Compromise of Third-Party AI Tool via Infostealer Leads to Vercel Breach and OAuth Token Theft Chain

3 unique sources, 3 articles

Summary

Vercel remains under assessment following a sophisticated attack chain that began with the compromise of third-party AI tool vendor Context.ai via an infostealer. The breach was enabled by an OAuth token tied to a Vercel employee’s Google Workspace account, granting access to non-sensitive environment variables and internal systems. Context.ai acknowledged the theft of OAuth tokens, including those used in consumer-facing integrations. Vercel, collaborating with Mandiant, has notified affected customers and issued advisories emphasizing MFA enforcement, credential rotation, and review of non-sensitive environment variables. A threat actor allegedly linked to ShinyHunters attempted to extort Vercel for $2 million. The incident highlights systemic risks from shadow AI integrations and OAuth sprawl.

Context.ai’s breach originated from an infostealer infection on an employee’s system after searching for gaming cheats, leading to the theft of OAuth tokens. The compromised Vercel employee account had broad permissions, including access to internal dashboards, API keys, and GitHub tokens.

Broader industry trends show attackers increasingly exploiting OAuth connections at scale, with campaigns like Scattered Lapsus$ Hunters targeting major enterprises via OAuth-driven supply chain attacks and phishing. Security experts recommend default-deny policies for OAuth integrations and routine audits to mitigate these risks.

Timeline

  1. 21.04.2026 00:01 · 3 articles

    Third-party AI Vendor Compromise via Infostealer Enables Vercel Breach via OAuth Token Theft

    Context.ai, an AI tool vendor, was compromised by an infostealer delivered through a gaming cheat script. Attackers used the breach to steal OAuth tokens, including one belonging to a Vercel employee who had granted "Allow All" permissions to Context.ai. The compromised token enabled unauthorized access to Vercel’s environments and environment variables, leading to a breach with potential downstream customer credential compromise. Vercel is collaborating with Mandiant and has notified affected customers. This article adds that the Vercel employee connected a deprecated consumer-grade "AI Office Suite" product from Context.ai to their Google Workspace tenant as a self-service trial, which was lightly used and forgotten. The Context.ai breach was allegedly caused by an infostealer infection on an employee’s system after searching for Roblox cheats. The compromised token granted access to the Vercel employee’s Google Workspace account, which had broad permissions including internal dashboards, employee records, API keys, NPM tokens, and GitHub tokens. The article also contextualizes the breach within broader industry trends, noting that attackers are exploiting OAuth integrations at scale. Notable campaigns include Scattered Lapsus$ Hunters targeting Salesforce and Google Workspace tenants via OAuth-driven supply chain attacks in 2025, impacting over 1,000 organizations. OAuth-focused phishing has seen a 37x increase in device code phishing attacks this year, with more than a dozen criminal Phishing-as-a-Service (PhaaS) kits in circulation.

Similar Happenings

Targeted social engineering of Axios maintainer enables UNC1069 npm supply chain compromise via WAVESHAPER.V2 implant

A maintainer of the widely used Axios npm package was targeted in a highly tailored social engineering campaign attributed to North Korean threat actor UNC1069, resulting in the compromise of npm account credentials and the publication of two trojanized versions of Axios (1.14.1 and 0.30.4). Google Threat Intelligence Group (GTIG) attributed the attack to UNC1069 based on the use of WAVESHAPER.V2 and infrastructure overlaps with past activities. The malicious packages were available for roughly three hours and injected a plain-crypto-js dependency that installed a cross-platform RAT, enabling credential theft and downstream compromise. The campaign also targeted additional maintainers, including Pelle Wessman (Mocha framework) and Node.js core contributors, revealing a coordinated effort against high-impact maintainers. The intrusion began with reconnaissance-driven impersonation of a legitimate company founder, engagement via a cloned Slack workspace and Microsoft Teams call, and execution of a fake system update that deployed the RAT. Post-incident, the maintainer reset devices, rotated all credentials, adopted immutable releases, introduced OIDC-based publishing flows, and updated GitHub Actions workflows to mitigate future risks.

