Vercel April 2026 Security Incident: Context.ai-Linked Breach Exposes Non-Sensitive Environment Variables and Customer Accounts

Executive Summary

In April 2026, Vercel, a leading cloud application hosting provider, disclosed a security incident linked to a breach at Context.ai, a third-party AI tool. The breach originated from the compromise of a Context.ai employee via the Lumma Stealer malware, which enabled attackers to access a Vercel employee’s Google Workspace and subsequently their Vercel account. This access allowed the attacker to enumerate and read back (“decrypt”) customer environment variables that had not been marked as “sensitive” on Vercel’s platform, including API keys and database credentials. The investigation, conducted in collaboration with Google Mandiant, law enforcement, and other cybersecurity partners, confirmed that no sensitive environment variables or npm packages were compromised, and Vercel’s open-source projects (Next.js, Turbopack) were unaffected. However, further investigation revealed additional compromised customer accounts, and Vercel notified all affected parties. The incident underscores the risks associated with third-party OAuth integrations and shadow AI tools in SaaS environments. Vercel has issued recommendations including enabling multi-factor authentication, rotating environment variables, and reviewing activity logs. All findings are corroborated by primary sources, including Vercel’s official security bulletin, The Hacker News, and TechCrunch. (Vercel KB, April 24, 2026; The Hacker News, April 23, 2026; TechCrunch, April 20, 2026)

Technical Information

The breach began with the compromise of a Context.ai employee in February 2026, who was infected with the Lumma Stealer infostealer malware. This malware harvests browser-stored credentials, session cookies, and authentication tokens, which let an attacker reuse an existing authenticated session rather than log in afresh. From that foothold at Context.ai, the attacker gained access to a Vercel employee’s Google Workspace account, which in turn gave access to that employee’s Vercel account. This sequence of events enabled the attacker to pivot into Vercel’s internal environment.

Once inside the Vercel environment, the attacker enumerated and read back (“decrypted”) environment variables that had not been marked as “sensitive.” On Vercel, the value of a non-sensitive variable can be retrieved in clear through the dashboard and the API by anyone with access to the project, whereas a variable marked “sensitive” cannot be read back after it is created; the exposed values included API keys, tokens, database credentials, and signing keys. The attacker’s operational velocity and understanding of Vercel’s API surface led Vercel to assess the threat actor as highly sophisticated. The attacker also abused OAuth tokens, specifically those issued to the Google OAuth client ID 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com, to maintain persistence and facilitate lateral movement within the environment (Vercel KB, April 24, 2026).
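The OAuth-grant check this points to, and that the mitigation section below recommends, as an added example that is not part of Vercel’s bulletin or tooling: a Python script that triages Google Workspace token audit events for consent grants to the client ID above, or to any app requesting broad mail, Drive or directory scopes. The log records are constructed in the shape the Admin SDK Reports API returns for applicationName="token"; the accounts, timestamps, app names and the two benign client IDs are invented, and the high-risk scope list is an assumption to tune for your own tenant.

```python
"""Find Google Workspace OAuth consent grants to a suspect client ID.

Added example, not code from Vercel's bulletin. The records in SAMPLE_LOG are
constructed in the shape the Admin SDK Reports API returns for
applicationName="token" (event name "authorize", parameters client_id /
app_name / scope); the accounts, timestamps and app names are invented. The
suspect client ID is the one named in the bulletin. Live data comes from:
    reports.activities().list(userKey="all", applicationName="token").execute()
"""
from dataclasses import dataclass, field

SUSPECT_CLIENT_IDS = {
    "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com",
}

# Scopes that give a third-party app broad reach into mail, files or the directory.
# Assumption: tune this list to what your tenant considers high risk.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
}


@dataclass
class Finding:
    time: str
    actor: str
    client_id: str
    app_name: str
    scopes: list
    known_bad_client: bool
    risky_scopes: list = field(default_factory=list)


def _param(params: list, name: str):
    """Return one event parameter's scalar value or multiValue list (None if absent)."""
    for p in params:
        if p.get("name") == name:
            return p.get("value", p.get("multiValue"))
    return None


def triage(activities: dict) -> list:
    """Return a Finding for every 'authorize' event naming a suspect client or a risky scope."""
    findings = []
    for item in activities.get("items", []):
        actor = item.get("actor", {}).get("email", "<unknown>")
        when = item.get("id", {}).get("time", "")
        for ev in item.get("events", []):
            if ev.get("name") != "authorize":  # revoke/activity events are not new grants
                continue
            params = ev.get("parameters", [])
            client_id = _param(params, "client_id") or ""
            scopes = list(_param(params, "scope") or [])
            known_bad = client_id in SUSPECT_CLIENT_IDS
            risky = sorted(set(scopes) & HIGH_RISK_SCOPES)
            if known_bad or risky:
                findings.append(Finding(when, actor, client_id, _param(params, "app_name") or "",
                                        scopes, known_bad, risky))
    # Grants to the named client first, then by time, so the revocation list leads with the known-bad app.
    findings.sort(key=lambda f: (not f.known_bad_client, f.time))
    return findings


def _event(client_id: str, app_name: str, scopes: list) -> dict:
    """Build one 'authorize' event in the Reports API shape (helper for the constructed sample)."""
    return {"type": "auth", "name": "authorize", "parameters": [
        {"name": "client_id", "value": client_id},
        {"name": "app_name", "value": app_name},
        {"name": "client_type", "value": "WEB"},
        {"name": "scope", "multiValue": scopes},
    ]}


# Constructed sample (invented users, times and app names).
SAMPLE_LOG = {"kind": "admin#reports#activities", "items": [
    {"id": {"time": "2026-02-12T09:14:03.000Z", "applicationName": "token"},
     "actor": {"email": "alice@example.com"},
     "events": [_event("110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com",
                       "Sample AI Assistant",
                       ["https://www.googleapis.com/auth/gmail.readonly",
                        "https://www.googleapis.com/auth/drive.readonly"])]},
    {"id": {"time": "2026-02-13T15:02:41.000Z", "applicationName": "token"},
     "actor": {"email": "bob@example.com"},
     "events": [_event("999999999999-benign.apps.googleusercontent.com", "Calendar Sync",
                       ["https://www.googleapis.com/auth/calendar.readonly"])]},
    {"id": {"time": "2026-02-11T08:00:00.000Z", "applicationName": "token"},
     "actor": {"email": "carol@example.com"},
     "events": [_event("888888888888-notes.apps.googleusercontent.com", "Meeting Notes AI",
                       ["https://www.googleapis.com/auth/drive",
                        "https://www.googleapis.com/auth/userinfo.email"])]},
]}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        tag = "KNOWN-BAD" if f.known_bad_client else "REVIEW"
        print(f"{tag:<9} {f.time} {f.actor:<20} {f.app_name!r} risky={f.risky_scopes}")
        # Admin-side revocation of this grant: directory.tokens().delete(userKey=f.actor, clientId=f.client_id)
```

Run it over the full output of reports.activities().list(userKey="all", applicationName="token"), paging through nextPageToken, with the start of the window set no later than February 2026. For each finding, revoke the grant with the Directory API tokens.delete call noted in the code, then check whether the same user’s Vercel account shows activity in the same window.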

The attacker exfiltrated the decrypted environment variables, and some of this data was reportedly offered for sale online. Claims were made that the threat actor represented the ShinyHunters group, but ShinyHunters denied involvement and no technical evidence supports this attribution (TechCrunch, April 20, 2026). The breach did not impact Vercel’s open-source projects (Next.js, Turbopack) or any npm packages, as confirmed by Vercel in collaboration with GitHub, Microsoft, npm, and Socket.

The incident highlights the risks of third-party OAuth integrations and the use of unauthorized AI tools (“shadow AI”) in SaaS environments. The attack is classified as a supply chain compromise, with potential downstream impacts on Vercel’s customers, particularly those in the technology sector. Vercel’s investigation also identified a small number of customer accounts with signs of compromise unrelated to the April 2026 incident, likely due to social engineering or malware.

The technical attack chain maps to the following MITRE ATT&CK techniques:

- Credential theft by the infostealer: T1555.003 (Credentials from Password Stores: Credentials from Web Browsers), T1539 (Steal Web Session Cookie), T1528 (Steal Application Access Token)

- Access with the stolen identity: T1078.004 (Valid Accounts: Cloud Accounts)

- Persistence and lateral movement with stolen tokens and cookies instead of passwords: T1550.001 (Use Alternate Authentication Material: Application Access Token), T1550.004 (Web Session Cookie)

- Harvesting credentials from readable environment variables: T1552 (Unsecured Credentials)

- Data exfiltration: T1567 (Exfiltration Over Web Service)

All technical claims are supported by primary sources and mapped to MITRE ATT&CK where possible. Attribution confidence levels are explicitly stated, with high confidence in the use of Lumma Stealer and OAuth token abuse, and low confidence in threat actor attribution.

Affected Versions & Timeline

The breach did not affect specific versions of Vercel’s platform or its open-source projects. The affected assets were customer projects whose environment variables had not been marked as “sensitive” and could therefore be read back through the dashboard and API. The timeline of the incident is as follows:

February 2026: a Context.ai employee is infected with Lumma Stealer malware (The Hacker News, April 23, 2026).

March 2026: Context.ai confirms a breach involving its Office Suite consumer app, which automates actions across third-party applications (TechCrunch, April 20, 2026).

April 19, 2026: Vercel publishes initial details and recommendations.

April 20, 2026: Vercel confirms that no npm packages were compromised and issues further guidance.

April 22 to April 24, 2026: Vercel expands its investigation, identifies additional compromised accounts, and updates customers and law enforcement (Vercel KB, April 24, 2026).

Threat Activity

The threat actor gained initial access through the compromise of a Context.ai employee’s credentials, harvested by the Lumma Stealer malware. From that foothold, the attacker accessed a Vercel employee’s Google Workspace account and then that employee’s Vercel account. The attacker then enumerated and read back non-sensitive environment variables within Vercel’s environment, exfiltrating API keys, tokens, and database credentials. Some of this data was reportedly offered for sale online, although the full extent of data exposure remains under investigation.

The attacker demonstrated a high level of sophistication, moving quickly through Vercel’s systems and leveraging OAuth tokens for persistence. The use of OAuth tokens and session cookies allowed the attacker to maintain access without triggering immediate detection. Vercel’s investigation, supported by Google Mandiant and other cybersecurity firms, found no evidence of compromise to sensitive environment variables, npm packages, or Vercel’s open-source projects.

The threat actor claimed to be associated with the ShinyHunters group, but this claim was denied by ShinyHunters and is not supported by technical evidence. The incident is consistent with recent supply chain and SaaS-targeted attacks involving infostealer malware and OAuth token abuse. Vercel also identified a small number of customer accounts with signs of compromise unrelated to this incident, likely due to social engineering or malware.

Mitigation & Workarounds

The following mitigation steps are recommended, prioritized by severity:

Critical: Enable multi-factor authentication (MFA) on all Vercel and identity-provider accounts. MFA protects the login step only: a stolen session cookie or OAuth token, which is what Lumma Stealer harvests and what this attacker relied on for persistence, is replayed after that step, so pair MFA with signing out all sessions and revoking existing tokens for affected users.

High: Rotate every environment variable that was not marked as “sensitive,” since its value could be read back through the dashboard and API by anyone with project access. Rotate the credential at its issuer first (database, API provider, signing service), then recreate the variable on Vercel as a sensitive variable so the new value cannot be read back.

High: Review OAuth app authorizations and activity logs. In Google Workspace, check the token audit log for “authorize” events naming the OAuth client ID 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com and revoke that client’s tokens for any user who granted it; in Vercel, review the activity log for unexpected logins, token or integration changes, and environment-variable changes.

High: Investigate recent deployments for anomalies or unexpected changes, such as commits, build commands, or environment changes you did not make, that could indicate unauthorized activity.

Medium: Rotate deployment protection (automation bypass) tokens if they are in use, since a readable token lets a holder reach otherwise protected preview deployments.

Medium: Educate employees about the risks of shadow AI tools and unauthorized third-party integrations in SaaS environments.

Medium: Review and update incident response plans to address supply chain and OAuth-related threats.

All mitigation recommendations are based on Vercel’s official guidance and industry best practices (Vercel KB, April 24, 2026).
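The rotation step above starts with knowing which variables could have been read. As an added example, not Vercel’s own tooling, the following Python script builds a rotation plan from a project’s environment-variable metadata in the shape returned by Vercel’s REST API (GET /v9/projects/{idOrName}/env, fields key, type and target): variables of type plain or encrypted can be read back, variables of type sensitive cannot, and among the readable ones a credential-looking name exposed to production is rotated first. The project below is a constructed sample with invented keys; the credential-name regex and the priority rules are assumptions to adapt to your naming conventions. The script deliberately fetches metadata only, never decrypted values, so that it does not become one more place secrets are copied to.

```python
"""Triage a Vercel project's environment variables into a rotation plan.

Added example, not Vercel's tooling. Works on the JSON shape returned by
GET https://api.vercel.com/v9/projects/{idOrName}/env (fields "key", "type",
"target"). SAMPLE_ENVS is constructed with invented keys. Only metadata is used;
decrypted values are never requested.
"""
import json
import re
import urllib.request
from typing import Optional

# Types whose values can be read back through the dashboard/API by anyone with
# project access. "sensitive" values cannot be read back; "system" values are
# Vercel-provided; "secret" is the legacy shared-secret reference.
READABLE_TYPES = {"plain", "encrypted"}

# Names that usually hold a credential. Assumption: adjust to your own conventions.
CREDENTIAL_NAME = re.compile(
    r"SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY|APIKEY|DATABASE_URL|DSN|SIGNING|CREDENTIAL",
    re.IGNORECASE,
)

PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2, "ok": 3}


def fetch_envs(project: str, token: str, team_id: Optional[str] = None) -> list:
    """Fetch env metadata for a project with a Vercel API token (network; not used by the sample run)."""
    url = f"https://api.vercel.com/v9/projects/{project}/env"
    if team_id:
        url += f"?teamId={team_id}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["envs"]


def classify(env: dict) -> tuple:
    """Return (priority, reason) for one variable record."""
    etype = env.get("type", "")
    key = env.get("key", "")
    targets = set(env.get("target", []))
    if etype == "sensitive":
        return "ok", "marked sensitive; value cannot be read back"
    if etype not in READABLE_TYPES:
        return "ok", f"type {etype!r} not triaged"
    if key.startswith("NEXT_PUBLIC_"):
        return "low", "readable, but NEXT_PUBLIC_ values ship to the browser anyway"
    if not CREDENTIAL_NAME.search(key):
        return "low", "readable; name does not look like a credential"
    if "production" in targets:
        return "high", "readable credential exposed to production"
    return "medium", "readable credential (non-production targets)"


def triage_envs(envs: list) -> list:
    """Build a rotation plan: readable credentials first, production before preview/dev."""
    actions = {
        "high": "rotate at the issuer, then recreate as type=sensitive",
        "medium": "rotate at the issuer, then recreate as type=sensitive",
        "low": "review; mark sensitive if it is actually a secret",
        "ok": "none",
    }
    plan = []
    for env in envs:
        if env.get("type") == "system":
            continue  # VERCEL_URL and friends are not customer secrets
        priority, reason = classify(env)
        plan.append({
            "key": env.get("key"),
            "type": env.get("type"),
            "targets": sorted(env.get("target", [])),
            "priority": priority,
            "reason": reason,
            "action": actions[priority],
        })
    plan.sort(key=lambda p: (PRIORITY_ORDER[p["priority"]], p["key"]))
    return plan


# Constructed sample in the API's shape (invented keys, not real customer data).
SAMPLE_ENVS = [
    {"key": "DATABASE_URL", "type": "encrypted", "target": ["production"]},
    {"key": "STRIPE_SECRET_KEY", "type": "sensitive", "target": ["production"]},
    {"key": "SLACK_WEBHOOK_TOKEN", "type": "encrypted", "target": ["preview", "development"]},
    {"key": "NEXT_PUBLIC_API_BASE", "type": "plain", "target": ["production", "preview"]},
    {"key": "FEATURE_FLAGS", "type": "plain", "target": ["production"]},
    {"key": "VERCEL_URL", "type": "system", "target": ["production"]},
]

if __name__ == "__main__":
    for row in triage_envs(SAMPLE_ENVS):
        print(f'{row["priority"]:<6} {row["key"]:<22} {row["type"]:<10} '
              f'{",".join(row["targets"]):<24} {row["action"]}')
```

For a live project, replace SAMPLE_ENVS with fetch_envs("my-project", token) using a token scoped to the team in question, and run the plan per project; the high rows are the credentials to assume exposed and rotate at the issuer before anything else, because rotating only the Vercel copy leaves the leaked value valid.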

References

Vercel April 2026 Security Incident Bulletin (last updated April 24, 2026): https://vercel.com/kb/bulletin/vercel-april-2026-security-incident

The Hacker News, "Vercel Finds More Compromised Accounts in Context.ai-Linked Breach" (April 23, 2026): https://thehackernews.com/2026/04/vercel-finds-more-compromised-accounts.html

TechCrunch, "App host Vercel says it was hacked and customer data stolen" (April 20, 2026): https://techcrunch.com/2026/04/20/app-host-vercel-confirms-security-incident-says-customer-data-was-stolen-via-breach-at-context-ai/

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with their external vendors and SaaS integrations. Our platform enables continuous monitoring of supply chain exposures, supports rapid incident response, and provides actionable insights into third-party security posture. For questions about this advisory or to discuss your organization’s risk management needs, contact us at ops@rescana.com.