The AI Vendor Is the Attack Surface

Vercel wasn't hacked. An AI startup was. That was enough.
By Nadia Byer · April 20, 2026

On Saturday, Vercel disclosed that attackers accessed internal systems, environment variables, source code, and 580 employee records. The attackers didn't breach Vercel directly. They breached Context, a Thiel-Fellow-led AI startup whose "AI-native Office Suite" a Vercel employee had connected to their corporate Google Workspace with broad OAuth permissions.[1] The chain: a game-cheat download infected a Context employee's machine with Lumma infostealer malware. The malware harvested credentials. The credentials opened Context's AWS. Context's AWS held OAuth tokens. One of those tokens belonged to a Vercel employee who had clicked "Allow All."

The Vercel employee wasn't careless in an obvious way. They tried a productivity tool and granted it the permissions the tool asked for. Reading and writing on their behalf is the pitch. It is also why every AI vendor in your trust boundary is an attack surface you didn't budget for.

The Chain

Here is what we know, stitched together from Vercel's bulletin, Context's security notice, and Hudson Rock's forensic reconstruction:[1][2][3]

February 2026: An employee at Context (the AI startup, not the LLM-analytics company OpenAI acqui-hired in 2025, and not Contextual AI the enterprise RAG platform) gets infected with Lumma Stealer. Browser history shows searches for Roblox auto-farms and game executors.[3] That's the entry point. A game cheat.

The malware harvests everything: Google Workspace credentials, Supabase keys, Datadog logins, session cookies. Hudson Rock later finds the log in their infostealer database.

March 2026: Context detects unauthorized access to its AWS environment. They engage CrowdStrike. The attacker has already used compromised consumer OAuth tokens. One of those tokens belongs to a Vercel employee who signed up for Context's consumer "AI Office Suite" using their Vercel enterprise Google Workspace account, granting "Allow All" permissions.[2]

Sometime between March and April: The attacker uses that OAuth access to take over the Vercel employee's Google Workspace session. From there: Vercel environments. Environment variables not marked as "sensitive." Source code. Database data. NPM and GitHub tokens. Records on 580 Vercel employees.

April 19: Vercel publishes IOCs. Context publishes a coordinated security notice. A threat actor operating under the ShinyHunters brand posts the data on BreachForums and Telegram, claiming a $2 million ransom demand.[4] The actual ShinyHunters operators deny involvement.[4] Vercel has not confirmed any ransom negotiation.

April 20: Context shuts down its consumer AI Office Suite entirely. The product that created the OAuth bridge is now deprecated.

The Numbers We Don't Have

Vercel says the impact was "quite limited."[1] They haven't disclosed a customer count. Context says "a subset" of consumer users were affected.[2] They haven't disclosed a number either.

Vercel claims environment variables marked as "sensitive" remained encrypted and unaccessed. This is Vercel's word. No third-party verification exists.

The only named Vercel customer to comment is Orca, a Solana DEX that hosts wallet interfaces on Vercel. Orca says its protocol and user funds are safe.[5] The crypto segment is rotating keys and watching closely. Everyone else is quiet.

Within 24 hours of disclosure, third-party incident-response playbooks appeared on GitHub.[6] That's not a good sign. When the community has to write your IR guide for you, the guidance you provided wasn't enough.

The Roblox Cheat

Let's sit with the entry point for a moment.

A Context employee downloaded something promising free advantages in a children's game. That download contained Lumma Stealer. Lumma was supposed to be dead. Europol and the DOJ took down 2,300 of its command-and-control domains in May 2025.[7] But Lumma is back at scale. New domains. New delivery lures: fake CAPTCHAs, cracked software, GitHub-hosted payloads, and yes, game cheats.[7]

This is not sophisticated. This is the commodity attack path. The one that works because someone, somewhere, always clicks.

And because that someone worked at an AI startup that held OAuth tokens to other companies' identity systems, the blast radius extended far beyond their machine.

"At least one Vercel employee signed up for the AI Office Suite using their Vercel enterprise account and granted 'Allow All' permissions."
— Context security notice

The Trust Boundary Problem

Every enterprise now has AI vendors in its trust boundary. Copilot. Cursor. Claude. A dozen smaller tools employees install without asking. They all want access to code, files, email, calendar. They all store OAuth tokens or session cookies server-side. And they all employ people who might click on the wrong thing.

Context was a $70 million-valuation startup backed by Lux Capital, General Catalyst, and Qualcomm Ventures.[8] Its founder was a Thiel Fellow who left Stanford at 20. They claimed 50-million-token context windows and "swarm agents."[8] And one of their employees downloaded a Roblox cheat.

The AI Office Suite was a consumer product. The breach vector was an enterprise employee using their corporate identity to sign up for a consumer product. That's a policy gap, not a technical one. But the technical tooling made it easy. OAuth makes it trivially easy to grant broad access with a single click. "Allow All" is a button. The blast radius of that button is not obvious until it's too late.

What Vercel Is Asking Customers to Do

Vercel's bulletin recommends: review activity logs, rotate non-sensitive environment variables, mark secrets as "sensitive" going forward, investigate recent deployments, enable Deployment Protection, rotate protection tokens.[1]

This is reasonable advice. It is also a lot of work that Vercel's customers did not plan to do this weekend.

The implicit message: if you didn't mark your environment variables as sensitive, assume they were read. If you can't prove something wasn't accessed, act as if it was. The defensive perimeter now includes every AI tool any employee ever connected, and you need to audit all of them.

How many companies can actually do that audit?
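
A minimal version of that audit, as an added example (not code from Vercel, Context, or the original article): it groups third-party OAuth grants by app and surfaces the ones holding broad scopes. Records use the field names of the Google Admin SDK Directory API tokens resource (userKey, clientId, displayText, scopes); the users, apps, client IDs, allowlist and choice of broad scopes are constructed assumptions.

```python
from collections import defaultdict

# Scopes that let an app read or write mail, files, or calendars on a user's behalf.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/calendar",
}

def audit_grants(tokens, approved=frozenset()):
    """Group broad-scope grants by app: who granted it and what it can reach."""
    apps = defaultdict(lambda: {"app": "", "users": set(), "scopes": set()})
    for tok in tokens:
        broad = BROAD_SCOPES.intersection(tok.get("scopes", []))
        if not broad:
            continue  # sign-in-only grants (openid, email, profile) are skipped
        entry = apps[tok["clientId"]]
        entry["app"] = tok.get("displayText") or tok["clientId"]
        entry["users"].add(tok["userKey"])
        entry["scopes"] |= broad
    report = [
        {"clientId": cid, "app": e["app"], "approved": cid in approved,
         "users": sorted(e["users"]), "scopes": sorted(e["scopes"])}
        for cid, e in apps.items()
    ]
    # Unapproved apps first, then the apps the most employees connected.
    return sorted(report, key=lambda r: (r["approved"], -len(r["users"]), r["clientId"]))

# Constructed sample data (hypothetical users, apps and client IDs).
APPROVED = {"3333-notes.apps.googleusercontent.com"}
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "1111-suite.apps.googleusercontent.com",
     "displayText": "Example AI Office Suite",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/calendar"]},
    {"userKey": "bob@example.com", "clientId": "1111-suite.apps.googleusercontent.com",
     "displayText": "Example AI Office Suite",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "alice@example.com", "clientId": "2222-ide.apps.googleusercontent.com",
     "displayText": "Example IDE Plugin", "scopes": ["openid", "email"]},
    {"userKey": "carol@example.com", "clientId": "3333-notes.apps.googleusercontent.com",
     "displayText": "Example Notes App",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
]

if __name__ == "__main__":
    for row in audit_grants(SAMPLE_TOKENS, APPROVED):
        status = "approved" if row["approved"] else "UNAPPROVED"
        print(f'{status:10} {row["app"]}: {len(row["users"])} user(s), {row["scopes"]}')
```

Approved apps stay in the report on purpose: an approved vendor holding Drive or Gmail scopes is still part of the blast radius if that vendor is compromised.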

The Precedent

This is not the first supply-chain compromise via an AI vendor. In February, we wrote about hackerbot-claw, an autonomous agent that systematically compromised major open-source projects via exploitable GitHub Actions workflows: Trivy, Microsoft, DataDog, CNCF.[9] That attack used the agent's own capabilities. This one used the access that AI tools accumulate as a side effect of doing their job.

Both patterns point the same direction. AI tools are credential magnets. They ask for access. They store that access. They become high-value targets precisely because they hold keys to everything else.

Vercel's pre-IPO positioning makes this breach especially visible. But the pattern isn't unique to Vercel. Every company using AI productivity tools has the same exposure. The question is whether anyone is asking: what happens when the AI vendor gets popped?

What We Don't Know Yet

The mechanism is still slightly fuzzy. Context's notice emphasizes OAuth tokens. Hudson Rock's analysis emphasizes session cookies and raw credentials. Both paths are plausible. The distinction matters for remediation (rotating OAuth grants is different from rotating passwords), but the outcome is the same: unauthorized access to Vercel via a third party.

We also don't know how many other companies had employees who signed up for Context's consumer product with their corporate accounts. Context served "a subset" of consumer users across "many organizations."[2] Vercel is the one that disclosed. That doesn't mean Vercel is the only one affected.

Lux Capital, Context's lead investor, has not responded to requests for comment. Neither has Peter Thiel's team, despite CEO Joseph Semrai's Thiel Fellowship. The silence is expected. It's still silence.

· · ·

This is a story about trust boundaries that moved without anyone noticing.

When an employee installs an AI tool, they're not just adding a feature. They're extending the company's attack surface to include that tool's entire security posture: its employees, its infrastructure, its credential storage, its operational hygiene. One Roblox cheat, one harvested token, one "Allow All" click, and Vercel's internal systems were open.

The AI vendor is the attack surface now. Plan accordingly.

Disclosure

This article was written with the assistance of Claude, an AI made by Anthropic. The irony of using an AI tool to write about the risks of AI tools is noted. Corrections welcome at bustah_oa@sloppish.com.

Sources

  1. Vercel, "Security Incident Bulletin," April 19-20, 2026. vercel.com. Also: BleepingComputer, The Register, CoinDesk, CyberInsider coverage.
  2. Context, "Security Update," April 19, 2026. context.ai.
  3. Hudson Rock / infostealers.com, "Breaking: Vercel Breach Linked to Infostealer Infection at Context AI," April 20, 2026. infostealers.com.
  4. BleepingComputer, "Vercel confirms breach as hackers claim to be selling stolen data," April 19, 2026. ShinyHunters operators denied involvement to BleepingComputer. bleepingcomputer.com.
  5. CoinDesk, "Hack at Vercel Sends Crypto Developers Scrambling to Lock Down API Keys," April 20, 2026. coindesk.com.
  6. OpenSourceMalware, "vercel-april2026-incident-response," GitHub. github.com.
  7. Lumma Stealer resurgence: Bitdefender, SecurityWeek, Check Point, Lumu. Operation Endgame disrupted ~2,300 domains in May 2025; Lumma returned within weeks with new infrastructure and delivery methods including game-cheat bundles.
  8. Context $11M seed at $70M valuation: TechCrunch, May 28, 2025; BusinessWire launch release, July 8, 2025. Not to be confused with Context.ai (OpenAI acqui-hire, April 2025) or Contextual AI (enterprise RAG platform).
  9. Sloppish, "The Chain Reaction," on hackerbot-claw GitHub Actions exploitation. sloppish.com.