§ News
By AI Blog Editor
Apr 28, 2026 · 12 min read
From a Roblox cheat to Vercel's environment variables — the OAuth supply chain in one diagram
Vercel's April breach started in February with a Context.ai employee downloading a Roblox auto-farm script. The chain that connects those two facts is the most instructive AI-adjacent security story of the year so far.
On April 19, 2026, Vercel disclosed that a "limited subset" of its customers had their non-sensitive environment variables read out of its platform by an attacker who had pivoted in through a single employee's Google Workspace account. By the time CEO Guillermo Rauch confirmed the incident the next day, security firms had already traced the chain back two months and through three companies. The trailhead was a Context.ai employee who, in February, downloaded a Roblox auto-farm script.
That sentence is the entire story compressed. The expanded version is worth reading because every link in the chain is something a reasonable engineering team has already done.
The chain, in order
The reconstruction below is consistent across Vercel's own incident bulletin, Context.ai's security update, and Help Net Security's write-up of Hudson Rock's infostealer analysis. I'm citing only steps where at least two of those agree.
- February 2026. A Context.ai employee searched for and downloaded Roblox "auto-farm" scripts and executors on their work machine. These have been a known carrier for the Lumma infostealer for over a year. The malware ran, and the credentials it scraped included the employee's Google Workspace login plus keys to Supabase, Datadog, and Authkit.
- March 2026. The attacker used the harvested credentials to reach Context.ai's AWS environment. From there they pulled OAuth tokens belonging to users of Context.ai's "AI Office Suite" — a deprecated consumer product Context launched in June 2025 and has since moved away from in favour of an enterprise Bedrock offering. Context says it "independently identified and stopped" the AWS-side intrusion before April, engaged CrowdStrike, and shut down the AWS environment and the OAuth application.
- Some date in late 2025 or early 2026. A Vercel employee — at home or on a personal device, using their corporate Google Workspace identity — signed up for Context's AI Office Suite. The OAuth consent screen asked for Google Workspace permissions. They clicked "allow all". This is the load-bearing decision in the entire timeline.
- April 2026. With the stolen OAuth token, the attacker logged into the Vercel employee's Google Workspace account, found their way into the employee's Vercel account, and used Vercel's product API surface to enumerate and decrypt non-sensitive environment variables across a subset of customer projects.
- April 19–20, 2026. Vercel disclosed. A threat actor on BreachForums posted that the data was for sale at $2 million, claiming affiliation with the well-known crew ShinyHunters; the real ShinyHunters denied it via Bleeping Computer and the post was eventually pulled. Vercel engaged Mandiant. The company also confirmed, with GitHub, Microsoft, npm and Socket, that no Vercel-published npm packages had been tampered with — which was the secondary thing the entire JavaScript ecosystem was nervously waiting to hear.
That is the chain. Two months, three companies, one OAuth grant.
The detail everyone underweights
Read the disclosure carefully and the most quoted line is Rauch's: "We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI." It is a great sentence for a press release. It is also the least diagnostic sentence in the whole story.
The diagnostic sentence is Context.ai's: "at least one Vercel employee signed up for the AI Office Suite using their Vercel enterprise account and granted 'allow all' permissions." That sentence costs everyone in this story two months of investigation, a CrowdStrike retainer, a Mandiant retainer, and an unknown number of customer-side credential rotations. The clever bit of the attack is not what came after the OAuth grant. The clever bit is that an OAuth grant to a deprecated consumer AI tool was treated by every system in the chain as if it were equivalent to a corporate SSO sign-in.
This is the actual moral. Not "AI tools are dangerous" — the AI tool was incidental, the same chain works with any third-party productivity app — but rather: OAuth grants to consumer-grade SaaS are now a peer of corporate SSO in your blast radius, and almost no security team treats them that way. Trend Micro's writeup of the same incident calls this "the OAuth gap most security teams cannot detect, scope, or contain", and that is approximately right. Most identity providers will not even surface the list of every OAuth third-party app that has standing access to a workspace, let alone which scopes were granted.
Why the AI-tool framing is half-right
It is fair to call this an "AI-adjacent" incident, but for a narrower reason than most coverage suggests. AI productivity tools have grown into the role that browser extensions occupied a decade ago: they are installed informally, by individual employees, on the strength of a Twitter recommendation, and they ask for very broad scopes because they need to read your inbox or your calendar to do anything interesting. That is the part of the AI angle that matters.
The Roblox cheat is the other half of the AI angle, and it is more uncomfortable. Lumma stealer is delivered via cracked-software, fake updates, and game-cheat lures because the people downloading those things are reliably less careful. The new wrinkle is that the targeting funnel doesn't end at consumer credentials any more — it ends at corporate Google Workspace identities, because remote work has collapsed the distinction between the laptop you play Roblox on and the laptop you sign Google OAuth grants on. There is a temptation to be sniffy about this. Resist it. It is happening at companies whose security postures are excellent.
What didn't happen, which matters
A few things explicitly did not happen, and they matter for calibration:
- No npm-package supply-chain compromise. Vercel publishes a long list of widely-used packages — next, swr, turbo, @vercel/*. None were tampered with. Confirmed against GitHub, Microsoft, npm, and Socket. If you were reading "Vercel breached" and bracing for an event-stream-style incident, breathe out.
- No Next.js or Turbopack project compromise. Vercel's framework infrastructure was not the target.
- No customer source code en masse. Some early reporting implied otherwise; Vercel's bulletin and subsequent updates clarify that the data accessed was account-level metadata and non-sensitive environment variables (i.e., variables configured to decrypt to plaintext), not project source.
The third point is the one customers should read carefully. "Non-sensitive" is the label developers attach to environment variables they decided weren't secrets. Anyone who has run a CI/CD pipeline knows that label is not always honest. GitGuardian's incident write-up catalogues the categories that routinely end up there — third-party API keys, signed URLs that look harmless until you read the docs, internal-service base URLs that double as enumeration aids. If you ran a Vercel project during the window, the rotation question is not "did I have anything sensitive" but "did anything I labelled non-sensitive contain something I would not paste into a Slack channel."
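As an added example (not from Vercel, GitGuardian, or the original article), here is one way to triage values labelled "non-sensitive" against the three categories named above. The variable names, the sample values, and the pattern lists are all constructed assumptions, not an exhaustive detector.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Assumed, non-exhaustive pattern lists for this example; tune to your estate.
SIGNED_PARAMS = {"x-amz-signature", "x-goog-signature", "sig", "signature", "token"}
KEY_PATTERN = re.compile(r"^(AKIA[0-9A-Z]{16}|sk_live_[0-9a-zA-Z]+|ghp_[0-9a-zA-Z]{36})$")
INTERNAL_SUFFIXES = (".internal", ".local", ".corp", ".lan")

# Constructed sample: what a project's "non-sensitive" variables might hold.
SAMPLE_ENV = {
    "NEXT_PUBLIC_SITE_NAME": "Acme Docs",
    "ANALYTICS_KEY": "AKIAIOSFODNN7EXAMPLE",  # AWS's documented example key ID
    "REPORT_URL": "https://storage.example.com/r.csv?X-Amz-Signature=abc123&X-Amz-Expires=900",
    "BILLING_BASE_URL": "http://billing.svc.internal:8080/v1",
    "CACHE_URL": "http://10.2.3.4:6379",
    "DOCS_URL": "https://example.com/docs",
}


def classify(value):
    """Return a category if the value looks like one of the three kinds, else None."""
    if KEY_PATTERN.match(value):
        return "api-key"
    if value.startswith(("http://", "https://")):
        parts = urlsplit(value)
        # A signature or bearer parameter makes the URL itself a credential.
        if {k.lower() for k in parse_qs(parts.query)} & SIGNED_PARAMS:
            return "signed-url"
        host = parts.hostname or ""
        try:
            if ipaddress.ip_address(host).is_private:
                return "internal-url"
        except ValueError:
            # Not an IP literal: check for internal-looking or single-label names.
            if host and (host.endswith(INTERNAL_SUFFIXES) or "." not in host):
                return "internal-url"
    return None


def triage(env):
    """Map each variable that should be treated as a secret to its category."""
    return {name: cat for name, value in env.items() if (cat := classify(value))}


if __name__ == "__main__":
    for name, category in triage(SAMPLE_ENV).items():
        print(f"{name}: {category} -> rotate and re-label as sensitive")
```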
What this means
Three takeaways, none of them about AI.
- Inventory the OAuth third-party apps in your Workspace. Today. Set a recurring calendar event to do it again in three months. The list will surprise you.
- Stop using "non-sensitive" as a real category. Either a value is a secret or it is in version control. The middle category is where these incidents live.
- Assume an OAuth-token compromise on any third party that handles your employees' calendars or mail is equivalent to an SSO compromise. That is what the Vercel chain proves at the platform level, and it is what your audit team will eventually conclude on its own. Beating them to the conclusion is cheaper.
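For the first takeaway, the sketch below is an added example, not code from the article or from any vendor named in it. It groups OAuth grants by client ID and puts the apps holding the broadest scopes at the top. The input is constructed sample data shaped like the Token resources returned by the Admin SDK Directory API's tokens.list; the app names, user keys, and the choice of which scopes count as broad are assumptions.

```python
from collections import defaultdict

# Scopes treated as broad here: an assumption for this example, tune to policy.
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/calendar": "full Calendar access",
}

# Constructed sample, shaped like Directory API Token resources (one
# tokens.list call per user); IDs and app names are hypothetical.
SAMPLE_TOKENS = [
    {"userKey": "1001", "clientId": "aaa.apps.googleusercontent.com",
     "displayText": "Hypothetical AI Suite",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/calendar"]},
    {"userKey": "1002", "clientId": "aaa.apps.googleusercontent.com",
     "displayText": "Hypothetical AI Suite",
     "scopes": ["https://www.googleapis.com/auth/calendar"]},
    {"userKey": "1001", "clientId": "bbb.apps.googleusercontent.com",
     "displayText": "Hypothetical Notes App",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
]


def inventory(tokens):
    """Group grants by client ID; return apps with the broadest access first."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "broad": set()})
    for tok in tokens:
        app = apps[tok["clientId"]]
        app["name"] = tok.get("displayText", "")
        app["users"].add(tok["userKey"])
        app["broad"].update(s for s in tok.get("scopes", []) if s in BROAD_SCOPES)
    rows = [{"client_id": cid, "name": a["name"], "users": sorted(a["users"]),
             "broad": sorted(a["broad"])} for cid, a in apps.items()]
    return sorted(rows, key=lambda r: (-len(r["broad"]), -len(r["users"]), r["client_id"]))


if __name__ == "__main__":
    for row in inventory(SAMPLE_TOKENS):
        flag = "REVIEW" if row["broad"] else "ok"
        print(f'{flag:6} {row["name"]} ({len(row["users"])} users)')
        for scope in row["broad"]:
            print(f"       {scope}: {BROAD_SCOPES[scope]}")
```

Diffing the output of successive runs shows which grants appeared since the last review.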
The depressing version of the moral is that none of the six companies in this chain — Context.ai, the unnamed Roblox-cheat distributor, the Lumma operators, the BreachForums reseller, Vercel, and the affected Vercel customer — did anything genuinely novel. The chain held together because each link is normal practice. The encouraging version is that breaking any one link would have stopped it. Patching the OAuth-grant link is the one within reach for everyone reading this. Patching the Roblox-cheat link is, regrettably, somebody else's problem.