The New Grok Times

The news. The narrative. The timeline.

Technology

Context AI Update Pushes the Token Theft Window Back to February

The OAuth tokens that ended up inside Vercel's Google Workspace were stolen in February 2026, not in March. That is the durable fact in Context AI's April 21 security update, which the company's own page now confirms: a Lumma Stealer infection on a Context AI employee laptop in February exposed Google Workspace, Supabase, Datadog, and Authkit credentials, and the attacker used those credentials in March to reach Context AI's AWS environment and exfiltrate customer OAuth tokens. [1] The OAuth path was not identified until Vercel's investigation in mid-April. [2]

Yesterday the paper described the OAuth route as procurement's warning label. Today the warning has a number on it: eight weeks between the first compromise and the first downstream victim's disclosure.

That window is the technology story this week, not the breach itself. Vercel CEO Guillermo Rauch posted on X on April 19 that "a Vercel employee got compromised via the breach of an AI platform customer called Context.ai that he was using," and he attributed the attacker's velocity to AI augmentation. [3] What he did not say, because Vercel did not yet know it, was that the tokens had been usable since February.

Trend Micro's reconstruction places the originating Lumma Stealer infection in February 2026, reportedly after the Context AI employee downloaded Roblox auto-farm scripts to a work laptop. [2] By March, the attacker was inside Context AI's AWS environment and had OAuth tokens for an unknown number of consumer customers of Context AI's AI Office Suite. One of those customers, by way of an enterprise Google Workspace account a Vercel employee had connected to the consumer app, was Vercel. [4] Context AI's own update says it detected and stopped the AWS intrusion in March but did not identify the OAuth token exfiltration until Vercel's investigation made it visible. [1]

Eight weeks is the procurement number. It is also the number that distinguishes a vendor incident from a vendor pattern. A platform whose customer-token exfiltration goes undetected for two months is doing a different job, from the buyer's seat, than a platform that catches it in two hours. The threat actor calling itself ShinyHunters is asking roughly $2 million on BreachForums for what the dwell time produced — API keys, npm and GitHub tokens, partial source code, and 580 employee records. [5]

The OAuth grant itself is the structural problem. A Vercel employee signed up for the consumer Context AI Office Suite using a Vercel enterprise Google Workspace account and granted "Allow All" permissions; Vercel's internal OAuth configuration permitted the broad grant; Google removed the relevant Chrome extension on March 27 without external notice, according to Help Net Security's reporting. [4] The token's life cycle ran from February through April 19 inside that grant.

The paper's earlier piece argued that an OAuth token granted to a third-party app sits outside most organizations' detection scope. [6] Context AI's update is the artifact that converts that argument into a calendar. CrowdStrike apparently did not flag the OAuth tokens as part of its investigation scope at Context AI; the tokens did not produce login events; they did not trigger MFA; they were used as designed. [4]

For Vercel customers, the operational answer Rauch gave on April 19 — rotate keys, treat every environment variable as potentially exposed, use the new sensitive-by-default toggle — is what Wednesday looks like. For everyone else who routes a Google Workspace OAuth grant to a small AI vendor, the question Context AI's own page now poses is the harder one: how would they know if their tokens were live for eight weeks?
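The question in the previous paragraph has a tenant-side answer: a periodic audit of the third-party OAuth grants that users have attached to Workspace accounts, scored on scope breadth, publisher verification and, above all, how long the grant has been standing. The script below is an added example, not code from the article or from any company it names. It assumes the grants have already been exported from the admin console or Admin SDK into the fields shown (user, app name, client id, scopes, grant time, last use, verification flag); the field names, the broad-scope list, the 30-day threshold and the three sample records are all constructed for illustration.

```python
"""Audit third-party OAuth grants for two properties the Context AI incident
turned on: broad scope bundles and grants that have stood far longer than
anyone's detection window. Added example; all records here are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Tuple

# Scopes that give an app standing access to mail, files or the directory.
# Assumed policy list for this example; tune it to the tenant's own rules.
BROAD_SCOPES = frozenset({
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
})


@dataclass(frozen=True)
class Grant:
    """One OAuth grant as an admin would export it (field names assumed)."""
    user: str
    app_name: str
    client_id: str
    scopes: FrozenSet[str]
    granted_at: datetime
    last_used_at: Optional[datetime]
    verified_app: bool


@dataclass(frozen=True)
class Finding:
    user: str
    app_name: str
    age_days: int
    reasons: Tuple[str, ...]


def audit_grants(grants: List[Grant], now: datetime, max_age_days: int = 30) -> List[Finding]:
    """Return one Finding per grant that needs review.

    A grant is flagged if it carries any broad scope, if the app is not a
    verified publisher, or if it has stood longer than max_age_days. A
    standing grant produces no login event and no MFA prompt, so its age
    is the one number the tenant itself controls.
    """
    findings = []
    for g in grants:
        reasons = []
        broad = sorted(g.scopes & BROAD_SCOPES)
        if broad:
            reasons.append("broad scopes: " + ", ".join(broad))
        if not g.verified_app:
            reasons.append("unverified third-party app")
        age_days = (now - g.granted_at).days
        if age_days > max_age_days:
            used = ("never used" if g.last_used_at is None
                    else f"last used {(now - g.last_used_at).days}d ago")
            reasons.append(f"standing grant {age_days}d old ({used}); re-consent or revoke")
        if reasons:
            findings.append(Finding(g.user, g.app_name, age_days, tuple(reasons)))
    return findings


# Constructed sample records; a fixed 'now' keeps the ages deterministic.
NOW = datetime(2026, 4, 21, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("alice@example.com", "AI office suite (consumer)", "client-id-constructed-1",
          frozenset({"https://mail.google.com/", "https://www.googleapis.com/auth/drive"}),
          NOW - timedelta(days=60), NOW - timedelta(days=2), verified_app=False),
    Grant("bob@example.com", "Calendar sync", "client-id-constructed-2",
          frozenset({"https://www.googleapis.com/auth/calendar.readonly"}),
          NOW - timedelta(days=10), NOW - timedelta(days=1), verified_app=True),
    Grant("carol@example.com", "Old CRM connector", "client-id-constructed-3",
          frozenset({"https://www.googleapis.com/auth/contacts.readonly"}),
          NOW - timedelta(days=400), None, verified_app=True),
]

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, NOW):
        print(f"{f.user} -> {f.app_name} ({f.age_days}d old):")
        for r in f.reasons:
            print("   -", r)
```

Run against the constructed records, the first grant is flagged on all three counts (broad mail and Drive scopes, unverified app, sixty days standing with recent use), the calendar grant passes, and the dormant connector is flagged only for age. The age check is the one that would have surfaced an eight-week-old token whether or not anyone downstream had noticed a breach.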

-- DAVID CHEN, Beijing

Sources & X Posts

News Sources
[1] https://context.ai/security-update
[2] https://www.trendmicro.com/en/research/26/d/vercel-breach-oauth-supply-chain.html
[3] https://piunikaweb.com/2026/04/20/vercel-ceo-blames-ai-for-accelerating-internal-data-breach/
[4] https://www.helpnetsecurity.com/2026/04/20/vercel-breached/
[5] https://itecsonline.com/post/vercel-context-ai-breach-oauth-supply-chain-attack
[6] https://vercel.com/kb/bulletin/vercel-april-2026-security-incident
X Posts
[7] A Vercel employee got compromised via the breach of an AI platform customer called Context.ai that he was using. https://x.com/rauchg/status/2045995362499076169
