# Vercel breach traced to Roblox cheats and OAuth overreach

> A four-hop supply chain attack started with a vendor employee downloading Roblox cheat malware and ended with Vercel environment variables exposed.

Published: 2026-04-22
URL: https://daniliants.com/insights/vercel-breach-roblox-cheats-oauth-supply-chain/
Tags: security, oauth, supply-chain-attack, credential-theft, malware, third-party-integrations, saas-risk, vercel

---

## Summary

Vercel suffered a breach traced back to a single employee at a third-party AI tool vendor (Context AI) who downloaded Roblox cheat scripts infected with credential-stealing malware. The stolen credentials enabled attackers to harvest OAuth tokens for Context AI customers, including a Vercel employee who had granted broad Google Workspace permissions. The breach exposed environment variables for all Vercel customers whose secrets were not explicitly marked sensitive.

## Key Insight

- **Attack chain length:** 4 hops from game cheat download to the breach of a multi-billion-dollar hosting platform, with each link being a trusted integration or permission
- **The real vulnerability:** OAuth "allow all" prompts. A single click by one employee at a vendor granted attackers a path into an enterprise Google Workspace and from there into internal systems
- **Affected scope:** stolen data being sold on hacker forums for $2 million; Vercel told all customers to rotate any environment variable not explicitly marked sensitive
- **Response gap:** Context AI detected the breach internally and contained it without public disclosure, so downstream companies had no chance to act until damage was done
- **Second-order risk:** every "Sign in with Google" or OAuth connection is a potential attack vector if that third-party vendor gets compromised, not just if your own systems do
- **Remediation available now:** Google account security settings list all connected third-party apps; unused connections can be revoked at any time
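
For a whole Workspace domain, the same review of connected apps can be scripted. The sketch below is an added example, not code from the original article or from any of the companies named. It assumes grant records exported in the shape of the Admin SDK Directory API `tokens` resource (`clientId`, `displayText`, `userKey`, `scopes`); the sample records, the approved-app list and the choice of which scopes count as broad are constructed for illustration.

```python
from collections import defaultdict

# Scopes treated as "broad" here: an illustrative selection, not a complete list.
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/drive": "all Drive files",
    "https://www.googleapis.com/auth/admin.directory.user": "manage Workspace users",
    "https://www.googleapis.com/auth/cloud-platform": "all Google Cloud resources",
}

# Constructed sample grants; client IDs, app names and user keys are placeholders.
SAMPLE_TOKENS = [
    {"clientId": "111.apps.example", "displayText": "Notes Assistant", "userKey": "alice",
     "scopes": ["openid", "email", "https://mail.google.com/",
                "https://www.googleapis.com/auth/drive"]},
    {"clientId": "111.apps.example", "displayText": "Notes Assistant", "userKey": "bob",
     "scopes": ["openid", "https://www.googleapis.com/auth/drive"]},
    {"clientId": "222.apps.example", "displayText": "Calendar Widget", "userKey": "alice",
     "scopes": ["openid", "email", "https://www.googleapis.com/auth/calendar.readonly"]},
    {"clientId": "333.apps.example", "displayText": "Backup Tool", "userKey": "carol",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
]

def audit_grants(tokens, approved_client_ids=frozenset()):
    """Group grants by app and return the apps that hold any broad scope.

    Unapproved apps sort first, then by number of broad scopes and affected users.
    """
    apps = defaultdict(lambda: {"name": "", "users": set(), "broad": set()})
    for t in tokens:
        hits = set(t.get("scopes", [])) & BROAD_SCOPES.keys()
        if not hits:
            continue  # identity-only or narrow grants are not reported
        app = apps[t["clientId"]]
        app["name"] = t.get("displayText", "")
        app["users"].add(t["userKey"])
        app["broad"] |= hits
    findings = [
        {"clientId": cid, "name": a["name"], "users": sorted(a["users"]),
         "broad_scopes": sorted(a["broad"]), "approved": cid in approved_client_ids}
        for cid, a in apps.items()
    ]
    findings.sort(key=lambda f: (f["approved"], -len(f["broad_scopes"]), -len(f["users"])))
    return findings

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_TOKENS, approved_client_ids={"333.apps.example"}):
        status = "approved" if f["approved"] else "REVIEW"
        why = ", ".join(BROAD_SCOPES[s] for s in f["broad_scopes"])
        print(f"[{status}] {f['name']} ({f['clientId']}): {len(f['users'])} user(s); {why}")
```

Apps at the top of the output are the first candidates for revocation or for a narrower scope request.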