
The startup Context AI, which specializes in training artificial intelligence agents, found itself at the center of a large-scale security incident affecting the infrastructure of the popular hosting platform Vercel. As TechCrunch confirmed, the security certification Context AI had previously obtained was conducted by Delve, the compliance company now under scrutiny. Representatives of Context AI officially acknowledged their past cooperation with Delve but stated that they stopped using its services entirely after the media reports in March. The startup is currently undergoing re-certification, for which it engaged the independent auditing firm Insight Assurance, and it has migrated its compliance program to the Vanta platform.
The technical details of the incident show a classic compromise chain through third-party software and user inattention. The breach of Vercel's internal systems occurred after one of the company's employees downloaded an application developed by the Context AI team and connected it to their corporate Google account. The attackers used the access they obtained to that employee's account to penetrate Vercel's internal infrastructure and reach some customer data. The connection between Context AI and Delve in the context of this attack was first publicly disclosed by Gergely Orosz, author of the engineering newsletter The Pragmatic Engineer, and subsequently confirmed by the parties involved in the incident.
The current scandal is only the latest episode in a series of problems that have plagued the startup Delve over the past month. The crisis began after an anonymous whistleblower publicly accused the company of falsifying client data and of using so-called "assembly line" auditors in its compliance and certification processes. Although Delve's management vehemently rejected these accusations, the company's reputation suffered significantly, and the prestigious accelerator Y Combinator, of which the startup is an alumnus, decided to sever all ties with it. The situation was exacerbated by further accusations that Delve had appropriated someone else's open-source tool without proper attribution and licensing.
A security certificate is not in itself a guarantee against breaches, since such documents only attest that risk mitigation policies exist; nevertheless, Delve's clients have been hit by real attacks disturbingly often. Soon after the initial revelations, attackers compromised the startup LiteLLM by injecting malicious software into its open-source code, after which that project also stopped using Delve's services. Another former client, the code-writing platform Lovable, ended its cooperation with Delve back in late 2025 but recently admitted to a data breach of its own.
Amid a rapid client exodus and a loss of industry trust, new controversial details continue to emerge around the compliance startup. An anonymous whistleblower operating under the pseudonym DeepDelver published a new statement claiming that Delve refuses refunds to its clients. Meanwhile, according to documents provided to journalists, the company organized an offsite corporate event in Hawaii from April 15 to 19 for its team of more than 20 people. TechCrunch confirmed the authenticity of financial receipts that indirectly confirm the trip, but it could not verify the informant's other claims, and Delve's representatives declined to comment after the publication.