Web infrastructure provider Vercel has disclosed a security breach that allowed bad actors to gain unauthorized access to "certain" internal Vercel systems.
The incident stemmed from the compromise of Context.ai, a third-party artificial intelligence (AI) tool that was used by an employee at the company.
"The attacker used that access to take over the employee's Vercel Google Workspace account, which enabled them to gain access to some Vercel environments and environment variables that were not marked as 'sensitive,'" the company said in a bulletin.
Vercel said environment variables marked as "sensitive" are stored in an encrypted manner that prevents them from being read, and that there is currently no evidence suggesting that those values were accessed by the attacker.
It described the threat actor behind the incident as "sophisticated" based on their "operational velocity and detailed understanding of Vercel's systems." The company also said it's working with Google-owned Mandiant and other cybersecurity firms, as well as notifying law enforcement and engaging with Context.ai to better understand the full scope of the breach.
A "limited subset" of customers is said to have had their credentials compromised, with Vercel reaching out to them directly and urging them to rotate their credentials with immediate effect. The company is continuing to investigate what data was exfiltrated, and plans to contact customers if further evidence of compromise is discovered.
Vercel is also advising Google Workspace administrators and Google account owners to check for the following OAuth application (client ID):
110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com
As additional mitigations, the following best practices have been recommended -
- Enable multi-factor authentication.
- Review activity log for signs of suspicious activity.
- Audit and rotate environment variables that contain secrets and are not marked as sensitive. Use sensitive environment variables to ensure secrets are protected.
- Investigate recent deployments for anything unexpected or suspicious. Ensure that Deployment Protection is set to Standard at a minimum.
- Rotate Deployment Protection tokens, if set.
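The two environment-variable items in the list above (audit variables that hold secrets but are not marked sensitive, rotate them, and re-create them as sensitive) can be scripted against the JSON that Vercel's project environment-variables endpoint returns. The following Python is an added example written for this article, not Vercel's code or tooling; it assumes the response shape of `GET /v9/projects/{id}/env` (an `envs` list whose items carry `id`, `key`, `value`, `type` and `target`, with `type` one of `plain`, `encrypted`, `secret`, `sensitive`, `system`), uses a constructed sample in place of a live API call, and the name-pattern, credential-in-URL and entropy heuristics are the author's own.

```python
import math
import re
from collections import Counter

# Name fragments that almost always mean the variable holds a credential.
SECRET_NAME_RE = re.compile(r"(KEY|TOKEN|SECRET|PASS(WORD)?|CREDENTIAL|DSN|PRIVATE)", re.I)
# A URL with userinfo (scheme://user:password@host) embeds a credential in the value.
CREDENTIAL_URL_RE = re.compile(r"://[^/\s:@]+:[^@\s]+@")

# Assumed shape of the items in GET /v9/projects/{id}/env with decrypted values.
# This sample is constructed for the example; it is not real project data.
SAMPLE_ENVS = [
    {"id": "env_1", "key": "DATABASE_URL", "type": "encrypted",
     "value": "postgres://app:s3cr3tpassw0rd@db.internal:5432/app",
     "target": ["production"]},
    {"id": "env_2", "key": "STRIPE_SECRET_KEY", "type": "encrypted",
     "value": "sk_live_placeholder", "target": ["production"]},
    {"id": "env_3", "key": "NEXT_PUBLIC_ANALYTICS_KEY", "type": "plain",
     "value": "pk_placeholder", "target": ["production", "preview"]},
    {"id": "env_4", "key": "API_SIGNING_KEY", "type": "sensitive",
     "target": ["production"]},  # sensitive: the API never returns the value
    {"id": "env_5", "key": "UPSTREAM_ID", "type": "plain",
     "value": "k9Qz2mN7pL4vR8tX1wB6hJ3c", "target": ["preview"]},
    {"id": "env_6", "key": "LOG_LEVEL", "type": "plain",
     "value": "info", "target": ["development"]},
]


def shannon_entropy(s: str) -> float:
    """Bits per character: random API keys land well above 3.5, words and flags below."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(key: str, value: str) -> bool:
    # NEXT_PUBLIC_* is inlined into the browser bundle by design. It is public
    # whatever its name says, so it must never hold a secret and the 'sensitive'
    # type cannot protect it; it is excluded rather than flagged.
    if key.startswith("NEXT_PUBLIC_"):
        return False
    if SECRET_NAME_RE.search(key) or CREDENTIAL_URL_RE.search(value):
        return True
    return len(value) >= 20 and shannon_entropy(value) > 3.5


def audit_envs(envs: list[dict]) -> list[dict]:
    """Return the variables that should be rotated and re-created as 'sensitive'."""
    findings = []
    for env in envs:
        if env.get("type") == "sensitive":
            continue  # stored so the value cannot be read back; nothing to do
        if looks_like_secret(env["key"], env.get("value", "")):
            findings.append({
                "id": env["id"], "key": env["key"], "type": env["type"],
                "target": env.get("target", []),
                # After rotating the secret at its issuer, re-create it with this
                # type so the new value cannot be read from the dashboard or API.
                "recreate_as": {"type": "sensitive", "key": env["key"],
                                "target": env.get("target", [])},
            })
    return findings


if __name__ == "__main__":
    for f in audit_envs(SAMPLE_ENVS):
        print(f"ROTATE {f['key']} (currently type={f['type']}, target={f['target']})")
```

Run over the sample, the audit flags `DATABASE_URL` (credentials embedded in the connection string), `STRIPE_SECRET_KEY` (by name) and `UPSTREAM_ID` (a 24-character high-entropy value with an innocuous name), skips the variable already stored as sensitive, and deliberately ignores `NEXT_PUBLIC_ANALYTICS_KEY` because anything with that prefix is shipped to the browser regardless of how it is stored. Rotation means issuing a new secret at the upstream provider first; only then is re-creating the variable as sensitive worth anything, since the attacker already holds the old value.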
While Vercel has yet to share details about which of its systems were broken into, how many customers were affected, and who may be behind it, a threat actor using the ShinyHunters persona has claimed responsibility for the hack, selling the stolen data for an asking price of $2 million.
Context.ai has also published a security bulletin in which it disclosed a March 2026 incident that saw it identify and block unauthorized access to its AWS environment. However, it has since emerged that the attacker also likely compromised OAuth tokens for some of its consumer users.
"We also learned that the unauthorized actor appears to have used a compromised OAuth token to access Vercel's Google Workspace," the company said. "Vercel is not a Context customer, but it appears at least one Vercel employee signed up for the AI Office Suite using their Vercel enterprise account and granted 'Allow All' permissions. Vercel's internal OAuth configurations appear to have allowed this action to grant these broad permissions in Vercel's enterprise Google Workspace."
Context.ai said it immediately alerted all impacted customers and provided them with the necessary steps they needed to take. It did not reveal how many customers were affected by the breach.
In a report published today, Hudson Rock said it found that a Context.ai employee's machine was infected with Lumma Stealer in February 2026, raising the possibility that the infection triggered the "supply chain escalation." The corporate credentials harvested by the stealer included Google Workspace credentials, along with keys and logins for Supabase, Datadog, and Authkit.
Also present among the stolen records was the "support@context.ai" account, likely allowing the threat actor to escalate privileges, bypass security controls, and successfully pivot into Vercel's infrastructure. The user is assessed to be a core member of the "context-inc" Vercel team.
"Logs indicate the user was actively searching for and downloading game exploits, specifically Roblox 'auto-farm' scripts and executors," the cybersecurity company said. "These types of malicious downloads are notorious vectors for Lumma Stealer deployments."
"We've deployed extensive protection measures and monitoring. We've analyzed our supply chain, ensuring Next.js, Turbopack, and our many open source projects remain safe for our community," Vercel CEO Guillermo Rauch said in a post on X.
"In response to this, and to aid in the improvement of all of our customers’ security postures, we've already rolled out new capabilities in the dashboard, including an overview page of environment variables, and a better user interface for sensitive environment variable creation and management."
Update
In an update shared on April 20, 2026, Vercel said it collaborated with Microsoft, GitHub, npm, and Socket and found no evidence of its npm packages being compromised as a result of the breach. The company also said it's releasing updates aimed at improving security posture, including defaulting environment variable creation to "sensitive" and enhancing team-wide management of environment variables.
Additional details shared by Jaime Blasco, CTO of Nudge Security, revealed that Google also removed Context.ai's Google Chrome extension (ID: omddlmnhcofjbnbflmjginpjjblphbgk) from the Chrome Web Store on March 27, 2026. The extension embeds a second OAuth client ID, whose grant gives read access to a user's Google Drive files -
110671459871-f3cq3okebd3jcg1lllmroqejdbka8cqq.apps.googleusercontent.com
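Checking a Workspace tenant for the client ID in Vercel's bulletin and the one embedded in the extension can be scripted over the output of the Admin SDK Directory API's `users.tokens.list` call (the same data the admin console shows under a user's connected applications). The following Python is an added example for this article, not code from Vercel, Google or Nudge Security; the inventory is a constructed sample standing in for the API response, the field names assume that endpoint's Token resource (`clientId`, `displayText`, `scopes`, `anonymous`, `nativeApp`), and the project-prefix match and the high-risk scope list are the author's own heuristics.

```python
# Client IDs listed in this article: the one from Vercel's bulletin and the one
# embedded in Context.ai's removed Chrome extension.
CONTEXT_AI_CLIENT_IDS = {
    "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com",
    "110671459871-f3cq3okebd3jcg1lllmroqejdbka8cqq.apps.googleusercontent.com",
}
# The leading number of a Google OAuth client ID is the Cloud project number, so
# both IDs above belong to one project. Matching on the prefix also catches any
# further clients from that project (an inference by the example's author, not
# something Vercel's bulletin states).
CONTEXT_AI_PROJECT_PREFIX = "110671459871-"

# Scopes that hand an app wholesale access to mail, files or the directory.
HIGH_RISK_SCOPE_PREFIXES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory",
)

# Constructed sample in the shape of users.tokens.list output, one list per user.
# Users, the third-party client IDs and display names are made up for the example.
SAMPLE_INVENTORY = {
    "alice@example.com": [
        {"clientId": "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com",
         "displayText": "Context", "anonymous": False, "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/gmail.modify",
                    "https://www.googleapis.com/auth/drive",
                    "https://www.googleapis.com/auth/userinfo.email"]},
        {"clientId": "999999999999-abc.apps.googleusercontent.com",
         "displayText": "Calendar helper", "anonymous": False, "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    ],
    "bob@example.com": [
        {"clientId": "110671459871-zzzz.apps.googleusercontent.com",  # same project, unlisted client
         "displayText": "Context Drive", "anonymous": False, "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
        {"clientId": "888888888888-xyz.apps.googleusercontent.com",
         "displayText": "Unknown uploader", "anonymous": False, "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
    ],
}


def classify_token(tok: dict) -> tuple[str, list[str]]:
    """Decide what to do with one grant: 'revoke', 'review' or 'ok'."""
    cid = tok.get("clientId", "")
    risky = [s for s in tok.get("scopes", []) if s.startswith(HIGH_RISK_SCOPE_PREFIXES)]
    if cid in CONTEXT_AI_CLIENT_IDS:
        return "revoke", risky   # exactly the IDs named in the advisories
    if cid.startswith(CONTEXT_AI_PROJECT_PREFIX):
        return "revoke", risky   # another client from the same project
    if risky:
        return "review", risky   # broad scopes on an app not tied to this incident
    return "ok", risky


def audit_inventory(inventory: dict[str, list[dict]]) -> list[dict]:
    """Flatten the per-user token lists into a list of grants needing action."""
    findings = []
    for user, tokens in inventory.items():
        for tok in tokens:
            verdict, risky = classify_token(tok)
            if verdict == "ok":
                continue
            findings.append({
                "user": user, "clientId": tok.get("clientId", ""),
                "displayText": tok.get("displayText", ""),
                "action": verdict, "highRiskScopes": risky,
            })
    return findings


if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        # Revocation is users.tokens.delete(userKey=<user>, clientId=<clientId>)
        # in the Directory API; this example only reports, it does not call it.
        print(f"{f['action'].upper():6} {f['user']} {f['displayText']!r} "
              f"{f['clientId']} scopes={f['highRiskScopes']}")
```

On the sample this reports two grants to revoke (the listed Context.ai client on one user and an unlisted client from the same project on another) and one to review (an unrelated app holding a Gmail read scope), and stays silent about the calendar helper. Revoking the token only closes the door for tokens still in the attacker's hands; it does not undo mail or Drive data already read through the grant, which is why the Vercel advice pairs the check with activity-log review and credential rotation.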
OX Security, in its own analysis of the incident, said the initial access began when the Vercel employee installed the Context.ai browser extension and signed into it using their enterprise Google account, enabling the attacker to obtain unauthorized access and burrow deeper into Vercel's environment.
Although a group claiming to be ShinyHunters has taken responsibility for the attack, Austin Larsen, principal threat analyst at Google Threat Intelligence Group (GTIG), noted in a LinkedIn post that the threat actor behind the attack is likely an "imposter attempting to use an established name to inflate their notoriety."
"This is the new attack surface, and we've seen it play out over and over again in the last year," Blasco said. "Salesloft Drift, Gainsight, etc. Now Context.ai and Vercel. Different vendors, same story: attackers compromise a small AI or SaaS vendor, steal the OAuth tokens that vendor holds on behalf of its customers, and walk into hundreds of downstream enterprises using credentials the platform was designed to issue."
"None of this required a novel AI attack technique. Agentic AI makes it worse because these platforms sit at the center of a hub of OAuth grants with expansive scopes, usually at young companies without mature security programs behind them. OAuth is the new lateral movement. Until the industry treats OAuth tokens as high-value credentials, we're going to keep reading the same breach writeup with the vendor names swapped out."
(The story was updated after publication to reflect the latest developments.)