It started with someone downloading a Roblox auto-farm script.
Not at Vercel. At Context.ai — a small AI productivity startup that most developers had probably never heard of. Sometime in February 2026, one of their employees, a core member of the team with access to a lot of sensitive systems, went looking for a Roblox exploit online. They found it. They downloaded it. And with it came Lumma Stealer, one of the most widely deployed infostealer malwares circulating right now.
By April 2026, Vercel — the platform that hosts a significant slice of the modern web — was publishing a security bulletin.
That's a supply chain attack in its purest form. One person's bad download. One overlooked third-party integration. One OAuth token left alive too long. And suddenly a threat actor is rummaging through environment variables belonging to companies that had never even heard of Context.ai.
Here's how the chain actually unfolded.
Context.ai had built a consumer product called the AI Office Suite — a workspace that let users hook up AI agents to their Google Workspace, letting the agents take actions across docs, sheets, and slides. To do that, it needed OAuth permissions. Broad ones. The kind where clicking "Allow All" felt like a small, forgettable UX decision.
At least one Vercel employee had signed up for this product using their Vercel enterprise Google account. When that Vercel employee's Context.ai OAuth token got stolen — because that Context.ai employee had downloaded that Roblox script, which had harvested credentials across the board — the attacker had a working key to a Vercel Google Workspace account.
From there, it wasn't complex. They used that Google Workspace access to get into Vercel's internal environments. They found environment variables that weren't flagged as "sensitive." API keys. Database credentials. Tokens. The kind of stuff that's painful to rotate when you have it across dozens of services.
Hudson Rock, the cybersecurity firm that traced the infection path, noted that Context.ai only had a single infostealer record in their database — this one employee, from a month before the breach hit. That's a remarkable correlation. One machine. One bad download. One cascade.
The attacker is believed to be ShinyHunters, the same group behind breaches at Ticketmaster and Santander back in 2024. They're reportedly selling the Vercel data on a hacking forum for $2 million. Whether the actual buyers show up is a separate story, but the claim alone sent the security community into weekend-ruining mode.
Vercel's response has been reasonably transparent. They published a live bulletin, worked with Mandiant on the forensics, looped in GitHub, Microsoft, npm, and Socket to verify the supply chain hadn't been poisoned — and confirmed that npm packages are clean. Their CEO Guillermo Rauch posted publicly on X about the remediation steps being shipped. They've added new dashboard features, defaulted environment variable creation to "sensitive: on," and improved the activity log UI.
The environment variables marked as sensitive — stored encrypted in a way that prevents them from being read out — appear untouched. That distinction matters. It's the difference between a bad week and a catastrophic one.
Context.ai, for their part, shut down the compromised AWS environment and deprecated the entire AI Office Suite product. They say the OAuth tokens were stolen while that environment was still live, and that environment is now gone. Small comfort if your token was one of them.
The part that's genuinely uncomfortable about this story isn't the breach mechanics. Those are pretty standard. Infostealer on employee machine, credentials harvested, lateral movement through OAuth. We've seen this pattern.
What's uncomfortable is how invisible the attack surface was.
Vercel didn't get breached because they did something obviously wrong. Their sensitive environment variables held. Their npm packages were clean. The entry point was a consumer productivity app that one employee signed up for on their own, granting broad Google Workspace permissions, on a platform that got compromised at the vendor level. The employee probably didn't think twice about it. Most people don't.
That's the real takeaway from this incident — not "rotate your credentials" (though yes, do that), but the fact that the threat surface for any company now includes the personal download habits of employees at companies you've never contracted with, don't monitor, and can't audit.
One Roblox script on one laptop in one company's corner of the internet. And here we are.
If you're a Vercel user: Check your environment variables, rotate anything not marked sensitive, look at your activity log, and search your Google Workspace admin console for this OAuth Client ID: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. If it shows up, revoke it immediately.
If you're anyone else: Think about every third-party OAuth integration sitting in your Google Workspace right now. Count them. Check when they were last used. Ask yourself what "Allow All" actually means in practice.
The attack surface has never been smaller than the trust we extend without thinking about it.
Comments (0)
Sign in to join the conversation.
No comments yet. Be the first to share your thoughts.