Context.ai OAuth Token Compromise

On April 19, 2026 Vercel disclosed an incident in which an attacker used compromised OAuth tokens from Context.ai to access an employee’s Google Workspace and potentially downstream customer resources; Context.ai confirmed consumer OAuth tokens were likely compromised. The report frames this as a double supply‑chain OAuth compromise, provides a verified OAuth client ID IoC, investigative queries and remediation steps for Google Workspace, Entra ID, and Okta, and notes an unconfirmed report that an infostealer infection at Context.ai may have enabled the theft of OAuth credentials.