I’m going to be direct: Vercel just revealed one of the most instructive supply chain breaches we’ve seen in years, and the root cause wasn’t a zero-day, a misconfigured firewall, or a sophisticated chain of exploits. It was an employee granting “Allow All” OAuth permissions to a small AI productivity tool. That single click escalated to compromising entire internal environments, exposing customer credentials, and generating a $2M ransom demand from an actor operating under the ShinyHunters brand on BreachForums.
If you deploy on Vercel — or if your team uses AI tools connected to your Google Workspace — this is the story you need to understand right now.
The Kill Chain: From Roblox Cheats to Enterprise Breach
The forensics paint a remarkably detailed picture, and every link in this chain is worth examining.
Step 1 — The infostealer. In February 2026, a Context.ai employee downloaded Roblox auto-farm scripts and game exploits on what appears to have been a work machine. Those downloads came with a Lumma stealer payload. The malware harvested corporate credentials from Google Workspace, Supabase, Datadog, and Authkit — the complete toolkit of someone with admin-level access at Context.ai.
Step 2 — Pivoting to OAuth tokens. Context.ai is an enterprise AI platform that also offered a consumer product called “AI Office Suite” — a workspace for building presentations and documents with AI agents. That suite connected to users’ Google Workspace accounts via OAuth. When attackers compromised Context.ai’s AWS environment (detected in March 2026), they also obtained OAuth tokens from consumer users of that suite.
Step 3 — The Vercel connection. Vercel was never a Context.ai customer. But at least one Vercel employee had registered for the AI Office Suite using their enterprise Google account and granted “Allow All” permissions. That single OAuth grant gave the attackers a direct path to Vercel’s Google Workspace — and from there, to Vercel’s environments.
Step 4 — Environment variable enumeration. Vercel distinguishes between “sensitive” environment variables (encrypted at rest, unreadable) and standard ones. The attacker enumerated the non-sensitive variables, which — despite the name — contained API keys, tokens, database credentials, and signing keys that customers hadn’t marked as sensitive. Vercel describes the attacker as “highly sophisticated” with deep knowledge of their systems and notable operational speed.
Step 5 — The ransom. A threat actor claiming to belong to ShinyHunters posted on BreachForums offering the alleged dataset — access keys, source code, internal databases, GitHub tokens, NPM tokens, and 580 employee records — for $2 million starting with $500K in Bitcoin. Actors linked to ShinyHunters denied involvement in this specific breach, so attribution remains uncertain.
What CrowdStrike Didn’t See
There’s an uncomfortable layer here. Context.ai hired CrowdStrike after the AWS incident in March. CrowdStrike investigated and Context.ai shut down the affected environment. But the OAuth token compromise wasn’t identified at that time — it only came to light when Vercel provided additional information to Context.ai on April 19. Hudson Rock’s cyber intelligence had flagged the infostealer infection of the Context.ai employee more than a month before Vercel’s disclosure. If that credential exposure had been detected and revoked immediately, this entire supply chain cascade could have been prevented.
Three Failures, Not One
The Register put it well: every actor in this story made mistakes.
Context.ai had an employee whose machine was compromised by a Lumma stealer delivered through game exploit downloads — suggesting weak endpoint security and no effective credential monitoring.
CrowdStrike’s investigation appears to have overlooked the OAuth token compromise during the initial forensic review, only catching it after Vercel brought the connection to light weeks later.
Vercel didn’t restrict OAuth scope grants in its enterprise Google Workspace. A single employee was able to grant “Allow All” permissions to an external AI tool — a configuration that should never have been possible under a properly governed Workspace.
What You Should Do Right Now
If your team deploys on Vercel or uses AI tools connected to Google Workspace, here are the immediate actions:
Check the IOC. Go to your Google Admin Console → Security → Access and Data Control → API Controls → Manage Third-Party App Access. Look for this OAuth Client ID: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. If it appears, revoke it immediately and start your incident response protocol.
Rotate your Vercel secrets. Review all environment variables. Anything stored as “non-sensitive” that actually contains API keys, tokens, or database credentials should be rotated now and re-marked as sensitive. Vercel released new features in the dashboard to make this easier.
Audit your OAuth grants. List every third-party app connected to your organization’s Google Workspace. For each one, ask yourself: does this app need these scopes? Was the grant reviewed? Can you restrict it to read-only or specific scopes? If you’re an admin, consider configuring Google Workspace to require admin approval for high-scope OAuth grants.
Review your env var classification. The distinction between “sensitive” and “non-sensitive” in Vercel isn’t cosmetic — it determines encryption at rest. If you’ve been lazy about marking variables as sensitive, this breach is the reason to fix that today.
The Biggest Lesson
This isn’t just a Vercel story. It’s a story about the growing attack surface created by AI tools that ask for OAuth access to your workspace. Every popup saying “Connect to Google Drive,” “Access your Gmail,” “Allow all permissions” is a potential lateral movement path for an attacker. And most organizations don’t govern those grants at all.
The 2024 playbook was “be careful what npm packages you install.” The 2026 playbook needs to add: “be just as careful about what AI tools you connect to your enterprise accounts — and restrict the scopes when you do.”
A download of Roblox cheats. An unreviewed OAuth grant. An unmonitored credential exposure. That’s all it took.
Vercel’s investigation is ongoing. If additional details emerge, we’ll update this article. If you deploy on Vercel, check your environment variables today — don’t wait.