Vercel Finds More Compromised Accounts in Context.ai-Linked Breach
Summary
Vercel has identified additional compromised customer accounts following a security breach that originated from a third-party compromise of Context.ai. The incident involved an attacker leveraging a hijacked Google Workspace account to pivot into Vercel's internal environment and access non-sensitive environment variables.
Key Points
- The breach was initiated via a compromise of Context.ai, which allowed attackers to seize control of a Vercel employee's Google Workspace account.
- Attackers successfully pivoted from the compromised account into the Vercel environment to enumerate and decrypt non-sensitive environment variables.
- The initial infection vector was identified as Lumma Stealer malware, which infected a Context.ai employee in February 2026.
- Vercel identified a separate subset of customer accounts that were compromised through independent methods, including social engineering and malware.
- The attack exploited the trust relationship provided by OAuth integrations between third-party AI tools and enterprise accounts.
Technical Details
The attack chain began with the distribution of Lumma Stealer malware, likely through malicious software searches (such as Roblox scripts), which compromised a Context.ai employee. This compromise enabled the threat actor to hijack a Vercel employee's Google Workspace account via the Context AI Office Suite. Once access was established, the attacker utilized the authenticated session to pivot into Vercel's internal systems.
The attackers demonstrated high velocity in enumerating and decrypting non-sensitive environment variables within the Vercel environment. This incident highlights the risks associated with "Shadow AI"—the unauthorized use of third-party AI tools within an organization—and demonstrates how attackers can abuse approved OAuth integrations to bypass traditional account security controls and move laterally through an organization's infrastructure.
Impact / Why It Matters
Developers and organizations must audit third-party OAuth integrations and implement strict controls over the use of unauthorized AI tools to prevent supply chain attacks. This incident emphasizes that the primary challenge for defenders is shifting from simple prevention to rapid scoping and blast-radius reduction during an active breach.
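The OAuth audit recommended above can be sketched as follows. This is an added example, not code from Vercel or Context.ai. It runs over constructed records shaped like the items returned by the Google Workspace Admin SDK Directory API tokens.list call, and the approved-client list, the high-risk scope set and all sample values are assumptions.

```python
from collections import defaultdict

# Assumption: scopes this audit treats as high-risk (broad mail, Drive, directory access).
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}
# Assumption: client IDs the organization has reviewed and approved (constructed values).
APPROVED_CLIENTS = {"1111-cal.apps.googleusercontent.com", "3333-docs.apps.googleusercontent.com"}

# Constructed sample, shaped like items from the Admin SDK Directory API tokens.list call.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "1111-cal.apps.googleusercontent.com",
     "displayText": "Calendar Sync", "scopes": ["https://www.googleapis.com/auth/calendar"]},
    {"userKey": "bob@example.com", "clientId": "2222-ai.apps.googleusercontent.com",
     "displayText": "AI Office Assistant",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    {"userKey": "carol@example.com", "clientId": "2222-ai.apps.googleusercontent.com",
     "displayText": "AI Office Assistant", "scopes": ["https://mail.google.com/"]},
    {"userKey": "dave@example.com", "clientId": "3333-docs.apps.googleusercontent.com",
     "displayText": "Docs Exporter", "scopes": ["https://www.googleapis.com/auth/drive"]},
]

def audit_grants(tokens, approved=APPROVED_CLIENTS, high_risk=HIGH_RISK_SCOPES):
    """Group grants per OAuth client; report unapproved clients and any high-risk scopes."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "risky": set()})
    for tok in tokens:
        app = apps[tok["clientId"]]
        app["name"] = tok.get("displayText", "")
        app["users"].add(tok["userKey"])
        app["risky"] |= set(tok.get("scopes", [])) & high_risk
    findings = []
    for client_id, app in apps.items():
        # Approved apps are still reported when they hold high-risk scopes:
        # approval does not shrink what a stolen token can reach.
        if client_id not in approved or app["risky"]:
            findings.append({"client_id": client_id, "name": app["name"],
                             "approved": client_id in approved,
                             "users": sorted(app["users"]),
                             "risky_scopes": sorted(app["risky"])})
    # Widest reach first: most high-risk scopes, then most users.
    findings.sort(key=lambda f: (-len(f["risky_scopes"]), -len(f["users"]), f["client_id"]))
    return findings

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_TOKENS):
        status = "approved" if f["approved"] else "UNAPPROVED"
        print(f'{f["name"]} [{status}] users={f["users"]} risky={f["risky_scopes"]}')
```

The per-client user list doubles as a scoping aid during an incident: it names the accounts whose grants need revoking if that integration's vendor is compromised.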