The attack that surfaced on BreachForums in April 2026 with a $2 million price tag for Vercel source code did not begin at Vercel. It began in February 2026, when a Context AI employee downloaded Roblox auto-farm scripts. What followed was a Lumma Stealer infection, credential theft, OAuth token compromise, and a supply-chain pivot through a Chrome extension that held legitimate read access to corporate Google Drives. OX Security published the full chain on April 20[1].

The April 20 Disclosure: OX Security Maps the Full Chain

OX Security’s April 20 writeup[1] reconstructed the path: Lumma Stealer on a Context AI employee’s machine exfiltrated Google Workspace credentials and a Drive OAuth token. The attacker used that foothold to compromise Context AI’s extension distribution environment and pivot into a Vercel employee’s Google Workspace, from which they reached environment variables for a subset of Vercel customers.

The specific attack mechanism matters for both attribution and remediation. Current disclosures describe OAuth token abuse via a compromised extension environment; whether a malicious build of the Context AI Chrome extension was actually delivered to the Vercel employee’s browser, or whether the attacker simply used tokens already granted to the extension’s client ID, is a distinction the public record does not yet resolve cleanly.

From Roblox Scripts to Vercel: The Lumma Stealer Pivot

Hudson Rock identified the Context AI employee[2] as a potential patient zero, infected with Lumma Stealer in February 2026 after searching for Roblox auto-farm scripts and game exploit executors. This is not an exotic vector. Lumma Stealer has been distributed through fake game cracks and exploit tools for years; the standard payload harvests browser-stored session tokens and OAuth refresh tokens before the user notices anything is wrong.

The OAuth token in question came from the Context AI Chrome extension (ID: omddlmnhcofjbnbflmjginpjjblphbgk), which Google removed from the Chrome Web Store on March 27, 2026[3]. The extension had requested full Google Drive read access. By the time Google pulled it, tokens were already in circulation. OAuth grants survive extension removal; any refresh token already issued and held by the attacker remains valid until the user or a Workspace admin explicitly revokes it.

Context AI also separately disclosed a March 2026 AWS breach in which attackers likely compromised OAuth tokens for some consumer users, according to The Hacker News[4]. The two incidents may be related; the timeline overlap is notable, and the company’s AI Office Suite has been deprecated since the incident.

Vercel’s Expanding Scope: April 23 Adds Prior Compromises

Vercel’s initial April 20 statement described a “limited subset” of customers with non-sensitive environment variables exposed. CEO Guillermo Rauch confirmed that Next.js, Turbopack, and other open-source projects were unaffected and no npm packages were compromised[3]. The actor was described as “sophisticated,” which is the standard post-incident framing for attackers who did not need a zero-day.

Three days later, Vercel’s April 23 update[2] expanded the scope. After applying new compromise indicators to their log analysis, they identified an additional set of compromised customer accounts tied to the Context AI chain. They also surfaced prior compromises, independent of that chain, likely from social engineering or malware. That second finding is the more uncomfortable one: it means the log review conducted immediately after the initial disclosure was incomplete, and that credential abuse may have been occurring before anyone was looking.

“Non-sensitive environment variables” warrants scrutiny. Environment variables in Vercel projects frequently contain API keys, database connection strings, and third-party service credentials. Whether a variable is labelled sensitive is often a configuration choice made by the application developer, not a technical constraint on what can be done with it once exfiltrated.

The OAuth Gap: Why Chrome Extensions Are the New Supply Chain

The structural problem this incident exposes is not specific to Vercel or Context AI. Enterprise security teams currently treat browser extensions as user-side risk: an IT policy problem, a browser management question, something that sits below the threshold of third-party infrastructure review. The average npm package receives more scrutiny before landing in a CI pipeline than the average Chrome extension gets before being installed on a developer laptop with access to a corporate Google Workspace.

The gap is partly Google’s architecture and partly organizational habit. When a Chrome extension requests Google Drive OAuth scopes, the resulting grant is tied to the user’s Google identity, not to a device or browser session. Depending on the flow, either Chrome holds the grant and hands the extension access tokens on request (chrome.identity.getAuthToken), or the extension’s own backend completes an authorization-code exchange and keeps the refresh token on the developer’s server (chrome.identity.launchWebAuthFlow). Either way the grant stays valid until explicitly revoked, and an attacker who compromises the extension developer’s distribution or backend environment inherits a path to every token that extension has ever been granted across every user who installed it.

This is CI/CD-equivalent trust in a different packaging. A compromised extension update reaches every installed browser within hours. A compromised OAuth token from a prior install base is usable immediately. The difference from a compromised npm package in a build pipeline is mostly presentation: one looks like infrastructure, one looks like a browser toolbar. Security reviews treat them accordingly.

Attribution Noise: BreachForums, ShinyHunters, and the $2M Question

The BreachForums listing claiming a Vercel database access key and partial source code, priced at $2 million, remains unverified. Google’s Threat Intelligence Group assessed the ShinyHunters attribution as likely an imposter[3]. ShinyHunters is an established brand in the breach marketplace; impersonating known threat actors to inflate credibility and asking price is a documented pattern, and the $2M figure has the quality of a number chosen to generate headlines rather than reflect market research.

Whether the listing is genuine, inflated, or fabricated entirely does not change the verified facts: credentials were exfiltrated, OAuth tokens were abused, and Vercel customer environment variables were exposed. The headline price is a distraction from the mechanism, which is more interesting and more actionable.

What Platform Teams Should Audit Now

The vector here is specific enough to produce a concrete checklist.

Chrome extension OAuth inventory. List every third-party Chrome extension installed in managed browser profiles that holds Google Workspace OAuth grants. Extensions with https://www.googleapis.com/auth/drive.readonly have read access to everything in the user’s Drive, including shared drives. Most enterprise Workspace audits have never done this.

OAuth grant revocation for removed apps. Extension removal from the store does not revoke tokens. Use the Google Admin Console to revoke OAuth grants for apps no longer in active use or removed from the store, particularly any with Drive or Gmail scopes issued before March 2026.
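The inventory and revocation steps above, as an added example script rather than tooling from Vercel, Context AI, Google or OX Security. It uses the Admin SDK Directory API tokens resource (users.tokens.list and users.tokens.delete), assumes an admin bearer token carrying the admin.directory.user.security scope, and runs its triage over a constructed sample; the client IDs and display names in that sample are placeholders, not the Context AI extension’s actual OAuth client.

```python
"""Inventory and revoke third-party OAuth grants in Google Workspace.

Added example; not code from Vercel, Context AI, Google or OX Security. It uses the
Admin SDK Directory API 'tokens' resource (users.tokens.list / users.tokens.delete)
with an admin bearer token carrying the admin.directory.user.security scope.
SAMPLE_TOKENS below is constructed; its client IDs are placeholders.
"""
import json
import urllib.request
from urllib.parse import quote

ADMIN_API = "https://admin.googleapis.com/admin/directory/v1"

# Scopes that give an app broad, persistent reach into Workspace data.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://mail.google.com/",
}


def list_tokens(admin_token: str, user_key: str) -> list:
    """GET users/{userKey}/tokens: every OAuth grant this user issued to a third-party app."""
    req = urllib.request.Request(
        f"{ADMIN_API}/users/{quote(user_key)}/tokens",
        headers={"Authorization": f"Bearer {admin_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp).get("items", [])


def revoke_grant(admin_token: str, user_key: str, client_id: str) -> None:
    """DELETE users/{userKey}/tokens/{clientId}: revokes the app's grant, refresh token included."""
    req = urllib.request.Request(
        f"{ADMIN_API}/users/{quote(user_key)}/tokens/{quote(client_id, safe='')}",
        method="DELETE",
        headers={"Authorization": f"Bearer {admin_token}"},
    )
    urllib.request.urlopen(req).close()


def triage_grants(tokens: list, removed_client_ids: set) -> list:
    """Return (client_id, display_text, reasons) for each grant worth revoking.

    A grant is flagged when its OAuth client is on the removed/deprecated list
    (store removal does not revoke anything) or when it holds a high-risk scope.
    """
    flagged = []
    for t in tokens:
        reasons = []
        if t["clientId"] in removed_client_ids:
            reasons.append("app removed from store or no longer in use")
        risky = sorted(HIGH_RISK_SCOPES & set(t.get("scopes", [])))
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if reasons:
            flagged.append((t["clientId"], t.get("displayText", "?"), reasons))
    return flagged


def audit_users(admin_token: str, users: list, removed_client_ids: set, dry_run: bool = True) -> dict:
    """Triage every listed user's grants; revoke flagged ones unless dry_run. Returns {user: flagged}."""
    report = {}
    for user in users:
        flagged = triage_grants(list_tokens(admin_token, user), removed_client_ids)
        report[user] = flagged
        if not dry_run:
            for client_id, _, _ in flagged:
                revoke_grant(admin_token, user, client_id)
    return report


# Constructed sample in the shape of admin#directory#token items (placeholder IDs, not real ones).
SAMPLE_TOKENS = [
    {"clientId": "111111-ext.apps.googleusercontent.com", "displayText": "Hypothetical Drive extension",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly", "openid", "email"]},
    {"clientId": "222222-cal.apps.googleusercontent.com", "displayText": "Calendar sync",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"clientId": "333333-mail.apps.googleusercontent.com", "displayText": "Mail helper",
     "scopes": ["https://www.googleapis.com/auth/gmail.modify"]},
]

if __name__ == "__main__":
    for client_id, name, reasons in triage_grants(SAMPLE_TOKENS, {"111111-ext.apps.googleusercontent.com"}):
        print(f"REVOKE {name} ({client_id}): {'; '.join(reasons)}")
```

Run audit_users with dry_run=True first and review the report before revoking; the same per-user grant list is what the Admin console shows under third-party app access, so the script is a bulk equivalent of the manual revocation step, not a different data source.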

Environment variable classification. Vercel’s “non-sensitive” framing should prompt teams to audit what is in preview environment variables versus production, and whether that separation is enforced by access controls or only by naming convention.
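A classifier for the environment-variable audit above, as an added example and not Vercel’s own tooling. It assumes Vercel’s REST endpoint GET /v9/projects/{idOrName}/env, whose entries carry `key`, `type` (plain, encrypted, sensitive, secret, system) and a `target` list (production, preview, development); the naming heuristic and the sample variables are constructed for illustration. In Vercel’s product, “sensitive” is the storage type whose values cannot be decrypted and viewed after creation, which is why the check compares how a variable is named with how it is stored.

```python
"""Flag Vercel environment variables whose names suggest credentials but whose storage
type or target scoping does not match.

Added example; not Vercel's tooling. Assumes GET /v9/projects/{idOrName}/env, whose
`envs` entries carry `key`, `type` (plain, encrypted, sensitive, secret, system) and
`target` (production, preview, development). SECRET_NAME and SAMPLE_ENVS are constructed.
"""
import json
import re
import urllib.request

VERCEL_API = "https://api.vercel.com"

# Names that usually hold credentials; extend for your own conventions.
SECRET_NAME = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY|DATABASE_URL|_DSN|CONNECTION_STRING)",
    re.IGNORECASE,
)
CLIENT_PREFIX = "NEXT_PUBLIC_"  # Next.js inlines these into the browser bundle
NON_PROD = {"preview", "development"}


def fetch_envs(vercel_token: str, project: str, team_id: str = None) -> list:
    """GET /v9/projects/{project}/env with a Vercel access token."""
    url = f"{VERCEL_API}/v9/projects/{project}/env"
    if team_id:
        url += f"?teamId={team_id}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {vercel_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["envs"]


def classify(envs: list) -> list:
    """Return (key, finding) pairs for variables that deserve a second look."""
    findings = []
    for e in envs:
        key, etype, targets = e["key"], e.get("type"), set(e.get("target", []))
        if not SECRET_NAME.search(key):
            continue
        if key.startswith(CLIENT_PREFIX):
            findings.append((key, "secret-looking name with NEXT_PUBLIC_ prefix: shipped to the browser"))
            continue
        if etype != "sensitive":
            findings.append((key, f"stored as {etype!r}: value can be read back via dashboard, CLI or API"))
        if "production" in targets and targets & NON_PROD:
            findings.append((key, "production credential also exposed to preview/development targets"))
    return findings


SAMPLE_ENVS = [  # constructed; mirrors the shape of the API response
    {"key": "DATABASE_URL", "type": "encrypted", "target": ["production", "preview"]},
    {"key": "STRIPE_SECRET_KEY", "type": "sensitive", "target": ["production"]},
    {"key": "NEXT_PUBLIC_API_TOKEN", "type": "plain", "target": ["production", "preview", "development"]},
    {"key": "FEATURE_FLAG_BETA", "type": "plain", "target": ["preview"]},
]

if __name__ == "__main__":
    for key, finding in classify(SAMPLE_ENVS):
        print(f"{key}: {finding}")
```

The second check is the one the “non-sensitive” framing hides: a DATABASE_URL that is merely encrypted is still a live credential once read back, and one shared between production and preview targets is reachable from whoever can trigger a preview deployment.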

Lumma Stealer indicators. Hudson Rock’s identification of the infection vector points to a well-characterized commodity stealer. Endpoint telemetry for credential-harvesting activity on developer machines is worth reviewing against the February 2026 timeframe if your organization has engineers who used the Context AI extension.

Prior compromise review. Vercel’s April 23 disclosure found independent prior compromises when they expanded their log query scope. Applying new indicators retroactively to existing logs is not a nice-to-have once an incident of this kind is confirmed.

The attacker needed a game-exploit downloader, a Chrome extension with Drive OAuth, and patience. None of this required a Vercel vulnerability.

Frequently Asked Questions

How long do the stolen OAuth refresh tokens remain usable?

Google OAuth refresh tokens have no fixed expiry in the normal case. They persist until the user or a Workspace admin revokes them, or until one of Google’s own revocation triggers fires: a password change revokes refresh tokens that carry Gmail scopes, and a Workspace session-control policy can force reauthentication. Absent one of those events, tokens issued to the Context AI extension before Google’s March 27 store removal remain valid today. Uninstalling the extension does not revoke its grants.

What does a Google Admin Console OAuth audit actually miss?

The Admin Console shows which apps hold which OAuth scopes per user, but not which Drive files an app actually touched. Admins can confirm that an app held drive.readonly scope, but not whether it read one file or enumerated every shared drive. File-level access history lives in the Drive log events of the Workspace audit and investigation tool; what that log captures and how long it is retained depend on the Workspace edition, and the retention window is finite, so a review that starts months after an infection may find the relevant events already aged out.

How does the extension’s Drive scope compare to what a compromised npm package gets?

An npm package executes with the secrets in its CI/CD environment — typically API keys and deploy tokens scoped to one project or pipeline. The Context AI extension’s drive.readonly scope gave it read access to every file in every shared Drive the user could see, including cross-team documents, onboarding runbooks, and internal security policies. The blast radius of a compromised extension with Workspace scopes is organizational rather than project-scoped.

Could Google close this vector under Manifest V3?

Manifest V3, which Chrome has enforced since 2024, removed blocking webRequest interception in favor of declarativeNetRequest but left the chrome.identity API intact, because enterprise SSO and Workspace integrations depend on it for authentication. Restricting that API would break those integrations. The more probable intervention is tighter Chrome Web Store review for extensions requesting Drive or Gmail scopes, but store review examines extension behavior, not what happens to tokens on the developer’s server after the OAuth client receives them.

Were Context AI consumer users caught up in this same breach?

Context AI disclosed a separate March 2026 AWS breach involving OAuth tokens for consumer users of their AI Office Suite — a different user base from the enterprise installs of the Chrome extension. Context AI deprecated the AI Office Suite entirely after both incidents, which suggests the consumer-side exposure may have been broader than the company publicly characterized. Whether the same Lumma Stealer infection seeded both breaches has not been confirmed by any disclosed source.

Sources

  1. OX Security Blog — Vercel & Context AI Supply Chain Attack (primary; accessed 2026-04-28)
  2. The Hacker News — Vercel Finds More Compromised Accounts (analysis; accessed 2026-04-28)
  3. The Hacker News — Vercel Breach Tied to Context AI Hack (analysis; accessed 2026-04-28)
  4. The Hacker News — Weekly Recap: Vercel Hack, Push Fraud (analysis; accessed 2026-04-28)
