Vercel Breach: OAuth Supply Chain Attack Exposes Environment Variables via Compromised Third-Party App
Attackers used a Lumma Stealer infection at Context.ai to compromise OAuth tokens and access Vercel's internal systems, exposing customer environment variables.

Trend Micro Research has detailed a supply chain attack on Vercel that began with a Lumma Stealer malware infection at Context.ai in approximately February 2026. The attackers leveraged compromised OAuth tokens from Context.ai's Google Workspace to gain access to Vercel's internal systems, exposing environment variables for a limited subset of customer projects. Vercel, a widely used cloud deployment and hosting platform, disclosed the incident on April 19, 2026, with CEO Guillermo Rauch confirming the attack chain on X.
The attack chain highlights how OAuth trust relationships can bypass traditional perimeter defenses. The initial compromise occurred when a Context.ai employee was infected with Lumma Stealer, exfiltrating corporate credentials, session tokens, and OAuth tokens. The attackers then accessed Context.ai's AWS environment and used the stolen OAuth tokens to authenticate to Vercel's internal systems as Context.ai, gaining access to environment variables for teams that Context.ai had access to.
Vercel's environment variable model amplified the impact. Environment variables not explicitly marked as "sensitive" were readable with internal access, meaning that for any team whose access was compromised, non-sensitive credentials were exposed without additional controls. This design tradeoff in PaaS platforms can significantly increase the blast radius of a breach.
The incident is part of a broader 2026 convergence pattern in which attackers consistently target the credentials that developers store across CI/CD systems, package registries, OAuth integrations, and deployment platforms. Similar attacks have targeted LiteLLM, Axios, Codecov, and CircleCI, underscoring the growing risk in modern software supply chains.
Vercel has since rotated credentials and implemented additional security controls. The company recommends that customers review their environment variable sensitivity settings and rotate any potentially exposed secrets. Context.ai has also published a security bulletin detailing the compromise.
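
The review recommended above can be scripted. The following is an added example, not code from Vercel, Context.ai or Trend Micro: it takes an inventory of environment variables and lists the ones whose names look like credentials but which are not marked sensitive, as rotation candidates. The inventory format (`project`, `key`, `type`, `target` fields and the `sensitive`/`encrypted`/`plain` type values), the name patterns and the public prefixes are assumptions of this sketch, and the sample data is constructed.

```python
import json
import re

# Constructed sample inventory (not real data). The field names and the
# "sensitive"/"encrypted"/"plain" type values are assumptions of this sketch.
SAMPLE_INVENTORY = json.loads("""
[
  {"project": "storefront", "key": "STRIPE_SECRET_KEY", "type": "encrypted", "target": ["production"]},
  {"project": "storefront", "key": "NEXT_PUBLIC_SITE_URL", "type": "plain", "target": ["production", "preview"]},
  {"project": "storefront", "key": "DATABASE_URL", "type": "sensitive", "target": ["production"]},
  {"project": "api", "key": "AWS_SECRET_ACCESS_KEY", "type": "plain", "target": ["preview"]},
  {"project": "api", "key": "LOG_LEVEL", "type": "plain", "target": ["production"]}
]
""")

# Name fragments that usually indicate a credential (assumed heuristic).
SECRET_NAME = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE|CREDENTIAL|API_?KEY|ACCESS_?KEY|DATABASE_URL|DSN)",
    re.IGNORECASE,
)
# Prefixes for values that are intentionally shipped to the browser (assumed list).
PUBLIC_PREFIXES = ("NEXT_PUBLIC_", "PUBLIC_", "VITE_")


def rotation_candidates(inventory):
    """Return variables that look like credentials but are not marked sensitive.

    Production-scoped entries sort ahead of preview/development ones.
    """
    findings = []
    for var in inventory:
        key = var["key"]
        if var.get("type") == "sensitive":
            continue  # explicitly marked sensitive, outside the exposure described
        if key.upper().startswith(PUBLIC_PREFIXES):
            continue  # public by design, nothing to rotate
        if SECRET_NAME.search(key):
            findings.append(var)
    return sorted(
        findings,
        key=lambda v: ("production" not in v.get("target", []), v["project"], v["key"]),
    )


if __name__ == "__main__":
    for v in rotation_candidates(SAMPLE_INVENTORY):
        print(f'{v["project"]}/{v["key"]} type={v["type"]} targets={",".join(v["target"])}')
```

Name matching is only a first pass: a credential stored under a neutral name will not be flagged, so the full list of non-sensitive variables still needs a manual review.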
This breach serves as a critical reminder for organizations to treat OAuth apps as third-party vendors, eliminate long-lived platform secrets, and design systems assuming provider-side compromise. The detection-to-disclosure latency, with at least one public report of leaked credentials nine days before Vercel's disclosure, highlights the need for faster incident response.