Someone at an AI startup called Context.ai went looking for Roblox auto-farm scripts and game exploit tools. They found malware instead. That single download set off a chain reaction that ultimately breached Vercel, one of the largest web hosting platforms in the world, and put customer credentials at risk.
The attack chain is a textbook example of how modern supply chain compromises work — and why every third-party tool you connect to your work accounts is a potential attack surface.
How It Happened
In February 2026, a Context.ai employee downloaded files containing Lumma Stealer, an info-stealing malware widely distributed through fake game cheats and cracked software. The malware harvested corporate credentials from the employee’s device, including Google Workspace access tokens and API keys for services like Supabase, Datadog, and Authkit.
The attacker used those stolen credentials to access Context.ai’s internal systems, where they found OAuth tokens — the authentication keys that let third-party apps access your accounts without needing your password. One of those tokens belonged to a Vercel employee who had signed up for Context.ai’s service using their enterprise Google account.
With that OAuth token, the attacker took over the Vercel employee’s Google Workspace account. From there, they pivoted into Vercel’s internal environments and began enumerating environment variables — the configuration secrets that developers store on the platform, including database passwords, API keys, and service credentials.
What Was Exposed
Vercel confirmed that the attacker accessed “non-sensitive environment variables” — those stored in plaintext rather than encrypted at rest. The distinction matters, but it’s cold comfort. Many developers store database connection strings, API keys, and service tokens as regular environment variables without marking them as “sensitive” in Vercel’s system.
Vercel’s encrypted environment variables (those explicitly marked as sensitive) showed no evidence of access. But the platform’s default behaviour stored new variables in plaintext unless a developer actively chose to encrypt them. That default worked against customers.
A “limited subset” of customers had credentials compromised — Vercel hasn’t disclosed exact numbers. On April 23, the company revealed it had found additional compromised accounts beyond the initial batch, some of which appeared to be from separate incidents predating the April breach.
The Third-Party Chain
Follow the trust chain: A Vercel customer trusts Vercel with their credentials. Vercel employees use third-party AI tools for their work. Those AI tool companies have their own employees, who download software from the internet onto devices with corporate access. One bad download and the entire chain unravels.
Context.ai identified and blocked the unauthorized AWS access in March 2026 and pulled its Chrome extension from the Web Store on March 27. But by then, the attacker had already used the stolen OAuth tokens to access Vercel. The breach wasn’t disclosed until April 19.
This is what supply chain attacks look like in practice. The attacker didn’t need to find a vulnerability in Vercel’s code. They didn’t need to bypass Vercel’s security controls. They just needed one employee at one vendor to make one bad decision — and then follow the OAuth tokens wherever they led.
Vercel’s Response
Vercel brought in Google Mandiant and engaged Microsoft, GitHub, npm, and Socket for the investigation. They confirmed that no npm packages published by Vercel were compromised — an important detail given Vercel’s central role in the JavaScript ecosystem through Next.js.
The company has since changed its default behaviour: new environment variables are now marked as “sensitive” by default, requiring encryption at rest. They’ve also recommended that all customers rotate their non-sensitive environment variables, enable multi-factor authentication, and review activity logs for suspicious deployments.
Why This Matters
The Vercel breach illustrates a risk that grows every time you connect another SaaS tool to your workflow. Every OAuth permission you grant, every third-party app that touches your work accounts, and every vendor your cloud provider’s employees use — each one extends your attack surface in ways you can’t monitor or control.
Vercel hosts websites and applications for millions of developers and companies. Environment variables on these platforms often contain the keys to production databases, payment processors, and internal APIs. When those secrets leak, it’s not just Vercel’s problem — it cascades to every service those credentials unlock.
The attack path from “employee downloads game cheats” to “customer production credentials exposed” sounds absurd, but it’s increasingly common. Lumma Stealer and similar info-stealers are mass-distributed through exactly these channels — game mods, cracked software, fake utilities. They’re designed to harvest browser sessions, OAuth tokens, and saved credentials, then sell that access to the highest bidder.
Protecting Yourself
If you use Vercel or any cloud hosting platform that stores environment variables:
- Rotate all secrets immediately — don’t wait for a breach notification to tell you it’s necessary
- Mark credentials as sensitive/encrypted in whatever platform you use. Never rely on the default
- Audit your OAuth grants regularly. Revoke access for any third-party apps you’re not actively using
- Use short-lived credentials where possible instead of long-lived API keys
- Treat environment variables as a security boundary, not a convenience feature
The deeper lesson is about trust chains. When you store credentials on a cloud platform, you’re trusting that platform’s security — and the security of every tool and service their employees use. That’s a lot of trust to extend to organisations you can’t audit.
Self-hosted infrastructure and zero-knowledge architectures exist specifically to break these trust chains. When your credentials never leave your environment, a breach at a third-party AI tool company can’t expose them. That’s not paranoia — as of this month, it’s just common sense.