Full Report
Compromised Context.ai OAuth tokens enabled attackers to perform a supply chain attack via trusted SaaS integrations. Learn how to assess the risk in your environment and how to prevent the next attack.
Analysis Summary
# Incident Report: Context.ai OAuth Token Compromise & Supply Chain Attack
## Executive Summary
A compromise of OAuth tokens at the third-party AI provider Context.ai enabled attackers to perform a "double supply chain attack." By hijacking a Vercel employee's Google Workspace account via a compromised token, the attackers gained access to internal Vercel systems. This access potentially extended the blast radius to Vercel's customers, highlighting the critical risk of broad delegated permissions in SaaS integrations.
## Incident Details
- **Discovery Date:** April 4, 2026
- **Incident Date:** Early April 2026
- **Affected Organization:** Context.ai (Initial), Vercel (Downstream)
- **Sector:** Technology / Software-as-a-Service (SaaS) / Artificial Intelligence
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** April 2026
- **Vector:** Likely an Infostealer infection of a Context.ai employee.
- **Details:** Reports indicate an infostealer compromised a Context.ai employee’s device, allowing attackers to access internal systems and acquire OAuth application credentials (Client IDs/Secrets).
### Lateral Movement
- **Supply Chain Pivot:** Attackers used the stolen OAuth credentials to access the accounts of Context.ai users.
- **Vercel Entry:** A Vercel employee had authorized the Context.ai app with "Allow All" permissions. Attackers used the compromised token to gain unauthorized access to Vercel's internal Google Workspace environment.
### Data Exfiltration/Impact
- **Vercel Systems:** Unauthorized access to internal systems was confirmed by Vercel on April 4th.
- **Downstream Risk:** As a supply chain attack, the compromise of Vercel creates a subsequent risk profile for Vercel's own customers.
### Detection & Response
- **Discovery:** Vercel identified unauthorized access to internal systems and disclosed the breach on April 4, 2026.
- **Response actions taken:** Context.ai confirmed the compromise of their consumer-focused suite; Vercel issued a security advisory and began rotating credentials.
## Attack Methodology
- **Initial Access:** Infostealer infection (suspected) leading to OAuth credential theft.
- **Persistence:** Abuse of long-lived OAuth tokens and delegated permissions.
- **Privilege Escalation:** Exploitation of "Allow All" broad permission scopes granted by users to the third-party app.
- **Defense Evasion:** Use of legitimate APIs and pre-authorized tokens to bypass traditional multi-factor authentication (MFA) and login alerts.
- **Lateral Movement:** Pivot from a third-party vendor (Context.ai) to a customer (Vercel) via shared SaaS integrations.
- **Impact:** Unauthorized access to enterprise identity providers (Google Workspace) and downstream CI/CD or hosting environments.
## Impact Assessment
- **Financial:** Undisclosed, but involves significant remediation and investigation costs.
- **Data Breach:** Exposure of OAuth tokens; potential unauthorized access to Google Workspace data (emails, files, etc.).
- **Operational:** Disruption for Vercel and Context.ai as they force credential rotations and audit logs.
- **Reputational:** High-profile breach impacting trust in the Vercel platform and AI SaaS providers.
## Indicators of Compromise
- **OAuth App client ID:** `110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj[.]apps[.]googleusercontent[.]com`
- **Behavioral indicators:** Unusual API calls coming from legitimate third-party application service accounts; unauthorized "authorize" events for the specific Client ID in Google Workspace logs.
## Response Actions
- **Containment:** Revocation of the compromised Context.ai OAuth application across Google Workspace environments.
- **Eradication:** Rotation of all tokens and credentials associated with affected users.
- **Recovery:** Auditing Google Workspace activity logs for signs of data exfiltration or unauthorized configuration changes.
## Lessons Learned
- **Permission Proliferation:** Users granting "Allow All" permissions to third-party tools creates a massive security vacuum that bypasses traditional perimeter defenses.
- **SaaS Interconnectivity:** The security of an organization is now inextricably linked to the security of its employees' chosen AI tools.
- **Infostealer Risk:** Endpoint infections on vendor devices can lead to large-scale cloud breaches via stolen application secrets.
## Recommendations
- **OAuth Governance:** Implement a "Least Privilege" model for OAuth applications. Use policies to restrict or block third-party apps that request broad scopes (e.g., full mailbox access or file modification).
- **Inventory Integrations:** Regularly audit authorized third-party applications in Google Workspace, Microsoft 365, and GitHub.
- **Continuous Monitoring:** Monitor for anomalous API traffic or high volumes of data transfer originating from third-party service principals.
- **Vendor Risk Management:** Assess the security posture of consumer-focused AI tools before allowing employees to integrate them with corporate identities.