OAuth marketplace apps keep access after publishers vanish
ID: 893caae6-0a01-5cd2-bbaa-ba45f4cd7e39
STIX ID: report--893caae6-0a01-5cd2-bbaa-ba45f4cd7e39
Feed Name: Help Net Security
### Executive summary

An Offroad/OAuth audit of 2,890 public marketplace OAuth apps (1,595 Google Workspace, 1,295 GitHub) found 918 apps (32%) showing at least one exposure signal: overbroad scopes relative to function, AI apps with broad write access, dead or buyable publisher domains, or domain threat-intel flags. Together these apps cover a lower-bound combined install footprint of roughly 1.85 billion. The audit highlights large-scale supply-chain and identity risks arising from long-lived OAuth grants and limited continuous marketplace re-validation, and recommends inventorying grants, tighter scope justification, monitoring of high-privilege actions, separation of AI apps, and scheduled rotation or revocation of high-risk authorizations.
