access.

How the Vercel hack actually happened (simple flow):

  • A Vercel employee used a third-party AI tool (Context.ai) with a Vercel enterprise account and granted it “Allow All” permissions.
  • Context.ai was already compromised by hackers.
  • The hackers used OAuth access (Google Workspace login permissions).
  • They took over the employee’s account.
  • From there, they accessed Vercel's internal systems.

Important: This type of attack bypasses traditional perimeter defenses entirely. Instead of breaking in, the attacker operated through legitimate access channels (a Vercel employee’s account).

What data was exposed in the Vercel hacking case?

Some internal system access and environment variables (API keys, tokens, credentials) that were not marked as sensitive were exposed, along with limited customer data. Encrypted (“sensitive”) data and environment variables remained protected, which shows that encrypting data and code is very important.

It is also claimed that the stolen data was offered for sale, reportedly for up to $2 million, indicating a financial motivation behind the attack. After the attack, an investigation into the compromised OAuth tokens began.

Attacks of this kind raise concerns about the security of common features that businesses rely on in their day-to-day activities. This incident is a classic example of a supply chain attack and OAuth access abuse, where attackers first compromise a trusted third-party component instead of the primary target.

Let’s look at supply chain attacks and OAuth access scopes, and at how to avoid such attacks on your application.

What are supply chain attacks and how to prevent them?

Supply chain attacks occur when attackers compromise a trusted external component such as a software dependency, SaaS platform, or integration to gain indirect access to a target organisation.

Why it is a concern:

  • Modern development relies heavily on integrations like AI tools, SaaS platforms, APIs. Each integration extends the attack surface.
  • OAuth-based access risks: OAuth simplifies workflows but introduces risk when permissions are too broad, tokens are long-lived, or access is not continuously monitored.
  • Once attackers gain access to a trusted identity, they can move laterally, access internal systems, and operate without triggering traditional alerts.
  • Any connected tool can become a gateway into enterprise systems.

Supply chain security is about controlling access at the employee, device, and integration level, not just securing code.

How companies and enterprises can prevent supply chain attacks:

  • Restrict employees to approved third-party tools, restrict browser extensions to verified ones only, and block installation of unknown apps on company devices.
  • Review and limit OAuth app permissions and connected accounts.
  • Enforce company-managed devices with endpoint security controls.
  • Apply role-based access control (RBAC).
  • Secure and rotate API keys, tokens and environment variables.
  • Monitor real-time activity for unusual logins, app connections and API usage.
  • Conduct regular awareness and audit sessions.
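
The "secure and rotate" item above, combined with the incident detail that variables not marked as sensitive were the ones exposed, can be checked from metadata alone. This is an added example, not code from Vercel or Bugsmirror; the inventory format, its `sensitive` field, the name pattern and the 90-day window are assumptions.

```python
# Added example: audit environment-variable metadata for secret hygiene.
# The inventory format and every entry are constructed; no values are read.
import re
from datetime import date

# Names that usually hold credentials (assumed naming convention).
SECRET_NAME = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)", re.IGNORECASE)
MAX_AGE_DAYS = 90  # assumed rotation policy


def audit_env(inventory, today):
    """Return {name: [issues]} for secret-looking variables that need action."""
    report = {}
    for var in inventory:
        if not SECRET_NAME.search(var["name"]):
            continue  # ordinary configuration, out of scope for this check
        issues = []
        if not var["sensitive"]:
            issues.append("not marked sensitive")
        age = (today - var["last_rotated"]).days
        if age > MAX_AGE_DAYS:
            issues.append(f"rotation overdue by {age - MAX_AGE_DAYS} days")
        if issues:
            report[var["name"]] = issues
    return report


# Constructed inventory: name, whether it is stored as sensitive, last rotation.
SAMPLE_INVENTORY = [
    {"name": "NEXT_PUBLIC_SITE_URL", "sensitive": False, "last_rotated": date(2025, 1, 10)},
    {"name": "PAYMENTS_API_KEY", "sensitive": False, "last_rotated": date(2026, 3, 1)},
    {"name": "DB_PASSWORD", "sensitive": True, "last_rotated": date(2025, 10, 1)},
    {"name": "SESSION_SECRET", "sensitive": True, "last_rotated": date(2026, 4, 1)},
]

if __name__ == "__main__":
    for name, issues in audit_env(SAMPLE_INVENTORY, date(2026, 4, 30)).items():
        print(f"{name}: " + "; ".join(issues))
```
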

What is OAuth and how can companies secure OAuth access?

OAuth (Open Authorization) is a widely used authorization framework that allows applications or websites to access user data from other services without sharing passwords. It works by issuing temporary access tokens that grant limited permissions. For example, using “Sign in with Google” allows an application to access basic profile information from your Google account without exposing your login credentials.

In this process, passwords are never shared with the third-party app, the app gets only limited access, and you can revoke access at any time.

How does OAuth work?

Let’s walk through how OAuth works with an example:

-> Request: “Sign in with Google”.
-> Consent: You go to Google, enter your password, and authorise the app.
-> Token: Google sends a secret access token back to the app.
-> Access: The app uses this token to access your allowed data.

OAuth becomes a security concern when:

  • Applications are granted excessive permissions.
  • Access tokens are not properly secured or rotated.
  • Third-party apps with access become compromised (such as in the Vercel breach case).

Security measures for companies to secure OAuth access:

  • Allow only approved OAuth apps and block unknown tools from connecting to company accounts (prevent compromised apps like Context.ai).
  • Grant the minimum required permissions (scopes) instead of full account access.
  • Use short-lived tokens and enforce automatic token rotation.
  • Enforce multi-factor authentication (MFA) on all accounts.
  • Set up alerts for new OAuth app connections to quickly detect unauthorised access attempts.
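
The allowlist, least-scope and new-connection checks from the list above can be combined into one review pass over connected-app grants. This is an added example, not code from the article or any vendor; the record format, client IDs, users, allowlist and the choice of "broad" scopes are constructed assumptions.

```python
# Added example: audit OAuth grants against an allowlist and a scope policy.
# Every client ID, app name and user below is constructed sample data.

# Hypothetical allowlist: client_id -> scopes the security team approved.
APPROVED_APPS = {
    "1111.apps.example": {
        "openid",
        "https://www.googleapis.com/auth/calendar.readonly",
    },
}

# Scopes treated as high risk because they grant broad account or data access.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
}

def audit_grants(grants, known_client_ids):
    """Return (user, app_name, reasons) for every grant that needs review."""
    findings = []
    for g in grants:
        scopes = set(g["scopes"])
        reasons = []
        if g["client_id"] not in known_client_ids:
            reasons.append("new app connection")
        approved = APPROVED_APPS.get(g["client_id"])
        if approved is None:
            reasons.append("app not on allowlist")
        elif scopes - approved:
            reasons.append("scopes beyond approval: " + ", ".join(sorted(scopes - approved)))
        if scopes & BROAD_SCOPES:
            reasons.append("broad scopes: " + ", ".join(sorted(scopes & BROAD_SCOPES)))
        if reasons:
            findings.append((g["user"], g["app_name"], reasons))
    return findings

# Constructed grant records, shaped like an export of connected apps per user.
SAMPLE_GRANTS = [
    {"user": "alice@corp.example", "app_name": "Team Calendar", "client_id": "1111.apps.example",
     "scopes": ["openid", "https://www.googleapis.com/auth/calendar.readonly"]},
    {"user": "bob@corp.example", "app_name": "AI Notes Assistant", "client_id": "9999.apps.example",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    {"user": "carol@corp.example", "app_name": "Team Calendar", "client_id": "1111.apps.example",
     "scopes": ["openid", "https://www.googleapis.com/auth/drive"]},
]

if __name__ == "__main__":
    for user, app, reasons in audit_grants(SAMPLE_GRANTS, {"1111.apps.example"}):
        print(f"{user}: {app}: " + "; ".join(reasons))
```
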

What does Bugsmirror suggest?

As a mobile application security provider, Bugsmirror’s red teaming experts continuously analyse real-world attack patterns to understand how modern threats evolve and where security controls fail. These assessments focus not only on identifying vulnerabilities, but also on evaluating how attackers can chain weaknesses across systems.

In a recent Bugsmirror red teaming assessment on a mobile payment application, a critical OAuth scope misconfiguration was identified. Access to a single user account enabled unintended access to associated accounts across multiple applications within the same ecosystem. This highlighted excessive permission scopes and inadequate access segmentation, creating a significant risk of lateral account compromise.

A similar pattern can be observed in the Vercel incident, where misuse of OAuth-based access contributed to unauthorised system exposure. These cases reinforce the need for strict OAuth scope control, least privilege enforcement, and continuous monitoring of delegated access.

For robust organizational and application security, we suggest the following:

* Secure code and dependencies. Always encrypt sensitive code, as exposed code is the first to be exploited. Bugsmirror Shield is an advanced code obfuscation tool that encrypts code so that it can't be decrypted by any other tool.

* Test applications in real-world conditions. Simulate attack scenarios to check for API weaknesses, authentication flaws, and runtime vulnerabilities. Red teaming should not be limited to applications; company devices should also be audited regularly to avoid security breaches.

* Protect applications at runtime to detect and prevent tampering and abnormal behaviour, and to block active threats directly on the device. Bugsmirror Defender is an advanced RASP solution protecting many mobile apps from 45+ runtime threats.

* Maintain a unified, real-time view of threats across users, devices, and applications to identify attack patterns, anomalies, and high-risk behaviours early.

* Continuously update protections, dynamically adjust policies, and rapidly contain threats to minimise impact in evolving attack scenarios. Bugsmirror Cloud solution offers real-time threat intelligence and over-the-air updates for app security policy changes.

Similar to supply chain attacks, runtime vulnerabilities such as account takeover attacks and sophisticated fraud are also causing financial loss to organizations and users. Get a complimentary security audit to identify the vulnerabilities of your business mobile application and protect it today.

FAQs:

  1. What is supply chain compromise?

    A supply chain compromise happens when attackers exploit a trusted third-party tool, dependency, or integration to gain access to an organisation. Instead of attacking directly, they use these external connections as entry points, making the attack harder to detect.

  2. What are access-layer attacks?

    Access-layer attacks target identities, permissions, or authentication systems. Attackers use compromised credentials or excessive access rights to enter systems through legitimate channels and move across applications without raising alerts.

  3. What is granular access control?

    Granular access control means giving users and applications only the exact permissions they need. It limits unnecessary access, reduces risk, and helps prevent misuse or lateral movement during a breach.

  4. What is OAuth access and its scope?

    OAuth access allows apps to use user data through access tokens, without sharing passwords. Scopes define what the application can do, such as reading user data or modifying settings. If scopes are too broad or not properly managed, they can become a security risk, allowing attackers to gain excessive access if the token is compromised.

