AI & Cybersecurity · LumiChats Team · April 22, 2026 · 14 min read

One AI App. One 'Allow All' Click. Millions of Websites at Risk.

On April 19, 2026, Vercel — the platform that hosts a significant fraction of the internet — disclosed a breach. It didn't start with a hacker targeting Vercel. It started with a small AI productivity tool a single employee installed. Here's exactly what happened, why it could happen to any company using AI tools, and the specific steps to close this hole in your stack right now.

On Saturday, April 19, 2026, Vercel published a security bulletin. It was the kind of announcement that gets read by developers and quietly ignored by everyone else — until you understand what Vercel actually is. Vercel is the hosting platform that runs a meaningful portion of the modern web. It is the primary steward of Next.js, the framework with approximately 14.5 million weekly downloads that underlies the frontend of companies from startups to Fortune 500s. If you have used a modern tech company's website in the last two years, you have almost certainly loaded code that lives on Vercel. And on April 19, someone had been inside it. Source: Vercel security bulletin, April 19, 2026; Vercel CEO Guillermo Rauch, X post, April 19, 2026.

The breach didn't start at Vercel. That's the part that matters. It started at a small, third-party AI productivity tool called Context AI — a product that helps users manage documents, presentations, and spreadsheets using AI. One Vercel employee installed it and connected it to their Vercel enterprise Google account. They clicked 'Allow All' on the permissions prompt. And somewhere between that click and April 19, a highly sophisticated hacker group used that single trust relationship to walk into Vercel's internal systems. Source: Vercel security bulletin, April 19, 2026; TechCrunch, April 20, 2026.

The attacker is believed to be selling the stolen data — Vercel customer API keys, database credentials, cloud access tokens, source code — for $2 million on BreachForums, the underground forum where stolen enterprise data changes hands. ShinyHunters, the group behind the 2024 Ticketmaster breach, has been claimed as responsible, though ShinyHunters told BleepingComputer they are not involved. Vercel has engaged Mandiant and law enforcement. As of April 22, 2026, the investigation is active, the full scope of what was exfiltrated remains unknown, and this story is not over. Source: TechCrunch, April 20, 2026; The Hacker News, April 20, 2026; DevOps Daily, April 20, 2026.

Insight

Quick Answer: The Vercel breach originated at Context AI — a third-party AI productivity app — not at Vercel itself. A Context AI employee's laptop was infected with Lumma Stealer malware (reportedly from downloading a Roblox exploit script), which harvested OAuth tokens that eventually gave an attacker access to a Vercel employee's Google Workspace. From there the attacker pivoted into Vercel's internal systems. A threat actor claiming ShinyHunters affiliation posted the alleged stolen data on BreachForums with a $2M price tag — claiming it includes customer API keys, source code, and database data. Vercel's confirmed position: environment variables not marked 'Sensitive' for a limited customer subset were accessed. Next.js, Turbopack, and all Vercel npm packages were confirmed uncompromised as of April 20 (joint confirmation from GitHub, Microsoft, npm, and Socket). If you received a direct email from Vercel, treat every credential in that project as compromised. If you didn't — rotate non-sensitive env vars anyway and mark all variables as 'Sensitive' immediately. Sources: Vercel security bulletin, April 19, 2026; TechCrunch, April 20, 2026; InfoStealers, April 20, 2026.

Who Is Vercel and Why Should Non-Developers Care?

Vercel is a cloud platform that allows developers to deploy web applications with a single command. If you've ever clicked a fast-loading website for a tech company, a startup's landing page, or a modern e-commerce store, there's a substantial chance it was running on Vercel. The company is the creator and primary maintainer of Next.js — the most widely adopted web development framework on the internet, with approximately 14.5 million downloads every week. Next.js is used by companies including Hulu, TikTok, Twitch, GitHub, Nike, and thousands of startups. Vercel's platform stores the 'environment variables' — the secret credentials — that make all those applications connect to databases, payment processors, cloud providers, and external APIs. If you've ever entered your credit card on a Vercel-hosted site, the infrastructure sitting behind that transaction has Vercel in its stack. Source: Coindesk, April 20, 2026; Varonis security analysis, April 20, 2026.

Environment variables are the most sensitive data layer in any web application. They are where developers store the credentials that connect front-facing websites to everything else: your AWS keys that access cloud storage and databases, your Stripe secret key that processes payments, your GitHub tokens that can push code to production, your database passwords that open direct access to customer data. Vercel is the vault. On April 19, 2026, an attacker had accessed that vault — not by breaking Vercel's own security, but by walking in through a door a single employee had unknowingly left open. Source: Varonis security analysis, April 20, 2026; Vercel security bulletin, April 19, 2026.

The Attack Chain: How One AI App Became the Key to Vercel

Understanding exactly how this attack unfolded is essential — not because the technical specifics are interesting on their own, but because this same attack chain can be replicated against any company whose employees use AI productivity tools. The mechanics are described by Vercel, Context AI, cybersecurity firm Varonis, OX Security, and Trend Micro in independent post-incident analyses. Every step below is sourced to primary disclosures. Source: Vercel security bulletin, April 19, 2026; Context AI security bulletin, April 19, 2026; Varonis, April 20, 2026; OX Security, April 20, 2026; Trend Micro, April 20, 2026.

  • Step 1 — The Context AI compromise (February–March 2026): Sometime around February 2026, a Context AI employee's computer was infected with Lumma Stealer — a type of malware that silently harvests saved passwords, browser session cookies, and application credentials from infected machines. Lumma Stealer is commercially available on cybercriminal forums for a few hundred dollars a month. It is not exotic malware; it is commodity infrastructure. The credentials harvested from the infected Context AI employee included access to Context AI's AWS environment, Google Workspace logins, Supabase credentials, Datadog keys, and the 'support@context.ai' account — the support email address that, in most organizations, has elevated access to customer accounts and ticketing systems. Source: Hudson Rock analysis, April 20, 2026; The Hacker News, April 20, 2026.
  • Step 2 — The OAuth token harvest (March 2026): With access to Context AI's AWS environment and internal systems, the attacker found something more valuable than any individual credential: the OAuth tokens that Context AI held on behalf of its users. Context AI offered a Chrome extension (Chrome extension ID: omddlmnhcofjbnbflmjginpjjblphbgk — the same ID published as an Indicator of Compromise by Vercel). This extension allowed users to search and gather information from their Google Drive files. During onboarding, users were required to connect their Google account and grant full read access to all their Google Drive files, and this applied equally to anyone who signed up with their enterprise Google account. The extension was removed on March 27, 2026. Context AI initially disclosed the breach in March, believing the scope was limited. It was not. Source: OX Security analysis, April 20, 2026; Context AI security bulletin, April 19, 2026.
  • Step 3 — The pivot to Vercel's Google Workspace: Context AI stated explicitly that 'Vercel is not a Context customer, but it appears at least one Vercel employee signed up for the AI Office Suite using their Vercel enterprise account and granted Allow All permissions.' With a stolen OAuth token for that Vercel employee, the attacker had something with a specific and critical property: OAuth tokens, once issued, do not require re-authentication. They do not trigger multi-factor authentication prompts. The employee who issued the token may have enabled every MFA protection Vercel required — hardware keys, authenticator apps, all of it. None of it mattered. The token was already issued, already valid, and the attacker used it as if they were the employee. Source: Context AI security bulletin, April 19, 2026; Varonis, April 20, 2026; The Register, April 20, 2026.
  • Step 4 — Lateral movement inside Vercel: From the compromised Google Workspace account, the attacker moved into Vercel's internal systems. Vercel CEO Guillermo Rauch described the attacker as 'highly sophisticated based on their operational velocity and detailed understanding of Vercel's systems' and separately noted the attacking group was 'likely significantly accelerated by AI.' CrowdStrike, which Context AI had engaged to investigate the initial March breach, had missed the OAuth tokens in its investigation scope — meaning Context AI believed the incident was contained when it was not. The attacker had been inside Context AI's systems for approximately a month before Vercel knew anything had happened. Source: Vercel security bulletin, April 19, 2026; DevOps Daily, April 20, 2026; ShipSafe analysis, April 20, 2026.
  • Step 5 — The environment variable exfiltration: Inside Vercel's systems, the attacker bulk-extracted environment variables from customer projects — but specifically those not marked as 'sensitive.' Vercel's architecture has a specific setting: environment variables flagged as 'sensitive' are stored in a way that prevents them from being read even by Vercel staff, and there is no evidence those values were accessed. The non-sensitive variables, in which many customers store API keys, connection strings, and service credentials, were readable and appear to have been exfiltrated. Vercel has contacted affected customers directly. The full count of impacted customers has not been disclosed, but Vercel and Context AI both describe it as 'limited.' Source: Vercel security bulletin, April 19, 2026; Varonis, April 20, 2026.

The attack chain, laid out in sequence: Lumma Stealer malware → Context AI employee credentials → Context AI AWS environment → Context AI OAuth token database → Vercel employee's OAuth token → Vercel employee's Google Workspace account → Vercel internal systems → Vercel customer environment variables. Seven steps, starting from a piece of commodity malware costing a few hundred dollars a month. The entry point was not a zero-day vulnerability in Vercel's security architecture. It was a small AI productivity app a single employee installed and connected to their work Google account. One more detail that reframes the entire story: Trend Micro's analysis found that the initial OAuth compromise appears to trace back to approximately June 2024 — nearly 22 months before Vercel's public disclosure. And at least one public customer report suggests credentials were being flagged as leaked in the wild 9 days before Vercel's April 19 announcement. The attacker had a very long runway. Source: Trend Micro, April 20, 2026; OX Security, April 20, 2026.

Did Next.js or npm Get Compromised? The Answer — and Why It Was the Right First Question

The first question the developer community asked when this breach was disclosed was the correct one: if attackers were inside Vercel's systems, could they have touched Vercel's npm publishing pipeline? Next.js alone has approximately 14.5 million weekly downloads — a number that doubled in the year leading up to this breach, per Next.js core team lead Tim Neutkens on April 13, 2026. A malicious package slipped into Next.js would be one of the largest software supply chain attacks in history — significantly larger than the SolarWinds breach in scale of affected downstream systems. Source: Coindesk, April 20, 2026; DevOps Daily, April 20, 2026.

Vercel has been explicit and direct: in collaboration with GitHub, Microsoft, npm, and Socket, its security team confirmed that no npm packages published by Vercel were compromised as a result of the breach. This confirmation was made on April 20, 2026 and represents a joint assessment by four independent organizations — not just Vercel's self-certification. The integrity of Next.js, Turbopack, @vercel/analytics, and all other Vercel-published packages appears to be intact. Source: Vercel X update, April 20, 2026; TechCrunch, April 20, 2026.

The reason this question matters even though the answer is reassuring is that the theoretical worst case was real. If the attacker had accessed npm publishing tokens or GitHub workflow credentials before Vercel detected and contained the breach, a malicious version of Next.js could have been pushed to npm and downloaded by developers worldwide in the next automated build. The fact that this did not happen is a combination of Vercel's environment variable sensitivity architecture, the attacker's apparent focus on credential harvesting rather than supply chain tampering, and the speed of Vercel's detection and response. None of those factors are guaranteed to be present in the next incident of this type. Source: DevOps Daily, April 20, 2026; ShipSafe analysis, April 20, 2026.

The Crypto Dimension: Why This Breach Hit Harder Than Most

The Vercel breach arrived in the middle of what Coindesk described as 'one of the worst months for crypto exploits' in 2026. Solana-based perpetuals protocol Drift was drained for approximately $285 million in early April in an attack later linked to North Korean-affiliated actors. The $292 million Kelp DAO rsETH exploit triggered a broad liquidity crunch across DeFi lending platforms including Aave. Against this backdrop, the Vercel breach hit a community that was already on high alert. Source: Coindesk, April 20, 2026.

Many Web3 teams host wallet interfaces and decentralized app dashboards on Vercel, relying on environment variables to store the credentials that connect their frontends to blockchain data providers and backend services. Solana-based decentralized exchange Orca, whose frontend is hosted on Vercel, said it rotated all deployment credentials as a precaution. Its on-chain protocol and user funds were not affected. But the scenario the breach introduced — compromised frontend deployment credentials on a platform hosting wallet interfaces — represents one of the highest-severity possible consequences of the attack chain. If an attacker with access to Vercel's publishing pipeline chose to target crypto frontends rather than simply exfiltrate credentials, the damage vector would point directly at user funds. Source: Coindesk, April 20, 2026.

Why This Is Not a Vercel Problem — And Why It Will Happen Again

The most important insight from cybersecurity researchers analyzing this incident is that the Vercel breach is not a story about Vercel's security failures. Vercel made mistakes — the most significant being that its OAuth configuration allowed the 'Allow All' permission grant at the enterprise level, and that it did not default all environment variables to 'Sensitive.' Both have been addressed. But the root cause of the breach is a pattern that affects every organization whose employees use AI productivity tools. Source: The Register, April 20, 2026; ShipSafe analysis, April 20, 2026.

Varonis, a data security company, articulated the pattern with precision: 'AI productivity tools are the new supply chain attack vector. These tools require broad access to email, documents, and identity systems to function — and most organizations have not established governance programs to track or control those permissions. A compromise at a small AI vendor can cascade into breaches at many enterprises.' The attack did not route through code. It routed through identity. The SaaS app your employee logged into with their work Google account last month is now part of your attack surface. You almost certainly cannot list every one of those apps. Source: Varonis, April 20, 2026.

The Register summarized the structural problem this way: 'All of the actors in this mess made mistakes. Context.ai clearly didn't have great infosec. CrowdStrike's investigation appears to have missed a trick or two. Vercel didn't lock down its Google Workspace. And now the world has an example of an agentic AI product linking to third-party services and causing trouble, just the kind of risk infosec experts have warned about.' This is the AI era's version of the supply chain attack. Source: The Register, April 20, 2026.

| Attack Type | Traditional Supply Chain | AI Tool OAuth Attack (Vercel Pattern) |
|---|---|---|
| Entry vector | Compromised npm package, build script, or update mechanism | Compromised OAuth token from a third-party AI SaaS tool |
| Detection difficulty | Detectable via package hash verification and dependency scanning | Invisible to traditional security tools — legitimate OAuth token, legitimate authenticated user |
| Bypasses MFA | No — MFA still required for human authentication events | Yes — OAuth tokens are pre-authenticated; no MFA prompt on use |
| Detection timeline | Hours to days in most mature security programs | Weeks — Context AI was compromised ~1 month before Vercel detection |
| Blast radius | All downstream users of the compromised package | All internal systems accessible via the compromised employee's Google account |
| Root cause | Code tampering in a trusted dependency | Trust relationships in SaaS identity chains — 'Allow All' OAuth permissions |
| Current defenses | Lock file pinning, hash verification, Socket.dev, npm audit | Almost none in standard security tooling — new attack class requiring new controls |

What Was Stolen and What It Could Be Used For

The threat actor posting data on BreachForums claimed to be selling access to customer API keys, source code, and database data stolen from Vercel, priced at $2 million. Vercel has stated it has not received any ransom communication from the attacker, and the company does not know for certain whether the BreachForums listing represents actual exfiltrated data. What Vercel has confirmed: a limited subset of customers had non-sensitive environment variables accessed. Those environment variables typically include the following categories of credentials, in order of severity. Source: TechCrunch, April 20, 2026; Varonis, April 20, 2026.

  • Cloud access keys (AWS, Azure, GCP): These are the most dangerous category. A compromised AWS key with write permissions provides direct access to a company's cloud infrastructure — the ability to read databases, access storage buckets containing user data, create additional access credentials, spin up compute resources (often for crypto mining), or pivot to other internal systems. AWS keys by default have no expiration unless explicitly configured. A key that was valid on April 19 is still valid today unless explicitly rotated. Source: Varonis, April 20, 2026.
  • Database credentials: Direct access to production databases means access to customer data, personal information, financial records, and application state. In most applications, the database is where every sensitive user record lives. A compromised database credential does not set off alarms in the same way a login attempt does — it looks like a legitimate application connection. Source: Varonis, April 20, 2026.
  • GitHub tokens: GitHub tokens with write access can push code to a repository. If that repository has automated deployment (CI/CD pipelines that automatically deploy code commits to production), a stolen GitHub token is a direct code execution path. This is the category that most worried the broader developer community — GitHub tokens in Vercel env vars that could have been used to push malicious commits to production codebases. Vercel confirmed no evidence of compromise in npm packages, but rotating GitHub tokens is a non-optional precaution if you were a potentially affected customer. Source: DevOps Daily, April 20, 2026.
  • Payment and third-party API keys: Stripe keys, Twilio keys, SendGrid keys, and other service credentials. These can be used directly to impersonate the application — sending emails from the company's domain, processing charges to payment methods on file, accessing customer communications data. Source: Varonis, April 20, 2026.

What You Should Do Right Now — Developer and Non-Developer Versions

Vercel has contacted customers whose credentials were confirmed to have been accessed and requested immediate credential rotation. If you received that email, treat every credential in that project as compromised and proceed with the steps below. If you did not receive that email, Vercel says there is no indication your account was specifically compromised — but the conservative action is to verify and harden regardless. Source: Vercel security bulletin, April 19, 2026; DevOps Daily, April 20, 2026.

  • Immediate: Rotate all non-sensitive credentials in Vercel. Log into your Vercel dashboard, go to each project's environment variables, and rotate every secret that was not already marked 'Sensitive.' This means generating new keys in AWS/GCP/Azure, creating new database passwords, refreshing GitHub tokens, and replacing any service API keys. Do not wait to determine if you were specifically affected. Rotation is low-cost; a compromised key is not. Source: Vercel CEO Guillermo Rauch, X post, April 19, 2026.
  • Immediately after: Mark all environment variables as 'Sensitive' in Vercel. Vercel has now made 'Sensitive' the default for new variables, but existing variables retain their previous setting. Go through every variable in every project and set it to Sensitive. Sensitive variables are stored in a way that prevents them from being read even by Vercel staff — they were not accessible in this breach. This is the architectural change that contains the blast radius of any future incident. Source: Vercel security bulletin, April 19, 2026.
  • Audit which AI tools your team members have connected to corporate Google Workspace accounts. Ask your team specifically: what third-party apps have you connected to your work Google account? What Chrome extensions do you have installed that are connected to Google Drive or Google Workspace? Vercel published an OAuth App Indicator of Compromise (IOC): 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. Check whether any account in your organization granted this app access — the attack may not stop at Vercel. Google Workspace administrators can audit this in the Admin Console under Security → Access and data controls → API controls. Source: Vercel security bulletin, April 19, 2026; OX Security, April 20, 2026.
  • Pin your GitHub Actions and Vercel deploy actions to specific SHA commits. If your CI/CD pipeline references Vercel or any AI tool GitHub Action by a version tag (e.g., @v2 rather than @a3f8c1d2...), that tag is mutable — it can be pointed to different code without warning. Pinning to a specific commit SHA means the action you specified is the exact code that runs, and any attacker who compromises the action's repository cannot silently swap in malicious code. This is a software supply chain hardening step that is broadly recommended and specifically relevant in the aftermath of any deployment platform breach. Source: ShipSafe analysis, April 20, 2026.
  • For non-developers: If you received an email from a service you use saying credentials were rotated after the Vercel breach, follow their instructions immediately. If you use any web application that stores payment information and you receive unexpected account activity alerts in the coming weeks, treat them seriously. The credentials that were accessed are service-level — not end-user passwords — so your individual account password is not at direct risk from this breach. However, if a stolen service credential is used to access a company's database, your data in that database may be accessible to the attacker. The individual action available to you is the same as always: use strong unique passwords per service (managed by a password manager) and enable two-factor authentication on any account that stores financial data or personal identity information. Source: Varonis, April 20, 2026.
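
A check for the pinning step in the list above, as an added example that is not from the original article or from Vercel: it scans a GitHub Actions workflow for 'uses:' references that are not pinned to a full 40-character commit SHA. The workflow text, the example-org action names and the SHA are constructed for illustration.

```python
import re

# A 'uses:' key on a step or reusable-workflow job, with optional list dash and quotes.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
SHORT_HEX_RE = re.compile(r"[0-9a-f]{7,39}")
IMAGE_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed workflow for illustration; the example-org actions and the SHA are made up.
SAMPLE_WORKFLOW = """\
name: deploy
on: push
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567  # v1.2.0
      - name: Deploy
        uses: example-org/vercel-deploy-action@main
      - uses: ./.github/actions/smoke-test
      - uses: docker://alpine:3.20
"""


def classify_ref(target):
    """Return 'pinned', 'local', or a short reason why the reference is mutable."""
    if target.startswith("./"):
        return "local"  # action stored in the same repository as the workflow
    if target.startswith("docker://"):
        if IMAGE_DIGEST_RE.search(target):
            return "pinned"
        return "container image referenced by tag"
    if "@" not in target:
        return "no ref given"
    ref = target.rsplit("@", 1)[1]
    if FULL_SHA_RE.fullmatch(ref):
        return "pinned"
    if SHORT_HEX_RE.fullmatch(ref):
        return "short hex ref, not a full 40-character SHA"
    return "mutable tag or branch"


def find_unpinned(workflow_text):
    """Return (line_number, reference, reason) for every reference that can change."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)  # commented-out lines start with '#', so no match
        if not match:
            continue
        target = match.group(1)
        verdict = classify_ref(target)
        if verdict not in ("pinned", "local"):
            findings.append((line_no, target, verdict))
    return findings


if __name__ == "__main__":
    for line_no, target, reason in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {target} -> {reason}")
```
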

The Pattern Everyone in Tech Should Memorize

OX Security published what is likely the most important framing for what happened: 'The latest Vercel and Context AI breach shows a clear common pattern in AI systems and supply chain security. As we've seen in our latest MCP supply chain research, AI based systems are being shipped faster than their security review and process capabilities.' Source: OX Security, April 20, 2026.

The pattern is: AI tool (broad OAuth permissions) → employee identity → cloud identity provider (Google Workspace) → internal platform (Vercel) → customer credentials → downstream companies. This is the attack template for the AI era. SolarWinds was the defining supply chain attack of the 2020s. The Vercel/Context AI chain is the opening example of a new attack class that routes through AI identity rather than software packages — and it is harder to detect, harder to defend against with traditional tooling, and reproducible against any organization whose employees install AI productivity tools with enterprise account permissions. Source: ShipSafe analysis, April 20, 2026; Trend Micro, April 20, 2026.

The Vercel breach will not be the last attack of this type. The attack surface has been defined. The template has been validated. The defenders — including Vercel, which is now shipping improved environment variable management and has updated its OAuth configuration — are responding. But the 1,000+ organizations whose employees have installed AI productivity tools with 'Allow All' Google Workspace permissions right now, today, have not reviewed those connections. Most of them do not know the Vercel breach happened. The window between this incident and the next one like it is the time defenders have to get ahead of it. Source: Varonis, April 20, 2026; The Register, April 20, 2026.

Frequently Asked Questions

01. Was my Vercel project affected?

Vercel has contacted customers whose environment variables were confirmed to have been accessed and asked them to rotate credentials immediately. If you did not receive an email from Vercel about this incident, Vercel says there is no indication your account was specifically compromised. However, the conservative response is to rotate all non-sensitive credentials and mark all remaining variables as 'Sensitive' regardless. Source: Vercel security bulletin, April 19, 2026.

02. Is Next.js safe to use? Should I pin my dependencies?

Yes, Next.js is safe. Vercel confirmed in collaboration with GitHub, Microsoft, npm, and Socket that no npm packages Vercel publishes were compromised. You can continue using Next.js normally. That said, pinning dependencies to specific versions or commit SHAs in your CI/CD pipeline is a broadly recommended hardening practice and is worth implementing regardless of this specific incident. Source: Vercel X update, April 20, 2026.

03. What is the Context AI Chrome extension IOC and how do I check for it?

The Indicator of Compromise (IOC) published by Vercel is the OAuth App ID: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. Google Workspace administrators can check for usage of this app under Admin Console → Security → Access and data controls → API controls → App access control. Individual users can check their Google account permissions at myaccount.google.com/permissions. The Chrome extension itself (extension ID: omddlmnhcofjbnbflmjginpjjblphbgk) was removed from the Chrome Web Store on March 27, 2026. Source: Vercel security bulletin, April 19, 2026; OX Security, April 20, 2026.

04. Why did CrowdStrike miss the OAuth token compromise in their initial investigation?

CrowdStrike was engaged by Context AI to investigate the March 2026 breach of their AWS environment. Standard incident response focuses on the systems that were explicitly accessed — AWS infrastructure, internal tooling. OAuth tokens issued to end users are often out of scope for a pure infrastructure investigation unless the investigator knows to look specifically for them. Context AI stated that 'based on information provided by Vercel and some additional internal investigation' they learned the breach was broader than initially understood. This is a documented gap in how most organizations scope incident response for SaaS breaches: the OAuth tokens that users have issued represent a separate blast radius that requires explicit investigation. Source: Context AI security bulletin, April 19, 2026; DevOps Daily, April 20, 2026.

05. Who is ShinyHunters and are they responsible?

ShinyHunters is a well-documented cybercriminal group known for targeting cloud-based and database companies. They were responsible for the 2024 Ticketmaster breach. A threat actor using the ShinyHunters persona has claimed responsibility for the Vercel breach on BreachForums and is reportedly selling the data for $2 million. However, ShinyHunters told BleepingComputer they are not involved in this incident. Attribution in cybercrime incidents is frequently contested — claiming association with a known group inflates the perceived value of stolen data and can be inaccurate. Vercel has stated it has not received any communication from the threat actor. The investigation is ongoing. Source: TechCrunch, April 20, 2026; The Hacker News, April 20, 2026.

06. What is the 'OAuth bypass of MFA' issue this attack exploited?

When you connect a third-party app to your Google account using OAuth, Google issues that app a token — a cryptographic credential that lets the app act on your behalf. This token is issued after you authenticate with MFA. But once issued, it does not expire automatically and does not require re-authentication. If an attacker steals that token (by compromising the app's server, where tokens are stored), they can use it as if they are you — without ever needing your password, MFA code, hardware key, or any other factor you've enabled. OAuth tokens are effectively 'permanent authenticated sessions' unless explicitly revoked. The defense is limiting OAuth scopes (read-only where possible), auditing what apps have tokens for your accounts, and revoking tokens for apps you no longer use. Source: Varonis, April 20, 2026; Context AI security bulletin, April 19, 2026.

Pro Tip

The single most important action from this breach for every developer and engineering team: log into your Google Workspace Admin Console today and audit which third-party applications have OAuth tokens for your team's accounts. The specific question is: which apps have 'broad' or 'all' access to employee Google Drives, emails, or calendars? Revoke access for any app that is not actively business-critical. For apps you keep, change permissions to the minimum scope required. The IOC from Vercel for this specific incident: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. Check if this is present and revoke it immediately if so. This audit should take 20 minutes and is the direct defense against the attack class this incident defines. Source: Vercel security bulletin, April 19, 2026; Varonis, April 20, 2026.
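
The audit described above can also be run over exported grant data. The following is an added example, not code from Vercel, Google or the original article: it flags any grant to the IOC client ID and any grant carrying account-wide Drive, Gmail or Calendar scopes. The input shape (user email mapped to token records with clientId, displayText and scopes, the field names used by the Admin SDK Directory API tokens resource) and all sample records are assumptions constructed for illustration.

```python
# OAuth app IOC quoted in the article from Vercel's security bulletin.
IOC_CLIENT_IDS = {
    "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com",
}

# Google OAuth scopes that grant account-wide access rather than per-file access.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive": "all Drive files (read/write)",
    "https://www.googleapis.com/auth/drive.readonly": "all Drive files (read)",
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "all mail (read)",
    "https://www.googleapis.com/auth/calendar": "all calendars (read/write)",
}

# Constructed export: user email -> token records. Users, app names and the
# non-IOC client IDs are made up for this example.
SAMPLE_GRANTS = {
    "dev1@example.com": [
        {
            "clientId": "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com",
            "displayText": "Constructed AI assistant",
            "scopes": [
                "https://www.googleapis.com/auth/drive.readonly",
                "https://www.googleapis.com/auth/userinfo.email",
            ],
        },
        {
            "clientId": "222222222222-constructed.apps.googleusercontent.com",
            "displayText": "Constructed diagram tool",
            "scopes": ["https://www.googleapis.com/auth/drive.file"],
        },
    ],
    "pm2@example.com": [
        {
            "clientId": "333333333333-constructed.apps.googleusercontent.com",
            "displayText": "Constructed meeting notes bot",
            "scopes": [
                "https://www.googleapis.com/auth/calendar",
                "https://mail.google.com/",
            ],
        },
    ],
}


def audit_grants(grants_by_user, ioc_client_ids=IOC_CLIENT_IDS):
    """Return findings for IOC grants first, then grants with broad scopes."""
    iocs = {c.strip().lower() for c in ioc_client_ids}
    findings = []
    for user, tokens in grants_by_user.items():
        for tok in tokens:
            client_id = tok.get("clientId", "").strip().lower()
            broad = sorted(s for s in tok.get("scopes", []) if s in BROAD_SCOPES)
            if client_id in iocs:
                severity = "ioc"      # revoke, then treat the account's data as exposed
            elif broad:
                severity = "broad"    # review: reduce scope or revoke if not needed
            else:
                continue              # narrow grant such as drive.file or sign-in only
            findings.append({
                "user": user,
                "client_id": client_id,
                "app": tok.get("displayText", ""),
                "severity": severity,
                "broad_scopes": broad,
            })
    findings.sort(key=lambda f: (f["severity"] != "ioc", f["user"], f["client_id"]))
    return findings


def users_with_ioc_grant(findings):
    """Accounts whose grant to the IOC app needs revocation and follow-up."""
    return sorted({f["user"] for f in findings if f["severity"] == "ioc"})


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        access = ", ".join(BROAD_SCOPES[s] for s in f["broad_scopes"]) or "n/a"
        print(f'{f["severity"].upper():5} {f["user"]:18} {f["app"]} -> {access}')
```
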
