Leaked Vercel access token — deploy access + secret leak

A Vercel access token authenticates to the Vercel REST API and the vercel CLI with the full rights of the user it was created by, across every project in the team (or account) scope the token was issued for: deploy, read environment variables, inspect project metadata. Leakage = compromise of every project in that scope, not just the one the token was last used with.

The next 60 seconds matter

A valid token is the whole foothold; no further exploit is needed. Straight from the API the attacker can:

  • List projects and read their environment variables (often every backend API key in one GET; variables created as Sensitive are not returned in plaintext by the API, but see the next bullet)
  • Trigger deploys of attacker-authored code, which can dump even Sensitive variables at runtime and which is recorded under the token owner's identity
  • Delete deployments or projects
  • Access deployment logs + build output, which frequently contain secrets of their own

Rotation playbook

  1. vercel.com/account/tokens → Delete the leaked token (if you cannot tell which one leaked, delete all of them)
  2. Rotate every secret held in environment variables of every project in the token's scope, Sensitive ones included: a malicious deploy reads them at runtime
  3. Audit deployments since the earliest moment the token could have leaked (not a fixed 24-hour window) for builds that did not come from the Git integration; redeploy a known-good commit wherever in doubt
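Steps 2 and 3 are tedious by hand once a team has more than a couple of projects. The script below is an added example (not Vercel's own tooling) that runs offline over JSON already pulled from the Vercel API and produces the deployment review list and the rotation list. The response shapes it assumes (deployments[].source, deployments[].meta.githubCommitSha, creator.uid, envs[].type), the sample data and the LEAK_NOT_BEFORE_MS constant are all constructed for the example; confirm the field names against the current API reference before relying on it.

```python
"""Offline triage for a leaked Vercel token: which deployments need a look and
which environment variables need rotating.

Added example, not Vercel's own tooling. The field names below are the ones
the deployment-list and project-env endpoints return as far as the author
knows, but treat that shape as an assumption and confirm it against the API
reference.
"""

# Constructed sample in the assumed shape of GET /v6/deployments (created = epoch ms).
SAMPLE_DEPLOYMENTS = {
    "deployments": [
        {"uid": "dpl_aaa", "created": 1_700_000_000_000, "source": "git", "target": "production",
         "creator": {"uid": "usr_alice"}, "meta": {"githubCommitSha": "1111"}},
        {"uid": "dpl_bbb", "created": 1_700_100_000_000, "source": "cli", "target": "production",
         "creator": {"uid": "usr_alice"}, "meta": {}},
        {"uid": "dpl_eee", "created": 1_700_150_000_000, "source": "git", "target": "preview",
         "creator": {"uid": "usr_bob"}, "meta": {"githubCommitSha": "2222"}},
        {"uid": "dpl_ccc", "created": 1_700_200_000_000, "source": "cli", "target": "production",
         "creator": {"uid": "usr_alice"}, "meta": {}},
    ]
}

# Constructed sample in the assumed shape of GET /v9/projects/{id}/env.
SAMPLE_ENV = {
    "envs": [
        {"key": "DATABASE_URL", "type": "encrypted", "target": ["production"]},
        {"key": "STRIPE_SECRET_KEY", "type": "sensitive", "target": ["production"]},
        {"key": "ANALYTICS_ID", "type": "plain", "target": ["production", "preview"]},
    ]
}

# Hypothetical: earliest moment the token could have been exposed, e.g. the
# timestamp of the commit that pushed it.
LEAK_NOT_BEFORE_MS = 1_700_050_000_000


def suspicious_deployments(payload: dict, leak_not_before_ms: int) -> list[dict]:
    """Deployments created since the leak window opened that did not come from
    the Git integration.

    A token-driven deploy (CLI or raw API call) is recorded under the token
    owner's identity, so "created by a trusted user" filters nothing; the
    deployment source does. Git-integration deploys are tied to a commit the
    repo already has and get reviewed as commits instead."""
    flagged = []
    for d in payload.get("deployments", []):
        if d.get("created", 0) < leak_not_before_ms:
            continue
        source = d.get("source")
        if source == "git" and d.get("meta", {}).get("githubCommitSha"):
            continue
        flagged.append({
            "uid": d["uid"],
            "target": d.get("target"),
            "creator": d.get("creator", {}).get("uid"),
            "reason": f"source={source!r} inside leak window",
        })
    return flagged


def env_rotation_plan(payload: dict) -> dict[str, list[str]]:
    """Split project env vars by how the attacker could have obtained them.

    type == "sensitive" vars are not returned in plaintext by the API, but a
    token that can deploy can ship code that reads them at runtime, so they
    stay in scope; they simply rank below the ones that were one GET away."""
    plan: dict[str, list[str]] = {"api_readable": [], "deploy_readable": []}
    for env in payload.get("envs", []):
        bucket = "deploy_readable" if env.get("type") == "sensitive" else "api_readable"
        plan[bucket].append(env["key"])
    return plan


if __name__ == "__main__":
    for hit in suspicious_deployments(SAMPLE_DEPLOYMENTS, LEAK_NOT_BEFORE_MS):
        print("REVIEW", hit)
    for bucket, keys in env_rotation_plan(SAMPLE_ENV).items():
        print("ROTATE", bucket, keys)
```

Note that dpl_ccc is flagged even though its creator is usr_alice, the token owner: that is exactly what an attacker's deploy looks like in the dashboard, which is why the filter keys on source rather than on who appears to have deployed.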

Prevent the next one

  • Scope each token to a single team rather than the full account, and give it an expiration
  • Let the Vercel Git integration deploy on push instead of putting a long-lived token in CI; where a CI token is unavoidable, keep it in the CI secret store, never in the repo or workflow file
  • Rotate tokens on team-member departure

Pattern we scan for
{24+ chars, various formats}
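Because the format above is so loose, a scanner cannot recognise a Vercel token by shape alone: any 24-character alphanumeric run would match and drown the signal. The script below is an added example (not the scanner behind this page) that shows the usual workaround, anchoring the match on context that carries a Vercel token in practice; the anchor list, the regex and the sample text are constructed assumptions for the example.

```python
"""Context-anchored scan for candidate Vercel tokens in text.

Added example, not the scanner behind this page. The page only says the token
is 24+ characters in various formats, so this scanner flags a 24+ char
alphanumeric run only when it sits right after something that carries a Vercel
token in practice, and masks what it finds so the finding itself does not
become a second leak.
"""
import re

# Assumed anchors: env-var names and the CLI flag used to pass a Vercel token.
CANDIDATE_RE = re.compile(
    r"(?:VERCEL_(?:ACCESS_)?TOKEN|--token)\s*[=:]?\s*[\"']?([A-Za-z0-9]{24,})"
)

# Constructed sample: a .env dump, a CI workflow line that correctly uses a
# secret reference (must not fire), shell history, and a bare random string
# with no context (must not fire).
SAMPLE_TEXT = """\
VERCEL_TOKEN=aB3dE6gH9jK2mN5pQ8sT1vW4
run: vercel deploy --prod --token ${{ secrets.VERCEL_TOKEN }}
vercel deploy --prod --token=zY9xW8vU7tS6rQ5pO4nM3lK2
k8Jq2Lm9Xc4Vb7Nz1Pw3Rt6Y
"""


def mask(token: str) -> str:
    """Keep enough to correlate findings, never enough to reuse the token."""
    return token[:4] + "..." + token[-4:]


def find_candidates(text: str) -> list[tuple[int, str]]:
    """Return (1-based line number, masked token) for each candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            hits.append((lineno, mask(m.group(1))))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_candidates(SAMPLE_TEXT):
        print(f"line {lineno}: candidate Vercel token {masked}")
```

A candidate is still only a candidate. Before paging anyone, confirm it is live by making an authenticated request with it (for example GET https://api.vercel.com/v2/user with an Authorization: Bearer header) and treat a 200 as the real alert; a dead or revoked token gets logged, not escalated.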