SynRadar

From One Infected Machine to Vercel’s Breach in April 2026: Lumma, OAuth

Why this matters

Supply chain attacks are not new — Codecov in 2021, CircleCI in 2023, Snowflake in 2024, and now Vercel in 2026.

The pattern remains consistent. Attackers compromise a trusted third party, leverage that trust to gain access, and exfiltrate credentials at scale. The concerning part is not just the sophistication, but how simple the initial entry point often is.

In this case, the attack reportedly began with commodity malware — Lumma Infostealer — which is available at low cost on underground forums (Sources 3, 5).

Who is responsible

Context[.]ai, a third-party AI tool used by a Vercel employee, was compromised. A Lumma infostealer infection on the employee’s machine reportedly harvested 16 corporate credentials and 343 sensitive cookies. The impacted accounts included Google, Qualcomm OAuth, Datadog, Cal[.]com, and others associated with @context[.]ai. Password reuse was also observed across multiple accounts.

Lumma is a commodity malware strain sold on underground forums that silently harvests browser-stored credentials and session cookies from infected machines. It typically relies on social engineering rather than sophisticated exploitation.

On Vercel’s side, the OAuth configuration allowed an employee to grant broad permissions to a vendor that had never been authorized. Context[.]ai was not an authorized Vercel vendor, yet “Allow All” permissions were granted, and Vercel’s internal OAuth configuration permitted this level of access.

Both Vercel and Context AI have acknowledged aspects of the incident in their respective security statements (Sources 1, 2).

The Attack Chain

One infected machine. One employee. One trusted third-party tool — that was sufficient.

Reported attack sequence:

  • Lumma infects a Context[.]ai employee’s machine (potentially via malicious downloads such as game cheats)
  • Lumma harvests credentials and session cookies
  • Attacker leverages stolen OAuth tokens
  • Compromise of the employee’s Vercel Google Workspace account
  • Lateral movement into Vercel’s internal systems
  • Enumeration of customer environment variables (reported as non-sensitive)

The dwell time is notable. Initial compromise traces back to approximately June 2024, while public disclosure occurred in April 2026 — suggesting a potential exposure window of up to 22 months.

Additionally, one customer reported receiving a leaked API key notification from OpenAI nine days prior to Vercel’s official bulletin (Source 4).

The Threat Actor

An individual or group claiming to be ShinyHunters posted on BreachForums, stating they were selling Vercel-related data — including source code, employee accounts, and GitHub/NPM tokens — for $2 million.

However, some individuals associated with ShinyHunters have denied involvement in statements to BleepingComputer.

Attribution in such cases is often uncertain, as threat actor identities can be misrepresented or exaggerated. These claims should therefore be treated as unverified.

What Is Confirmed Safe

As of 21st April 2026 (08:00 AM IST), Vercel’s security team, in collaboration with GitHub, Microsoft, npm, and Socket, has stated that:

  • No npm packages published by Vercel have been compromised
  • There is no evidence of tampering
  • Next.js, Turbopack, and other Vercel open-source projects remain unaffected

Check If Your Google Workspace Was Exposed

Navigate to your Google Admin Console:
Admin Console → Security → API Controls → Accessed Apps

Direct link:
https://admin.google.com/ac/owl/list?tab=apps

Steps:

  • Click Add a filter
  • Select ID
  • Paste:
    110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com

Interpretation:

  • No results → No exposure detected
  • Any result → The application had OAuth access to your organization’s Google data
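The Admin Console filter above is a one-off manual check. As an added example (not code from the SynRadar post or from Google), the script below does the same lookup over an exported Google Workspace OAuth “token” audit log and additionally flags grants whose scopes amount to the “Allow All” access described earlier. It assumes the record shape of the Admin SDK Reports API activities.list response; the two log records are constructed sample data.

```python
# Added example, not code from the SynRadar post or from Google: scan an export
# of the Google Workspace OAuth "token" audit log for the client ID named above
# and flag grants whose scopes amount to "Allow All". Record shape follows the
# Admin SDK Reports API activities.list response for applicationName="token";
# the two records below are constructed sample data, not real log entries.
import json

CONTEXT_AI_CLIENT_ID = "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"

# Scopes that give read/write over mail, Drive or the user directory; any one
# of these lets an app act as a vendor with persistent access to the tenant.
BROAD_SCOPES = {"https://mail.google.com/",
                "https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/admin.directory.user"}

def _record(time, email, client_id, app, scopes):
    """Build one constructed 'authorize' record in Reports API shape."""
    return {"id": {"time": time, "applicationName": "token"},
            "actor": {"email": email},
            "events": [{"type": "auth", "name": "authorize", "parameters": [
                {"name": "client_id", "value": client_id},
                {"name": "app_name", "value": app},
                {"name": "scope", "multiValue": scopes}]}]}

SAMPLE_LOG = json.dumps({"items": [
    _record("2024-06-14T09:12:00Z", "alice@example.com", CONTEXT_AI_CLIENT_ID, "Context",
            ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]),
    _record("2025-01-03T16:40:00Z", "bob@example.com",
            "000000000000-placeholder.apps.googleusercontent.com", "Calendar Sync",
            ["https://www.googleapis.com/auth/calendar.readonly"]),
]})

def find_grants(log_text, client_id):
    """Return (actor, time, sorted scopes, is_broad) per authorize event for client_id."""
    hits = []
    for item in json.loads(log_text).get("items", []):
        for ev in item.get("events", []):
            if ev.get("name") != "authorize":
                continue
            # Parameters are a list of {name, value|multiValue}; flatten them.
            p = {x["name"]: x.get("multiValue", x.get("value")) for x in ev.get("parameters", [])}
            if p.get("client_id") != client_id:
                continue
            scopes = set(p.get("scope") or [])
            hits.append((item["actor"]["email"], item["id"]["time"],
                         sorted(scopes), bool(scopes & BROAD_SCOPES)))
    return hits

if __name__ == "__main__":
    for actor, when, scopes, broad in find_grants(SAMPLE_LOG, CONTEXT_AI_CLIENT_ID):
        print(f"{when} {actor}: {len(scopes)} scope(s), broad={broad}")
```

Any hit for the client ID is the same signal as a result in the Admin Console filter; a hit marked broad is the case to escalate first, since that grant could read mail or Drive for the affected user.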


If you are a Vercel Customer

  • Rotate all non-sensitive environment variables immediately
  • Deleting your Vercel project alone is not sufficient — rotate credentials first, then redeploy
  • Enable sensitive environment variables for all deployments going forward
  • Enable MFA using an authenticator app or passkeys
  • Review activity logs for any suspicious activity
  • Ensure Deployment Protection is set to at least “Standard”
  • Rotate Deployment Protection tokens, if configured

Final Note

OAuth applications should not be treated as simple integrations. They function as third-party vendors with persistent access to your corporate identity.

Regularly audit these applications, monitor their access, and revoke permissions that are no longer required.

Sources

  1. Vercel Security Bulletin (April 21, 2026)
    https://vercel.com/kb/bulletin/vercel-april-2026-security-incident
  2. Context AI Security Statement
    https://context.ai/security-update
  3. Cyber Swachhta Kendra
    https://www.csk.gov.in/index.html
  4. Public report by Vercel customer
    https://x.com/andreyzagoruiko/status/2046000612341653885
  5. Lumma Stealer Analysis (Microsoft)
    https://www.microsoft.com/en-us/security/blog/2025/05/21/lumma-stealer-breaking-down-the-delivery-techniques-and-capabilities-of-a-prolific-infostealer/
