Between June 11 and June 24, 2026, a multi-stage supply chain attack targeted Klue, a competitive intelligence SaaS provider. A threat actor, identified as the new extortion group Icarus, exploited a legacy service account credential to gain access to Klue's backend. The attackers then deployed malicious code to harvest Salesforce OAuth tokens from Klue's customers. This allowed the threat actor to impersonate Klue and exfiltrate sensitive CRM data from nearly 200 downstream organizations, including a significant number of cybersecurity companies. The incident underscores the severe risks of interconnected SaaS platforms and the potential for a single compromised credential to have a cascading impact across an entire ecosystem. Klue has since contained the breach and engaged CrowdStrike for forensic investigation.
The attack began on June 11, 2026, when the Icarus group used a legacy credential for an abandoned but active integration service account to access Klue's systems. This initial foothold allowed them to push a malicious code update. This update was specifically designed to intercept and collect OAuth tokens that Klue's customers use to integrate the platform with third-party services, primarily Salesforce. Armed with these tokens, Icarus could make authorized API calls to the Salesforce environments of affected customers, exfiltrating valuable business contact and sales data. Klue detected anomalous activity on June 12, removed the malicious code on June 13, and Salesforce disabled the vulnerable integration on June 17. The list of victims includes high-profile tech and cybersecurity firms such as Huntress, Recorded Future, Tanium, Jamf, HackerOne, and Snyk. The situation was further complicated when Klue reported that a second, unidentified party hacked the Icarus group and began its own extortion campaign using the stolen data.
The attack chain demonstrates a sophisticated understanding of modern SaaS integration architecture.
T1078.004 - Cloud Accounts. The failure to decommission credentials for an abandoned service represents a critical security hygiene failure.T1505.002 - Server Software Component: Web Shell at a conceptual level, as they modified server-side application logic to perform malicious actions.T1528 - Steal Application Access Token.T1530 - Data from Cloud Storage Object and T1020 - Automated Exfiltration.The use of stolen OAuth tokens for data exfiltration is particularly insidious. It allows attackers to bypass traditional network-based security controls and makes their activity appear as legitimate application traffic, blending in with normal API calls between integrated services.
The business impact of this breach is substantial and multi-faceted:
No specific file hashes, IP addresses, or domains were mentioned in the source articles.
Security teams may want to hunt for the following patterns to detect similar supply chain attacks targeting SaaS integrations:
log_sourceApiTotalUsage events showing unusual spikes in API calls from a specific connected app, especially outside of business hours.log_sourcecommand_line_pattern"grant_type": "refresh_token"network_traffic_patternDetecting this type of attack requires a shift from perimeter-focused security to application and identity-centric monitoring.
Detection Strategies:
Response Actions:
Preventing similar supply chain attacks requires a proactive, defense-in-depth approach to SaaS security.
Immediate Actions:
Full access (full)). This is a form of D3FEND Application Configuration Hardening (D3-ACH).Strategic Improvements:
LastPass identified as an additional victim in the Klue supply chain attack, expanding the list of affected cybersecurity firms.
Implement strict lifecycle management for all accounts, especially service accounts, ensuring they are deactivated and credentials rotated or removed when no longer needed.
Enforce MFA on all user and service accounts to prevent unauthorized access even if credentials are compromised.
Regularly audit and monitor SaaS application logs, focusing on authentication events, permission changes, and API usage to detect anomalous activity.
Regularly review and apply the principle of least privilege to the permissions and scopes granted to third-party SaaS integrations.
Attackers exploit a legacy credential to gain initial access to Klue's backend systems.
Klue detects anomalous network activity related to the breach.
Klue removes the malicious token-stealing code and disables the compromised access.
The 'Icarus' group begins sending extortion emails to affected Klue customers.
Salesforce disables the Klue Battlecards integration as a precautionary measure.
Icarus lists Klue on its dark web leak site, threatening to publish stolen data.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.