Lumma Stealer infection of a Context.ai employee
Malware Activity
Summary
A Context.ai employee was infected with Lumma Stealer in February 2026, giving attackers a likely foothold that may have seeded the wider compromise chain affecting Vercel. The infection followed searches for Roblox auto-farm scripts and game exploit executors. That matters because the malware activity appears to have helped enable later account abuse and internal access.
Related Happenings
RubyGems pauses new account signups during major malicious attack
Security Tool/Service
First: 12.05.2026 17:47
Last: 12.05.2026 17:47
Sources 1
About this happening:
**RubyGems** temporarily disabled **new account registration** after a **major malicious attack**, disrupting a core **Ruby package-registry** service while operators contain the...
Sefirah infostealer delivered through a malicious Hugging Face repository
Malware Activity
First: 09.05.2026 17:26
Last: 09.05.2026 17:26
Sources 1
About this happening:
A malicious **Hugging Face** repository impersonated **OpenAI’s Privacy Filter** and delivered **sefirah**, a **Rust-based infostealer**, to **Windows** users, creating credential...
Vidar Stealer ClickFix campaign targeting multiple sectors
Campaign
First: 08.05.2026 14:00
Last: 08.05.2026 14:00
Sources 1
About this happening:
The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...
DigiCert hit by network compromise
Incident
First: 03.05.2026 21:11
Last: 03.05.2026 21:11
Sources 1
About this happening:
DigiCert disclosed an **early April** **support environment compromise** that exposed **initialization codes** for approved **EV code-signing certificate orders**, creating a path...
Latest development: 04.05.2026 15:46
By April 17, DigiCert revoked 60 certificates tied to the support-portal compromise, including 27 explicitly linked to the threat actor and 11 used to sign Zhong Stealer, and canceled pending orders to close attacker access. DigiCert also enforced multi-factor authentication for administrative workflows, blocked access to initialization codes from proxied support users, restricted file types for support chat and Salesforce case attachments, and improved logging.
Vercel customer environment variables compromise
Data Leak
First: 21.04.2026 12:10
Last: 21.04.2026 12:10
Sources 1
About this happening:
**Vercel** confirmed that a **limited subset of customers** had **non-sensitive environment variables** compromised after an attacker abused access tied to an employee account. Th...
Timeline
- 23.04.2026 11:40 · 2 articles
Vercel identifies additional compromised customer accounts
Campaign Scope Update
Vercel said it identified additional customer accounts with evidence of prior compromise tied to unauthorized access to its internal systems after expanding its investigation to include extra compromise indicators and log review of Vercel network requests and environment variable read events. The company said it notified affected parties and did not disclose an exact count, while a separate investigation linked the broader compromise chain to a Context.ai compromise used by a Vercel employee, takeover of a Google Workspace account, and a Lumma Stealer infection of a Context.ai employee in February 2026 that may have served as patient zero.
- Vercel Finds More Compromised Accounts in Context.ai-Linked Breach — thehackernews.com — 23.04.2026 11:40
- Learning from the Vercel breach: Shadow AI & OAuth sprawl — www.bleepingcomputer.com — 29.04.2026 16:05