Stolen OAuth token widens Vercel breach

Attackers used an OAuth token stolen from a Context.ai employee infected with Lumma Stealer to access Vercel’s Google Workspace, widening an April 2026 breach and exposing environment variables.

Attackers used an OAuth token stolen from a Context.ai employee infected with Lumma Stealer malware to access a Vercel Google Workspace account, widening an April 2026 security incident that exposed non-sensitive environment variables and could affect hundreds of developers, particularly those building AI agent workflows.

Vercel wrote in an April 19 security bulletin that the company was not the initial point of entry. The attacker first compromised a Context.ai employee who downloaded a Roblox auto-farm script and game exploit tools, common distribution methods for Lumma Stealer. The malware exfiltrated Google Workspace credentials and access keys for services including Supabase, Datadog and Authkit.

Using the stolen OAuth token, the attacker accessed a Google Workspace account tied to a Vercel enterprise-created user that had broad “allow all” permissions. Vercel had enabled permissive OAuth settings in its Google Workspace environment, which increased the attacker’s ability to reach resources linked to Vercel projects.

The attacker decrypted environment variables that were not stored as protected secrets in Vercel. Variables explicitly stored as sensitive remained inaccessible. Many developers keep API keys, database connection strings and webhook secrets in plain environment variables within deployments; that practice is common in AI workflows that use multiple provider keys and tool tokens.

After the incident, Vercel changed product defaults so new environment variables are marked sensitive by default and can only be reverted by the developer. The company noted the change does not recover values that were exposed before the update.

The bulletin warned the scope of the incident is larger than initially reported and that it could affect hundreds of users across multiple organizations because the compromised OAuth app was not exclusive to Vercel. Vercel shared the unique identifier of the OAuth app and urged Google Workspace administrators and account holders to check whether the application had access to their systems.

Context.ai discovered the initial employee compromise and worked with security professionals, including Nudge Security CTO Jaime Blasco, to trace additional permission grants. Context.ai identified another OAuth grant that included Google Drive access, notified affected customers and provided recommended remediation steps.
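The check the bulletin asks Workspace administrators to make can be run over exported token audit events. The following is an added example, not code from Vercel, Context.ai or this article: it assumes records shaped like Google Workspace Admin SDK Reports API token activity items, and the client ID, sample records and helper names (`find_grants`, `_item`) are placeholders or constructed for illustration.

```python
# Placeholder: the article does not print the app identifier; copy it from the bulletin.
SUSPECT_CLIENT_ID = "PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"

# Assumption: scope prefixes this triage treats as broad; adjust to local policy.
BROAD_PREFIXES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.",
)

def _item(time, email, name, client_id, scopes):
    """Build one constructed record shaped like a Reports API token activity item."""
    return {"id": {"time": time}, "actor": {"email": email},
            "events": [{"name": name, "parameters": [
                {"name": "client_id", "value": client_id},
                {"name": "scope", "multiValue": scopes}]}]}

# Constructed sample data, not taken from the incident.
SAMPLE_EVENTS = [
    _item("2026-01-05T14:30:00Z", "alice@example.com", "authorize", SUSPECT_CLIENT_ID,
          ["openid", "https://www.googleapis.com/auth/drive"]),
    _item("2026-01-06T08:15:00Z", "bob@example.com", "authorize", "other-app.example",
          ["https://mail.google.com/"]),
    _item("2026-01-07T11:00:00Z", "carol@example.com", "authorize", SUSPECT_CLIENT_ID,
          ["https://www.googleapis.com/auth/userinfo.email"]),
    _item("2026-01-12T09:00:00Z", "carol@example.com", "revoke", SUSPECT_CLIENT_ID, []),
    _item("2026-01-03T07:00:00Z", "dave@example.com", "revoke", SUSPECT_CLIENT_ID, []),
]

def find_grants(items, client_id):
    """Replay authorize/revoke events in time order; return per-user grant state."""
    state = {}
    # ISO 8601 UTC timestamps in one format sort correctly as plain strings.
    for item in sorted(items, key=lambda i: i["id"]["time"]):
        user = item["actor"]["email"]
        for event in item.get("events", []):
            params = {p["name"]: p.get("multiValue", p.get("value"))
                      for p in event.get("parameters", [])}
            if params.get("client_id") != client_id:
                continue
            if event["name"] not in ("authorize", "revoke"):
                continue
            # A revoke with no authorize in the window means the grant predates the export.
            rec = state.setdefault(user, {"scopes": set(), "active": False})
            if event["name"] == "authorize":
                rec["scopes"].update(params.get("scope") or [])
            rec["active"] = event["name"] == "authorize"
    for rec in state.values():
        rec["broad"] = sorted(s for s in rec["scopes"] if s.startswith(BROAD_PREFIXES))
    return state
```

Users returned with `active` set to true still hold a grant to the app; users present only through a revoke event had a grant older than the exported window, so the scopes they exposed need to be confirmed from another source.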

Vercel and Context.ai continue to investigate the incident and update customers as they identify further details.
