From One Infected Machine to Vercel’s Breach in April 2026: Lumma, OAuth
Why this matters

Supply chain attacks are not new: Codecov in 2021, CircleCI in 2023, Snowflake in 2024, and now Vercel in 2026. The pattern is consistent. Attackers compromise a trusted third party, leverage that trust to gain access, and exfiltrate credentials at scale. The concerning part is not the sophistication but how simple the initial entry point often is. In this case the attack reportedly began with commodity malware, the Lumma infostealer, which is sold at low cost on underground forums (Sources 3, 5).

Who is responsible

Context[.]ai, a third-party AI tool used by a Vercel employee, was compromised. A Lumma infostealer infection on an employee's machine reportedly harvested 16 corporate credentials and 343 session cookies. The impacted accounts, associated with @context[.]ai, included Google, Qualcomm OAuth, Datadog, Cal[.]com, and others. Password reuse was also observed across multiple accounts.

Lumma is a commodity malware strain sold on underground forums that silently harvests browser-stored credentials and session cookies from infected machines. It typically relies on social engineering to get executed rather than on exploitation of software vulnerabilities.

On Vercel's side, the OAuth configuration allowed an employee to grant broad permissions to a vendor that had never been authorized. Context[.]ai was not an authorized Vercel vendor, yet it was granted "Allow All" permissions, and Vercel's internal OAuth configuration permitted that level of access. Both Vercel and Context AI have acknowledged aspects of the incident in their respective security statements (Sources 1, 2).

The Attack Chain

One infected machine. One employee. One trusted third-party tool. That was sufficient.

Reported attack sequence:

The dwell time is notable. Initial compromise traces back to approximately June 2024, while public disclosure occurred in April 2026, a potential exposure window of up to 22 months.

Additionally, one customer reported receiving a leaked API key notification from OpenAI nine days before Vercel's official bulletin (Source 4).

The Threat Actor

An individual or group claiming to be ShinyHunters posted on BreachForums, offering Vercel-related data for sale, including source code, employee accounts, and GitHub/npm tokens, for $2 million. However, some individuals associated with ShinyHunters have denied involvement in statements to BleepingComputer. Attribution in such cases is often uncertain, as threat actor identities can be misrepresented or exaggerated. These claims should therefore be treated as unverified.

What Is Confirmed Safe

As of 21 April 2026 (08:00 IST), Vercel's security team, in collaboration with GitHub, Microsoft, npm, and Socket, has stated that:

Check If Your Google Workspace Was Exposed

Navigate to your Google Admin Console: Admin Console → Security → API Controls → Accessed Apps
Direct link: https://admin.google.com/ac/owl/list?tab=apps

Steps:

Interpretation:

If you are a Vercel Customer

Final Note

OAuth applications should not be treated as simple integrations. They function as third-party vendors with persistent access to your corporate identity. Audit these applications regularly, monitor their access, and revoke permissions that are no longer required.

Sources
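The Accessed Apps console page is built from the same data the Admin SDK Reports API exposes as "token" audit activity, so the check in the Google Workspace section and the standing audit recommended in the Final Note can both be scripted. The following is an added example written for this page; it is not code from the original article, from Vercel, or from Context AI. It assumes the record layout of an activities.list(userKey="all", applicationName="token") response (an "authorize" event carrying client_id, app_name and a multi-valued scope parameter); the sample records, client IDs, app names, user addresses and the vendor allow-list are constructed for illustration. It collapses grants per OAuth client, then reports every client outside the allow-list that holds a mail, Drive or directory scope, which is the "Allow All to an unauthorized vendor" condition described above.

```python
"""
Audit Google Workspace OAuth grants from 'token' audit-log activity records.

Added example for this article, not code from Vercel or Context AI.
Assumption: records follow the Admin SDK Reports API shape returned by
activities.list(userKey="all", applicationName="token"). All sample data
below (users, client IDs, app names, allow-list) is constructed.
"""
from dataclasses import dataclass, field

# Scopes that give a third party durable access to mail, files or the
# directory. A grant of any of these to an unreviewed app is a finding.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
}


@dataclass
class AppGrant:
    client_id: str
    app_name: str
    users: set = field(default_factory=set)
    scopes: set = field(default_factory=set)
    first_seen: str = ""
    last_seen: str = ""


def _param(params, name):
    """Return the 'value' or 'multiValue' of a named event parameter, or None."""
    for p in params:
        if p.get("name") == name:
            return p.get("value", p.get("multiValue"))
    return None


def summarize_grants(records):
    """Collapse 'authorize' events into one AppGrant per OAuth client_id."""
    grants = {}
    for rec in records:
        ts, actor = rec["id"]["time"], rec["actor"]["email"]
        for ev in rec.get("events", []):
            if ev.get("name") != "authorize":
                continue  # 'revoke' / 'activity' events are not new grants
            params = ev.get("parameters", [])
            cid = _param(params, "client_id")
            if not cid:
                continue
            g = grants.setdefault(cid, AppGrant(cid, _param(params, "app_name") or cid))
            g.users.add(actor)
            g.scopes.update(_param(params, "scope") or [])
            g.first_seen = min(g.first_seen or ts, ts)  # ISO-8601 sorts lexically
            g.last_seen = max(g.last_seen, ts)
    return grants


def find_unapproved(grants, approved_client_ids):
    """Clients outside the vendor allow-list holding a sensitive scope,
    worst first (most sensitive scopes, then most affected users)."""
    findings = []
    for g in grants.values():
        if g.client_id in approved_client_ids:
            continue
        risky = sorted(g.scopes & SENSITIVE_SCOPES)
        if risky:
            findings.append((g, risky))
    findings.sort(key=lambda f: (-len(f[1]), -len(f[0].users)))
    return findings


def _rec(ts, user, name, client_id, app, scopes):
    """Build one constructed token-audit record in the Reports API shape."""
    return {"id": {"time": ts, "applicationName": "token"},
            "actor": {"email": user},
            "events": [{"type": "auth", "name": name, "parameters": [
                {"name": "client_id", "value": client_id},
                {"name": "app_name", "value": app},
                {"name": "scope", "multiValue": scopes}]}]}


# Constructed sample (not real log data): an AI note-taker granted broad
# mail+Drive access by two users, one approved SSO app, one low-risk widget,
# and a revoke event that must be ignored.
AI_APP = "111-ai.apps.googleusercontent.com"
SSO_APP = "222-sso.apps.googleusercontent.com"
CAL_APP = "333-cal.apps.googleusercontent.com"
APPROVED_CLIENT_IDS = {SSO_APP}
SAMPLE_RECORDS = [
    _rec("2024-06-12T09:15:00.000Z", "alice@example.com", "authorize", AI_APP,
         "Note Taker AI", ["openid", "email", "https://mail.google.com/",
                           "https://www.googleapis.com/auth/drive"]),
    _rec("2024-07-01T14:02:00.000Z", "bob@example.com", "authorize", AI_APP,
         "Note Taker AI", ["openid", "https://www.googleapis.com/auth/drive.readonly"]),
    _rec("2024-05-03T08:00:00.000Z", "carol@example.com", "authorize", SSO_APP,
         "Corp SSO", ["openid", "https://www.googleapis.com/auth/admin.directory.user.readonly"]),
    _rec("2024-08-20T11:30:00.000Z", "dave@example.com", "authorize", CAL_APP,
         "Calendar Widget", ["openid", "https://www.googleapis.com/auth/calendar.readonly"]),
    _rec("2024-09-01T10:00:00.000Z", "bob@example.com", "revoke", AI_APP,
         "Note Taker AI", []),
]

if __name__ == "__main__":
    for g, risky in find_unapproved(summarize_grants(SAMPLE_RECORDS), APPROVED_CLIENT_IDS):
        print(f"{g.app_name} ({g.client_id}): {len(g.users)} user(s), "
              f"first grant {g.first_seen}, sensitive scopes: {', '.join(risky)}")
```

Run against real data, feed the paginated items from activities.list into summarize_grants and maintain the allow-list from your vendor register, not from what users have already accepted. The first_seen value is what gives you the exposure window for each finding; a grant that predates your review of the vendor is the case this incident describes. Revocation is a separate step, done per user and client ID through the Directory API tokens resource or from the same Accessed Apps page.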