Full Report
Vercel on Wednesday revealed that it has identified an additional set of customer accounts that were compromised as part of a security incident that enabled unauthorized access to its internal systems. The company said it made the discovery after expanding its investigation to include an extra set of compromise indicators, alongside a review of requests to the Vercel network and environment.
Analysis Summary
# Incident Report: Vercel Environment Variable Compromise
## Executive Summary
Vercel identified an unauthorized intrusion into its internal systems stemming from a supply chain compromise involving a third-party AI service, Context.ai. The attacker leveraged a compromised employee Google Workspace account to access Vercel environments, enabling them to enumerate and decrypt customer environment variables. Subsequent investigations revealed additional compromised accounts and evidence of long-term malware activity targeting developers.
## Incident Details
- **Discovery Date:** April 2026 (Investigation expanded on Wednesday, April 22, 2026)
- **Incident Date:** Initial infection February 2026; Breach activities April 2026
- **Affected Organization:** Vercel (and Context.ai)
- **Sector:** Software as a Service (SaaS) / Cloud Infrastructure
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** February 2026 (Patient Zero)
- **Vector:** Malware (Lumma Stealer)
- **Details:** A Context.ai employee was infected with Lumma Stealer while searching for "Roblox auto-farm scripts" and game exploits. This allowed the attacker to steal credentials/tokens.
### Lateral Movement
- **Supply Chain Pivot:** The attacker used stolen credentials to compromise Context.ai’s "AI Office Suite."
- **SaaS Pivot:** A Vercel employee utilized the compromised Context.ai integration, which allowed the attacker to seize control of the Vercel employee’s Google Workspace account via OAuth/token theft.
- **Internal Access:** From the Google Workspace account, the attacker gained access to Vercel’s internal environment.
### Data Exfiltration/Impact
- **Decryption:** From inside Vercel's internal environment the attacker enumerated and decrypted environment variables for a "small number" of customer accounts. The affected variables are described as non-sensitive, meaning ones not flagged as Sensitive in Vercel's project settings; the Sensitive flag stops a value from being read back after it is created, so variables without it are the ones an attacker with internal read access can recover in cleartext.
- **Secondary Discovery:** Vercel uncovered a separate set of accounts compromised via independent methods (malware/social engineering) predating this specific incident.
### Detection & Response
- **Discovery:** Initially detected via anomalous activity linked to Context.ai; expanded investigation used new indicators of compromise (IoCs) to find more victims.
- **Log Review:** Analysts reviewed Vercel network requests and environment variable "read" events.
- **Notification:** Affected customers were notified.
## Attack Methodology
- **Initial Access:** Infostealer malware (Lumma Stealer) delivered through a trojanized download (game auto-farm scripts and cheats), not a drive-by exploit.
- **Persistence:** Stolen OAuth/refresh tokens and hijacked sessions, which stay valid without re-authentication until they are revoked.
- **Privilege Escalation:** Inheriting the Vercel employee's Google Workspace privileges through the tokens the employee had granted to the third-party Context.ai integration.
- **Defense Evasion:** Use of legitimate OAuth integrations to inherit trust and bypass traditional login controls.
- **Credential Access:** Token theft and decryption of stored environment variables.
- **Discovery:** Enumeration of customer projects and their environment variables from inside Vercel's internal environment.
- **Lateral Movement:** Pivoting between SaaS providers (Context.ai -> Google Workspace -> Vercel).
- **Collection:** Reading customer environment variables; the read events themselves were later recovered from Vercel's logs during the investigation.
- **Exfiltration:** Decryption and theft of customer-defined variables.
- **Impact:** Unauthorized access to configuration data and potential exposure of customer secrets.
## Impact Assessment
- **Financial:** Undisclosed; costs associated with incident response and forensic investigation.
- **Data Breach:** Non-sensitive (and potentially sensitive) environment variables belonging to a subset of customers.
- **Operational:** Context.ai deprecated their "AI Office Suite" entirely; Vercel expanded its investigation to additional indicators of compromise and conducted a broader review of network requests and environment-variable access.
- **Reputational:** Increased scrutiny regarding "Shadow AI" and the risks of OAuth-based third-party integrations.
## Indicators of Compromise
- **Network indicators:** Requests to the Vercel network from attacker-controlled infrastructure identified during the review (the source does not publish the IP addresses); OAuth/API activity tied to the compromised Context.ai integration (defanged: context[.]ai), which is the pivot vendor's own domain and should not be confused with infostealer C2 infrastructure.
- **File indicators:** presence of "Lumma Stealer" binaries on developer workstations.
- **Behavioral indicators:** Unusual environment variable "read" events in Vercel logs; unauthorized Google Workspace logins via third-party OAuth tokens.
## Response Actions
- **Containment:** Revoked compromised tokens and isolated affected internal environments.
- **Eradication:** Deprecated the vulnerable Context.ai integration.
- **Recovery:** Notified affected parties and force-rotated credentials where necessary.
- **Investigation:** Engaged third-party forensics (Hudson Rock) to identify the "Patient Zero" infection.
## Lessons Learned
- **Shadow AI Risk:** Employees using unvetted AI tools (Context.ai) created a bridge for attackers to enter the corporate environment.
- **OAuth Trust:** An OAuth grant carries every scope the user approved and is not re-challenged by MFA, device posture or login-location checks, so a token stolen from the integration is as good as the user's own session for those scopes and bypasses the standard security perimeter.
- **Infostealer Prevalence:** Developer machines are high-value targets for malware (Lumma Stealer) due to the presence of session tokens and cloud keys.
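The OAuth-trust lesson above is easiest to act on by inventorying which third-party apps hold grants in the Workspace tenant and with what scopes. The following is an added example, not Vercel's or Context.ai's code: it audits a list of token records against a reviewed allow-list and a set of high-risk scopes. The records are constructed to mimic the field shape of the Google Admin SDK Directory API `tokens.list` response (`userKey`, `clientId`, `displayText`, `scopes`, `anonymous`, `native`), but every client ID, user and app name is invented, and the allow-list and risk set are hypothetical policy choices.

```python
"""Audit third-party OAuth grants against an allow-list of vetted apps.

Added example; not Vercel's or Context.ai's tooling. Token records mimic the
shape of the Admin SDK Directory API tokens.list response, but all values are
constructed. In production, fetch tokens per user from the API and pass the
list to audit_grants(); revoke findings marked "revoke" via tokens.delete.
"""

# Hypothetical allow-list: reviewed client IDs and the maximum scope set
# the security team approved for each one.
ALLOWED_APPS = {
    "1234-approved-crm.apps.googleusercontent.com": {
        "https://www.googleapis.com/auth/userinfo.email",
        "https://www.googleapis.com/auth/calendar.readonly",
    },
}

# Scopes that let a bearer read or act on mail, Drive or the directory.
# A stolen refresh token carrying any of these is an account takeover.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Constructed sample grants (invented client IDs, users and app names).
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "1234-approved-crm.apps.googleusercontent.com",
     "displayText": "Approved CRM", "anonymous": False, "native": False,
     "scopes": ["https://www.googleapis.com/auth/userinfo.email",
                "https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "bob@example.com", "clientId": "9876-unvetted-assistant.apps.googleusercontent.com",
     "displayText": "Unvetted AI assistant", "anonymous": False, "native": False,
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "alice@example.com", "clientId": "1234-approved-crm.apps.googleusercontent.com",
     "displayText": "Approved CRM", "anonymous": False, "native": False,
     "scopes": ["https://www.googleapis.com/auth/userinfo.email",
                "https://www.googleapis.com/auth/drive.readonly"]},
    {"userKey": "carol@example.com", "clientId": "5555-notes.apps.googleusercontent.com",
     "displayText": "Notes", "anonymous": False, "native": False,
     "scopes": ["https://www.googleapis.com/auth/userinfo.profile"]},
]


def audit_grants(tokens, allowed=ALLOWED_APPS, high_risk=HIGH_RISK_SCOPES):
    """Classify each grant as 'revoke' or 'review'; silently pass approved ones.

    Unlisted app + any high-risk scope      -> revoke
    Unlisted app, low-risk scopes only      -> review (candidate for the list)
    Listed app exceeding its approved scopes -> revoke if the excess is high
                                                risk, otherwise review
    """
    findings = []
    for t in tokens:
        scopes = set(t["scopes"])
        risky = sorted(scopes & high_risk)
        approved = allowed.get(t["clientId"])
        if approved is None:
            verdict, reason = ("revoke" if risky else "review"), "not on allow-list"
        else:
            excess = sorted(scopes - approved)
            if not excess:
                continue  # within the approved envelope: nothing to report
            verdict = "revoke" if set(excess) & high_risk else "review"
            reason = "scopes beyond approved set: " + ", ".join(excess)
        findings.append({"user": t["userKey"], "clientId": t["clientId"],
                         "app": t["displayText"], "verdict": verdict,
                         "reason": reason, "high_risk_scopes": risky})
    return findings


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_TOKENS):
        print(f["verdict"].upper(), f["user"], f["app"], "-", f["reason"])
```

The check is per grant rather than per app on purpose: the same vetted app can be re-authorized by a user with a broader consent screen later, and that second grant (Alice's Drive read scope above) is what the allow-list should catch.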
## Recommendations
- **Integration Vetting:** Implement a strict "Allow-List" for OAuth applications and third-party SaaS integrations.
- **Endpoint Protection:** Enhance EDR (Endpoint Detection and Response) to detect infostealer activity on developer workstations.
- **Token Management:** Reduce session lifetimes for highly privileged accounts and monitor for token theft/anomalous usage.
- **Log Monitoring:** Implement real-time alerting for "read" events on sensitive configuration data like environment variables.
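The behavioral indicators listed earlier (unusual environment-variable "read" events, reads authenticated through third-party tokens) and the log-monitoring recommendation above come down to two detections: a read from an authentication context the actor has never used, and enumeration-style bursts across many projects. The code below is an added example, not Vercel's tooling or log schema; the event fields (`ts`, `actor`, `auth`, `ip`, `action`, `project`) and all sample events are constructed, so the parsing step must be mapped onto whatever your real audit export looks like.

```python
"""Alerting on environment-variable read events.

Added example, not Vercel's tooling. The event schema (ts, actor, auth, ip,
action, project) is invented for illustration; map your real log export onto
it before use.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: two days of routine reads, then a burst from the
# same human identity via an OAuth token and an unfamiliar source IP.
SAMPLE_EVENTS = [
    {"ts": "2026-04-20T09:00:00Z", "actor": "dev@example.com", "auth": "session",
     "ip": "203.0.113.10", "action": "env.read", "project": "web"},
    {"ts": "2026-04-20T09:05:00Z", "actor": "dev@example.com", "auth": "session",
     "ip": "203.0.113.10", "action": "env.read", "project": "web"},
    {"ts": "2026-04-20T14:00:00Z", "actor": "ops@example.com", "auth": "session",
     "ip": "203.0.113.11", "action": "env.read", "project": "api"},
    {"ts": "2026-04-21T10:00:00Z", "actor": "dev@example.com", "auth": "session",
     "ip": "203.0.113.10", "action": "env.read", "project": "api"},
    {"ts": "2026-04-21T22:00:00Z", "actor": "dev@example.com", "auth": "oauth_token",
     "ip": "198.51.100.7", "action": "env.read", "project": "web"},
    {"ts": "2026-04-21T22:00:20Z", "actor": "dev@example.com", "auth": "oauth_token",
     "ip": "198.51.100.7", "action": "env.read", "project": "api"},
    {"ts": "2026-04-21T22:00:40Z", "actor": "dev@example.com", "auth": "oauth_token",
     "ip": "198.51.100.7", "action": "env.read", "project": "billing"},
    {"ts": "2026-04-21T22:01:00Z", "actor": "dev@example.com", "auth": "oauth_token",
     "ip": "198.51.100.7", "action": "env.read", "project": "admin"},
    {"ts": "2026-04-21T22:01:30Z", "actor": "dev@example.com", "auth": "oauth_token",
     "ip": "198.51.100.7", "action": "env.read", "project": "docs"},
]


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def build_baseline(events, cutoff):
    """Per-actor set of (auth method, source IP) pairs seen before the cutoff."""
    baseline = defaultdict(set)
    for e in events:
        if e["action"] == "env.read" and e["ts"] < cutoff:
            baseline[e["actor"]].add((e["auth"], e["ip"]))
    return baseline


def detect_env_reads(events, cutoff, window=timedelta(minutes=5), min_projects=4):
    """Return findings for env.read events at or after `cutoff`.

    new_auth_context: a read from an (auth, ip) pair the actor never used before
                      the cutoff (one finding per actor and pair).
    env_enumeration:  one actor reads variables from >= min_projects distinct
                      projects inside a sliding time window (once per actor).
    """
    baseline = build_baseline(events, cutoff)
    findings = []
    recent = defaultdict(deque)          # actor -> deque of (datetime, project)
    seen_ctx, flagged_enum = set(), set()
    for e in sorted(events, key=lambda x: x["ts"]):   # ISO-8601 sorts chronologically
        if e["action"] != "env.read" or e["ts"] < cutoff:
            continue
        ts, actor, ctx = _parse_ts(e["ts"]), e["actor"], (e["auth"], e["ip"])
        if ctx not in baseline.get(actor, set()) and (actor, ctx) not in seen_ctx:
            seen_ctx.add((actor, ctx))
            findings.append({"rule": "new_auth_context", "actor": actor,
                             "ts": e["ts"], "auth": e["auth"], "ip": e["ip"]})
        q = recent[actor]
        q.append((ts, e["project"]))
        while ts - q[0][0] > window:     # evict reads that fell out of the window
            q.popleft()
        distinct = sorted({p for _, p in q})
        if len(distinct) >= min_projects and actor not in flagged_enum:
            flagged_enum.add(actor)
            findings.append({"rule": "env_enumeration", "actor": actor,
                             "ts": e["ts"], "projects": distinct})
    return findings


if __name__ == "__main__":
    for f in detect_env_reads(SAMPLE_EVENTS, cutoff="2026-04-21T12:00:00Z"):
        print(f)
```

The baseline deliberately keys on the authentication method as well as the IP: in this incident the human identity was legitimate, so a rule that only watches for unknown users would have stayed silent, while a switch from an interactive session to an OAuth-token-backed read is exactly the change worth paging on.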