惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
CXSECURITY Database RSS Feed - CXSecurity.com
Google Online Security Blog
Google Online Security Blog
The Last Watchdog
The Last Watchdog
S
Security @ Cisco Blogs
Help Net Security
Help Net Security
Security Archives - TechRepublic
Security Archives - TechRepublic
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
W
WeLiveSecurity
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
H
Hacker News: Front Page
人人都是产品经理
人人都是产品经理
aimingoo的专栏
aimingoo的专栏
Vercel News
Vercel News
Microsoft Azure Blog
Microsoft Azure Blog
小众软件
小众软件
Project Zero
Project Zero
T
Tailwind CSS Blog
V
Vulnerabilities – Threatpost
P
Privacy & Cybersecurity Law Blog
Know Your Adversary
Know Your Adversary
Last Week in AI
Last Week in AI
腾讯CDC
Schneier on Security
Schneier on Security
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
WordPress大学
WordPress大学
量子位
L
Lohrmann on Cybersecurity
J
Java Code Geeks
Cyberwarzone
Cyberwarzone
Recent Announcements
Recent Announcements
IT之家
IT之家
博客园_首页
罗磊的独立博客
博客园 - 聂微东
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Application and Cybersecurity Blog
Application and Cybersecurity Blog
F
Fortinet All Blogs
博客园 - Franky
P
Palo Alto Networks Blog
V2EX - 技术
V2EX - 技术
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Martin Fowler
Martin Fowler
N
News and Events Feed by Topic
C
Cybersecurity and Infrastructure Security Agency CISA
B
Blog RSS Feed
Cisco Talos Blog
Cisco Talos Blog
TaoSecurity Blog
TaoSecurity Blog
H
Heimdal Security Blog
G
GRAHAM CLULEY
Cloudbric
Cloudbric

The Register - Software: AI + ML

Anthropic, now atop the AI bubble, files for its IPO Sick and wrong: Ontario auditors find doctors' AI note takers routinely blow basic facts OpenAI exec says it will burn $50B on compute this year Astera speaks softly and carries a big switch Anthropic unleashes finance agents for Claude IBM asks DBAs to trust AI to act on their behalf ServiceNow adds agent kill switches to AI control tower British mathematician hands OpenClaw agent a credit card Microsoft fixes VS Code after Copilot credited human code Shadow IT has given way to shadow AI. Enter AI-BOMs AI inference just plays by different rules How TeamViewer ONE transforms IT operations from firefighting to autopilot How TeamViewer ONE transforms IT operations firefighting aut Inference is giving AI chip startups a 2nd chance to shine How to roll your own local AI coding agents CIOs will be the governors for AI agents Govern your bots carefully or chaos could ensue Mozilla pushes back against Google's Prompt API SAP user group slams 'uncertainty' in ERP giant's API policy Microsoft boss tells investors the company is working to 'win back fans' Anthropic tops OpenAI in LLM revenue stakes Amazon's chips become a $20B business Fooling large language models just keeps getting simpler Amazon tells its engineers to review all AI output ZTE powers 2026 Jiangsu Football League with 5G-A & AI robot Future holiday horror: ‘A robot lost my luggage in Tokyo’ The future of software development has less development OpenAI jumps out of Microsoft's bed, into Amazon's Bedrock Vintage chatbot lives in the past like an elderly relative IBM's AI coding 'partner' Bob hits general availability Locked, stocked, and losing budget: AI vendor lock-in bites Ex-AWS legend explains what enterprises need to make AI work DeepSeek's new models offer big inference cost savings Anthropic admits it dumbed down Claude with 'úpgrades' Microsoft gives your Word documents an AI co-author you didn’t ask for Datadog digs down into GPU efficiency as AI costs soar Robotic arm powered by AI bats away ping-pong challenge Partnerships drive ZTE’s strategy to unlock AI potential Gov.uk says AI gaslighting Brits with stale Gov.uk data Google says it has all the answers for AI agent sprawl NeuBird plans a bright future for incident response NeuBird AI plans a bright future for incident response Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Schmoozebots: study finds flattery will get AI everywhere New Android development tool designed for robots, not humans AI is reshaping Britain's datacenter map away from London Just like phishing for gullible humans, prompt injecting AIs is here to stay Anthropic debuts Claude Design, because who needs designers? Mozilla takes on enterprise AI providers with Thunderbolt Anthropic ejects bundled tokens from enterprise seat deal Maine to pause big bit barns as local opposition spreads If you want into Anthropic's Claude club, you may have to show ID Git identity spoof fools Claude into giving bad code the nod Nobody knows how many CVEs Anthropic's Project Glasswing has actually found Allbirds shoe company moving to AI infra is the top Bad teacher bots can leave hidden marks on model students Networks not ready for the challenges of AI traffic US states can't account for datacenter tax breaks. Literally Salesforce debuts Headless 360 agentic platform Waymo's self-driving cars face their toughest test yet: London Commvault has a Ctrl+Z for rogue AI agents Nvidia slaps forehead: AI, that's what quantum needs! OpenAI CEO Sam Altman home attack suspect charged Anthropic: Claude quota drain not caused by cache tweaks AI vs the cold hard reality of the legal profession China wants AI to prepare school lessons and mark homework Linux 7.0 debuts as Linus Torvalds ponders AI's impact Anthropic's Mythos has The Kettle crew curious, skeptical I vibe coded web app: It was enlightening and uncomfortable The AI divide putting open weights models in spotlight Amazon rejects AWS climate disclosure proposal UK to spend £15M on AI mapping in knife crime crackdown UK to spend £15M on AI-powered crime mapping in knife violence crackdown Rebrand automation as 'zero-token architecture' to master AI Call your existing automation ‘zero-token architecture’ to become an instant agentic AI wiz Only 28% of AI infrastructure projects fully pay off UALink delivers 2.0 spec before v. 1.0 silicon ships Only 28% of AI infrastructure projects fully pay off, survey finds No-Nvidia interconnect club delivers 2.0 spec before v1.0 silicon ships Anthropic reveals $30bn run rate and plans to use 3.5GW of new Google AI chips AI slop got better, so now maintainers have more work AMD's AI director slams Claude Code for becoming dumber and lazier since last update Anthropic closes door on subscription use of OpenClaw AI will make anyone a 10x programmer, but with 10x the cleanup PrismML debuts energy-sipping 1-bit LLM in bid to free AI from the cloud Netflix – yes, Netflix – jumps on the AI bandwagon with video editor AI models will deceive you to save their own kind Google battles Chinese open-weights models with Gemma 4 Microsoft shivs OpenAI with three new AI models for speech and images They thought they were downloading Claude Code source. They got a nasty dose of malware instead Even Microsoft knows Copilot shouldn't be trusted with anything important Google's TurboQuant saves memory, but won't save us from DRAM-pricing hell Claude Code bypasses safety rule if given too many commands OpenAI gets $122B to 'just build things' as the world blows them up One in seven Americans are ready for an AI boss, but they might not trust it Claude Code source leak reveals how much info Anthropic can hoover up about you and your system Oracle cuts jobs across sales, engineering, security Anthropic goes nude, exposes Claude Code source by accident GitHub backs down, kills Copilot pull-request ads after backlash Microsoft Fabric Database Hub only a 'partial' solution for admins
AI-assisted intruders pwned Vercel via OAuth abuse and a pilfered employee account
Carly Page · 2026-04-21 · via The Register - Software: AI + ML

