Vercel Got Hacked: The April 2026 Breach Tied to a Context AI Misstep

The timeline is almost embarrassing in its simplicity. A stolen token. A single “Allow All” click. One of the bigger web infrastructure providers on the internet suddenly breathing into a mask.

This piece walks you through what happened, what the intruder actually touched, what the firm said in its security bulletin, and what the whole mess tells us about the way we hand permissions to cloud helpers now. If the head of web hosting can get pwned through a Roblox auto-farm script, what does that mean for the rest of us who plug new services into Google Workspace every other Tuesday?

What happened in the Vercel hack disclosed in April 2026

The company disclosed a security breach through its security bulletin on April 19, and updated the page four times over April 19 and 20. The language was careful. The damage was real.

Here is the core line, quoted from the bulletin on the official website:

“We’ve identified a security incident that involved unauthorized access to certain internal Vercel systems. [...] We have engaged incident response experts to help investigate and remediate. We have notified law enforcement and will update this page as the investigation progresses.”

Vercel said it has engaged Mandiant, the Google-owned incident response firm, plus other cybersecurity peers. The team also notified a “limited subset of customers” whose logins were compromised, contacted them directly, and told them to cycle keys immediately.

Vercel CEO Guillermo Rauch shared a post on X describing how the intruder moved with surprising velocity. The bulletin put it more formally: the attacker showed “operational velocity and detailed understanding” of the platform’s systems. Cybernews reported that Rauch believes the attacker was likely using AI, which is a notable public attribution of an intrusion’s speed to machine-assisted tooling.

Reports from The Hacker News, TechCrunch, and Cybernews followed within hours. The cybersecurity news cycle moved fast.

How the breach tied back to Context.ai

The compromise of Context.ai did not start in April. It started in February with a Lumma Stealer infection that nobody noticed for weeks.

February: a Roblox auto-farm script starts the chain

Security research firm Hudson Rock traced the initial access back to a Context employee who was downloading Roblox auto-farm scripts on their work device. The scripts carried Lumma Stealer. The malware scooped up every credential on the machine. That haul included Google Workspace logins, along with secrets for Supabase, Datadog, and Authkit. The support@context.ai account was in the dump, and Hudson Rock assessed that user as a core member of the team that worked directly with the hosting platform.

The infected device sat quiet for almost four weeks.

March: the AWS environment got breached

By March, the operator had pivoted from the stolen secrets into Context’s AWS cloud environment. Inside AWS, they found something more interesting than the usual S3 bucket: a pile of compromised access grants that the vendor was holding on behalf of its consumer users. This is what happens when an assistant sits in the middle of a hub of authorizations with expansive scopes.

Google noticed. On March 27, the search giant quietly removed Context’s Chrome extension (omddlmnhcofjbnbflmjginpjjblphbgk) from the Web Store after finding a second grant embedded inside it that read Drive files. Reporting varies on how widely Context communicated at the time. TechCrunch wrote that the vendor initially notified one customer; the firm later told The Hacker News it had alerted all impacted customers. The wider disclosure came into view only after the Vercel incident went public.

April: the access grant unlocks a Workspace account

Now the chain becomes the incident everyone is talking about.

At least one Vercel employee had signed up for Context’s AI Office Suite using their enterprise Google Workspace account. This was the third-party ai tool used to anchor the whole chain. When the signup flow asked for permissions, the Vercel employee’s Google account and granted “Allow All” scopes for the Office Suite. That single click handed the vendor a key with wide read access across the workspace.

Context’s own advisory pinned it on Vercel’s internal configuration, which allowed the broad permissions to be granted to the Office Suite in the first place.

The attacker used that access to take over the employee’s Vercel Google Workspace account. From there, they went on to gain access to some Vercel environments and environment variables, then moved laterally through whatever the Workspace account could reach. Neither the bulletin nor Mandiant has publicly detailed the intermediate hops.

The host-side configuration let the intruder reach a broader slice of the workspace than anyone expected. The bridge worked as designed, with one weak end.

What was exposed: credentials, secrets, and plaintext environment variables

The firm said environment variables marked as “sensitive” are stored in a form that “prevents them from being read” by anyone. Variables marked as sensitive were not touched as far as forensics can tell. The bigger problem was every other variable sitting in the same internal systems.

Here is the exact language from the bulletin:

“Review and rotate environment variables that were not marked as ‘sensitive.’ Those values (API keys, tokens, database credentials, signing keys, etc.) should be treated as potentially exposed and rotated as a priority.”

Read that back slowly. The list of things the platform treats as “non-sensitive” is exactly the list most developers would call the crown of their production stack. A Redditor called Mol7er put it plainly. If those are not sensitive, the only thing left is nuclear launch codes.

