supplychainattack.org · Supply chain attack incident catalog
active · high

Context.ai OAuth Token Compromise

Context.ai OAuth tokens were compromised, allowing attackers to conduct supply chain attacks through trusted SaaS integrations. Details on scope, timeline, and remediation steps are not provided in the source text.

Disclosed: April 20, 2026
Last updated: June 7, 2026
Blast radius: Unknown; depends on scope of OAuth token misuse and number of affected organizations using Context.ai integrations
Ecosystems
Attack vectors
Affected entities
  • Context.ai: OAuth tokens compromised; SaaS vendor

Context.ai, a SaaS vendor, experienced a compromise of OAuth tokens that were leveraged by attackers to perform supply chain attacks. The compromised tokens enabled unauthorized access through trusted integrations, potentially affecting any organization that relies on Context.ai for workflow or build automation.

The source indicates this is a supply chain attack vector via SaaS integration compromise, but the publicly available summary does not specify the incident date, number of affected tokens, scope of downstream impact, or technical remediation details.

Organizations using Context.ai integrations should assess their exposure and implement risk mitigation measures. The full technical details and remediation guidance are referenced in the source blog post.

Remediation

  • Review and audit all OAuth token usage and permissions associated with Context.ai integrations
  • Revoke compromised OAuth tokens immediately
  • Rotate credentials and review access logs for unauthorized activity
  • Implement additional authentication controls and monitoring on SaaS integrations
  • Follow guidance published by Context.ai and Wiz on remediation steps

Sources

  1. Context.ai OAuth Token Compromise · Wiz

Cite this entry

"Context.ai OAuth Token Compromise." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed April 20, 2026; last updated June 7, 2026. https://supplychainattack.org/incident/context-ai-oauth-token-compromise-1h8o51

  1. contained · critical

    Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Rewritten to Steal CI Secrets

    On May 22, 2026, an attacker with push access to the Laravel-Lang GitHub organization rewrote git tags across multiple Composer packages to distribute malicious payloads that exfiltrate CI secrets. The attack affected laravel-lang/http-statuses, laravel-lang/actions, and laravel-lang/attributes, targeting developers who ran composer update or fresh installations.

    Other · Account takeover · Malicious commit
  2. active · critical

    Shai-Hulud: Here We Go Again. Mass npm Supply Chain Attack Hits the AntV Ecosystem

    A new wave of the Mini Shai-Hulud worm has compromised multiple npm packages across Alibaba's AntV data visualization ecosystem, including echarts-for-react and timeago.js. Stolen CI/CD secrets are being exfiltrated and dumped to thousands of public GitHub repositories as the attack spreads.

    npm · Other · Compromised package · Account takeover
  3. active · critical

    The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave

    TeamPCP conducted a multi-ecosystem supply chain compromise targeting the @antv package and associated development infrastructure. The attack leveraged GitHub, NPM, and VSCode to steal credentials and establish persistence mechanisms.

    npm · Other · Account takeover · Compromised package · Malicious maintainer
  4. active · critical

    Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 Hijacked — 361,000 Weekly Downloads, AWS, GCP, and Azure Credentials Now in Scope

    The Shai-Hulud worm has hijacked intercom-client@7.0.4 (361,510 weekly downloads) via a compromised GitHub Actions OIDC publishing pipeline, 29 hours after compromising mbt@1.2.48 and @cap-js/sqlite@2.2.2. The worm is actively propagating through CI/CD infrastructure stolen from earlier victims, targeting multi-cloud credentials (AWS, GCP, Azure).

    npm · Other · Compromised package · Build-system compromise · Account takeover