---
title: "Vercel Was Breached Via an AI Meeting Tool in February and Nobody Noticed for Two Months"
description: "The Vercel supply chain breach through Context.ai, LMDeploy exploited via SSRF thirteen hours after disclosure, Microsoft shipping an AI admin role with privilege escalation built in, Reflection AI's $25B valuation with nothing shipped yet, and the one funding bet this week that is actually interesting."
publishedAt: "2026-04-28"
author: "Alex Rivera"
category: "news"
tags: ["hacker-news", "security", "vercel", "supply-chain", "AI", "startups", "developer-tools", "funding", "LMDeploy", "microsoft"]
---
The thing that surprised me about the Vercel breach (and I have been reading postmortems professionally since before most people writing about them had a LinkedIn account) is not that it happened. Supply chain attacks happen. Third-party tooling gets compromised. That is table stakes now. What surprised me is the specific chain. The initial compromise came via Lumma Stealer malware hitting Context.ai, an AI meeting intelligence product that a Vercel employee was using as part of their normal workflow. The attacker took the session tokens from that and used them to walk into the employee's Google Workspace account, which handed them the employee's Vercel account, which gave them enough of an internal foothold to enumerate and eventually decrypt what Vercel is calling "non-sensitive" environment variables across a subset of customer accounts. The database, or something representing itself as the database, then showed up on BreachForums priced at two million dollars.
Two months. Vercel's own bulletin places the initial compromise in February 2026 and discovery in April, which puts the dwell time at roughly two months.
The HN thread on this story is long and the discussion is considerably more informative than the official bulletin. Several engineers pointed out that the "sensitive" versus "non-sensitive" environment variable distinction is doing a lot of heavy lifting in Vercel's framing. Sensitive environment variables are stored so that their values cannot be read back after creation, and Vercel says there is no evidence those were accessed. The variables that were not marked sensitive are where the exposure lives. One commenter who identified as a long-time Vercel customer put it bluntly: "The question isn't whether my secrets were 'sensitive.' The question is why I'm supposed to remember to click a box to store something securely when the default should be secure storage." That is a fair critique. A security posture that depends on users remembering to opt into protection fails consistently at scale.
Theo from t3.gg confirmed the broad strokes publicly from his own sources: sensitive vars are safe, non-sensitive vars should be rotated as a precaution, and the primary internal victims were Vercel's own systems, including its Linear workspace and GitHub repositories. TechCrunch confirmed that Vercel had not received a ransom demand and had engaged incident response experts. A Trend Micro writeup called it an OAuth supply chain attack, which is the technically precise framing: the initial access came through a third-party service that held OAuth-delegated access to the employee's identity.
Here is what I want you to actually take from this story, rather than the usual "rotate your credentials" boilerplate. The initial vector, Lumma Stealer through an AI productivity tool, is going to become the dominant attack pattern against developer teams. Think about how many AI tools your team is using right now that have OAuth access to your Google Workspace, your GitHub, your Slack. In my experience the typical engineering team has added somewhere between six and ten of them in the last eighteen months: meeting intelligence, code review bots, documentation generators, coding assistants with full repository access. Each one is a potential initial access point, and each is operated by people, at the vendor and on your own team, who may or may not be running current endpoint protection. The attack surface has expanded faster than most organizations' security teams have noticed, and the Vercel incident is the first high-profile proof of that at scale against a platform that millions of developers deploy on.
If you are running on Vercel: rotate everything that was not marked sensitive, regardless of whether you think it matters, and check which targets (production, preview, development) each rotated variable was attached to so you do not leave a preview deployment holding the old value. If you are a CTO or platform lead: audit which third-party AI tools in your organization hold OAuth grants into your primary identity provider this week, not next month, and revoke any scope that does not match what the tool visibly does. Context.ai is what "what access does this AI productivity tool actually need" looks like when it is treated as a procurement checkbox rather than a first-tier security question.
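As an added example (not code from Vercel or from this post's sources), here is a triage script for the rotation step above. It assumes Vercel's environment-variable listing looks like the constructed sample below, with an opt-in sensitive variable carrying type "sensitive" and every other type readable by whoever held the account; the API shape, the type names, and the sample data are all assumptions, and the name patterns are deliberately broad.

```python
import json
import re

# Names that very probably hold a credential. Broad on purpose: a false
# positive costs one unnecessary rotation, a false negative costs an incident.
SECRET_NAME = re.compile(
    r"SECRET|TOKEN|KEY|PASS(WORD|WD)?|PRIVATE|CREDENTIAL|DSN|DATABASE_URL|CONNECTION",
    re.IGNORECASE,
)

# Assumption: the listing marks opt-in sensitive variables with type
# "sensitive". Everything else ("plain", "encrypted", "secret", "system")
# was readable to whoever had the account, which is the population to rotate.
PROTECTED_TYPES = {"sensitive"}

# Framework prefixes that are inlined into the browser bundle: these values
# were public before the breach, so rotating them changes nothing.
PUBLIC_PREFIXES = ("NEXT_PUBLIC_", "VITE_", "PUBLIC_", "REACT_APP_")

# Constructed sample in the assumed shape of a project env-var listing.
SAMPLE_LISTING = json.loads("""
{
  "envs": [
    {"key": "STRIPE_SECRET_KEY",       "type": "encrypted", "target": ["production"]},
    {"key": "STRIPE_WEBHOOK_SECRET",   "type": "sensitive", "target": ["production"]},
    {"key": "DATABASE_URL",            "type": "encrypted", "target": ["production", "preview"]},
    {"key": "OPENAI_API_KEY",          "type": "encrypted", "target": ["development"]},
    {"key": "NEXT_PUBLIC_POSTHOG_KEY", "type": "plain",     "target": ["production", "preview"]},
    {"key": "LOG_LEVEL",               "type": "plain",     "target": ["production"]}
  ]
}
""")


def classify(env):
    """One verdict per variable: protected, public, rotate or review."""
    key = env["key"]
    if env.get("type") in PROTECTED_TYPES:
        return "protected"          # value was never readable: no action
    if key.startswith(PUBLIC_PREFIXES):
        return "public"             # already in the client bundle: no action
    if SECRET_NAME.search(key):
        return "rotate"             # readable and named like a credential
    return "review"                 # readable; decide whether it was secret


def rotation_plan(listing):
    """Readable variables, credentials first, with the targets each one touches."""
    plan = []
    for env in listing["envs"]:
        verdict = classify(env)
        if verdict in ("rotate", "review"):
            plan.append({
                "key": env["key"],
                "verdict": verdict,
                "type": env.get("type"),
                "targets": sorted(env.get("target", [])),
            })
    # "rotate" rows first, then alphabetical, so the list reads top-down.
    return sorted(plan, key=lambda e: (e["verdict"] != "rotate", e["key"]))


if __name__ == "__main__":
    for item in rotation_plan(SAMPLE_LISTING):
        print(f'{item["verdict"]:8}{item["key"]:28}{item["type"]:11}{",".join(item["targets"])}')
```

The "review" bucket exists because the bulletin's advice is to rotate everything readable, not only the variables with obvious names; a feature flag is harmless, but a `DATABASE_URL` that someone renamed `DB` is not, and only a human who knows the project can tell them apart.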
Speaking of AI tooling being weaponized before the ecosystem is ready for it: CVE-2026-33626 dropped earlier this week and was being actively exploited in production environments within thirteen hours of public disclosure. The vulnerable component is LMDeploy, an open-source toolkit from the InternLM team for compressing, deploying, and serving large language models. The flaw is in the vision-language image loader: the load_image() function in lmdeploy/vl/utils.py fetches arbitrary URLs without checking whether they resolve to internal or private IP addresses. That is textbook server-side request forgery. Anyone who has done offensive security work for more than a year can spot that pattern from across the room.
Sysdig's honeypots caught the first exploitation attempt twelve hours and thirty-one minutes after the advisory was published on GitHub. In one eight-minute session, the attacker used the image loader as a generic HTTP SSRF primitive to port-scan the internal network behind the model server, hitting the AWS Instance Metadata Service, Redis, MySQL, and an administrative interface, then finished with out-of-band DNS exfiltration. That is not someone fumbling around. That is someone who either had the exploit built before the advisory dropped or runs tooling that picks up newly published CVEs and starts testing within hours.
The security community discussion on this was candid in a way the formal advisories are not. Multiple researchers noted that vision-language image loaders across the inference server ecosystem share this same structural weakness because they were designed by ML researchers optimizing for capability and convenience, not by security engineers thinking about what happens when the URL parameter is attacker-controlled. This is not a knock on the InternLM team specifically; it is a pattern. AI infrastructure code tends to be written under research norms that assume trusted inputs and university networks, and then gets deployed in production environments where those assumptions collapse immediately.
The broader signal here, which several people noted explicitly, is that we are entering a period where AI inference infrastructure is being attacked with the same intensity as web application infrastructure was from 2010 through 2015. The vulnerability categories are not new: SSRF, injection, authentication bypass. What is new is that the AI infrastructure layer is younger, less audited, and being deployed at extraordinary speed into environments where it has access to sensitive data and internal network resources. If you are running LMDeploy with vision-language support anywhere in your stack, patch immediately. If you are running any open-source inference server in production, add network-level controls that block server-side requests to internal address ranges and metadata endpoints before the next disclosure lands; on AWS, enforcing IMDSv2 helps as well, because the session-token PUT it requires is not something a plain GET image fetch can issue.
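An added example, not LMDeploy's code and not from the page's sources: the application-layer gate that a URL-accepting image loader like load_image() is missing. The function names, the injectable resolver, and the sample addresses are this example's own. The check limits scheme and port, resolves the hostname itself, rejects any answer that is not globally routable (which covers loopback, RFC 1918, link-local and therefore 169.254.169.254, ULA and IPv4-mapped IPv6), and hands back a pinned IP so that a rebinding DNS record cannot swap in a private address between the check and the connect. Redirects get the same treatment per hop, which only works if the HTTP client is told not to follow them on its own.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}          # an image CDN does not live on 6379 or 3306


def resolve_all(host):
    """Every address the host currently maps to (A and AAAA), de-duplicated."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public(addr):
    """True only for globally routable unicast addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:127.0.0.1 is 127.0.0.1 in disguise
    return ip.is_global                # False for loopback, RFC 1918, link-local
                                       # (169.254.169.254 included), ULA, CGNAT, ...


def check_url(url, resolver=resolve_all):
    """Gate a user-supplied image URL before any socket is opened.

    Returns (ok, reason, pinned_ip). The caller must connect to pinned_ip and
    send the original hostname in the Host header (and SNI); re-resolving the
    name at connect time reopens the DNS-rebinding hole this closes.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed", None
    if parsed.username or parsed.password:
        return False, "userinfo in URL not allowed", None
    host = parsed.hostname
    if not host:
        return False, "no host", None
    try:
        port = parsed.port or (443 if parsed.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "malformed port", None
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", None

    try:
        ipaddress.ip_address(host)
        addrs = [host]                 # literal address: nothing to resolve
    except ValueError:
        try:                           # "2130706433" and "0x7f000001" land here; the
            addrs = resolver(host)     # resolver turns them into 127.0.0.1, caught below
        except OSError as exc:         # socket.gaierror is an OSError
            return False, f"resolution failed: {exc}", None
    if not addrs:
        return False, "host resolved to nothing", None
    for addr in addrs:                 # every answer must pass, not just the first
        if not is_public(addr):
            return False, f"{host} -> {addr} is not a public address", None
    return True, "ok", addrs[0]


def check_redirect(current_url, location, resolver=resolve_all):
    """Re-run the gate on a Location header (relative or absolute)."""
    return check_url(urljoin(current_url, location), resolver=resolver)


if __name__ == "__main__":
    for candidate in ("http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:127.0.0.1]/", "http://10.0.0.5:3306/"):
        print(candidate, "->", check_url(candidate)[1])
```

The `resolver` parameter exists so the gate can be unit-tested without DNS, but it also matters in production: the resolver and the HTTP client must see the same answer, which is why the function returns the IP it validated instead of letting the client look the name up again. Network-level egress filtering stays in place underneath this; the gate is the first layer, not the only one.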
The Microsoft Entra story from earlier this month deserves more traction than it received. Silverfort researchers found that the Agent ID Administrator role, a new built-in role Microsoft introduced as part of its agent identity platform to manage the lifecycle of AI agents in a tenant, had a scope problem. Users assigned that role could take over arbitrary service principals, including ones that had nothing to do with AI agents. The mechanism was straightforward: make yourself an owner of the target service principal, add your own credentials to it, authenticate as that principal. About 99% of Entra tenants have at least one privileged service principal, and more than half use agent identities, averaging around a hundred per tenant. Anyone handed the Agent ID Administrator role who knew what they were doing could escalate to essentially any identity in the tenant.
Microsoft patched it on April 9th after Silverfort reported it in March, and the fix is deployed. But the story is not really about the specific bug; it is about what the bug reveals. Microsoft is shipping AI agent infrastructure features at a pace that its security review process clearly is not keeping up with. The Agent ID Administrator role was introduced to support a new product capability, was granted broad permissions by default, and did not get adequate security boundary analysis before it landed in production tenants across the enterprise. That is not a Microsoft-specific failure. It is what happens when every platform is simultaneously rushing to ship AI agent features while security teams are stretched thinner than they have been in years.
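The patch closes the hole going forward, but it does not tell you whether anyone walked through it between the role's introduction and April 9th. As an added example (not Silverfort's tooling and not Microsoft's), here is a detection over Entra directory audit records for the exact two-step chain described above: an owner added to a service principal, then credentials added to the same principal by the same actor shortly afterwards, with extra weight when the target is not an agent identity at all. The activity names and the record shape are assumptions modelled on the Graph directoryAudits export (check them against your own tenant's logs), and the records are constructed.

```python
from datetime import datetime, timedelta

# Assumed audit activityDisplayName values; verify against your tenant's export.
OWNER_ADDED = "Add owner to service principal"
CREDENTIAL_ADDED = "Add service principal credentials"

# Constructed records in the assumed shape of Graph `auditLogs/directoryAudits`
# (only the fields the detection reads are filled in).
SAMPLE_AUDIT = [
    # The takeover chain: owner add, then a new credential, seven minutes apart.
    {"activityDateTime": "2026-04-03T10:00:12Z", "activityDisplayName": OWNER_ADDED,
     "initiatedBy": {"user": {"userPrincipalName": "mallory@contoso.example"}},
     "targetResources": [{"id": "sp-graph-automation", "type": "ServicePrincipal"},
                         {"id": "user-mallory", "type": "User"}]},
    {"activityDateTime": "2026-04-03T10:07:12Z", "activityDisplayName": CREDENTIAL_ADDED,
     "initiatedBy": {"user": {"userPrincipalName": "mallory@contoso.example"}},
     "targetResources": [{"id": "sp-graph-automation", "type": "ServicePrincipal"}]},
    # Routine: the platform team rotates a key on an agent identity, no owner change.
    {"activityDateTime": "2026-04-03T11:30:00Z", "activityDisplayName": CREDENTIAL_ADDED,
     "initiatedBy": {"user": {"userPrincipalName": "platform@contoso.example"}},
     "targetResources": [{"id": "sp-agent-0042", "type": "ServicePrincipal"}]},
    # Owner added, credential two days later by the same person: outside the window.
    {"activityDateTime": "2026-04-01T09:00:00Z", "activityDisplayName": OWNER_ADDED,
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"id": "sp-agent-0042", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2026-04-03T11:45:00Z", "activityDisplayName": CREDENTIAL_ADDED,
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"id": "sp-agent-0042", "type": "ServicePrincipal"}]},
]

# Service principals that really are agent identities (constructed). Anything
# else an Agent ID Administrator touches is outside the role's intended scope.
AGENT_IDENTITY_IDS = {"sp-agent-0042"}


def _when(rec):
    return datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))


def _actor(rec):
    by = rec.get("initiatedBy", {})
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName")


def _target_sp(rec):
    for target in rec.get("targetResources", []):
        if target.get("type") == "ServicePrincipal":
            return target.get("id")
    return None


def find_takeover_chains(records, agent_identity_ids, window=timedelta(hours=24)):
    """Owner-add followed, within `window`, by a credential-add on the same
    service principal by the same actor. Returns one finding per chain."""
    owner_adds = {}                                # (actor, sp) -> time of owner add
    findings = []
    for rec in sorted(records, key=_when):         # exports are not always ordered
        actor, sp = _actor(rec), _target_sp(rec)
        if not actor or not sp:
            continue
        name, at = rec.get("activityDisplayName"), _when(rec)
        if name == OWNER_ADDED:
            owner_adds[(actor, sp)] = at
        elif name == CREDENTIAL_ADDED:
            started = owner_adds.get((actor, sp))
            if started is not None and at - started <= window:
                findings.append({
                    "actor": actor,
                    "service_principal": sp,
                    "minutes_between": round((at - started).total_seconds() / 60, 1),
                    "outside_agent_scope": sp not in agent_identity_ids,
                })
    return findings


if __name__ == "__main__":
    for finding in find_takeover_chains(SAMPLE_AUDIT, AGENT_IDENTITY_IDS):
        print(finding)
```

Run this over the audit export for the whole period the role existed, not just the days around the patch, and intersect the actors with the role's assignment history; the same two events by a Global Administrator are ordinary, the same two events by someone whose only privilege was Agent ID Administrator are the bug being used.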
The HN commentary was largely resigned rather than alarmed, which itself tells you something about where security fatigue sits in the developer community right now. The comment that captured the thread's mood was something close to: "So they built a new privileged role for AI agents, didn't think carefully about its scope, and it turned out to grant too much access. Bold prediction: this will happen several more times in the next twelve months with different platforms." That is not cynicism for its own sake. That is an accurate forecast of what happens when identity and authorization features ship under competitive time pressure.
On the funding circus, because I cannot write one of these without acknowledging the ambient madness: Reflection AI is in talks to raise $2.5 billion at a $25 billion pre-money valuation, per reporting from earlier this month. This is a company that launched with $130 million in March 2025, raised $2 billion at an $8 billion valuation in October 2025, and is now apparently worth $25 billion before the current round has even closed. It is positioning itself as "America's open frontier AI lab," a pitch aimed squarely at post-DeepSeek anxiety in Washington and among LPs who want to have backed the American answer to Chinese open-source AI. The Turing Post ran a profile with the subtitle "The $20B Open-Model Startup That Has Yet to Ship" and I cannot improve on that framing.
There is a standard HN genre for announcements like this and the comments write themselves: some variation of "has anyone used a model from them yet," followed by people discovering the answer is essentially no, followed by a debate about whether this is visionary capital allocation or the most expensive vaporware in the history of the industry. I do not think Reflection is fraudulent: the people involved are serious, the technical direction is legitimate, and the open-source AI lab positioning is a real market gap. But a valuation trajectory outrunning the shipping trajectory by this margin is a classic indicator that market narrative is doing more work than product momentum. At $25 billion, there is essentially no outcome where early investors do well unless this becomes a top-two or top-three frontier lab. That is possible. It requires shipping something.
The story I am actually, genuinely interested in (and I want to be clear that genuine interest is rare for me in a week this heavy with security disclosures and funding theater) is Yann LeCun's AMI Labs. The company raised $1.03 billion in a seed round at a $3.5 billion valuation in March, which sounds absurd until you read what they are actually doing and who is doing it. LeCun left Meta after decades building one of the most significant AI research organizations in the world, and his thesis is simple and publicly stated: large language models are the wrong architecture for general intelligence. They cannot plan reliably. They hallucinate because they generate token by token without a model of the world. They will hit a ceiling before anything resembling reasoning emerges from scaling further. AMI Labs is building world models using JEPA, the Joint Embedding Predictive Architecture that LeCun introduced in 2022. JEPA learns abstract representations and predicts in a compressed latent space rather than reconstructing every token, which is a fundamentally different claim about what cognition requires.
The HN community reaction to the funding announcement was notably different from the reaction to most AI funding news, which usually ranges from skeptical to contemptuous. The thread had a "Yann gets to prove his point" energy: people who have read his work and genuinely disagree with the LLM scaling thesis expressing something like cautious optimism that someone is finally putting serious capital behind the alternative. A few commenters noted that LeCun has been publicly wrong about specific predictions before (he dismissed transformer-based approaches more than once, which did not age well), but also that his core architectural intuitions have a strong track record going back decades. The response that stuck with me was simple: "Very bullish on AMI Labs because of the team quality and open research ambition. We need someone to actually test the world model hypothesis at scale."
I do not know if JEPA-based world models will outpace frontier LLMs. Nobody does, including LeCun. What I do know is that this is a genuinely different scientific bet, backed by a serious researcher who has earned the right to be wrong in interesting ways, and that the alternative hypothesis, that scaling LLMs indefinitely produces general intelligence, is also unproven at any scale we have actually reached. If AMI Labs produces open research, which it has committed to, the field improves regardless of whether the product succeeds commercially. The company is targeting industrial, robotic, and healthcare applications, where LLM limitations are most consequential. That is a defensible market selection if the architecture delivers. This is the one billion-dollar raise this week that I do not feel the need to put in air quotes.
One more thing worth noting briefly, because it is part of a pattern you should be tracking: OpenAI's acquisition of Hiro Finance earlier this month. Hiro was a personal finance planning tool (scenario modeling for income, debt, and spending) with about thirteen people. OpenAI acquired the team. The product stopped working on April 20th, and user data gets deleted on May 13th. This is OpenAI's second acqui-hire in roughly a month following the same playbook: identify a team building interesting domain expertise in a vertical, acquire them, shut the product down fast enough that users barely have time to export their data, and absorb the talent into OpenAI's own push into that vertical.
If you are a founder building a vertical AI application right now, this is the market structure you are operating in. OpenAI is systematically acquiring domain expertise in the verticals it wants to compete in while shutting down the products those users depended on. That is legal and rational from OpenAI's perspective. It is worth being clear-eyed about what it means for what you build and who you build it on top of. The moat for a vertical AI application is not the AI capability; that moat erodes the moment the platform company decides to compete. It is distribution, proprietary data, and customer relationships, which a thirteen-person startup rarely has time to build before the acqui-hire offer arrives. Plan accordingly.
Sources:
- Vercel April 2026 security incident | Hacker News
- Vercel April 2026 security incident | Vercel Knowledge Base
- App host Vercel says it was hacked and customer data stolen | TechCrunch
- Vercel confirms breach as hackers claim to be selling stolen data | BleepingComputer
- The Vercel Breach: OAuth Supply Chain Attack | Trend Micro
- LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours | The Hacker News
- CVE-2026-33626: How attackers exploited LMDeploy in 12 hours | Sysdig
- Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover | The Hacker News
- Microsoft Entra Agent ID Flaw Enabled Tenant Takeover | HackRead
- Reflection AI eyes $2.5B raise at $25B valuation | TechFundingNews
- Inside Reflection AI: The $20B Open-Model Startup That Has Yet to Ship | Turing Post
- Yann LeCun raises $1B to build AI that understands the physical world | Hacker News
- Yann LeCun's AMI Labs raises $1.03B to build world models | TechCrunch
- OpenAI has bought AI personal finance startup Hiro | Hacker News
- OpenAI has bought AI personal finance startup Hiro | TechCrunch