What the dark-web seller claimed on the forum listing was wider. Cybernews reported the seller said they had access to multiple employee accounts, internal deployments, customer keys, plus some GitHub and some NPM tokens. They attached a Linear screenshot as proof. Whether that claim is accurate or partly inflated is part of what the hosting firm and Mandiant are sorting out as data was exfiltrated and verified.

The indicators of compromise broke down like this. The bulletin named one app ID and asked Google Workspace administrators and Google account owners to check for it immediately. Separately, Jaime Blasco of Nudge Security surfaced a second grant embedded inside Context’s Chrome extension, and that extension itself, which Google had removed on March 27. The full list is in the bulletin and The Hacker News reporting: the main app ID is 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com.

What did not get touched, per the firm: variables marked as sensitive, the framework packages, Turbopack, and any npm package the team itself publishes. On this one point the hosting provider collaborated with GitHub, Microsoft, npm, and Socket to confirm that no tampering was found on any published open source projects.

Who is behind the incident: ShinyHunters, a $2 million ransom, and an imposter theory

The sale happened on a cybercriminal forum. An alias calling itself ShinyHunters offered “Access Key/Source Code/Database from Vercel Company” for $2 million. The post also claimed this could be “the largest supply chain attack ever if done right,” a line that says more about the person selling than the data itself.

The real ShinyHunters group denied involvement when BleepingComputer reached out. Austin Larsen, principal threat analyst at Google Threat Intelligence Group, posted on LinkedIn that the threat actor was likely “an imposter attempting to use an established name to inflate their notoriety.” The group has a documented history of going after cloud and database companies, which is why the branding was useful to the seller, and which is also what made the real group want distance from this particular mess.

It is worth being clear on one thing. This is not the Lazarus Group pulling off a cryptocurrency wallet heist tied to decentralized finance protocols, Aave markets, or Web3 infrastructure. It is a smaller, opportunistic operator targeting a web hosting company, dressed in a bigger group’s costume. Mandiant is still sorting out the actual attribution.

The data listed on that forum, if real, is more than enough to cause a ransom demand regardless of who pushed the button. None has arrived publicly so far.

Why the framework and the npm supply chain are still safe

This is the part the firm repeated in every update, because it is the part that could have made the whole story ten times worse. Next.js, Turbopack, and any npm module the team publishes were not tampered with. Multiple cybersecurity outlets reported the firm’s stated collaboration with GitHub, Microsoft, npm, and Socket to verify no tampering was found.

Cybernews researchers laid out the nightmare scenario in plain terms: if the intruder had weaponized the GitHub and NPM tokens in the dump, a malicious framework update could spread through the broader web ecosystem. The seller echoed that themselves on the forum, bragging it would “hit every developer on the planet who runs an installation.” Malware research group vx-underground looked at what actually went down and called it a “standard smash-and-grab,” meaning the operator cashed out instead of pulling the longer string.

For now, the supply chain sits untouched. The code you install tomorrow is the same code you installed last week. That assurance is worth something, but it is a narrow win.

Agentic AI and OAuth: the new lateral movement

The sharpest read on this event did not come from the hosting firm. It came from Jaime Blasco, CTO of Nudge Security. His argument went like this: attackers steal compromised OAuth tokens from small vendors, then walk straight into hundreds of downstream enterprises using credentials the platform was designed to issue. Different vendors, same story. Salesloft Drift. Gainsight. Now Context and the hosting firm. Blasco’s framing: access grants have become the new lateral movement. Agentic ai makes it worse because these platforms sit at the center of a hub of authorizations with expansive scopes, usually at young companies without mature security programs behind them.

Think about what an agentic helper does, mechanically. It reads your calendar, writes your emails, scans your Drive, and triggers automations across a handful of other SaaS apps. To do that, it needs a permanent grant into every one of those places. Every active user is a pile of live keys sitting in the vendor’s database, ready to be spent by anyone who breaks in.

A Reddit commenter summed up the ambient panic better than any press release: every cloud assistant you authorize becomes part of your supply chain, and almost nobody has a mental model for thinking about it yet. That applies to Cursor, Claude Code, every MCP server someone plugs in, and every random helper with workspace scopes.

The cybersecurity pattern of the year: seventh major dev-tool hack

One Redditor in the main r/programming thread, whose tally was not independently audited, put the count at the fourth event at the hosting firm and the seventh major dev-tool hack of the year, four months in. Their list included the Axios supply chain compromise earlier in 2026 and Anthropic’s two source-code leaks in one week. A separate commenter added two React Server Components vulnerabilities from 2025 that hit the same framework. If the count is in the right ballpark, that is roughly one serious event every seventeen days.

The cybersecurity pattern is not subtle. Intruders are hunting the vendors who hold long-lived secrets for everybody else, because hitting one such vendor lets them walk into hundreds of downstream enterprises affected by the breach. Supply chain hacks are not a rising trend anymore, they are the trend.

