Overview
- Vercel, in an update Thursday, said it found more customer accounts affected by the April breach and has notified those users.
- The company also identified a small set of customer accounts compromised before April in unrelated attacks that may have come from social engineering or malware.
- Investigators say attackers abused an OAuth link from a Context.ai app on a Vercel employee’s Google Workspace to reach internal systems and list environment variables that can expose service keys.
- Hudson Rock reported a Context.ai employee was infected with Lumma Stealer in February 2026, which researchers say may explain how tokens used for access were stolen.
- Vercel brought in Mandiant to run the investigation and says it has found no evidence of tampering in the software packages it publishes, while a ShinyHunters data-sale claim is disputed by a Google threat analyst.