It started with a Lumma Stealer infection at a small AI startup. It ended with attackers inside Vercel’s internal environments, allegedly holding source code and API tokens for GitHub and NPM. One of April’s biggest breaches is another example of how modern software supply chains amplify single points of failure.

Executive Summary
In April 2026, attackers leveraged a commodity infostealer infection at Context.ai, a small AI vendor, to breach Vercel’s internal environments through a stolen OAuth session token. The attack chain illustrates how a single compromised endpoint at a third-party vendor can cascade into full access to a downstream organization’s deployment systems, source code, and API credentials.
The initial infection went undetected for six weeks, during which the stolen token provided persistent, MFA-bypassing access across connected services. The alleged attacker later appeared on underground forums claiming to sell internal deployment access, source code repositories, and API tokens for GitHub and NPM, along with 580 employee records as proof of access.
This incident underscores three critical gaps in modern enterprise security: insufficient OAuth token lifecycle management, limited real-time visibility into vendor endpoint posture, and overreliance on point-in-time vendor risk assessments. Security teams should prioritize OAuth permission audits, session anomaly detection, continuous vendor security validation, and secrets management for high-value API tokens.
The Anatomy of a Supply Chain Attack
Supply chain attacks succeed because they exploit trust relationships that organizations cannot fully audit. The Vercel incident is a textbook example: an attack that navigated from a small AI vendor’s employee endpoint all the way to critical developer infrastructure, using OAuth as the connective tissue.
Chain of Compromise
Stage 1: Context.ai, February 2026
A Context.ai employee’s workstation was compromised with Lumma Stealer, a commodity infostealer widely available as malware-as-a-service. Lumma’s primary function is credential harvesting: it extracts saved passwords, session cookies, and authentication tokens from browsers and applications. The infection went undetected for approximately six weeks.
Stage 2: OAuth Application / Harvested Session Token
Lumma Stealer harvested an active session token associated with a Google Workspace OAuth application that Context.ai had integrated into its workflow. OAuth tokens are particularly dangerous when stolen because they provide authenticated access to connected services without requiring a password, and they frequently bypass multi-factor authentication entirely if the session is still active.
Stage 3: Vercel Employee / Google Workspace Account
Using the harvested OAuth credentials, the threat actor accessed a Vercel employee’s Google Workspace account. The OAuth application served as a bridge: the trust relationship between Context.ai and Vercel’s employee, mediated through a shared Google Workspace OAuth application, became the attack vector.
Stage 4: Vercel Internal Environments
Using the employee’s account as a foothold, the attacker escalated privileges into Vercel’s internal environments, enumerating internal deployment systems, CI/CD configurations, and sensitive credential stores. Vercel has stated that core systems including the Next.js open-source project remain unaffected.
Stage 5: Underground Forums
The alleged attacker appeared on underground forums attempting to sell the stolen data, claiming to offer internal deployment access, source code repositories, and critical API tokens for platforms including GitHub and NPM. A roster of 580 employee records was included as proof of access.
Understanding Lumma Stealer’s Role
Lumma Stealer (also known as LummaC2) is a commodity infostealer available through Malware-as-a-Service forums for a few hundred dollars per month. It gives even low-sophistication threat actors access to powerful credential harvesting capabilities.
What makes Lumma particularly dangerous in supply chain contexts is its ability to extract OAuth tokens, browser session cookies, and cryptocurrency wallet files: assets that bypass traditional authentication controls. An attacker holding a stolen OAuth session token does not need to know your password, does not need to bypass your MFA, and does not need to phish you directly. They simply continue the session you already authenticated.
Why OAuth Is the Weak Link
OAuth 2.0 was designed to delegate authentication, allowing applications to act on behalf of users without sharing passwords. But the security model assumes that session tokens are kept secret. When Lumma Stealer exfiltrates a token from a victim’s browser or application store, it can be replayed from anywhere in the world. Many OAuth implementations lack granular revocation capabilities, geographic anomaly detection, or device fingerprinting, meaning the attacker’s session is indistinguishable from the legitimate user’s.
The Six-Week Detection Gap
The initial Lumma Stealer infection at Context.ai occurred in February 2026, about six weeks before the Vercel breach became apparent. Commodity infostealers are designed to operate quietly, exfiltrating credentials without triggering behavioral alerts or creating the kind of lateral movement noise that EDR systems typically flag.
In a supply chain context, that six-week window is particularly damaging because the organization at risk (Vercel) had no visibility into the vendor’s (Context.ai’s) endpoint posture. Standard vendor risk management processes — questionnaires, SOC 2 reports, penetration test attestations — provide no real-time signal about whether a vendor employee’s laptop is currently compromised.
Lessons for Security Teams
1. Audit and restrict OAuth application permissions aggressively. Maintain an inventory of every OAuth application that has been granted access to your Google Workspace, Microsoft 365, or other identity platforms. Apply the principle of least privilege and consider time-limiting OAuth authorizations.
2. Implement OAuth token anomaly detection. Monitor for OAuth session usage from unexpected geographic locations, device fingerprints, or IP ranges. A session authenticated from Minnesota and suddenly used from Eastern Europe should trigger an immediate alert and automated revocation.
3. Extend vendor risk assessments to include endpoint security practices. Consider requiring vendors with deep OAuth access to demonstrate active EDR deployment, infostealer detection capabilities, and incident response procedures on a continuous basis, not just at onboarding.
4. Treat API tokens as high-value secrets with dedicated protection. API tokens for platforms like GitHub and NPM can enable malicious code injection into software builds and package repositories if compromised. Store them in dedicated secrets management solutions, rotate them regularly, and monitor for anomalous usage patterns.
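Detection logic for lesson 2 (and for the time-limited authorizations in lesson 1), as an added example that is not part of the original post and not Vercel's, Google's or Context.ai's code: each OAuth session is bound to the country, ASN and device fingerprint seen when it authenticated, and any later use that deviates from that binding, or that reuses a session older than a policy age, is flagged with a recommended action. The event format, the 30-day policy and the sample events (one session replayed six weeks after a US login from a different country and network) are constructed for the example.

```python
from datetime import datetime, timedelta

# Policy: how long one OAuth session may stay valid before re-authentication is forced.
# Constructed value for this example; set it per identity platform.
MAX_SESSION_AGE = timedelta(days=30)

# Constructed OAuth audit events in an invented format:
# (timestamp, session_id, event, country, asn, device_fingerprint)
EVENTS = [
    ("2026-02-03T14:02:11Z", "sess-a1", "auth",   "US", "AS7922",  "fp-chrome-win-7c3e"),
    ("2026-02-03T15:10:42Z", "sess-a1", "access", "US", "AS7922",  "fp-chrome-win-7c3e"),
    ("2026-03-17T02:41:09Z", "sess-a1", "access", "RU", "AS12389", "fp-chrome-win-7c3e"),
    ("2026-03-17T02:43:55Z", "sess-a1", "access", "RU", "AS12389", "fp-firefox-linux-91aa"),
    ("2026-03-01T09:00:00Z", "sess-b2", "auth",   "US", "AS7922",  "fp-safari-mac-0d11"),
    ("2026-03-01T09:30:00Z", "sess-b2", "access", "US", "AS7922",  "fp-safari-mac-0d11"),
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_session_anomalies(events, max_age=MAX_SESSION_AGE):
    """Return (session_id, timestamp, reasons, action) for each access that deviates
    from the country/ASN/device binding recorded when the session authenticated,
    or that uses a session older than max_age."""
    bindings = {}  # session_id -> (auth_time, country, asn, device_fp)
    alerts = []
    for ts, sid, kind, country, asn, fp in sorted(events, key=lambda e: e[0]):
        if kind == "auth":
            bindings[sid] = (_parse(ts), country, asn, fp)
            continue
        if sid not in bindings:
            alerts.append((sid, ts, ["access with no recorded authentication"], "revoke"))
            continue
        auth_time, b_country, b_asn, b_fp = bindings[sid]
        drift = []  # binding mismatches: the token is being used from somewhere new
        if country != b_country:
            drift.append(f"country {b_country}->{country}")
        if asn != b_asn:
            drift.append(f"network {b_asn}->{asn}")
        if fp != b_fp:
            drift.append(f"device {b_fp}->{fp}")
        stale = _parse(ts) - auth_time > max_age
        if drift or stale:
            reasons = drift + ([f"session older than {max_age.days} days"] if stale else [])
            # Any binding drift means the token left the device it was issued to:
            # revoke. A merely stale session only needs a fresh login.
            alerts.append((sid, ts, reasons, "revoke" if drift else "force-reauth"))
    return alerts
```

Running detect_session_anomalies(EVENTS) flags only the two March accesses of sess-a1, each for revocation; the unchanged sess-b2 session produces nothing.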