Every EU-headquartered customer of the hosting platform should also consider looping in their data protection officer. An event with customer logins is exactly the kind of thing that can trigger a regulatory follow-up, especially for firms subject to GDPR or UK data protection oversight.

Incident response: what every Vercel customer should do right now

The firm published a short action list. The condensed version is below, with a few additions from independent security researchers.

Rotate your keys before Monday

Treat any variable that did not sit under the sensitive flag as compromised. That means every developer secret, bearer key, database login, and signing code in your project. Cycle them, redeploy, and watch your dashboards for anything unusual over the next week. BizAlly, a Redditor in the main thread, put it well: do not rely on one checkbox as your only safety layer. Design for a leak and the checkbox becomes insurance instead of a single point of failure.

Turn on multi-factor authentication

The platform supports an authenticator app or a passkey. Passkeys are the stronger option because they cannot be phished the same way a six-digit code can. If you are an admin, push MFA across your whole team with an enforcement policy instead of an opt-in.

Audit your Google Workspace access grants

Check for the app ID published in the bulletin, plus the second grant surfaced by Nudge Security and the Context Chrome extension Google pulled on March 27. Then do what Secure Annex researcher John Tuckner suggested on X: export the full list while you are in there, spend a week asking yourself which scopes you have allowed, and whether you recognize all of the services. That could have saved the platform a very public weekend.

Every enterprise that relies on Google Workspace should run this audit. It is boring. It is also the single most impactful security task of the quarter.

Do not just delete, cycle first

Guidance is direct: deleting your projects or account is not sufficient. Compromised secrets stay compromised. Swap them, then decide what stays on the platform and what moves off. Check your activity log for suspicious deployments and refresh your Deployment Protection keys if you use them.

Latest news on the Context shutdown

Context.ai shut down its entire consumer product after the event. The enterprise arm, which sits on a separate platform deployed inside customer environments, survives. The vendor did not share how many consumer users ended up in the dump, but the stolen records potentially touch hundreds of users across many organizations according to the hosting firm’s own phrasing.

Forensics continues with Mandiant. On the product side, the platform shipped four changes as part of the response: environment variable creation now defaults to sensitive, team-wide variable management is easier to audit, the activity log supports deep-linking to filtered views, and the team invite emails got rewritten for clarity. The bulletin does not explain why team-invite clarity made the list, but forged invite emails are a plausible pivot vector once a Workspace is compromised, which may explain the move.

Across Reddit, multiple developers confirmed they received the customer notification email over the weekend. If you use the platform and you have not seen one yet, that is not a guarantee you were not affected. Assume and swap.

What Elephas does differently: assistance without the blast radius

The architectural lesson from this hack is simple. Every cloud helper that wants to be useful needs permission to read your stuff. That permission lives in a key. Keys get stolen.

Elephas sidesteps the entire problem. It is a privacy friendly AI knowledge assistant for Mac, iPhone, and iPad, and it provides built-in local LLM models that run on your device. When you use those local models, no prompt leaves the device. No workspace grant is sitting in a vendor’s AWS bucket waiting for a Lumma Stealer to scoop it up, because there is no vendor bucket.

For the times you want to hit a cloud model like GPT-5.4 or Claude Opus, Elephas runs prompts through Smart Redaction first. The feature, currently in beta, scans the prompt locally, strips sensitive names, figures, dates, and identifiers, and only then sends a redacted version to the remote API. If the provider has a similar incident next month, the material that left your Mac never had the sensitive parts to begin with.

The professionals most exposed in this new access-grant world are not the ones writing framework code. They are the lawyers summarising client contracts, the clinicians dictating case notes, the financial advisors pasting statements into a chatbot, the founders routing term sheets through a model. Every one of those prompts is a live secret reservoir if it sits on a third-party platform. Local-first thinking turns that reservoir into a puddle on your own machine.

This event is a useful signal for anyone still choosing between convenience and control. The mental model a Reddit commenter said nobody has yet is the one Elephas has been built around from day one.

The takeaway

Swap keys now. Rethink later.

A Roblox auto-farm script in February became one firm’s worst weekend in April. That is the access-grant chain working as advertised. The bar for thinking about third-party helpers has gone up for everyone, not just the developers everyone likes to blame when supply chains break. This was not vibe coding creating vulnerabilities, this was a model assistant acting as a trojan horse, and it rode in on a casual workspace signup.

The next Context is already out there, getting somebody’s access grants. The question is whether your workspace shows up in the invoice.

Written by

Selvam Sivakumar

Founder, Elephas.app

Selvam Sivakumar is the founder of Elephas and an expert in AI, Mac apps, and productivity tools. He writes about practical ways professionals can use AI to work smarter while keeping their data private.

LinkedInFollow