Detecting the Klue supply chain attack in Salesforce instances

Published 22/06/2026 22:21

Essential information

Published: 22/06/2026 22:21
Modified:
Source / Author: AlienVault
Confidence: 100/100
Report type(s): threat-report
Labels / Tags: crm data theft extortion campaign klue compromise oauth abuse salesforce supply chain attack
Related entities: 3 indicators, 3 observables, 1 intrusion sets (apt), 13 techniques (mitre)

Description

On June 11, 2026, the Icarus threat group compromised the backend systems of Klue, a market intelligence platform used by hundreds of enterprises to sync competitive battlecard data with CRM environments. The attackers exploited a dormant credential from an abandoned prototype integration to harvest OAuth tokens for and Gong. Using Python scripts to make automated API calls, the group exfiltrated CRM data, including business contacts, price quotes, and sales communications, from multiple customer organizations. Klue detected the anomalous activity on June 12 and revoked OAuth credentials on June 13. The attackers then launched an extortion campaign starting June 16, demanding that victims contact them via Session Messenger within 48 hours.

External references