OAuth

Vercel said no npm packages were compromised in the OAuth-linked incident and updated its security bulletin with MFA and environment-variable auditing guidance. Treat credential deletion as separate from rotation and follow the bulletin to narrow supply-chain risk.

Vercel disclosed unauthorized access to internal systems affecting a limited subset of customers and said a compromised Google Workspace OAuth app at a third-party AI tool was the entry point. Some non-sensitive environment variables may have been exposed, so teams should review SaaS integrations and secret handling now.

Keycard released an execution-time identity layer for coding agents, issuing short-lived credentials tied to user, agent, runtime, and task. It targets the gap between noisy permission prompts and unsafe skip-permissions workflows.

Anthropic’s Claude Code docs say consumer OAuth tokens from Free, Pro, and Max cannot be used with the Agent SDK, and staff said clearer guidance is coming. If you automate local dev loops or parallel workers, use API keys until the allowed auth patterns are explicit.