Web infrastructure provider Vercel has disclosed a security breach that allows bad actors to gain unauthorized access to "certain" internal Vercel systems.
The incident stemmed from the compromise of Context.ai, a third-party artificial intelligence (AI) tool, that was used by an employee at the company.
"The attacker used that access to take over the employee's Vercel Google Workspace account, which enabled them to gain access to some Vercel environments and environment variables that were not marked as 'sensitive,'" the company said in a bulletin.
Vercel said environment variables marked as "sensitive" are stored in an encrypted manner that prevents them from being read, and that there is currently no evidence suggesting that those values were accessed by the attacker.
It described the threat actor behind the incident as "sophisticated" based on their "operational velocity and detailed understanding of Vercel's systems." The company also said it's working with Google-owned Mandiant and other cybersecurity firms, as well as notifying law enforcement and engaging with Context.ai to better understand the full scope of the breach.
A "limited subset" of customers is said to have had their credentials compromised, with Vercel reaching out to them directly and urging them to rotate their credentials with immediate effect. The company is continuing to investigate what data was exfiltrated, and plans to contact customers if further evidence of compromise is discovered.
Vercel is also advising Google Workspace administrators and Google account owners to check for the following application OAuth application:
110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com
As additional mitigations, the following best practices have been recommended -
- Review activity log for signs of suspicious activity.
- Audit and rotate environment variables that contain secrets and are not marked as sensitive. Use sensitive environment variables to ensure secrets are protected.
- Investigate recent deployments for anything unexpected or suspicious. Ensure that Deployment Protection is set to Standard at a minimum.
- Rotate Deployment Protection tokens, if set.
While Vercel has yet to share details about which of its systems were broken into, how many customers were affected, and who may be behind it, a threat actor using the ShinyHunters persona has claimed responsibility for the hack, selling the stolen data for an asking price of $2 million.
Context.ai has also published a security bulletin in which it disclosed a March 2026 incident that saw it identify and block unauthorized access to its AWS environment. However, it has since emerged that the attacker also likely compromised OAuth tokens for some of its consumer users.
"We also learned that the unauthorized actor appears to have used a compromised OAuth token to access Vercel's Google Workspace," the company said. "Vercel is not a Context customer, but it appears at least one Vercel employee signed up for the AI Office Suite using their Vercel enterprise account and granted 'Allow All' permissions. Vercel's internal OAuth configurations appear to have allowed this action to grant these broad permissions in Vercel's enterprise Google Workspace."
Context.ai said it immediately alerted all impacted customers and provided them with the necessary steps they needed to take. It did not reveal how many customers were affected by the breach.
In a report published today, Hudson Rock has uncovered that a Context.ai employee was compromised with Lumma Stealer in February 2026, raising the possibility that the infection may have triggered the "supply chain escalation." The corporate credentials harvested during the attack consisted of Google Workspace credentials, along with keys and logins for Supabase, Datadog, and Authkit.
Also present among the stolen records was the "support@context.ai" account, likely allowing the threat actor to escalate privileges, bypass security controls, and successfully pivot into Vercel's infrastructure. The user is assessed to be a core member of the "context-inc" Vercel team.
"Logs indicate the user was actively searching for and downloading game exploits, specifically Roblox 'auto-farm' scripts and executors," the cybersecurity company said. "These types of malicious downloads are notorious vectors for Lumma Stealer deployments."
"We've deployed extensive protection measures and monitoring. We've analyzed our supply chain, ensuring Next.js, Turbopack, and our many open source projects remain safe for our community," Vercel CEO Guillermo Rauch said in a post on X.
"In response to this, and to aid in the improvement of all of our customers’ security postures, we've already rolled out new capabilities in the dashboard, including an overview page of environment variables, and a better user interface for sensitive environment variable creation and management."
