AI coding agents are the next attack surface for credential theft
A post from the grith team argues that AI coding agents like Claude Code, Cursor, and Codex already hold far more ambient authority than the OAuth token that enabled the Vercel breach — and a single prompt injection in a README is all an attacker needs to exploit it.
Developers using AI coding agents should audit what credential files are readable in their home directories and consider egress controls, because any untrusted document the agent reads — a README, a GitHub issue, an npm description — is now a potential attack vector requiring no malware to exploit.
The grith team's post reframes the Vercel breach as the *easier* version of a credential-theft attack. The actual incident involved a Context.ai employee downloading a Roblox auto-farm executor, which allowed Lumma Stealer to collect OAuth tokens. One of those tokens — scoped only to calendar, drive, and mail — belonged to a Vercel employee's Google Workspace account and sat unused for two months before being exercised. The attacker still had to deliver malware, steal credentials, and pivot through Google Workspace SSO into Vercel's admin plane to do any damage.
By contrast, a typical AI coding agent running on the same developer laptop already holds the full ambient authority of the shell user: read access to `~/.vercel/auth.json` (a long-lived Vercel CLI token), `~/.config/gh/hosts.yml` (GitHub PAT and OAuth tokens), `~/.aws/credentials`, `~/.kube/config`, `~/.config/gcloud/`, `~/.ssh/`, and every `.env` file the developer has created. It can execute `vercel env pull`, `vercel env ls`, `vercel deploy`, and every other subcommand, plus issue arbitrary `curl` requests over an unrestricted outbound network.
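The credential inventory above lends itself to a local check. The script below is an added example (not code from the grith post): it walks a home directory for the paths the post names plus any `.env*` files and reports each one's permission bits, so a developer can see exactly what an agent running as their user can read. The path list comes from the post; the depth limit, the skipped directories and the owner-only (0o077) test are my assumptions.

```python
"""Audit a home directory for the credential files the post names (added example)."""
import os
import stat
from pathlib import Path

# Credential locations named in the post, relative to the home directory.
CREDENTIAL_PATHS = [
    ".vercel/auth.json",      # long-lived Vercel CLI token
    ".config/gh/hosts.yml",   # GitHub PAT / OAuth tokens
    ".aws/credentials",
    ".kube/config",
    ".config/gcloud",
    ".ssh",
]
SKIP_DIRS = {"node_modules", ".git"}  # assumption: noisy, not worth walking


def find_env_files(root: Path, max_depth: int = 4) -> list[Path]:
    """Return every `.env*` file under `root`, descending at most `max_depth`."""
    hits: list[Path] = []
    for dirpath, dirnames, filenames in os.walk(root):
        depth = len(Path(dirpath).relative_to(root).parts)
        # Prune in place: stop past the depth limit and skip noisy directories.
        dirnames[:] = [] if depth >= max_depth else [d for d in dirnames if d not in SKIP_DIRS]
        hits.extend(Path(dirpath) / f for f in filenames if f.startswith(".env"))
    return hits


def audit_credential_files(home: Path) -> list[dict]:
    """One finding per credential path that exists, with its permission bits."""
    findings = []
    for path in [home / p for p in CREDENTIAL_PATHS] + find_env_files(home):
        if not path.exists():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        findings.append({
            "path": str(path),
            "mode": oct(mode),
            # Any group/other bit means other local users can read it as well;
            # the agent, running as the file owner, can read it regardless.
            "group_or_world_readable": bool(mode & 0o077),
            "readable_by_agent": os.access(path, os.R_OK),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_credential_files(Path.home()):
        print(finding)
```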
The post describes a concrete no-malware attack chain: an attacker embeds a prompt injection payload in a location the agent will read during a legitimate task — a malicious `README.md` in an npm package, a comment on a public GitHub issue, a docstring in a dependency, or a tool description returned from an MCP server. The injected instruction nudges the agent to run `vercel env pull .env.prod` and POST the resulting file to an attacker-controlled endpoint. Because coding agents routinely run `vercel`, `git`, `curl`, `npm`, and `python`, the command raises no flags. The post positions grith as a forthcoming OS-level security proxy for AI coding agents designed to address exactly this architectural gap.
Key facts
1. The Vercel breach involved a Context.ai employee downloading a Roblox auto-farm executor, which let Lumma Stealer steal a Google Workspace OAuth token scoped to calendar, drive, and mail.
2. The stolen Context.ai token sat unused for two months before the attacker pivoted through Google Workspace SSO into Vercel's admin plane.
3. AI coding agents (Claude Code, Cursor, Codex, Cline, Aider) run on the same developer laptops and have read access to `~/.vercel/auth.json`, `~/.config/gh/hosts.yml`, `~/.aws/credentials`, `~/.ssh/`, and all `.env` files.
4. Agents have full outbound network access and can execute arbitrary shell commands, including `vercel env pull`, `git`, `curl`, and `npm`.