
Vercel Breach Analysis: Third-Party AI Supply Chain Attack via Compromised Context.ai

Security Arsenal Team
April 21, 2026

Vercel recently disclosed a security breach stemming from a compromised third-party AI tool, Context.ai. This incident highlights a critical and rapidly expanding attack vector: the software supply chain via AI integrations. Attackers did not exploit a zero-day in Vercel's infrastructure; instead, they compromised a tool used by an employee, hijacked the associated OAuth token, and leveraged that trust to access internal Vercel environments.

For defenders, this serves as a stark warning. Your perimeter is no longer defined by your firewall or VPN, but by the ecosystem of SaaS applications your employees authorize. When an AI tool or third-party service is breached, your organization becomes a downstream casualty. Immediate action is required to audit OAuth permissions and verify the integrity of third-party access.

Technical Analysis

  • Affected Products/Platforms: Google Workspace (OAuth token theft), Vercel (Internal Environments), Context.ai (Third-party AI service).
  • Attack Vector: Supply Chain Compromise / OAuth Token Theft.
  • Attack Chain:
    1. Initial Compromise: Attackers breach Context.ai (specific mechanism undisclosed, but resulted in account exposure).
    2. Token Access: The attackers leveraged their access to Context.ai to obtain the authentication tokens (OAuth session) of a Vercel employee who had linked their Google Workspace account to the service.
    3. Lateral Movement: Using the stolen Google Workspace session, the attackers authenticated as the employee.
    4. Objectives: Access to limited internal Vercel systems and non-sensitive data.
  • Exploitation Status: Confirmed Active Exploitation. This is not theoretical; Vercel has confirmed the breach occurred via this mechanism.
  • Risk Assessment: High. While non-sensitive data was accessed in this instance, the methodology—hijacking third-party SaaS tokens to bypass MFA and access internal resources—represents a significant failure in Zero Trust architecture implementation regarding external vendors.

Detection & Response

Detecting this type of attack requires visibility into SaaS-to-SaaS interactions (OAuth logs) and monitoring for anomalous network traffic to third-party AI vendors.

SIGMA Rules

The following rules target the network activity associated with accessing the compromised third-party service and suspicious process spawning often associated with account takeover follow-on activities.

YAML
---
title: Potential Connection to Compromised AI Vendor Context.ai
id: 3c8f7d21-9a4e-4f1b-b8c0-1e2d3a4b5c6f
status: experimental
description: Detects network connections to Context.ai domains, which may be associated with a compromised third-party tool or unauthorized data exfiltration. 
references:
  - https://securityaffairs.com/191031/data-breach/third-party-ai-hack-triggers-vercel-breach-internal-environments-accessed.html
author: Security Arsenal
date: 2025/02/03
tags:
  - attack.initial_access
  - attack.t1078
logsource:
  category: network_connection
  product: windows
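detection:
  # Match the apex domains and their subdomains only; a plain substring match
  # would also fire on unrelated hostnames that merely contain these strings
  selection_exact:
    DestinationHostname:
      - 'context.ai'
      - 'ctx.ai'
  selection_subdomain:
    DestinationHostname|endswith:
      - '.context.ai'
      - '.ctx.ai'
  condition: 1 of selection_*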
falsepositives:
  - Legitimate use of Context.ai by authorized personnel
level: medium
---
title: Suspicious PowerShell or CMD Spawn from Browser Process
id: 5e1f9b88-7d2e-4a5c-9f1a-2b3c4d5e6f7a
status: experimental
description: Detects PowerShell or CMD spawned by a browser process. This may indicate an attacker who has gained session access via OAuth attempting to move laterally or execute commands on the endpoint.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2025/02/03
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative troubleshooting or DevOps workflows
  - Browser native messaging hosts, which Chrome and Edge launch through cmd.exe
level: high

KQL (Microsoft Sentinel)

This query hunts for devices communicating with the Context.ai environment. The query itself applies no allow-list, so add any similar high-risk AI vendors that have not been approved to RiskDomains to surface potential shadow IT or unauthorized usage.

KQL — Microsoft Sentinel / Defender
// Hunt for connections to Context.ai or related AI SaaS endpoints
let RiskDomains = dynamic(["context.ai", "ctx.ai"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (RiskDomains)
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, ActionType
| summarize Count = count() by DeviceName, InitiatingProcessAccountName, RemoteUrl
| order by Count desc

Velociraptor VQL

This artifact hunts for browser history entries connecting to Context.ai, identifying users who may have utilized the compromised service.

VQL — Velociraptor
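-- Hunt for Chrome history entries related to Context.ai
-- Uses the built-in Windows.Applications.Chrome.History artifact; confirm the
-- visited_url column name against the artifact version deployed on your server
SELECT *
FROM Artifact.Windows.Applications.Chrome.History()
WHERE visited_url =~ 'context[.]ai'
-- Note: Use the equivalent history artifact for Firefox, Edge or other browsers based on environment standards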

Remediation Script (PowerShell)

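This script assists in the immediate containment of an endpoint potentially affected by OAuth token theft. It clears the browser cache and local storage data (where tokens often reside) and checks for suspicious scheduled tasks established for persistence. Clearing local browser data does not invalidate tokens that have already been issued; those must be revoked in Google Workspace as described under Remediation.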

PowerShell
# Incident Response Script: Clean Browser Sessions and Check for Persistence
# Run as Administrator
# Note: $env:LOCALAPPDATA and $env:APPDATA resolve to the profile of the account
# running the script, so run it in the affected user's context.

Write-Host "[+] Initiating containment for potential OAuth token theft..." -ForegroundColor Cyan

# 1. Clear Chrome Cache (Token storage)
$chromePaths = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data",
    "$env:APPDATA\Google\Chrome\User Data"
)

Write-Host "[*] Stopping Chrome processes..."
Stop-Process -Name chrome -Force -ErrorAction SilentlyContinue

foreach ($path in $chromePaths) {
    if (Test-Path $path) {
        Write-Host "[*] Clearing cache at $path..."
        # The wildcard matches each profile directory (Default, Profile 1, ...)
        foreach ($folder in 'Cache', 'Code Cache', 'Local Storage') {
            Remove-Item -Path "$path\*\$folder" -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

Write-Host "[*] Clearing Edge Cache..."
Stop-Process -Name msedge -Force -ErrorAction SilentlyContinue
$edgePaths = @(
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data",
    "$env:APPDATA\Microsoft\Edge\User Data"
)
foreach ($path in $edgePaths) {
    if (Test-Path $path) {
        foreach ($folder in 'Cache', 'Code Cache') {
            Remove-Item -Path "$path\*\$folder" -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

# 2. Hunt for Suspicious Scheduled Tasks (Persistence)
Write-Host "[*] Checking for suspicious scheduled tasks created in the last 24 hours..."
$cutoff = (Get-Date).AddDays(-1)
$suspiciousTasks = Get-ScheduledTask | Where-Object {
    # Date holds the registration time as a string and is empty for many tasks,
    # so parse it before comparing instead of comparing a string to a DateTime
    $registered = [datetime]::MinValue
    [datetime]::TryParse($_.Date, [ref]$registered) -and $registered -gt $cutoff
}

if ($suspiciousTasks) {
    Write-Host "[!] Warning: Found recently created tasks:" -ForegroundColor Yellow
    # The task object exposes its actions as the Actions collection
    $suspiciousTasks |
        Select-Object TaskName, Date, Author,
            @{ Name = 'Actions'; Expression = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
        Format-Table -AutoSize
} else {
    Write-Host "[+] No suspicious tasks found." -ForegroundColor Green
}

Write-Host "[+] Remediation script completed. Force a password reset for the associated user account in Google Workspace." -ForegroundColor Green

Remediation

  1. Revoke Third-Party Access: Immediately access the Google Workspace Admin Console. Navigate to Security > API controls > Domain-wide delegation or Apps > Web and mobile apps to audit and revoke tokens for Context.ai and any other non-approved AI/SaaS tools.
  2. User Account Compromise Response: Treat the affected employee's Google Workspace account as fully compromised. Force a password reset, revoke all existing session tokens, and require re-registration of MFA factors.
  3. Rotate Internal Secrets: Even though Vercel reported "non-sensitive" data, attackers accessed internal environments. Rotate all API keys, database credentials, and deployment secrets that were accessible within the breached Vercel environment scope.
  4. Vendor Risk Assessment: Review the security posture of all third-party AI tools integrated with your corporate identity providers (IdP). Block access to Context.ai via IdP allow-list policies until a full post-mortem is published.
  5. Implement "App Governance": Deploy policies that require admin approval for any new OAuth application grant. Employees should not be able to blindly authorize third-party apps to read/write data or access scopes.
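
The OAuth-log visibility called for under Detection & Response and the grant audit in Remediation steps 1 and 5 can be combined into one check. The following is an added example, not part of the original article: it reads token audit events and reports grants to non-approved apps that have not been revoked since. The record layout is assumed to follow the Google Admin SDK Reports API token audit log; the users, client IDs, app names and allow-list are constructed.

```python
# Added example: flag live OAuth grants to apps that are not on an allow-list.
# All users, client IDs, app names and the allow-list below are constructed.
APPROVED_CLIENT_IDS = {"1111-approved.apps.googleusercontent.com"}  # hypothetical
SENSITIVE_PREFIXES = (  # scope prefixes giving broad mail, file or admin access
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin",
)

def _event(user, when, name, client_id, app, scopes):
    """Build one constructed activity record in the Reports API layout."""
    return {"id": {"time": when}, "actor": {"email": user},
            "events": [{"name": name, "parameters": [
                {"name": "client_id", "value": client_id},
                {"name": "app_name", "value": app},
                {"name": "scope", "multiValue": scopes}]}]}

UNKNOWN = "2222-unknown.apps.googleusercontent.com"
SAMPLE = [
    _event("alice@example.com", "2026-04-01T09:00:00Z", "authorize", UNKNOWN,
           "ExampleAI Notes", ["openid", "https://www.googleapis.com/auth/drive"]),
    _event("bob@example.com", "2026-04-02T10:00:00Z", "authorize", UNKNOWN,
           "ExampleAI Notes", ["https://mail.google.com/"]),
    _event("bob@example.com", "2026-04-03T10:00:00Z", "revoke", UNKNOWN,
           "ExampleAI Notes", []),
    _event("carol@example.com", "2026-04-04T11:00:00Z", "authorize",
           "1111-approved.apps.googleusercontent.com", "Approved CRM",
           ["https://www.googleapis.com/auth/drive"]),
    _event("dave@example.com", "2026-04-05T12:00:00Z", "authorize",
           "3333-other.apps.googleusercontent.com", "ExampleAI Chat", ["openid"]),
]

def risky_grants(activities, approved=APPROVED_CLIENT_IDS):
    """Return grants to unapproved clients that have not been revoked since."""
    latest = {}  # (user, client_id) -> (event name, parameters) of newest event
    for act in sorted(activities, key=lambda a: a["id"]["time"]):
        for ev in act.get("events", []):
            if ev["name"] in ("authorize", "revoke"):
                p = {x["name"]: x.get("multiValue", x.get("value"))
                     for x in ev.get("parameters", [])}
                latest[(act["actor"]["email"], p.get("client_id"))] = (ev["name"], p)
    findings = []
    for (user, client_id), (name, p) in latest.items():
        if name == "authorize" and client_id not in approved:
            hits = [s for s in p.get("scope") or [] if s.startswith(SENSITIVE_PREFIXES)]
            findings.append({"user": user, "app": p.get("app_name"), "client_id": client_id,
                             "sensitive_scopes": hits, "severity": "high" if hits else "review"})
    return findings
```

On the constructed sample, `risky_grants(SAMPLE)` reports alice's grant as high severity and dave's as review, and skips bob (revoked) and carol (approved client).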
