What happened
In February 2026, an employee at Context AI (a third-party analytics tool for AI models) downloaded what appeared to be a Roblox "auto-farm" script and executor from an unofficial source. Cracked game cheats and script executors are a notorious delivery mechanism for infostealer malware, and this one carried Lumma Stealer.
Lumma Stealer ran silently on the employee's device for approximately two months, harvesting every password, session cookie and token saved in the browser, including the employee's corporate Google Workspace credentials and logins for Supabase, Datadog and Authkit. It exfiltrated the data to attacker-controlled infrastructure with no visible sign to the victim.
How it escalated from one device to hundreds of organisations
Context AI's product, an "AI Office Suite", connected to users' Google accounts through OAuth, and users accepted the consent screen's "Allow All" option, granting every scope the app asked for. One of those users was a Vercel employee who had signed in with their enterprise Google Workspace account.
With the stolen employee credentials, the attackers got into Context AI's backend, where the OAuth tokens for every connected Google account were stored. A server-side app keeps a long-lived refresh token per user, and whoever holds it can mint fresh access tokens as that user for as long as the grant stands, with no password or MFA prompt. The attackers therefore inherited the access of everyone who had authorised the app, including the Vercel employee's seat in Vercel's internal Google Workspace. From there they accessed:
- Source code repositories
- API keys and NPM/GitHub tokens
- Internal deployment infrastructure
- Customer data across hundreds of organisations
Google removed Context AI's Chrome extension from the Web Store on 27 March 2026 after it was found to also embed a separate OAuth grant enabling read access to Google Drive files.
The attack chain — step by step
Step 1 — Context AI employee downloads a Roblox script from an unofficial site.
Step 2 — Lumma Stealer installs silently. No pop-ups. No warnings. It begins harvesting credentials immediately.
Step 3 — Over two months, it exfiltrates every saved browser password, session cookie, and autofill entry.
Step 4 — Attackers use the stolen Context AI credentials to access its AWS environment and OAuth token store.
Step 5 — Using the OAuth tokens taken from that store, attackers act as the Vercel employee inside Vercel's enterprise Google Workspace. No password or MFA prompt is involved, because the grant already exists.
Step 6 — Source code, API keys, and customer data are extracted. The data is listed for sale publicly.
Step 7 — Vercel and Context AI are notified — by the breach becoming public, not by their own detection.
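Step 7 says neither company detected the intrusion themselves. The precondition for Step 5, a user granting broad scopes to a third-party app, is visible to a Google Workspace admin in the token audit log. The following Python is an added example, not code from the article, Vercel or Context AI. It assumes the event shape of the Admin SDK Reports API token log as I understand it (event name "authorize", parameters client_id and app_name, and a multi-valued scope parameter) and runs over constructed sample events; the app names and client IDs are invented, and the field names should be checked against a real export before this is wired into alerting.

```python
"""Flag new OAuth authorizations with broad scopes in a Workspace token audit log.

Added example, not from the article or any vendor. Input shape follows the
Admin SDK Reports API activities.list(applicationName="token") as I understand
it; the sample events are constructed and the client IDs are invented.
"""
import json

# Assumption: scopes that give a third-party app standing access to
# enterprise data. Extend to match your own risk appetite.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/cloud-platform",
}

# Constructed sample: one identity-only grant, one broad grant, one revocation.
SAMPLE_LOG = json.dumps({"items": [
    {"id": {"time": "2026-03-02T10:15:00.000Z", "applicationName": "token"},
     "actor": {"email": "alice@example.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "111.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Calendar Helper"},
         {"name": "scope", "multiValue": ["openid", "email"]}]}]},
    {"id": {"time": "2026-03-02T11:40:00.000Z", "applicationName": "token"},
     "actor": {"email": "bob@example.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "222.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Office Suite (hypothetical)"},
         {"name": "scope", "multiValue": [
             "openid", "email",
             "https://www.googleapis.com/auth/drive",
             "https://mail.google.com/"]}]}]},
    {"id": {"time": "2026-03-02T12:00:00.000Z", "applicationName": "token"},
     "actor": {"email": "bob@example.com"},
     "events": [{"type": "auth", "name": "revoke", "parameters": [
         {"name": "client_id", "value": "111.apps.googleusercontent.com"}]}]},
]})


def _params(event):
    """Flatten the Reports API parameter list into a dict.

    Single-valued parameters carry "value"; multi-valued ones carry "multiValue".
    """
    out = {}
    for p in event.get("parameters", []):
        out[p["name"]] = p.get("multiValue", p.get("value"))
    return out


def find_broad_authorizations(log_json, allowlisted_client_ids=frozenset()):
    """Return one finding per 'authorize' event that grants a high-risk scope
    to a client the admin has not explicitly allowlisted."""
    findings = []
    for item in json.loads(log_json).get("items", []):
        for ev in item.get("events", []):
            if ev.get("name") != "authorize":
                continue
            p = _params(ev)
            scopes = set(p.get("scope") or [])
            risky = sorted(scopes & HIGH_RISK_SCOPES)
            if not risky or p.get("client_id") in allowlisted_client_ids:
                continue
            findings.append({
                "time": item["id"]["time"],
                "user": item["actor"]["email"],
                "app": p.get("app_name"),
                "client_id": p.get("client_id"),
                "risky_scopes": risky,
            })
    return findings


if __name__ == "__main__":
    for f in find_broad_authorizations(SAMPLE_LOG):
        print(f"{f['time']} {f['user']} granted {f['app']} ({f['client_id']}): "
              + ", ".join(f["risky_scopes"]))
```

Run against the sample, only Bob's grant to the hypothetical office suite is reported; the identity-only grant and the revoke event are ignored. Feeding the allowlist with a client ID you have vetted suppresses it, which is how you keep the alert from firing on the apps the organisation has deliberately approved.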
What this means for everyday users
You do not have to be an IT professional to understand the practical lessons here. The entry point was completely ordinary behaviour — downloading a file related to a video game.
Do
- Only download software from official sources (developer websites, official app stores)
- Review which apps have OAuth access to your accounts and remove anything you no longer use
- Use a password manager so browser-saved passwords are not your only line of defence
- Run antivirus scans regularly, especially on devices used for both work and personal activity
Don't
- Download game cheats, mods, or unofficial scripts from unverified sites
- Grant "Allow All" OAuth permissions to apps you do not fully trust
- Store all your passwords only in your browser; it is the first thing infostealers target
- Assume that no visible warning means the device is safe
Why OAuth is now one of the biggest attack surfaces
OAuth is the mechanism behind "Sign in with Google" on third-party apps. It is convenient, but every app you authorise receives a token (for a server-side app, a long-lived refresh token) that the app stores on its own infrastructure and can use to obtain new access tokens for as long as the grant stands. An attacker who steals that token does not need your password or your MFA code; they act as you until the grant is revoked.
Vercel's own security configurations allowed a consumer-level app sign-up to grant broad enterprise-level permissions. That is an organisational control gap. But the initial entry was a personal device, a personal download choice, and a token that was not revoked.
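The "review which apps have OAuth access" step, done at the Workspace admin level rather than one user at a time: list each user's grants, rank them by how much data the scopes reach, and build the revocation calls for the ones that exceed a threshold. This is an added example, not code from the article, Vercel or Context AI. It assumes the response shape of the Admin SDK Directory API users.tokens.list as I understand it (items with clientId, displayText, scopes, nativeApp and anonymous) and the documented DELETE endpoint for revoking a single grant; the sample response, app names, client IDs and risk weights are constructed. The preventive control the paragraph above points at, stopping a consumer sign-up from granting enterprise scopes in the first place, is Workspace's app access control (trusting named apps and limiting or blocking the rest), which is an Admin console setting and not something this script configures.

```python
"""Rank a Workspace user's OAuth grants by scope reach and build revocation calls.

Added example, not from the article, Vercel or Context AI. Input shape follows
Admin SDK Directory API users.tokens.list as I understand it; the sample below
is constructed. revoke() performs the documented DELETE but is not called here.
"""
import json
import urllib.parse
import urllib.request

DIRECTORY_BASE = "https://admin.googleapis.com/admin/directory/v1"

# Assumption: weights chosen for illustration. Reading all mail or all of
# Drive is the kind of grant that turns a consumer sign-up into enterprise
# data access; a per-file picker scope is far narrower.
SCOPE_WEIGHTS = {
    "https://mail.google.com/": 10,
    "https://www.googleapis.com/auth/gmail.readonly": 8,
    "https://www.googleapis.com/auth/drive": 10,
    "https://www.googleapis.com/auth/drive.readonly": 8,
    "https://www.googleapis.com/auth/drive.file": 2,
    "https://www.googleapis.com/auth/admin.directory.user": 10,
    "https://www.googleapis.com/auth/cloud-platform": 10,
}
IDENTITY_SCOPES = {"openid", "email", "profile"}

# Constructed sample response for one user.
SAMPLE_TOKENS = json.dumps({"kind": "admin#directory#tokenList", "items": [
    {"clientId": "111.apps.googleusercontent.com", "displayText": "Calendar Helper",
     "nativeApp": False, "anonymous": False, "scopes": ["openid", "email"]},
    {"clientId": "222.apps.googleusercontent.com",
     "displayText": "Office Suite (hypothetical)",
     "nativeApp": False, "anonymous": False,
     "scopes": ["openid", "email", "https://www.googleapis.com/auth/drive",
                "https://mail.google.com/"]},
    {"clientId": "333.apps.googleusercontent.com", "displayText": "Doc Picker",
     "nativeApp": False, "anonymous": False,
     "scopes": ["openid", "https://www.googleapis.com/auth/drive.file"]},
]})


def score_grant(grant):
    """Sum the weights of the grant's scopes; unknown non-identity scopes count 1."""
    total = 0
    for s in grant.get("scopes", []):
        if s in IDENTITY_SCOPES:
            continue
        total += SCOPE_WEIGHTS.get(s, 1)
    return total


def rank_grants(token_list_json):
    """Return (score, clientId, displayText, sorted scopes) tuples, riskiest first."""
    ranked = []
    for g in json.loads(token_list_json).get("items", []):
        ranked.append((score_grant(g), g["clientId"], g.get("displayText", ""),
                       sorted(g.get("scopes", []))))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


def revocation_url(user_key, client_id):
    """Documented endpoint: DELETE .../users/{userKey}/tokens/{clientId}."""
    return (f"{DIRECTORY_BASE}/users/{urllib.parse.quote(user_key, safe='')}"
            f"/tokens/{urllib.parse.quote(client_id, safe='')}")


def revocation_plan(user_key, token_list_json, threshold=8, allowlist=frozenset()):
    """Grants scoring at or above the threshold that are not explicitly allowlisted."""
    return [(cid, name, revocation_url(user_key, cid))
            for score, cid, name, _ in rank_grants(token_list_json)
            if score >= threshold and cid not in allowlist]


def revoke(user_key, client_id, admin_access_token):
    """Issue the DELETE with an admin bearer token. Not called in this example."""
    req = urllib.request.Request(revocation_url(user_key, client_id), method="DELETE",
                                 headers={"Authorization": f"Bearer {admin_access_token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 204 on success


if __name__ == "__main__":
    for score, cid, name, scopes in rank_grants(SAMPLE_TOKENS):
        print(f"{score:3d} {name:30s} {cid} {' '.join(scopes)}")
    for cid, name, url in revocation_plan("bob@example.com", SAMPLE_TOKENS):
        print("would revoke", name, "via DELETE", url)
```

On the sample the hypothetical office suite scores 20 and lands on the revocation plan, the per-file picker scores 2, and the identity-only app scores 0. The allowlist exists so that the apps the organisation has deliberately approved are not revoked by a sweep; everything else above the threshold is exactly the "consumer-level app sign-up granting enterprise-level permissions" the paragraph above describes.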
Sources
TechCrunch — Vercel confirms breach via Context AI
The Hacker News — Vercel breach tied to Context AI hack
BleepingComputer — Vercel confirms breach — data for sale
PKWARE — 2026 Data Breaches tracker