Vercel & Context AI Breach: SaaS Supply Chain Attack and Google Workspace Takeover

Vercel, a prominent web infrastructure provider, recently disclosed a security breach stemming from a compromise at Context.ai, a third-party AI tool. The attacker leveraged the initial access at Context.ai to hijack a Vercel employee's Google Workspace account, subsequently gaining unauthorized access to internal Vercel systems. This incident highlights a critical and expanding attack surface: the trusted supply chain of SaaS and AI integrations.

For defenders, this is not just another phishing story. It is a supply-chain attack where a trusted third-party tool became the bridge for account takeover (ATO) and lateral movement into a core infrastructure provider. The exposure of customer credentials—though described as "limited"—demands immediate incident response actions to verify data integrity and audit the scope of third-party permissions.

Technical Analysis

Affected Products & Platforms:

• Vercel: Internal systems and customer data repositories.
• Google Workspace: The identity provider (IdP) for the compromised employee.
• Context.ai: Third-party AI platform (the initial attack vector).

Attack Chain Breakdown:

1. Initial Access: Context.ai was compromised. While the specific vulnerability (CVE) in Context.ai has not been publicly detailed in this report, the breach allowed unauthorized access to its systems.
2. Identity Compromise: The attacker utilized access within Context.ai to compromise the linked account of a Vercel employee. This likely involved session hijacking or OAuth token theft, given the seamless transition to the Google Workspace account.
3. Lateral Movement: With control of the employee's Google Workspace account, the attacker authenticated into internal Vercel systems.
4. Exfiltration/Impact: Internal systems were accessed, leading to the exposure of specific customer credentials.

Exploitation Status: Confirmed Active Exploitation.

The attack vector bypasses traditional email security filters, as the trust is established via a legitimate third-party application (Context.ai) that likely had OAuth scopes granted by the victim. This type of "SaaS-to-SaaS" attack is notoriously difficult to detect without proper Cloud Access Security Broker (CASB) or Identity Threat Detection and Response (ITDR) logging.

Detection & Response

Detecting this type of supply-chain compromise requires correlating identity logs with network activity and endpoint behavior. We must look for anomalous access to Google Workspace, specifically focusing on "impossible travel" scenarios or access from unapproved third-party app contexts, and suspicious processes attempting to access browser session data on endpoints.

SIGMA Rules

---
title: Potential Google Workspace Account Takeover via Risky Third-Party App
id: 8c4d2e10-1a5f-4b9c-9e2d-3f4a5b6c7d8e
status: experimental
description: Detects successful sign-ins to Google Workspace originating from a risky IP address or via a specific third-party application context that may indicate a supply chain compromise. Note: Requires Cloud App Security or Syslog ingestion of GWS logs.
references:
  - https://attack.mitre.org/techniques/T1078/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.valid_accounts
  - attack.t1078
logsource:
  product: google_workspace
  category: login
detection:
  selection:
    event_type: login
    login_status: success
  filter_risk:
    is_suspicious|contains: 'true'
  filter_context:
    app_name|contains:
      - 'Context'
      - 'unknown'
  condition: selection and (filter_risk or filter_context)
falsepositives:
  - Legitimate login from new location by employee
  - Administrative testing of third-party tools
level: high
---
title: Suspicious Process Accessing Browser Credential Databases
description: Detects processes attempting to access Chrome or Edge user data folders, a common behavior in session hijacking and token theft following a supply chain compromise.
references:
  - https://attack.mitre.org/techniques/T1555/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.credential_access
  - attack.t1555.003
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Google\Chrome\User Data\Default\'
      - '\Microsoft\Edge\User Data\Default\'
      - '\Local Storage\leveldb'
  filter_legit:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
  condition: selection and not filter_legit
falsepositives:
  - Backup software accessing profile
  - Browser sync utilities
level: high

KQL (Microsoft Sentinel)

This hunt query checks for successful Google Workspace logins with specific risk indicators or from contexts that do not match your corporate footprint.

SigninLogs
| where ResultType == 0
| where AppDisplayName contains "Context" or RiskDetail == "riskDetail"
| project TimeGenerated, UserPrincipalName, AppDisplayName, DeviceDetail, Location, RiskLevelDuringSignIn, RiskDetail
| order by TimeGenerated desc

Velociraptor VQL

This artifact hunts for suspicious browser extensions on Windows endpoints. Since the vector was a web tool (Context.ai), malicious extensions are a common persistence mechanism used by attackers to maintain access to SaaS sessions.

-- Hunt for suspicious browser extensions in Chrome/Edge
SELECT FullPath, Mtime, Size,
       read_file(filename = FullPath + "\\manifest.") AS Manifest
FROM glob(globs="/*/*/Local/Google/Chrome/User Data/*/Extensions/*/manifest.")
WHERE Manifest =~ "permissions.*\*" 
   OR Manifest =~ "background"
LIMIT 50

Remediation Script

Use this PowerShell script to audit installed Chrome extensions on a target endpoint to identify any unauthorized add-ons that may be facilitating persistence or credential theft.

# Audit Chrome Extensions for Persistence Mechanisms
$ChromePaths = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data",
    "$env:APPDATA\Google\Chrome\User Data"
)

foreach ($Path in $ChromePaths) {
    if (Test-Path $Path) {
        $Extensions = Get-ChildItem -Path "$Path\*\Extensions" -ErrorAction SilentlyContinue
        foreach ($ExtFolder in $Extensions) {
            Get-ChildItem -Path $ExtFolder.FullName -Directory | ForEach-Object {
                $ManifestPath = "$($_.FullName)\manifest."
                if (Test-Path $ManifestPath) {
                    $Manifest = Get-Content $ManifestPath | ConvertFrom-Json
                    [PSCustomObject]@{
                        ExtensionID = $_.Name
                        Name = $Manifest.name
                        Version = $Manifest.version
                        Path = $_.FullName
                    }
                }
            }
        }
    }
}

Remediation

1. Revoke Third-Party Access: Immediately audit your Google Workspace "Apps with access to your account" or organizational API Console. Revoke all tokens associated with Context.ai until a security review is complete.
2. Credential Rotation: Force a password reset for the compromised employee and any other users who had access to the internal Vercel systems mentioned in the breach.
3. Session Termination: Terminate all active sessions for the affected user across Vercel and Google Workspace to disconnect the attacker immediately.
4. Review Access Logs: Conduct a retroactive hunt (minimum 30 days) on Google Workspace and Vercel audit logs to identify any data exfiltration or configuration changes made during the compromise window.
5. Update Supply Chain Policy: Update your vendor risk assessment policy to require immediate notification of breaches for any tool granted OAuth scopes that touch email or source code repositories.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub