


Perceptive Security
SOC/SIEM Consultancy

Vercel Finds More Compromised Accounts in Context.ai-Linked Breach
Published:
23 April 2026 at 08:40:00
Alert date:
23 April 2026 at 10:01:03
Source:
thehackernews.com
Cloud & Virtualization, Data Breach & Exfiltration, Identity & Access, Supply Chain & Dependencies
Vercel discovered additional compromised customer accounts in a security incident linked to Context.ai that enabled unauthorized access to internal systems. The company expanded its investigation to include more compromise indicators and reviewed network requests. This represents an ongoing data breach affecting multiple customer accounts with potential for unauthorized system access.
Technical details
The breach originated from a compromise of Context.ai after the tool had been used by a Vercel employee. The attacker gained control of the employee's Google Workspace account and used it to access their Vercel account. From there, they pivoted into Vercel's environment and maneuvered through systems to enumerate and decrypt non-sensitive environment variables. Investigation revealed that a Context.ai employee was infected with Lumma Stealer malware in February 2026 after searching for Roblox auto-farm scripts and game exploit executors, which may have been the initial infection point. The attack involved OAuth integrations, which can inherit trust from users and organizations and so allow attackers to avoid some security controls.
Mitigation steps:
Vercel has notified affected parties in both cases of compromise. Context.ai has deprecated the AI Office Suite. Organizations should review OAuth integrations and implement controls for direct account compromise, focus on rapid scoping and blast-radius reduction rather than just prevention, and be aware of shadow AI usage where employees use unauthorized AI tools without formal IT review.
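The OAuth integration review recommended above, as an added example that is not code from Vercel, Context.ai or the original article. It assumes the Google Workspace token grants have been exported as JSON records shaped like the Admin SDK Directory API `tokens.list` items; the scope-prefix list, the approved-client allowlist and the sample records are constructed for illustration.

```python
import json

# Scope prefixes treated as high-impact (assumption: tune to your own policy).
BROAD_SCOPE_PREFIXES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.",
    "https://www.googleapis.com/auth/cloud-platform",
)
# Client IDs that passed formal IT review (constructed placeholder value).
APPROVED_CLIENT_IDS = {"111111111111-approved.apps.googleusercontent.com"}

# Constructed sample records, shaped like Directory API tokens.list items.
SAMPLE_TOKENS = json.loads("""[
 {"userKey": "alice@example.com", "displayText": "Approved CRM",
  "clientId": "111111111111-approved.apps.googleusercontent.com",
  "scopes": ["https://www.googleapis.com/auth/drive"]},
 {"userKey": "bob@example.com", "displayText": "Unreviewed AI Assistant",
  "clientId": "222222222222-unknown.apps.googleusercontent.com",
  "scopes": ["openid", "https://mail.google.com/",
             "https://www.googleapis.com/auth/drive.readonly"]},
 {"userKey": "carol@example.com", "displayText": "Unreviewed Notes App",
  "clientId": "333333333333-unknown.apps.googleusercontent.com",
  "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]}
]""")

def audit_grants(tokens, approved=APPROVED_CLIENT_IDS):
    """Group unapproved grants per app and list who granted them (blast radius)."""
    apps = {}
    for t in tokens:
        if t["clientId"] in approved:
            continue  # reviewed integration, out of scope for this audit
        app = apps.setdefault(t["clientId"], {
            "name": t.get("displayText", "?"), "users": set(), "broad": set()})
        app["users"].add(t["userKey"])
        app["broad"].update(s for s in t.get("scopes", [])
                            if s.startswith(BROAD_SCOPE_PREFIXES))
    findings = [{"client_id": cid, "name": a["name"],
                 "users": sorted(a["users"]),
                 "broad_scopes": sorted(a["broad"]),
                 "severity": "high" if a["broad"] else "review"}
                for cid, a in apps.items()]
    # High severity first, then the apps granted by the most users.
    return sorted(findings, key=lambda f: (f["severity"] != "high", -len(f["users"])))

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_TOKENS):
        print(f["severity"], f["name"], f["users"], f["broad_scopes"])
```

The per-app user list is what supports rapid scoping: if one integration is later reported compromised, it names the accounts whose grants need revoking first.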
Affected products:
Vercel
Context.ai
Context AI Office Suite
Google Workspace
Next.js framework
Related links:
https://vercel.com/kb/bulletin/vercel-april-2026-security-incident
https://thehackernews.com/2026/04/vercel-breach-tied-to-context-ai-hack.html
https://x.com/rauchg/status/2047150411170320808
https://www.grip.security/blog/shadow-ai-access-risk
https://context.ai/security-update
Related CVEs:
Related threat actors:
IOCs:
Lumma Stealer malware
This article was created with the assistance of AI technology by Perceptive.