Supply chain compromise of axios npm package delivers cross-platform RATs via malicious dependency

A North Korea-nexus threat actor (UNC1069) compromised the npm account of axios maintainer Jason Saayman via a two-week social engineering campaign and published malicious axios versions v1.14.1 and v0.30.4 containing the plain-crypto-js dependency to deliver cross-platform RATs with full unilateral control capabilities, bypassing 2FA. The attack’s blast radius has expanded beyond developer ecosystems after OpenAI revealed that a GitHub Actions workflow used for macOS app signing downloaded the malicious axios library, prompting OpenAI to revoke its macOS app certificate as a precaution despite no evidence of compromise. This incident underscores the escalating risks of supply chain compromises, with Google warning that hundreds of thousands of stolen secrets from the axios and Trivy attacks could fuel further software supply chain attacks, SaaS compromises, ransomware, and cryptocurrency theft. The campaign reflects an industrialized social engineering model targeting high-value individuals and open source maintainers, leveraging AI-enhanced trust-building and matured attacker tooling. Additional supply chain attacks in March 2026, such as the compromise of Trivy by TeamPCP (UNC6780), have compounded the threat landscape, exposing organizations like the European Commission and Mercor to downstream risks.

Widespread OAuth Device Code Phishing Campaign Targets Microsoft 365 via EvilTokens PhaaS

Since mid-February 2026, a large-scale device code phishing campaign has targeted Microsoft 365 across at least 340 organizations in over 10 countries, escalating 37.5x in early April. The campaign abuses OAuth device authorization flows via the EvilTokens PhaaS platform and at least 10 additional phishing kits (VENOM, DOCUPOLL, SHAREFILE, etc.), granting persistent access tokens even after password resets. Attacks incorporate anti-bot evasion, multi-hop redirect chains via vendor services, and SaaS-themed lures, while mitigation focuses on disabling device code flows and monitoring anomalous authentications. Credential exposures like the Figure breach (967,200 email records) enable follow-on campaigns—credential stuffing, AI-generated phishing, and help desk social engineering—that bypass legacy MFA through real-time phishing relays and social engineering. Legacy MFA and even FIDO2 passkeys are structurally unable to prevent these attacks, which rely on human judgment at critical control points. Phishing-resistant authentication requires cryptographic origin binding, hardware-bound keys, and live biometric verification to close relay and delegation vectors.

Tag poisoning in Trivy GitHub Actions repositories delivers cloud-native infostealer payload

Attackers compromised two official Trivy-related GitHub Actions repositories—aquasecurity/trivy-action and aquasecurity/setup-trivy—and backdoored Trivy v0.69.4 releases, distributing a Python-based infostealer that harvests wide-ranging CI/CD and developer secrets. The payload executes in GitHub Actions runners and Trivy binaries, remaining active for up to 12 hours in Actions tags and three hours in the malicious release. The actors leveraged compromised credentials from a prior March incident and added persistence via systemd services, while also linking to a follow-up npm campaign using the CanisterWorm self-propagating worm. The incident traces to a credential compromise initially disclosed in early March 2026, which was not fully contained and enabled subsequent tag and release manipulations. Safe releases are now available and mitigation includes pinning Actions to full SHA hashes, blocking exfiltration endpoints, and rotating all affected secrets.

Infostealer Malware Targets OpenClaw Configuration Files

Infostealer malware has been observed stealing OpenClaw configuration files containing API keys, authentication tokens, and other sensitive secrets. This marks the first known instance of such attacks targeting the popular AI assistant framework. The stolen data includes configuration details, authentication tokens, and persistent memory files, which could enable full compromise of the victim's digital identity. The malware, identified as a variant of the Vidar infostealer, executed a broad file-stealing routine that scanned for sensitive keywords. Researchers predict increased targeting of OpenClaw as it becomes more integrated into professional workflows. Additionally, security issues with OpenClaw have prompted the maintainers to partner with VirusTotal to scan for malicious skills uploaded to ClawHub, establish a threat model, and add the ability to audit for potential misconfigurations.