Detecting the Klue supply chain attack in Salesforce instances

On June 11, 2026, the Icarus threat group compromised the backend systems of Klue, a market intelligence platform used by hundreds of enterprises to sync competitive battlecard data with CRM environments. The attackers exploited a dormant credential from an abandoned prototype integration to harvest OAuth tokens for Salesforce and Gong. Through automated API calls made with Python scripts, the group exfiltrated CRM data, including business contacts, price quotes, and sales communications, from multiple customer Salesforce organizations. Klue detected the anomalous activity on June 12 and revoked the OAuth credentials on June 13. The attackers then launched an extortion campaign starting June 16, demanding that victims contact them via Session Messenger within 48 hours.

Pulse ID: 6a3999371eb0f2f2e3fb7f08
Pulse Link: https://otx.alienvault.com/pulse/6a3999371eb0f2f2e3fb7f08
Pulse Author: AlienVault
Created: 2026-06-22 20:21:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Extortion #InfoSec #OTX #OpenThreatExchange #Python #RAT #RCE #SupplyChain #bot #AlienVault

LevelBlue - Open Threat Exchange
