Vercel Breached via Context.ai OAuth Attack: 580 Records, $2M Ransom

Abhishek Gautam · 6 min read

Quick summary

ShinyHunters breached Vercel via compromised Context.ai OAuth credentials. 580 employee records stolen. $2M ransom demand. Lumma Stealer origin. Crypto devs scrambling to rotate API keys.

ShinyHunters — the threat group behind the Snowflake breach (165 million records, 2024) and the Ticketmaster breach (560 million records, 2023) — claimed a breach of Vercel in April 2026 via a compromised OAuth integration with Context.ai, an AI-powered developer tool. The attack chain: Lumma Stealer malware compromised a Context.ai employee's credentials, which were then used to access a Context.ai OAuth application connected to a Vercel employee account. From that Vercel account access, ShinyHunters exfiltrated approximately 580 employee records and an undisclosed number of API keys. A $2 million ransom demand was issued. Vercel confirmed a security incident but has not publicly disclosed scope or whether the ransom was paid.

For developers using Vercel: if you have API keys, environment variables, or project tokens stored in the Vercel dashboard and you have not rotated them since April 19-20, treat them as potentially compromised. The attack did not involve npm package tampering, so application code deployed on Vercel is not directly affected — but credentials stored in the platform may be exposed.

The Attack Chain: How Lumma Stealer Reached Vercel

The attack follows a pattern that has become the dominant corporate breach vector in 2025-2026: credential theft via infostealer malware, followed by OAuth abuse to traverse from a third-party vendor into the primary target.

Step 1 — Lumma Stealer infection: A Context.ai employee's device was infected with Lumma Stealer, an infostealer malware sold as a service on Russian-language cybercrime forums. Lumma Stealer harvests browser-stored credentials, session cookies, and saved passwords — including OAuth tokens cached in development environments. The infection vector was not disclosed; common delivery paths are phishing emails, malicious npm packages, or trojanised software installers.

Step 2 — Context.ai OAuth credential theft: Lumma extracted the OAuth credentials for Context.ai's application registration with Vercel. Context.ai is an AI-powered codebase analysis tool that integrates with developer platforms via OAuth — it needs read access to repositories and platform APIs to function. The stolen OAuth credentials were valid application-level credentials, not just a browser session cookie.

Step 3 — Vercel employee account access: The Context.ai OAuth credentials were used to access a Vercel employee account with elevated platform permissions. Enterprise OAuth applications can inherit significant access levels — in this case, enough to reach internal employee records and API key storage.

Step 4 — Data exfiltration: 580 employee records (names, emails, internal identifiers) and an unspecified number of API keys were exfiltrated. ShinyHunters posted proof-of-access screenshots with partial data samples to establish credibility for the ransom demand.

Why ShinyHunters Targets Developer Infrastructure

ShinyHunters has a consistent targeting strategy that differs from ransomware groups. Rather than encrypting infrastructure for operational disruption, they exfiltrate high-value credential data from platforms that hold secrets for other organisations. Vercel is an especially valuable target for this reason: Vercel projects contain environment variables for thousands of production applications — AWS credentials, database connection strings, Stripe API keys, Anthropic API keys, GitHub tokens.

The Snowflake breach used the same logic: Snowflake customers stored data in Snowflake; compromise Snowflake employee access, exfiltrate customer data. Vercel customers store secrets in Vercel; compromise Vercel employee access, potentially reach customer secrets.

The 580 employee records are not the primary value. They are proof of access and negotiating leverage. The undisclosed API keys are the actual target — each one is a potential entry point into a downstream customer environment.

Crypto Developer Exposure

The immediate scramble after the ShinyHunters claim was concentrated in the crypto developer community. Vercel is widely used for deploying DeFi front-ends, crypto wallet interfaces, and Web3 application dashboards. These applications frequently store:

  • RPC provider API keys (Alchemy, Infura, QuickNode)
  • Wallet connection service credentials (WalletConnect, Dynamic)
  • Backend API keys for blockchain indexers
  • Signing keys for server-side transaction construction (though these should never be in environment variables — many projects do this incorrectly)

A crypto application front-end with a compromised RPC API key can be used for transaction manipulation, DNS poisoning to redirect users to malicious endpoints, or simply billing fraud at scale. The risk profile is higher than a standard web application because even read-only RPC access can be used to front-run transactions or monitor wallet activity.

Three major DeFi protocols rotated their Vercel project credentials within 24 hours of the ShinyHunters claim as a precaution.

What Context.ai Is and Why This Matters for Developer Tools

Context.ai is part of a category of AI-powered developer tools that need deep access to codebases and deployment platforms to function. Similar tools include Cursor (AI editor with codebase indexing), Codeium, Tabnine Enterprise, and various AI security scanning tools. All of them operate on OAuth integrations that grant significant access to repositories and CI/CD platforms.

The attack surface this creates is different from traditional supply chain attacks (which compromise packages or build tooling). OAuth-chain attacks target the access grants themselves — the question is not "can the attacker inject code?" but "can the attacker reach the platform through a trusted integration?"

This attack pattern has three predecessors in 2024-2025:

  • CircleCI breach (2023): Malware on a CircleCI employee laptop led to customer secret exposure
  • GitHub Copilot OAuth abuse (2024): Researchers demonstrated OAuth token harvesting via VS Code extension
  • Anthropic Claude API token theft via IDE plugins (2025): Malicious VS Code extensions harvesting Claude API keys from developer environments

The Vercel-Context.ai chain extends this pattern into the AI developer tooling layer. Every OAuth grant your organisation has issued to AI development tools is a potential attack surface.

Immediate Developer Actions

If you use Vercel:

  • Rotate all environment variables and API keys in your Vercel projects, regardless of whether you use Context.ai
  • Review your Vercel project's OAuth integrations under Settings → Integrations and revoke any you do not actively use
  • Enable Vercel's audit log if you have access (Pro/Enterprise plans) and check for anomalous access between April 15-22
  • If you store RPC keys, Stripe keys, or any credential with financial exposure in Vercel environment variables, treat them as compromised and rotate immediately
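A practical way to work through the rotation list above is to pull the project's environment variable inventory and sort it by exposure and by when each value was last changed. The script below is an added example, not code from the article or from Vercel. It assumes the shape of the objects returned by Vercel's project environment endpoint (`key`, `type`, `target`, and a millisecond `updatedAt`) and the `vercel env rm` / `vercel env add` CLI syntax; the sample inventory is constructed, not captured from a real project. The name patterns and priority order are the article's list (RPC provider keys, Stripe, AWS, database strings, signing material) and are an assumption about naming conventions, so extend them for your own projects.

```python
"""Build a rotation worklist for Vercel project environment variables.

Added example; assumes the Vercel env-var object shape described in the
lead-in. Input is a list of dicts such as the ones `GET .../projects/{id}/env`
returns; output is an ordered worklist plus the CLI commands to act on it.
"""
import re
from datetime import datetime, timezone

# The article's window: anything not rotated since April 19-20, 2026 is
# treated as potentially compromised.
INCIDENT_START = datetime(2026, 4, 19, tzinfo=timezone.utc)

# Name patterns for credentials with financial or infrastructure exposure.
# Order matters: the first match wins. (Assumed naming conventions.)
HIGH_RISK_PATTERNS = [
    (re.compile(r"(ALCHEMY|INFURA|QUICKNODE|RPC)", re.I), "signing-key-adjacent-rpc"),
    (re.compile(r"STRIPE", re.I), "payments"),
    (re.compile(r"AWS_(SECRET|ACCESS)", re.I), "cloud"),
    (re.compile(r"(DATABASE_URL|DB_PASSWORD|POSTGRES|MONGODB)", re.I), "database"),
    (re.compile(r"(PRIVATE_KEY|SIGNING_KEY|MNEMONIC)", re.I), "signing-key"),
    (re.compile(r"(TOKEN|SECRET|API_KEY|PASSWORD)", re.I), "generic-secret"),
]
# Lower number = rotate first. Signing keys outrank everything else because
# the article notes they should never have been in env vars at all.
PRIORITY = {"signing-key": 0, "signing-key-adjacent-rpc": 1, "payments": 2,
            "cloud": 3, "database": 4, "generic-secret": 5}


def _ms(year, month, day):
    """Millisecond epoch, the unit Vercel uses for updatedAt (assumption)."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp() * 1000)


# Constructed sample inventory, not real project data.
SAMPLE_ENV = [
    {"key": "NEXT_PUBLIC_SITE_URL", "type": "plain", "target": ["production", "preview"], "updatedAt": _ms(2026, 1, 10)},
    {"key": "ALCHEMY_API_KEY", "type": "encrypted", "target": ["production"], "updatedAt": _ms(2026, 2, 3)},
    {"key": "STRIPE_SECRET_KEY", "type": "sensitive", "target": ["production"], "updatedAt": _ms(2026, 4, 21)},
    {"key": "DATABASE_URL", "type": "encrypted", "target": ["production", "preview"], "updatedAt": _ms(2025, 11, 30)},
    {"key": "RELAYER_PRIVATE_KEY", "type": "plain", "target": ["production"], "updatedAt": _ms(2026, 3, 15)},
    {"key": "GITHUB_TOKEN", "type": "encrypted", "target": ["development"], "updatedAt": _ms(2026, 4, 1)},
]


def classify(key):
    """Return the exposure category for a variable name, or None if it is not a secret."""
    for pattern, label in HIGH_RISK_PATTERNS:
        if pattern.search(key):
            return label
    return None


def rotation_worklist(env_vars, cutoff=INCIDENT_START):
    """Secrets last updated before `cutoff`, ordered by exposure, with remediation notes."""
    work = []
    for var in env_vars:
        category = classify(var["key"])
        if category is None:
            continue  # public/config value, not a credential
        updated = datetime.fromtimestamp(var["updatedAt"] / 1000, tz=timezone.utc)
        if updated >= cutoff:
            continue  # already rotated during or after the incident window
        notes = []
        if var["type"] == "plain":
            notes.append("stored as plain text; recreate it as a sensitive variable")
        if category == "signing-key":
            notes.append("signing material should not live in env vars; move it to a KMS/HSM")
        work.append({
            "key": var["key"],
            "category": category,
            "targets": list(var["target"]),
            "last_updated": updated.date().isoformat(),
            "notes": notes,
        })
    work.sort(key=lambda item: PRIORITY[item["category"]])
    return work


def rotation_commands(worklist):
    """CLI checklist: remove the old value, then add the new one (entered when prompted,
    after generating it at the issuing provider). CLI syntax is an assumption."""
    commands = []
    for item in worklist:
        for target in item["targets"]:
            commands.append(f"vercel env rm {item['key']} {target} --yes")
            commands.append(f"vercel env add {item['key']} {target}")
    return commands


if __name__ == "__main__":
    for item in rotation_worklist(SAMPLE_ENV):
        print(f"{item['key']:<24} {item['category']:<26} last updated {item['last_updated']}  {'; '.join(item['notes'])}")
    print("\n".join(rotation_commands(rotation_worklist(SAMPLE_ENV))))
```

Rotating in Vercel alone is only half the job: the old value must also be revoked at the issuer (the RPC provider, Stripe, AWS, the database), otherwise an attacker holding the exfiltrated copy keeps working access regardless of what the dashboard now shows.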

If you use AI developer tools with OAuth integrations (Cursor, Context.ai, Codeium, similar):

  • Review what OAuth access each tool has to your deployment platforms
  • Check if any of these tools have access to production environment secrets vs development-only repositories
  • Implement least-privilege OAuth scopes — AI coding tools should not need access to production deployment secrets to function

For security teams:

  • Add OAuth application registrations to your regular credential rotation scope
  • Monitor for anomalous OAuth token usage — legitimate AI dev tools access codebases at indexing time, not continuously at odd hours
  • Evaluate whether AI dev tool OAuth grants should have access to production environment variable storage
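The monitoring point above (an AI code tool indexes repositories in a burst at setup, it does not read environment secrets at 3 a.m. on several different days) can be turned into a small detection pass over platform audit events. The following is an added example, not the article's or any vendor's code. It assumes a generic JSON-lines audit format with `ts`, `actor`, `action` and `resource` fields and an `oauth:<app>` actor prefix; real Vercel or GitHub audit exports will need a field mapping. The sample events are constructed, and the expected-action set per integration and the working-hours window are assumptions you would set per organisation.

```python
"""Flag anomalous OAuth-app activity in platform audit events.

Added example. Three rules, all on OAuth actors only:
  1. out_of_hours     - activity outside the working-hours window
  2. unexpected_scope - an action outside what the integration should need
  3. sustained        - activity on more distinct days than an indexing job needs
"""
import json
from collections import defaultdict
from datetime import datetime

# What each integration legitimately needs (assumption, per organisation).
EXPECTED_ACTIONS = {"context-ai": {"repo.read", "deployment.read"}}
WORK_HOURS = (8, 20)  # UTC hours, inclusive start / exclusive end (assumption)

# Constructed audit log: an indexing burst on April 2, then env-secret and
# member-list reads at night on April 19-20, plus one normal human read.
SAMPLE_AUDIT_LOG = """\
{"ts":"2026-04-02T10:15:00Z","actor":"oauth:context-ai","action":"repo.read","resource":"acme/web"}
{"ts":"2026-04-02T10:16:00Z","actor":"oauth:context-ai","action":"repo.read","resource":"acme/api"}
{"ts":"2026-04-02T10:17:00Z","actor":"oauth:context-ai","action":"deployment.read","resource":"acme/web"}
{"ts":"2026-04-19T03:41:00Z","actor":"oauth:context-ai","action":"env.read","resource":"acme/web"}
{"ts":"2026-04-19T03:42:00Z","actor":"oauth:context-ai","action":"team.members.list","resource":"acme"}
{"ts":"2026-04-20T02:05:00Z","actor":"oauth:context-ai","action":"env.read","resource":"acme/api"}
{"ts":"2026-04-20T09:30:00Z","actor":"user:dev@acme.example","action":"env.read","resource":"acme/web"}
"""


def parse_events(log_text):
    """Parse JSON lines into dicts with a timezone-aware datetime in `ts`."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def analyze(log_text, expected=EXPECTED_ACTIONS, work_hours=WORK_HOURS, max_active_days=2):
    """Return findings grouped by rule. Human actors are ignored; they are
    covered by other controls and have different behavioural baselines."""
    findings = {"out_of_hours": [], "unexpected_scope": [], "sustained": []}
    active_days = defaultdict(set)
    start, end = work_hours
    for event in parse_events(log_text):
        if not event["actor"].startswith("oauth:"):
            continue
        app = event["actor"].split(":", 1)[1]
        when = event["ts"]
        active_days[app].add(when.date())
        if not (start <= when.hour < end):
            findings["out_of_hours"].append((app, when.isoformat(), event["action"]))
        if event["action"] not in expected.get(app, set()):
            findings["unexpected_scope"].append((app, when.isoformat(), event["action"], event["resource"]))
    for app, days in active_days.items():
        if len(days) > max_active_days:
            findings["sustained"].append((app, len(days)))
    return findings


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_AUDIT_LOG).items():
        print(f"{rule}: {len(hits)} finding(s)")
        for hit in hits:
            print("   ", hit)
```

The scope rule is the one that would have mattered most in the chain described above: an integration registered for codebase analysis suddenly reading environment variables and listing team members is a scope violation regardless of the hour. Tune the day threshold to the tool's real re-indexing cadence before alerting on it.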

The $2M Ransom: ShinyHunters Economics

ShinyHunters has historically not relied on ransom payment. The Ticketmaster ransom was not paid; the data was sold on hacking forums. The Snowflake-adjacent data was monetised through individual ransom demands to affected customers rather than to Snowflake directly.

The $2M demand against Vercel follows a different structure: ShinyHunters is pricing the value of not releasing the API keys publicly, not the value of the 580 employee records. If those API keys provide access to crypto infrastructure, the implied value is much higher than $2M — which means either ShinyHunters has already extracted direct value from the keys, or they are pricing below market to close quickly before Vercel forces rotation.

Vercel's silence on whether payment was made is the standard corporate response — paying a ransom creates disclosure obligations in some jurisdictions and signals willingness to pay future demands.

Key Takeaways

  • Vercel breached via Context.ai OAuth chain April 19-20, 2026: Lumma Stealer → Context.ai employee credentials → Vercel employee account → 580 records + undisclosed API keys
  • ShinyHunters claimed breach + $2M ransom: same group behind Snowflake (165M records) and Ticketmaster (560M records) attacks; serial credential exfiltration targeting
  • No npm package compromise: deployed application code on Vercel not directly tampered; the risk is stored environment variables and API keys
  • Crypto developer scramble: DeFi front-ends on Vercel store RPC provider keys, wallet service credentials — rotate all environment variables immediately
  • OAuth supply chain is the attack surface: AI dev tools with broad OAuth access to deployment platforms are a high-value attack path; audit and minimise all OAuth grants
  • Developer action required: rotate Vercel environment variables, revoke unused OAuth integrations, check audit logs April 15-22

For the Bitwarden CLI supply chain attack context, read Bitwarden CLI npm Supply Chain Compromise. For the CISA KEV and active exploits context, read CISA KEV: SimpleHelp, Samsung MagicINFO, D-Link CVEs — May 8 Deadline. For the Iran hackers targeting developer-adjacent infrastructure, read Pro-Iran Hackers Ababil Hit LA Metro, PLCs.

Frequently Asked Questions

Was Vercel hacked in April 2026?

ShinyHunters claimed a breach of Vercel in April 2026 via a compromised OAuth integration with Context.ai, an AI-powered developer tool. The attack chain involved Lumma Stealer malware compromising a Context.ai employee's credentials, which were then used to access a Context.ai OAuth application connected to a Vercel employee account. Approximately 580 employee records and an undisclosed number of API keys were exfiltrated. Vercel confirmed a security incident. A $2 million ransom was demanded. Vercel has not publicly disclosed full scope or whether the ransom was paid.

Should I rotate my Vercel API keys and environment variables after the breach?

Yes — rotate all environment variables and API keys in your Vercel projects regardless of whether you use Context.ai. The breach involved access to Vercel employee accounts with platform-level permissions; the scope of what API keys were accessed has not been fully disclosed. Treat any credentials stored in Vercel environment variables as potentially compromised if you have not rotated them since April 19. Priority rotation: RPC provider keys, Stripe keys, AWS credentials, database connection strings, and any key with financial or infrastructure access. Also review and revoke any unused OAuth integrations under Vercel Settings → Integrations.

What is ShinyHunters and why do they target developer infrastructure?

ShinyHunters is a threat group responsible for major credential exfiltration attacks including Ticketmaster (560 million records, 2023) and Snowflake customer data breaches (165 million records, 2024). They specialise in targeting platforms that store secrets for downstream organisations — compromising Vercel is valuable not for the 580 employee records but because Vercel projects contain environment variables for thousands of production applications. Each API key is a potential entry point into a downstream customer environment. The $2M ransom demand targets the value of not releasing those API keys publicly.

How can developers protect against OAuth supply chain attacks on developer tools?

Audit every OAuth integration your development tools have with deployment platforms. AI coding tools (Cursor, Context.ai, Codeium) and CI/CD integrations should operate with least-privilege OAuth scopes — they need codebase read access but not production environment variable access. Revoke OAuth grants you are not actively using. Add OAuth application registrations to your regular credential rotation schedule. Monitor for anomalous OAuth token usage (legitimate tools index at setup time, not continuously). Security teams should treat OAuth grants from AI dev tools as a permanent attack surface requiring the same scrutiny as service account credentials.


Written by

Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 941+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 167 countries.