Hudson Rock found that a recent Lumma stealer infection on an employee of Context.ai, a third‑party vendor, triggered by downloading Roblox “auto‑farm” scripts, likely provided the initial access that enabled the Vercel breach. Compromised Google Workspace, Supabase, Datadog, Authkit, and Vercel admin credentials were reportedly used or sold by ShinyHunters, underscoring that rapid detection and revocation of infostealer‑exposed credentials could have prevented the supply‑chain escalation. #Lumma #ShinyHunters
Keypoints
- Hudson Rock traces the Vercel breach to a Lumma stealer infection of a Context.ai vendor employee.
- Browser history shows the user downloaded Roblox “auto‑farm” scripts, a known vector for Lumma deployments.
- Harvested credentials included Google Workspace, Supabase, Datadog, Authkit, and Vercel administrative access.
- ShinyHunters likely leveraged the compromised access to pivot into Vercel and advertise the stolen data.
- Immediate detection and revocation of exposed credentials, together with the 60‑second OAuth Client ID audit that Hudson Rock provides, could have prevented the supply‑chain escalation.