
Compromise of Third-Party AI Tool via Infostealer Leads to Vercel Breach and OAuth Token Theft Chain

1 unique source, 1 article

Summary

Threat actors compromised a third-party AI vendor, Context.ai, via an infostealer delivered through a gaming cheat script, then used a compromised OAuth token belonging to a Vercel employee to breach Vercel’s environments. The incident resulted in unauthorized access to some Vercel environments and environment variables, with potential downstream customer credential compromise. The attack highlights risks from unsanctioned AI tool usage, overprivileged OAuth grants, and the expanding threat surface presented by AI integrations. Vercel is collaborating with Mandiant on incident response and has notified a limited subset of customers, recommending credential rotation.

Timeline

  1. 21.04.2026 00:01 1 article · 4h ago

    Third-party AI Vendor Compromise via Infostealer Enables Vercel Breach via OAuth Token Theft

    Context.ai, an AI tool vendor, was compromised by an infostealer delivered through a gaming cheat script. Attackers used the breach to steal OAuth tokens, including one belonging to a Vercel employee who had granted "Allow All" permissions to Context.ai. The compromised token enabled unauthorized access to Vercel’s environments and environment variables, leading to a breach with potential downstream customer credential compromise. Vercel is collaborating with Mandiant and has notified affected customers.


Information Snippets

  • Context.ai, an AI tool vendor, was compromised by an infostealer delivered via a gaming cheat script downloaded by one of its employees.

    First reported: 21.04.2026 00:01
    1 source, 1 article
  • A Vercel employee had used their Vercel Google Workspace account to sign up for Context.ai’s AI Office Suite; the compromised OAuth token belonging to that employee was used to gain access to Vercel’s environments.

    First reported: 21.04.2026 00:01
    1 source, 1 article
  • The attacker accessed some Vercel environments and environment variables not marked as "sensitive," according to Vercel’s security bulletin.

    First reported: 21.04.2026 00:01
    1 source, 1 article
  • Vercel reported no evidence that "sensitive" environment variables were accessed but could not rule out exposure of non-sensitive variables that may still contain customer data.

    First reported: 21.04.2026 00:01
    1 source, 1 article
  • Context.ai confirmed the theft of OAuth tokens occurred prior to the AWS environment shutdown and identified that some consumer OAuth tokens were likely compromised.

    First reported: 21.04.2026 00:01
    1 source, 1 article
  • A threat actor, allegedly ShinyHunters, is reportedly selling the Vercel breach for $2 million on underground forums.

    First reported: 21.04.2026 00:01
    1 source, 1 article
  • Vercel has contacted a limited subset of customers whose credentials were compromised and recommended immediate rotation of those credentials.

    First reported: 21.04.2026 00:01
    1 source, 1 article