Sometime in February 2026, a Context.ai employee sat down at their laptop and went looking for a Roblox auto-farm script.
Auto-farm scripts are the grey-market add-ons kids use to grind in-game currency while they sleep. Most of them are malware in a trench coat. The site hosting this particular script was, as these sites usually are, a courier for Lumma Stealer, the Malware-as-a-Service infostealer that rents for a few hundred dollars a month on Telegram and currently tops the leaderboard of commodity credential theft.
By the time the employee got bored of the cheat, Lumma had already done its work. It scraped the browser credential store, lifted the session cookies, emptied the secrets directory, and POSTed the archive to a command-and-control server. Inside that archive were credentials for Context.ai's Google Workspace, its Supabase database, its Datadog monitoring stack, its Authkit auth layer, and the support@context.ai shared inbox.
Two months later, that haul put Vercel on the front page of every security newsletter on the internet.
The Vercel breach, in one paragraph
On April 19, Vercel identified unauthorized access to parts of its internal systems. The next day, the company published a bulletin confirming that a limited subset of customer credentials had been exposed. The attacker got in through a Google Workspace OAuth token that a Vercel employee had handed to Context.ai when they signed up for its AI Office Suite and clicked Allow All on the consent screen. That token, combined with Context.ai's own compromised Workspace environment, was enough to pivot into the Vercel employee's account, which was enough to reach some Vercel projects and read environment variables that were not flagged sensitive. Mandiant was brought in. A threat actor using the ShinyHunters handle listed the stolen data on BreachForums for two million dollars. The actual ShinyHunters crew told BleepingComputer they had nothing to do with it.
That is the incident. The interesting part is the shape.
Why this Vercel hack matters more than the headlines suggest
Vercel is not a small platform. It powers more than four million sites worldwide, handles roughly thirty billion requests a week, and hosts about 35 percent of all Next.js deployments on the internet. The Next.js frontend of nearly every crypto protocol you have heard of ships through it. Within hours of the bulletin, DeFi teams were in group chats rotating API keys and auditing build pipelines, because a compromised Vercel environment is not only a credential leak problem. It is a code supply chain problem. If an attacker can slip a line into a production bundle, every visitor to the site becomes a target. That is the nightmare scenario the crypto world has been rehearsing since the Ledger Connect Kit incident, and this week it moved from tabletop to live fire.
Vercel CEO Guillermo Rauch, writing on X, said it plainly: "We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI." Read that line twice. An AI-assisted attacker got into one of the world's most important frontend platforms by compromising an AI productivity vendor a Vercel employee had installed without telling anyone. AI is on both sides of the story. Neither side shows up in the traditional enterprise security stack.
The timeline, cleanly
February 2026. A Context.ai employee picks up Lumma Stealer after downloading Roblox game exploits. Corporate credentials for Google Workspace, Supabase, Datadog, Authkit, and the support@context.ai inbox land in a stealer log.
March 2026. Context.ai detects and blocks unauthorized access to its AWS environment. The Workspace compromise is not yet fully cleaned up.
April 19, 2026. Vercel identifies unauthorized access to internal systems.
April 20, 2026. Vercel publishes its bulletin. A BreachForums listing claiming ShinyHunters attribution goes up with a two-million-dollar price tag. Some of the actual ShinyHunters crew quietly distance themselves in messages to BleepingComputer. Crypto and DeFi teams begin coordinated secret rotation.
Ongoing. Vercel continues disclosure to the affected subset of customers. Mandiant is leading the investigation. Context.ai has published its own security update and is rotating everything that touched the compromised identities.
The OAuth app your admin console is not showing you
Google Workspace does surface third-party application grants in the admin panel. The console exists. The problem is that the average engineering team in 2026 has accumulated a long tail of AI integrations across Workspace, Microsoft 365, GitHub, and Slack, and the UX for managing those grants was designed for a company that has seven integrations total. It does not scale to a company that adds seven integrations a week.
The Context.ai OAuth client ID at the center of this chain is public and worth writing down: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. The app itself is legitimate. The tokens it holds are the issue, because those are the ones the attacker abused after harvesting them from the infected employee. Every Workspace admin can search for that client ID in their own tenant right now. A non-trivial number will find it installed on at least one account, often with Allow All scopes, and the first move after finding it is to revoke and rotate.
This is the shadow AI problem, and it has an updated and very expensive definition. Shadow AI used to mean engineers pasting code into ChatGPT. As of April 20, it also means AI SaaS your security team never heard of holding an OAuth token to your crown jewels.
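The tenant search described above can be run offline against an export of per-user OAuth grants. This is an added example, not code from Vercel, Context.ai or Themisto: the sample records are constructed, they borrow the field names of the Admin SDK Directory API tokens resource, and the list of scopes treated as broad is this example's own assumption.

```python
# Added example: audit exported OAuth grants for one client ID and broad scopes.
FLAGGED_CLIENT_ID = (
    "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"
)  # the client ID quoted in the article

# Assumption: which scopes count as "broad" is this example's choice.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/calendar",
}

# Constructed records using the field names of the Directory API tokens
# resource (clientId, displayText, scopes, userKey); all values are made up.
OTHER = "000000000000-constructed.apps.googleusercontent.com"
SAMPLE_GRANTS = [
    {"userKey": "carol@example.com", "clientId": OTHER, "displayText": "Notes helper",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "bob@example.com", "clientId": OTHER, "displayText": "Notes helper",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "alice@example.com", "clientId": FLAGGED_CLIENT_ID, "displayText": "AI suite",
     "scopes": ["https://www.googleapis.com/auth/drive", "https://mail.google.com/"]},
    {"userKey": "dave@example.com", "clientId": FLAGGED_CLIENT_ID + " ", "displayText": "AI suite",
     "scopes": ["openid"]},
]


def audit_grants(grants, flagged_client_id=FLAGGED_CLIENT_ID):
    """Return findings, flagged-client grants first, then other broad-scope grants."""
    findings = []
    for grant in grants:
        broad = sorted(set(grant.get("scopes", [])) & BROAD_SCOPES)
        match = grant.get("clientId", "").strip().lower() == flagged_client_id
        if not (match or broad):
            continue  # narrow scopes on an unrelated app: nothing to report
        findings.append({
            "user": grant.get("userKey"),
            "app": grant.get("displayText"),
            "client_id_match": match,
            "broad_scopes": broad,
            # The article's advice for a match: revoke the grant, rotate secrets.
            "action": "revoke-and-rotate" if match else "review",
        })
    findings.sort(key=lambda f: (not f["client_id_match"], f["user"] or ""))
    return findings


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS):
        print(finding)
```

A match on the client ID is reported even when the granted scopes are narrow, because the token itself is what the article says was abused.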
Lumma Stealer, for people who keep seeing the word in their feed
Lumma is the current market leader in commodity credential theft. It is distributed through cracked software, fake installers, Discord phishing kits, YouTube tutorial scams, and, as we now know, Roblox cheat scripts. Builders pay a subscription, receive a customizable binary, and point it at whatever distribution channel they prefer. When the binary runs, it scrapes everything a browser knows about the user and POSTs the haul to a C2 endpoint.
The outbound request is the entire game. A desktop process that should not be on the wire talks to a host nobody inside the company has ever heard of, then cleans up and exits. An infostealer lives or dies on whether that single request is seen.
On most corporate laptops, it is not seen. EDR tools focus on process behavior on disk and in memory. Network controls, where they exist, care about the user and the destination but rarely about the process. Lumma walks through that gap every day because its interesting behavior lives in the unholy triplet of which binary, which destination, and which moment, and almost nothing in the average stack correlates those three.
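Correlating binary, destination and moment can be shown on a handful of outbound-request records. This is an added example, not Themisto's policy syntax or product code: the allowlist structure, the process names and the events are all constructed for illustration.

```python
from datetime import datetime, time

ALL_DAY = (time(0, 0), time(23, 59, 59))

# Assumption: a hypothetical per-process allowlist of destinations and hours.
POLICY = {
    "chrome.exe": {"hosts": ("*",), "hours": ALL_DAY},
    "slack.exe": {"hosts": ("slack.com",), "hours": ALL_DAY},
    "backup-agent.exe": {"hosts": ("backup.example.com",),
                         "hours": (time(1, 0), time(4, 0))},
}

# Constructed outbound-request events (process, destination host, timestamp).
SAMPLE_EVENTS = [
    {"ts": "2026-02-10T10:00:00", "process": "chrome.exe", "host": "mail.google.com"},
    {"ts": "2026-02-10T10:05:00", "process": "slack.exe", "host": "files.slack.com"},
    {"ts": "2026-02-10T10:06:00", "process": "slack.exe", "host": "slack.com.cdn.example"},
    {"ts": "2026-02-10T14:30:00", "process": "backup-agent.exe", "host": "backup.example.com"},
    {"ts": "2026-02-10T14:32:07", "process": "updater_tmp.exe", "host": "upload.example.net"},
]


def host_allowed(host, patterns):
    """Match the exact host or a true subdomain; never a look-alike prefix."""
    host = host.lower().rstrip(".")
    return any(p == "*" or host == p or host.endswith("." + p) for p in patterns)


def evaluate(event, policy=POLICY):
    """Return the reasons a request violates policy; an empty list means allowed."""
    rule = policy.get(event["process"].lower())
    if rule is None:
        return ["process not approved for network access"]
    reasons = []
    if not host_allowed(event["host"], rule["hosts"]):
        reasons.append("destination not approved for this process")
    start, end = rule["hours"]
    if not start <= datetime.fromisoformat(event["ts"]).time() <= end:
        reasons.append("outside this process's allowed window")
    return reasons


def triage(events, policy=POLICY):
    """Keep only the events that violate policy, paired with their reasons."""
    return [(e["process"], e["host"], r) for e in events if (r := evaluate(e, policy))]


if __name__ == "__main__":
    for process, host, reasons in triage(SAMPLE_EVENTS):
        print(process, host, reasons)
```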
Why "it was only non-sensitive env vars" is too comforting
Vercel's bulletin was careful to note that environment variables marked sensitive are encrypted at rest and there is no evidence those values were read. That is genuinely good platform design. It is also a partial answer.
The non-sensitive variables still matter, because "sensitive" is a field the user checks, and users do not check it for the hundred small config values that accumulate in a Next.js project. Internal base URLs. Feature flags that leak unreleased products. Analytics write keys. Third-party webhook secrets. Preview deployment tokens. Individually boring, collectively a map of the target good enough to plan the next step.
The structural lesson is not that Vercel's labels are wrong. It is that any control dependent on a human checkbox defaults open in aggregate. Manual classification is useful as a last line. It cannot be the first line.
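An automated pass can sit in front of the checkbox by flagging variables that were left unflagged but look like the categories listed above. This is an added example, not Vercel's API or tooling: the record shape (key, type, value, with type "sensitive" standing for the user-checked flag), the name patterns and the internal-hostname suffixes are assumptions, and the sample values are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: name fragments and host suffixes chosen for this example.
NAME_HINT = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|WRITE_?KEY|WEBHOOK", re.I)
INTERNAL_HOST = re.compile(r"\.(internal|corp|local)$", re.I)

# Constructed export of one project's environment variables.
SAMPLE_VARS = [
    {"key": "DATABASE_URL", "type": "plain",
     "value": "postgres://app:constructed-pw@db.example.com:5432/app"},
    {"key": "PAYMENTS_WEBHOOK_SECRET", "type": "sensitive", "value": ""},
    {"key": "ANALYTICS_WRITE_KEY", "type": "encrypted", "value": "constructed-write-key"},
    {"key": "INTERNAL_API_BASE", "type": "plain", "value": "https://api.staging.internal/v1"},
    {"key": "FEATURE_NEW_CHECKOUT", "type": "plain", "value": "true"},
    {"key": "PREVIEW_DEPLOY_TOKEN", "type": "plain", "value": "constructed-token"},
]


def classify(var):
    """Return reasons an unflagged variable deserves the sensitive flag or a review."""
    if var["type"] == "sensitive":
        return []  # already protected by the platform's flag
    reasons = []
    if NAME_HINT.search(var["key"]):
        reasons.append("secret-like name")
    value = var.get("value", "")
    if "://" in value:
        parts = urlsplit(value)
        if parts.password:
            reasons.append("credentials embedded in URL")
        if parts.hostname and INTERNAL_HOST.search(parts.hostname):
            reasons.append("internal hostname")
    return reasons


def audit(env_vars):
    """Map each variable that needs attention to the reasons it was flagged."""
    return {v["key"]: r for v in env_vars if (r := classify(v))}


if __name__ == "__main__":
    for key, reasons in audit(SAMPLE_VARS).items():
        print(key, reasons)
```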
What changes after this week
Three predictions. None of them contrarian.
One. Every security team audits their AI OAuth grants this week. The number of connected AI apps will be larger than leadership expects, probably by a factor of five. A handful of procurement policies are about to be rewritten. A few AI vendors that rely on "click Allow All" friction-free onboarding are about to lose their top of funnel.
Two. The definition of AI governance broadens in public. For two years, AI governance has meant what employees type into ChatGPT. As of this week, it also means what AI vendors can read out of your systems on your behalf. These are different problems with different control sets. Most of the dashboards built for the first do not handle the second.
Three. Expect more incidents with the same shape. A junior employee at a small AI vendor picks up a commodity infostealer. The infostealer lands credentials to a product that has "Allow All" Workspace scopes on a list of Fortune 500 customers. Same movie, different logos, two or three more times before the end of Q3.
Where Themisto fits, honestly
Themisto Labs runs an OS-level proxy on developer and employee devices. It sees every outbound HTTP and HTTPS request, attributes it to the process that made the request, and evaluates forward, bypass, or block against a policy you define. Not a model filter. Not a browser extension. The network layer underneath the apps.
The leg of this story we map to directly is Lumma. An infostealer POSTing an archive to an unknown C2 shows up in a Themisto policy as a process nobody approved talking to a host nobody approved, at a time that process has no business being on the wire. The rule is four lines. The visibility is immediate. If the Context.ai employee's laptop had been on a fleet with this control, the February infection would not have become the April Vercel headline.
The leg we do not solve by ourselves is the Workspace OAuth inventory problem. No single product does. What we can honestly say is that every follow-on data pull from a compromised OAuth app, whether automated or manual, runs as outbound HTTPS from an endpoint somewhere. Most of the damage from an OAuth pivot happens after the initial access. That traffic lives on devices. We live on devices.
If the Vercel bulletin is on your second monitor today, the meeting worth having is not "can you guarantee no next Context.ai." Nobody can promise that. The meeting worth having is "when it happens again, what can my fleet see in the first fifteen minutes." That is a product question, and we would rather answer it with a live environment than a slide.
Thirty minutes. No decks. Real product. Honest about the limits.