Vercel's CEO reckons the crooks behind its recent breach likely had a helping hand from AI, saying the attackers moved with "surprising velocity" and a deep understanding of the company's infrastructure.

In a public update following the incident, Guillermo Rauch reckons the intrusion began with a compromised employee account linked to Context.ai. An attacker used that access to hijack the employee's Vercel Google Workspace account to drill into the company's systems. From there, the hacker poked around environment variables – including ones not marked as sensitive – and used that to get deeper in.

Rauch says the attacker may not have been working alone.

"We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI," Rauch said. "They moved with surprising velocity and in-depth understanding of Vercel."

Rauch didn't go into detail on the AI claim, saying only that the cyber baddies didn't hang about. They got in, found what they needed, and kept moving – no fancy exploit chain, just OAuth abuse and too much trust.

Researchers at Hudson Rock point to a February infostealer infection as the likely starting point, with Lumma stealer malware lifting corporate credentials from an employee's machine. The same system was used to download Roblox "auto-farm" scripts and exploit tools – a common way these infections get a foothold.

Vercel says customer environment variables are encrypted at rest, but it also allows some to be marked as "non-sensitive." That distinction looks to have mattered once the attacker got inside, giving them a set of values that didn't carry the same level of protection and were easier to sift through.

So far, Vercel thinks the number of affected customers is "quite limited," and that it has contacted those at risk. It's also urging users to rotate credentials, keep an eye on access logs, and take another look at what they've marked as sensitive. Behind the scenes, Rauch says Vercel is working with external incident responders, industry peers, and law enforcement, with help from Google-owned Mandiant.

Outside the company, the story is already taking on a life of its own. Researchers at OX Security claim data allegedly stolen in the breach is being offered for sale on BreachForums for $2 million, including API keys, deployment credentials, GitHub and npm tokens, and what's described as internal database records. The same listing reportedly includes a file containing details on hundreds of Vercel employees. 

The post carries the "ShinyHunters" name, but the group says it's not involved. That leaves the usual uncertainty about who's actually behind the listing.

Vercel, for its part, published an update today saying it has confirmed that no npm packages published by Vercel had been compromised. "There is no evidence of tampering, and we believe the supply chain remains safe," the statement adds.

For now, Vercel is in cleanup mode and telling customers to rotate credentials. If the attackers really were moving with AI in the loop, they didn't need much else beyond access that worked. ®