The Vercel breach started with someone installing Roblox cheats

On 20 April, Vercel told customers that an attacker had stolen source code, API keys, database credentials and environment variables from “hundreds of users across many organisations.” Vercel hosts a significant slice of the modern web, including the tooling behind Next.js. The breach didn’t start with a zero-day, or a phishing campaign against Vercel, or a rogue insider. It started with someone searching for Roblox cheats.

That’s worth sitting with for a moment. A person downloaded game exploits onto a computer. Two months later, customer credentials from a major web platform were sitting on a criminal forum with a $2 million price tag.

The chain, step by step

In February 2026, an employee at a company called Context.ai went looking for Roblox “auto-farm” scripts and game executors. These are cheat tools that let a player automate gameplay. They are also, as Hudson Rock’s analyst put it, “notorious vectors for Lumma stealer deployments.” The employee downloaded one. It was malware.

Lumma is an infostealer. It doesn’t make headlines the day it lands. It quietly scrapes everything the browser remembers: saved passwords, session cookies, OAuth tokens, any credentials cached by the operating system. Then it sends the lot to the attacker.

Context.ai builds an AI assistant. Customers install it and connect it to their Google Workspace so the assistant can read their mail, calendar and documents on their behalf. One of those customers was an employee at Vercel.

When the infostealer ran on the Context.ai employee’s machine, it took the tokens that Context.ai held for its own customers. Including the Google Workspace token granted by the Vercel employee.

The attacker used that token to sign in to the Vercel employee’s Google account. From there they pivoted into Vercel’s internal systems. They spent weeks quietly enumerating environment variables, access keys, source code and customer databases. Vercel’s CEO Guillermo Rauch later said the attacker “moved with surprising velocity and in-depth understanding of Vercel.”

On 20 April, Vercel disclosed the breach. A threat actor using the ShinyHunters persona claimed responsibility and listed the stolen data for $2 million.

So the chain is:

1. Employee installs a Roblox cheat on a machine with work access.
2. The cheat is malware. Browser credentials and session tokens go to the attacker.
3. Those credentials include OAuth tokens for customers of Context.ai’s AI product.
4. One of those customers is a Vercel employee. The attacker uses the token to log into their Google account.
5. From the Google account, the attacker moves into Vercel. Source code, keys and customer data are taken.

Five steps, two months, one download.

Two things broke

The press is calling this a supply chain attack. It is. But supply chain is the shape of the attack, not the cause. Two underlying failures made it possible, and both of them are things a small or mid-sized business can actually address.

The first: a home computer had work access

If the machine that downloaded the Roblox cheat couldn’t touch company credentials, this story ends at step one. A kid’s gaming rig, or an employee’s personal laptop being used for work after hours, should not be the thing that holds a live session cookie for the company’s Google admin console.

This is what the Essential Eight is for. Application control stops unapproved software from running. User application hardening blocks the browser behaviours that Lumma relies on. Restricting administrative privileges stops an infostealer from scooping up the whole credential store. None of these controls are exotic. They are the ones we insist on with every client, and the ones we decline to onboard a client who won’t implement.

The Vercel story is the clearest argument for those controls we’ve seen in a year. The infection point was a personal download. The blast radius was commercial.

The second: an AI tool had the keys to Google Workspace

Context.ai is an AI productivity product. To be useful, it asks customers to grant OAuth access to their Google Workspace. That’s a standard pattern. The problem isn’t the pattern. The problem is how fast it’s being adopted, how little review those approvals are getting, and how rarely anyone asks what happens when the vendor itself is breached.

Every AI product that wants to read your mail, your calendar, your documents or your codebase is asking for a long-lived key. That key is only as safe as the vendor’s weakest endpoint. In this case, the weakest endpoint was one employee’s personal browsing habits.

This is where the “move fast” culture collides with the reality of business IT. AI vendors are being stood up, funded and connected to enterprise systems on timelines that don’t leave room for basic operational maturity. Context.ai isn’t a shonky outfit. They’re a venture-funded startup doing what the market is asking them to do. And their single infected laptop became a gateway to Vercel’s customer list.

Business owners connecting AI tools to Microsoft 365 or Google Workspace should be asking three questions before they click Allow:

• What exactly does this product need, and why does it need that much?
• If this vendor is breached tomorrow, what of ours walks out the door?
• Who at our end approves these grants, and is anyone reviewing the list quarterly?

The third question is the one that almost nobody can answer. OAuth grants accumulate silently. Products that were trialled and abandoned often still hold tokens. Run a review today and the list will surprise you.

For business owners, two things to do this week.

1. Find out where the separation is, or isn’t. If staff log into work systems from personal devices, or family members use the same machine, ask your IT provider how a credential theft on that machine would be contained. If the answer is “it wouldn’t,” that’s the conversation to have before the next breach, not after.

2. Audit your OAuth grants. In Microsoft 365, the admin centre lists every third-party app that has been granted access to your tenant (Entra admin centre: Applications → Enterprise applications). In Google Workspace, it’s under Security → Access and data control → API controls → App access control. Walk the list. Revoke anything you don’t recognise, anything trialled and abandoned, and anything where the risk of the vendor being breached outweighs the value of the tool.

The lesson we keep having to relearn

Every time one of these supply chain breaches lands, the coverage focuses on the final victim. Vercel this month. SolarWinds in 2020. Kaseya in 2021. The story is always “major vendor hacked.” The cause is always smaller than that.

In this case, the cause was a single employee choosing to install game cheats on a computer that could reach customer data. Every control that would have stopped it, application control on the endpoint, separation of personal and work devices, quarterly review of what third-party apps can do to your tenant, is boring. None of it is interesting. All of it would have worked.

We’re not anti-AI. We’re using it ourselves, carefully. But the rush to connect every new AI product to the heart of the business is outpacing the governance the industry applied to every previous wave of vendor integration. Slow down. Ask what each tool actually needs. Revoke what you’re not using.

If you’d like a hand working through your OAuth grants or putting Essential Eight controls in place so that a compromised laptop doesn’t become a compromised business, get in touch. That conversation is on us.

Sources

• Vercel’s security breach started with malware disguised as Roblox cheats, CyberScoop, 20 April 2026.
• App host Vercel says it was hacked and customer data stolen, TechCrunch, 20 April 2026.
• Vercel Breach Linked to Infostealer Infection at Context.ai, InfoStealers.com, April 2026.
• Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials, The Hacker News, 20 April 2026.