Skip to content
The AI-First Web

Vercel Breached via an AI Productivity Tool. An Employee Granted 'Allow All' Permissions to Context.ai. Lumma Stealer Stole the OAuth Tokens. Customer API Keys Compromised. Two Separate Breaches Found.

The hosting platform behind 'more than a million developer projects' was compromised because one employee installed an AI tool with full Google Workspace access. Lumma Stealer malware inside Context.ai stole OAuth tokens, bypassed MFA, pivoted into encrypted environment variables. ShinyHunters listed the data for $2 million. A second, older breach was discovered during investigation.

· 6 min read
Share on X LinkedIn
Vercel Breached via an AI Productivity Tool. An Employee Granted 'Allow All' Permissions to Context.ai. Lumma Stealer Stole the OAuth Tokens. Customer API Keys Compromised. Two Separate Breaches Found.

The AI Tool That Opened the Door

In April 2026, Vercel disclosed a security incident that originated not from a traditional attack vector — no phishing, no unpatched server, no credential stuffing — but from Context.ai, an AI productivity tool that a Vercel employee had integrated with their Google Workspace. The employee had granted Context.ai 'Allow All' permissions, giving the AI tool full access to their Google Workspace account. In February 2026, Lumma Stealer malware infected Context.ai's infrastructure, and the stolen Google Workspace OAuth tokens gave attackers full access — bypassing MFA entirely, since OAuth tokens are post-authentication.

From the compromised Google Workspace account, the attackers pivoted into Vercel's internal tooling: admin interfaces, issue trackers, and — critically — the encrypted environment variable store. Vercel's environment variables store customers' API keys, database credentials, and secrets. The encryption was server-side, but the attacker had admin-level access through the OAuth chain. ShinyHunters listed the exfiltrated data on BreachForums for $2 million. 580 Vercel employee records were exposed. The full scope of customer data compromise is still being assessed in June 2026 as customers rotate credentials.

Context.ai with 'Allow All' OAuth permissions
Entry point
AI productivity tool integrated by a Vercel employee.
Lumma Stealer → OAuth tokens → MFA bypass → admin access
Attack chain
No phishing, no credential stuffing — pure OAuth supply chain.
$2 million on BreachForums
Ransom demand
Listed by ShinyHunters. Customer environment variables compromised.
Second, older breach found during investigation
Discovery
Pre-dating the Context.ai chain. Source: Vercel knowledge base.

The OAuth Permission Problem

The employee granted Context.ai 'Allow All' permissions because the AI tool requested broad access to be useful — reading emails, calendar, documents, and Drive files to provide AI-powered productivity features. This is the standard operating model for AI productivity tools: they need access to your data to analyze it. The broader the access, the more useful the tool. The broader the access, the larger the blast radius when the tool is compromised.

OAuth's permission model was designed for applications that are trusted third parties. In 2026, every AI startup is requesting broad OAuth permissions to build AI features on top of enterprise data. The attack surface is no longer the number of passwords an organization manages — it is the number of OAuth tokens an organization has granted to third-party AI tools. Each token is a pre-authenticated, MFA-bypassing credential that persists until explicitly revoked. Most organizations do not inventory their OAuth grants. Most employees do not understand that 'Allow All' means 'give this app everything, forever, regardless of MFA.'

Two Breaches, Not One

During the investigation of the Context.ai-originated breach, Vercel discovered a second, independent compromise predating the first. The two breaches were unrelated — different attack vectors, different timelines, different scope. The second breach's details remain limited, but its discovery reveals that Vercel's security posture had undetected gaps before the Context.ai incident. The AI tool breach was not a single unlucky event. It was a symptom of broader security architecture gaps that allowed two separate breaches to exist simultaneously.

Vercel confirmed, in collaboration with GitHub, Microsoft, npm, and Socket, that no npm packages were compromised — a critical assurance given Vercel's deep integration with the npm ecosystem. But the customer environment variables — API keys for databases, payment processors, third-party services — were compromised. For Vercel's customers, the breach means rotating every secret stored in Vercel's environment variable system. For the ecosystem, it means the hosting platform that developers trusted with their secrets could not protect them from an employee's AI tool installation.

The Shadow IT of AI

Context.ai is not a known-malicious tool. It is a legitimate AI productivity application that was itself compromised by Lumma Stealer. The Vercel employee who installed it was trying to be more productive, not reckless. This is the shadow IT problem of the AI era: employees are adopting AI tools faster than security teams can evaluate them. Each AI tool requests broad permissions. Each set of permissions creates a pre-authenticated access path. Each access path is a breach waiting for the AI tool's own security to fail.

For web infrastructure teams, the Vercel breach is a direct warning. The hosting platform's security is only as strong as the weakest third-party tool any employee has connected. A FastAPI application deployed on Vercel with secrets stored in Vercel's environment variables is exposed not because of any flaw in FastAPI or the deployment architecture, but because a Vercel employee installed an AI productivity tool. The web framework choice is necessary but not sufficient. The hosting platform's security practices, the platform employees' tool installations, and the OAuth permission grants of the entire organization all contribute to the security posture of every application hosted on that platform.

Share this insight