Vercel identifies more accounts 'with evidence of prior compromise' exposed during security incident

Cloud development platform Vercel has expanded its breach investigation after discovering that more customer accounts were compromised than initially reported following a security incident involving third-party AI tools.

Key Points

  • Vercel confirmed that attackers gained unauthorized access to internal environments and non-sensitive environment variables through a compromised employee Google Workspace account.
  • Security researchers at Hudson Rock linked the initial entry point to a Context.ai account infected with Lumma Stealer malware in February 2026.
  • The company identified additional compromised accounts, some of which were linked to separate social engineering or malware incidents predating the primary breach.
  • A dark web actor attempted to sell stolen Vercel data while falsely claiming affiliation with the hacking group ShinyHunters.
  • CEO Guillermo Rauch stated that threat actors are actively distributing malware to harvest authentication tokens and access keys for various cloud service providers.

Why it Matters

This incident highlights the significant security risks posed by employees using third-party AI tools that can serve as vectors for credential theft. It underscores the necessity for businesses to implement stricter access controls and monitor for malware that targets session tokens and environment variables.
TechRadar Published by Sead Fadilpašić