On April 19, 2026, Vercel — the cloud platform behind the widely adopted Next.js web framework and a core piece of infrastructure for thousands of JavaScript developers and Web3 projects — publicly confirmed a security incident involving unauthorized access to certain internal systems. The breach did not originate from a direct attack on Vercel's infrastructure. Instead, it followed a classic supply chain compromise path: a third-party AI tool was breached first, which gave the attacker the foothold needed to pivot into Vercel's environment.
As of April 21, 2026, the investigation remains active. Vercel is working with Mandiant, law enforcement and Context.ai to determine the full scope of the intrusion.
Timeline of Events
| Date | Event |
|---|---|
| February 2026 | A Context.ai employee is compromised with Lumma Stealer after downloading malicious Roblox "auto-farm" scripts and executors |
| March 2026 | Context.ai identifies and blocks unauthorized access to its AWS environment but does not yet identify OAuth token compromise |
| March 27, 2026 | Google removes Context.ai's Chrome extension (ID: omddlmnhcofjbnbflmjginpjjblphbgk) from the Chrome Web Store |
| April 19, 2026 | Vercel publishes its security bulletin disclosing unauthorized access to internal systems and direct outreach to impacted customers |
| April 19, 2026 | A BreachForums post attributed to "ShinyHunters" offers stolen Vercel data and source code for $2 million USD |
| April 20, 2026 | Vercel CEO Guillermo Rauch publicly attributes the breach to the Context.ai compromise and notes "surprising velocity" by the attacker |
| April 20, 2026 | Vercel collaborates with Microsoft, GitHub, npm and Socket — no evidence of npm package compromise found |
| April 21, 2026 | Hudson Rock publishes analysis tracing the Lumma Stealer infection to a Context.ai employee downloading gaming exploits |
| April 21, 2026 | ShinyHunters publicly denies involvement; BreachForums post is removed |
The Attack Chain
This breach is best understood as an identity supply chain attack executed in multiple stages.
Stage 1: Initial Access via Infostealer
According to Hudson Rock, a Context.ai employee with sensitive access privileges was compromised by Lumma Stealer in February 2026. The infection vector was the employee searching for and downloading Roblox "auto-farm" scripts and executors — a well-documented delivery mechanism for Lumma Stealer. The harvested credentials from this infection included Google Workspace credentials along with keys for Supabase, Datadog and Authkit.
Stage 2: OAuth Application Abuse
Context.ai operates as an enterprise AI platform that builds agents trained on company-specific institutional knowledge. During the onboarding process, users are required to connect their Google account and allow access to Google Drive, with the OAuth application requesting broad read permissions across Workspace data.
At least one Vercel employee had signed up for the AI Office Suite using their Vercel enterprise account and granted "Allow All" permissions. Vercel's internal OAuth configurations appear to have allowed this to grant broad permissions in Vercel's enterprise Google Workspace environment.
The attacker used the compromised OAuth token from the Context.ai breach to access the Vercel employee's Google Workspace account.
Stage 3: Internal Pivot and Credential Harvesting
With access to the employee's Google Workspace account, the attacker was able to gain access to some Vercel environments and environment variables that were not marked as "sensitive." Environment variables in Vercel that are not flagged as sensitive decrypt to plaintext, meaning secrets such as API keys, tokens, database credentials and signing material stored without the sensitive flag were exposed.
Vercel described the attacker as sophisticated based on their "operational velocity and detailed understanding of Vercel's systems." Vercel CEO Guillermo Rauch publicly suggested the attacker may not have been working alone, implying potential AI-assisted reconnaissance and lateral movement.
Stage 4: Data Sale Claim
A BreachForums post under the "ShinyHunters" name surfaced on April 19, 2026 claiming to sell stolen Vercel data including employee accounts, internal deployment access, source code, database data, GitHub tokens and npm tokens for $2 million USD. The real ShinyHunters subsequently denied any involvement and the post was removed.
What Was Exposed
Based on confirmed public statements from Vercel's official bulletin:
- Confirmed exposed: Non-sensitive environment variables stored on Vercel (those that decrypt to plaintext) for a limited subset of customers — including API keys, tokens, database credentials and signing keys stored without the "sensitive" flag
- Confirmed safe: Sensitive environment variables (those that were flagged and encrypted at rest), Next.js source code and Turbopack — Vercel confirmed collaboration with Microsoft, GitHub, npm and Socket found no evidence of open-source project compromise
- Unconfirmed scope: Whether broader internal data such as source code or GitHub/npm tokens were accessed or exfiltrated remains under active investigation
Indicators of Compromise (IOCs)
Vercel published the following IOC in their official security bulletin. Google Workspace administrators should immediately check for usage of this OAuth application across their environment.
Malicious OAuth App Client ID:
110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com
To identify this in Google Workspace: navigate to Security > Access and Data Control > API Controls and check the accessed and pending apps list for this client ID.
Removed Chrome Extension:
Chrome Web Store ID: omddlmnhcofjbnbflmjginpjjblphbgk
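Beyond the manual Admin Console check above, a defender can sweep the whole tenant by exporting Google Workspace "token" audit events and matching them against the published Client ID. The script below is an added example, not Vercel's or Google's code; it assumes the Reports API token-event shape (an `authorize` event carrying `client_id`, `app_name` and a multi-valued `scope` parameter) and runs over a constructed sample export. It also flags any unknown app that was granted full Drive or Gmail scope, since that is the "Allow All" pattern the breach exploited.

```python
# IOC quoted from the Vercel bulletin (the client ID listed above on this page)
MALICIOUS_CLIENT_ID = "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"

# Scopes that amount to "Allow All" over Workspace data; flag any unknown app that asks for them
BROAD_SCOPES = {"https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/drive.readonly",
                "https://mail.google.com/"}

def _params(event):
    """Flatten a token event's parameter list into {name: value or list}."""
    return {p["name"]: p.get("multiValue", p.get("value")) for p in event.get("parameters", [])}

def scan_token_events(activities):
    """Return (user, client_id, app_name, reason, scopes) for each suspicious OAuth grant."""
    findings = []
    for act in activities:
        user = act.get("actor", {}).get("email", "?")
        for ev in act.get("events", []):
            if ev.get("name") != "authorize":  # consent grants only, not revocations
                continue
            p = _params(ev)
            cid, app = p.get("client_id", ""), p.get("app_name", "?")
            scopes = p.get("scope") or []
            scopes = [scopes] if isinstance(scopes, str) else list(scopes)
            if cid == MALICIOUS_CLIENT_ID:
                findings.append((user, cid, app, "known-malicious client_id", scopes))
            elif BROAD_SCOPES.intersection(scopes):
                findings.append((user, cid, app, "broad Workspace scope granted", scopes))
    return findings

def _authorize(email, client_id, app_name, scopes):
    """Build one constructed activity record in the assumed Reports API 'token' event shape."""
    return {"actor": {"email": email}, "events": [{"type": "auth", "name": "authorize", "parameters": [
        {"name": "client_id", "value": client_id}, {"name": "app_name", "value": app_name},
        {"name": "scope", "multiValue": scopes}]}]}

# Constructed sample export: one hit on the IOC, one over-broad unknown app, one benign grant
SAMPLE_ACTIVITIES = [
    _authorize("alice@example.com", MALICIOUS_CLIENT_ID, "AI Office Suite",
               ["https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/userinfo.email"]),
    _authorize("bob@example.com", "999999999999-abc.apps.googleusercontent.com", "Notes Helper",
               ["https://mail.google.com/"]),
    _authorize("carol@example.com", "888888888888-def.apps.googleusercontent.com", "Calendar Sync",
               ["https://www.googleapis.com/auth/calendar.readonly"]),
]

if __name__ == "__main__":
    for user, cid, app, reason, _ in scan_token_events(SAMPLE_ACTIVITIES):
        print(f"{reason}: user={user} app={app!r} client_id={cid}")
```

Any user returned with the "known-malicious client_id" reason should be handled as a fully compromised account, as the recommendations below state.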
MITRE ATT&CK TTPs
The following ATT&CK techniques map to confirmed or highly probable behavior observed in this incident.
| TTP | Technique | Notes |
|---|---|---|
| T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Context.ai was compromised upstream and used as a vector to reach Vercel |
| T1078.004 | Valid Accounts: Cloud Accounts | Attacker used stolen credentials to authenticate to Google Workspace as a legitimate Vercel employee |
| T1550.001 | Use Alternate Authentication Material: Application Access Token | Compromised OAuth token was used to access Vercel's Google Workspace without needing the employee's actual password |
| T1528 | Steal Application Access Token | OAuth tokens were harvested from the Context.ai compromise enabling account takeover |
| T1552.001 | Unsecured Credentials: Credentials In Files | Non-sensitive environment variables stored in plaintext were accessed and likely exfiltrated |
| T1555 | Credentials from Password Stores | Lumma Stealer is known to harvest credentials from browsers and local credential stores on the initially compromised Context.ai endpoint |
| T1539 | Steal Web Session Cookie | Lumma Stealer commonly harvests session cookies alongside credentials — likely part of the initial Context.ai employee compromise |
| T1059.007 | Command and Scripting Interpreter: JavaScript | Malicious Roblox "auto-farm" scripts and executors served as the initial delivery mechanism for Lumma Stealer |
| T1568 | Dynamic Resolution | Lumma Stealer is known to use domain generation or dynamic C2 resolution for payload retrieval and exfiltration |
Why This Matters Beyond Vercel
This incident is not an isolated event. Trend Micro noted that the Vercel breach fits a broader 2026 convergence pattern involving LiteLLM and Axios in which attackers consistently target developer-stored credentials across CI/CD pipelines, package registries, OAuth integrations and deployment platforms.
The specific danger with Vercel as a target is the downstream reach. Vercel is the primary steward of Next.js and hosts frontend infrastructure for thousands of applications including a significant number of Web3 and crypto-facing projects. The crypto industry responded immediately — numerous decentralized applications and Web3 projects were forced to rotate credentials and review their frontends following the disclosure.
The fact that npm packages were confirmed clean is a significant relief, but the window of investigation is not closed. Organizations that relied on non-sensitive Vercel environment variables for connecting frontends to blockchain data providers, payment processors or other sensitive services should treat those credentials as burned.
Defensive Recommendations
Based on guidance from Vercel's official bulletin and supporting analysis:
- Check for the malicious OAuth app in Google Workspace Admin Console using the published Client ID IOC. If found, revoke immediately and treat the affected account as fully compromised.
- Rotate all non-sensitive environment variables on Vercel — any secret not flagged as "sensitive" during the exposure window should be treated as exposed.
- Audit third-party AI tool OAuth grants in your organization. Treat any OAuth application with broad Workspace access ("Allow All" or full Drive read) as a high-risk integration requiring explicit approval.
- Review deployment history in Vercel for any deployments that cannot be mapped to a known commit or known author.
- Audit connected CI/CD configurations for any modified workflows that introduce new secrets, new runners or unexpected outbound connections.
- Review CloudTrail, GCP Audit Logs and Azure Activity Logs for usage of credentials stored as Vercel environment variables from unexpected IPs or user agents during the exposure window.
- Enforce MFA on all cloud accounts connected to third-party integrations.
- Implement OAuth governance — require explicit IT approval for any OAuth application requesting broad access to enterprise Workspace accounts.
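To put the rotation item above into practice, the following added triage script (not Vercel's own tooling) walks a project's environment-variable listing and reports every variable that is stored without the "sensitive" flag yet looks credential-like. It assumes the JSON shape returned by Vercel's project env listing endpoint (`envs` array with `key`, `value`, `type`, `target`, `createdAt`), skips `NEXT_PUBLIC_*` variables because those are shipped to the browser by design, and runs over a constructed sample with placeholder values.

```python
import re

# Key names that usually hold credentials (heuristic built for this example)
SECRET_NAME = re.compile(r"SECRET|TOKEN|PASSW(OR)?D|PRIVATE_KEY|API_KEY|_KEY$|DATABASE_URL|_DSN$|SIGNING", re.I)
# NEXT_PUBLIC_* values are inlined into the browser bundle by design, so their exposure is expected
PUBLIC_PREFIX = "NEXT_PUBLIC_"

def looks_like_secret(key, value):
    """Credential-like by name, or an opaque long token by value (a bare API key under a neutral name)."""
    if key.startswith(PUBLIC_PREFIX):
        return False
    if SECRET_NAME.search(key):
        return True
    opaque = len(value) >= 24 and " " not in value and not value.startswith(("http://", "https://"))
    return opaque and bool(re.search(r"[A-Za-z]", value)) and bool(re.search(r"\d", value))

def triage_envs(listing):
    """Return non-sensitive, credential-like env vars from a project env listing, oldest first.

    Assumed listing shape: {"envs": [{"key", "value", "type", "target", "createdAt"}, ...]}.
    Only type "sensitive" is treated as safe, matching what the bulletin reports."""
    hits = []
    for env in listing.get("envs", []):
        if env.get("type") == "sensitive":
            continue
        key, value = env.get("key", ""), env.get("value") or ""
        if looks_like_secret(key, value):
            hits.append({"key": key, "type": env.get("type"),
                         "targets": sorted(env.get("target", [])),
                         "createdAt": env.get("createdAt")})
    return sorted(hits, key=lambda h: h["createdAt"] or 0)

# Constructed sample listing (all values are fake placeholders)
SAMPLE_LISTING = {"envs": [
    {"key": "DATABASE_URL", "value": "postgres://app:placeholder@db.example.internal/app", "type": "encrypted", "target": ["production"], "createdAt": 1700000000000},
    {"key": "STRIPE_SECRET_KEY", "value": "sk_test_PLACEHOLDER000000000000", "type": "plain", "target": ["production", "preview"], "createdAt": 1710000000000},
    {"key": "NEXT_PUBLIC_API_URL", "value": "https://api.example.com", "type": "plain", "target": ["production"], "createdAt": 1720000000000},
    {"key": "JWT_SIGNING_KEY", "value": None, "type": "sensitive", "target": ["production"], "createdAt": 1730000000000},
    {"key": "RPC_PROVIDER", "value": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6", "type": "encrypted", "target": ["production"], "createdAt": 1690000000000},
]}

if __name__ == "__main__":
    for h in triage_envs(SAMPLE_LISTING):
        print(f"ROTATE {h['key']} (type={h['type']}, targets={','.join(h['targets'])})")
```

Everything the script lists should be rotated at the upstream provider and re-created on Vercel with the sensitive flag, not merely re-saved with a new value.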
Closing Thoughts
This breach is a textbook example of how the modern software delivery chain is only as secure as its weakest third-party integration. The attacker never needed to touch Vercel directly. A developer at an AI tool provider downloaded a game cheat script, got infected with an infostealer, and that single action set off a chain of events that reached one of the most consequential pieces of developer infrastructure on the web.
The lesson here is not unique to Vercel. It applies to every organization that has employees connecting personal or enterprise accounts to AI productivity tools, browser extensions and developer utilities with broad OAuth scopes. The attack surface is your employees' SaaS integrations — and most organizations have no inventory of them.
References
- Vercel Official Security Bulletin (last updated April 21, 2026): https://vercel.com/kb/bulletin/vercel-april-2026-security-incident
- BleepingComputer — Vercel confirms breach as hackers claim to be selling stolen data: https://www.bleepingcomputer.com/news/security/vercel-confirms-breach-as-hackers-claim-to-be-selling-stolen-data/
- The Hacker News — Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials: https://thehackernews.com/2026/04/vercel-breach-tied-to-context-ai-hack.html
- The Register — AI-pwned: Vercel breach traced to stolen employee creds: https://www.theregister.com/2026/04/21/vercel_ceo_points_to_aidriven/
- Help Net Security — Vercel breached via compromised third-party AI tool: https://www.helpnetsecurity.com/2026/04/20/vercel-breached/
- Trend Micro — The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables: https://www.trendmicro.com/en_us/research/26/d/vercel-breach-oauth-supply-chain.html
- Bastion — Vercel Data Breach April 2026: Timeline, Impact and Response: https://bastion.tech/blog/vercel-april-2026-data-breach
- Ox Security — Supply Chain Attack Hits Vercel: https://www.ox.security/blog/vercel-context-ai-supply-chain-attack-breachforums/
- Hudson Rock (via Help Net Security) — Lumma Stealer root cause analysis: https://www.helpnetsecurity.com/2026/04/20/vercel-breached/
- CoinDesk — Hack at Vercel sends crypto developers scrambling to lock down API keys: https://www.coindesk.com/tech/2026/04/20/hack-at-vercel-sends-crypto-developers-scrambling-to-lock-down-api-keys
- GitHub — OpenSourceMalware Vercel April 2026 Incident Response Playbook: https://github.com/OpenSourceMalware/vercel-april2026-incident-response
