- Attack vector: OAuth. Third-party AI tool OAuth token compromise (Context.ai → Google Workspace → Vercel)
- Data at risk: Env vars. Non-sensitive environment variables exposed; sensitive (encrypted) vars show no evidence of access
- Asking price: $2M. ShinyHunters persona listing stolen data; sophisticated actor with deep Vercel knowledge
- Root cause: Infostealer. Lumma Stealer on Context.ai employee device; Feb 2026 infection triggered the chain
How the attack unfolded — step by step
The breach did not start at Vercel. It started months earlier with a malware infection on a device belonging to a Context.ai employee.
In February 2026, Hudson Rock found evidence that the Context.ai employee was compromised with Lumma Stealer — a commodity infostealer sold on criminal forums. The stolen credentials included Google Workspace logins, Supabase keys, Datadog tokens, and Authkit logins. The “support@context.ai” account was among the harvested records.
The employee had apparently been downloading Roblox “auto-farm” scripts — a classic Lumma Stealer delivery vector. With those credentials in hand, the attacker gained access to Context.ai's AWS environment in March 2026.
Context.ai said it identified and blocked the intrusion — but the attacker had already harvested OAuth tokens for consumer users of the product, including at least one Vercel employee who had signed up with their enterprise Google account and granted “Allow All” permissions.
The pivot: from Context.ai into Vercel
With a live OAuth token tied to a Vercel employee's Google Workspace account, the attacker pivoted directly into Vercel's internal systems.
According to Vercel, the attacker accessed environment variables not marked as “sensitive” across Vercel environments. Environment variables flagged as sensitive are stored encrypted and cannot be read even by Vercel employees — the company says there is currently no evidence those were accessed.
Vercel described the threat actor as “sophisticated” — citing their operational velocity and detailed understanding of Vercel's systems.
| Stage | What happened | When |
|---|---|---|
| 1. Initial infection | Lumma Stealer deployed on Context.ai employee device via malicious game script download | Feb 2026 |
| 2. Credential harvest | Google Workspace, Supabase, Datadog, Authkit credentials stolen including support@context.ai | Feb 2026 |
| 3. AWS intrusion | Attacker gains unauthorized access to Context.ai's AWS environment | March 2026 |
| 4. OAuth token theft | OAuth tokens for Context.ai consumer users harvested — including a Vercel employee's enterprise token | March 2026 |
| 5. Google Workspace takeover | Attacker uses OAuth token to take over Vercel employee's Google Workspace account | April 2026 |
| 6. Vercel env access | Internal Vercel environments accessed; non-sensitive environment variables read | April 2026 |
| 7. Public disclosure | Vercel publishes security bulletin; ShinyHunters claims breach, lists data for $2M | April 20, 2026 |
ShinyHunters and the $2 million listing
A threat actor using the ShinyHunters persona — a name associated with high-profile breaches including Ticketmaster (2024) — has claimed responsibility for the Vercel hack and is reportedly selling the stolen data for an asking price of $2 million.
Vercel has not confirmed which specific data was exfiltrated or how many customers are affected. A “limited subset” of customers has been contacted directly with instructions to rotate credentials.
The company is working with Google-owned Mandiant, additional cybersecurity firms, and law enforcement. It has also engaged Context.ai to establish the full scope of the breach.
What Vercel users need to do right now
Vercel has published official guidance. Here is the full checklist, translated from their bulletin into plain language.
Check your Vercel activity log
Go to vercel.com/activity-log and look for any unexpected deployments, environment variable reads, or access patterns you do not recognise.
Audit and rotate all non-sensitive environment variables
If any environment variable stores a secret (API key, DB connection string, webhook token) and is NOT marked sensitive, rotate it immediately. Then mark it sensitive going forward.
Mark secrets as sensitive
Sensitive environment variables are stored encrypted and cannot be read even by Vercel. Any secret that is not marked sensitive right now is readable by anyone who gains account access.
Audit recent deployments
Review your last 30 days of deployments for anything unexpected. Enable Deployment Protection, with Standard Protection as the minimum level.
Rotate Deployment Protection tokens
If you use Protection Bypass tokens for automation, rotate them now and check which systems hold the current values.
Check for the Context.ai OAuth app in Google Workspace
If your team uses Google Workspace, check for this OAuth client ID: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com — if present, revoke it.
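As an added example (not Vercel's or Google's tooling, and not from the bulletin), a small Python triage for two of the steps above: flagging secret-looking Vercel environment variables that are not marked sensitive, and flagging Workspace OAuth grants that are the Context.ai client or carry broad scopes. The record shapes, field names and the list of "broad" scopes are assumptions about the Vercel REST API (`GET /v9/projects/{id}/env`) and the Admin SDK Directory API `users.tokens.list`; the sample records are constructed.

```python
import re

# Context.ai OAuth client ID quoted in Vercel's bulletin (taken from the page)
CONTEXT_AI_CLIENT_ID = (
    "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"
)
# Heuristic: env var names that usually hold credentials (tune per project)
SECRET_NAME = re.compile(r"KEY|SECRET|TOKEN|PASSW|DSN|DATABASE_URL|WEBHOOK", re.I)
# Scope prefixes that amount to "Allow All" over mail, files and admin (assumed list)
BROAD_SCOPES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory",
)

def unprotected_secrets(envs):
    """Names of secret-looking vars whose type is not 'sensitive'.
    Assumes Vercel env records carry 'key' and 'type'; 'encrypted' and
    'plain' values are still readable by anyone with project access."""
    return sorted(e["key"] for e in envs
                  if SECRET_NAME.search(e["key"]) and e.get("type") != "sensitive")

def risky_grants(user, tokens):
    """(user, clientId, reason) for each Directory API token record that is the
    Context.ai app or carries a broad scope. Assumes 'clientId' and 'scopes'."""
    hits = []
    for t in tokens:
        broad = [s for s in t.get("scopes", []) if s.startswith(BROAD_SCOPES)]
        if t["clientId"] == CONTEXT_AI_CLIENT_ID:
            hits.append((user, t["clientId"], "Context.ai app present: revoke"))
        elif broad:
            hits.append((user, t["clientId"], "broad scope: " + ", ".join(broad)))
    return hits

# Constructed sample API responses (not real data)
SAMPLE_ENVS = [
    {"key": "NEXT_PUBLIC_API_URL", "type": "plain", "target": ["production"]},
    {"key": "DATABASE_URL", "type": "encrypted", "target": ["production"]},
    {"key": "STRIPE_SECRET_KEY", "type": "sensitive", "target": ["production"]},
    {"key": "SLACK_WEBHOOK", "type": "encrypted", "target": ["preview"]},
]
SAMPLE_TOKENS = {"alice@example.com": [
    {"clientId": CONTEXT_AI_CLIENT_ID, "displayText": "Context",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    {"clientId": "mail-sync.apps.googleusercontent.com", "displayText": "Mail sync",
     "scopes": ["https://mail.google.com/"]},
    {"clientId": "cal.apps.googleusercontent.com", "displayText": "Calendar helper",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]}

if __name__ == "__main__":
    print("rotate and mark sensitive:", unprotected_secrets(SAMPLE_ENVS))
    for user, toks in SAMPLE_TOKENS.items():
        for hit in risky_grants(user, toks):
            print("revoke/review:", hit)
```

Feed the real `envs` array and each user's `items` array from the two APIs into these functions in place of the samples; vars in the first list need rotation as well as re-marking, since their current values were readable.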
The real lesson: third-party AI tools are a new attack surface
This breach did not start with a Vercel vulnerability. It started with an employee downloading a gaming cheat script for personal use, which installed an infostealer on a machine with access to a third-party AI tool that had broad OAuth permissions to enterprise infrastructure.
That chain — personal device compromise → credential theft → third-party SaaS → enterprise identity system → production infrastructure — is exactly the model that nation-state actors and organised criminal groups have been refining for the past three years.
The attack surface for any business is no longer defined by the tools it controls — it is defined by the tools its employees and vendors use and the permissions those tools carry.
Vercel CEO Guillermo Rauch stated that Next.js, Turbopack, and Vercel's open source projects remain safe — but the company has already shipped new dashboard tooling for environment variable management and sensitivity controls in response to this incident.
Organisation-level controls that would have broken this chain
| Control | Where it breaks the chain | Difficulty |
|---|---|---|
| OAuth app allowlisting | Prevents unapproved apps from connecting to Google Workspace at all | Low |
| Least-privilege OAuth scopes | Limits what a compromised token can access — no “Allow All” | Low |
| Endpoint detection on all work devices | Detects Lumma Stealer before credential harvest | Medium |
| Device posture checks for SSO | Blocks sign-in from compromised or unmanaged devices | Medium |
| All secrets marked sensitive | Encrypted at rest — unreadable even by an authenticated attacker | Low |
| Third-party vendor security review | Ensures AI tools comply with security standards before adoption | Medium |
Sources
- Vercel Security Bulletin — April 2026 (vercel.com/kb/bulletin/vercel-april-2026-security-incident)
- Context.ai Security Update — April 2026 (context.ai/security-update)
- Hudson Rock — “Vercel Breach Linked to Infostealer Infection at Context AI” (infostealers.com)
- The Hacker News — “Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials” — April 20, 2026