A data breach at Vercel, the company behind Next.js and Turbo.js, was triggered by a compromised third-party AI application called Context.ai, which exploited OAuth to access internal systems. An employee's use of this application allowed attackers to take control of that employee's Google Workspace account, granting access to certain environment variables. Although Vercel stores sensitive environment variables securely, the breach still poses significant risks. The incident highlights the risks of trusting AI integrations and the importance of scrutinizing third-party applications. The fact that the breach involved a Google Workspace account takeover suggests that attackers are evolving their methods to target cloud-based services. This breach matters to practitioners because it may lead to downstream regulatory and supply-chain effects, underscoring the need for enhanced security measures when integrating AI applications.