Threat / Marketing & bulk mail

Fake Vercel / Netlify / Cloudflare-Pages PR-preview env-var exfil click-through lure — "Vercel preview ready — review env scrape route" / "Netlify deploy preview exposes process.env.NEXT_PUBLIC_API_KEY and adds a /api/_debug endpoint dumping the full env." Fires only when the sender is NOT on the canonical preview-deploy / SCM allowlist (vercel.com, vercel.app, netlify.com, netlify.app, cloudflare.com, pages.dev, workers.dev, github.com, githubusercontent.com, githubapp.com, gitlab.com, bitbucket.org, render.com, fly.io, railway.app, heroku.com, firebase.google.com, amplifyapp.com, amazonaws.com). Real preview-deploy notifications ship from the vendor's no-reply address, link to the verified preview URL, and never advertise an env-dumping endpoint. Distinct from R7 GHA-disclosure-lure and R8 cloud-build-matrix: this signal is specifically the *PR-preview env exfil* pretext (a Vercel deploy-preview workflow in which a PR adds a `/api/_debug` route to the preview branch that exposes `process.env.NEXT_PUBLIC_*` and leaks server-side env vars, and the lure click-through is what scrapes the env). Source: Red-Team R8 multi-agent council S1 (supply-chain specialist).

vercel-pr-preview-env-exfil-lure

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Fake Vercel / Netlify / Cloudflare-Pages PR-preview env-var exfil click-through lure targeting front-end engineers and Next.js / SvelteKit / Astro maintainers. The phish narrative arrives as: "Your Vercel preview deployment is ready for review. The preview branch exposes process.env.NEXT_PUBLIC_API_KEY and adds a /api/_debug route that dumps server-side env vars. Click below within 24 hours to review the deploy preview. Action required," or "A new Netlify deploy preview branch has been built. The preview exposes process.env.NEXT_PUBLIC_* and adds an /api/_debug endpoint dumping the full env. Please click below within 48 hours to review the preview deploy. Mandatory."

The PR-preview env-exfil attack pattern: an attacker opens a PR against the maintainer's repo that adds a `/api/_debug` route (or a similar endpoint) which serializes `process.env`, so the auto-built deploy preview serves not only the `NEXT_PUBLIC_*` values, which Next.js inlines into the client bundle by design, but also whatever server-side secrets the project's environment carries. The attacker then advertises that preview in a Renovate-styled / Vercel-styled email lure asking the maintainer to "review the deploy preview." When the maintainer clicks through to the preview URL, the attacker-controlled `_debug` route renders the env in the response, and prepared headers / iframes in the page forward it to the attacker. The bait is deliberate: `NEXT_PUBLIC_*` variables are public by design, so a notification that presents them as a leak needing urgent review is written to alarm an engineer, not to inform one, and no vendor asks anyone to "review" an env dump.

Real preview-deploy notifications come from the canonical preview-deploy vendor (vercel.com, netlify.com, cloudflare.com, etc.), ship from the vendor's no-reply address, link to the verified preview URL, and do not advertise env-var exfil endpoints. The signal therefore requires the sender to be NOT on the canonical preview-deploy / SCM allowlist (vercel.com, vercel.app, netlify.com, netlify.app, cloudflare.com, pages.dev, workers.dev, github.com, githubusercontent.com, githubapp.com, gitlab.com, bitbucket.org, render.com, fly.io, railway.app, heroku.com, firebase.google.com, amplifyapp.com, amazonaws.com). Distinct from R7 GHA-disclosure-lure and R8 cloud-build-matrix: this signal is specifically the *PR-preview env exfil* pretext (Vercel deploy-preview workflow).
Fires when the sender domain is not on the canonical preview-deploy / SCM / cloud-host allowlist and the body matches all four of the following term groups:

- a preview-deploy reference: "vercel (preview / deploy(ment) preview)", "netlify (deploy) preview", "cloudflare-pages preview", "pr-preview", "deploy-preview", "preview (branch / deployment / deploy)", "preview ready";
- an env-var reference: "process.env(.NEXT_PUBLIC* / .<VAR>)", "env vars", "env-var(iable)(s)", "NEXT_PUBLIC_*", "/api/_debug", "api _debug", "_debug (route / endpoint)", "debug (route / endpoint) that dumps", "server-side env (vars / variables)", "env scrape", "env (dump / exfil / leak)";
- a click-through call to action: "click (below / here) (within / to (review / view))", "review (the) (deploy preview / preview / preview deploy(ment) / env)", "view (the) (deploy preview / preview / preview deployment)", "please click (below / here / on)";
- an urgency cue: "within N hours / days", "24-48 hours", "action required", "mandatory", "preview (will) (expire / be rejected / be removed)".

Because SCM hosts are on the exclusion list, the same pretext relayed through a genuine GitHub or GitLab notification (a PR comment, for instance, arrives from github.com) is not matched by this signal and is left to the other modules. The signal is auto-classified as danger via the `-lure` suffix. Source: Red-Team R8 multi-agent council S1 (supply-chain specialist).
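The rule above, written out as runnable Python so the four conjunctive term groups and the sender exclusion can be tried against sample mail. This is an added example, not Gorganizer's code; the regexes are one reading of the term lists on this page, the sender-domain check is done on whole domain labels (an assumption about how such an allowlist should be applied, not a statement about the product), and the sample messages and the `.example` sender domains are constructed for the demonstration.

```python
import re

# Toy re-implementation of the rule described above (example code, not Gorganizer's).
SIGNAL_NAME = "vercel-pr-preview-env-exfil-lure"

# Canonical preview-deploy / SCM / cloud-host sender domains, as listed on the page.
ALLOWLIST = frozenset({
    "vercel.com", "vercel.app", "netlify.com", "netlify.app", "cloudflare.com",
    "pages.dev", "workers.dev", "github.com", "githubusercontent.com",
    "githubapp.com", "gitlab.com", "bitbucket.org", "render.com", "fly.io",
    "railway.app", "heroku.com", "firebase.google.com", "amplifyapp.com",
    "amazonaws.com",
})

# The four conjunctive term groups from the rule; every group must hit the body.
TERM_GROUPS = {
    "preview": re.compile(
        r"vercel\s+(?:deploy(?:ment)?\s+)?preview|netlify\s+(?:deploy\s+)?preview"
        r"|cloudflare[-\s]pages\s+preview|\bpr[-\s]preview|deploy[-\s]preview"
        r"|preview\s+(?:branch|deployment|deploy)\b|preview\s+ready", re.I),
    "env": re.compile(
        r"process\.env(?:\.[A-Za-z_][A-Za-z0-9_]*)?|\benv[-\s]?var(?:iable)?s?\b"
        r"|NEXT_PUBLIC_[A-Z0-9_]*|/api/_debug|\bapi\s+_debug|_debug\s+(?:route|endpoint)"
        r"|debug\s+(?:route|endpoint)\s+that\s+dumps|server[-\s]side\s+env"
        r"|\benv\s+(?:scrape|dump|exfil|leak)", re.I),
    "cta": re.compile(
        r"click\s+(?:below|here)"
        r"|review\s+(?:the\s+)?(?:deploy\s+preview|preview\s+deploy(?:ment)?|preview|env)\b"
        r"|view\s+(?:the\s+)?(?:deploy\s+preview|preview\s+deployment|preview)\b"
        r"|please\s+click\s+(?:below|here|on)", re.I),
    "urgency": re.compile(
        r"within\s+\d+(?:\s*-\s*\d+)?\s*(?:hours?|days?)|\b(?:24|48)\s*hours?\b"
        r"|action\s+required|\bmandatory\b"
        r"|preview\s+(?:will\s+)?(?:be\s+)?(?:expir\w*|rejected|removed)", re.I),
}

def tier_for(signal_name: str) -> str:
    """A '-lure' suffix auto-classifies the signal as danger, per the page."""
    return "danger" if signal_name.endswith("-lure") else "neutral"

def sender_domain(from_header: str) -> str:
    """Domain of the From address, accepting 'Name <user@host>' or bare 'user@host'."""
    match = re.search(r"<([^>]+)>", from_header)
    addr = match.group(1) if match else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")

def on_allowlist(domain: str) -> bool:
    """True only for an allowlisted domain or a subdomain of one (assumed semantics).

    Matching on label boundaries matters: a plain substring or 'in' test would
    also pass look-alikes such as 'vercel.com.example' or 'notvercel.com'.
    """
    return any(domain == allowed or domain.endswith("." + allowed) for allowed in ALLOWLIST)

def evaluate(from_header: str, body: str) -> dict:
    """Apply the rule to one message: all four term groups AND a non-allowlisted sender."""
    domain = sender_domain(from_header)
    groups = {name: bool(rx.search(body)) for name, rx in TERM_GROUPS.items()}
    allowlisted = on_allowlist(domain)
    fires = all(groups.values()) and not allowlisted
    return {
        "signal": SIGNAL_NAME,
        "fires": fires,
        "tier": tier_for(SIGNAL_NAME) if fires else None,
        "sender_domain": domain,
        "allowlisted": allowlisted,
        "groups": groups,
    }

# Constructed sample mail for this example; none of it is real traffic.
LURE_BODY = (
    "Your Vercel preview deployment is ready for review. The preview branch exposes "
    "process.env.NEXT_PUBLIC_API_KEY and adds a /api/_debug route that dumps server-side "
    "env vars. Click below within 24 hours to review the deploy preview. Action required."
)
BENIGN_BODY = "Your Vercel preview deployment is ready. Visit the preview URL to view your changes."
SAMPLE_MESSAGES = [
    ("Vercel <noreply@vercel-deploy-review.example>", LURE_BODY),        # fires
    ("Vercel <notifications@vercel.com>", LURE_BODY),                    # excluded: allowlisted sender
    ("Vercel <noreply@vercel.com.review-preview.example>", LURE_BODY),  # look-alike domain: fires
    ("Vercel <noreply@vercel-deploy-review.example>", BENIGN_BODY),      # no env/CTA/urgency terms
]

def run_samples() -> list:
    return [evaluate(from_header, body) for from_header, body in SAMPLE_MESSAGES]

if __name__ == "__main__":
    for result in run_samples():
        print(result["sender_domain"], "->", "FIRES" if result["fires"] else "no", result["groups"])
```

The third sample is the case worth keeping in mind when implementing any such exclusion: `vercel.com.review-preview.example` contains the allowlisted string but is not a subdomain of vercel.com, so it must still fire. The fourth shows that the preview-deploy vocabulary alone is not enough; a plain "your preview is ready" notice from an unknown domain does not trip the signal because the env, call-to-action and urgency groups are all absent.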

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.

Ready to clean your inbox?

Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.
