The “Klue” supply chain attack, regarded as one of the most significant cybersecurity incidents of 2026, has resulted in the compromise of data belonging to leading cybersecurity and technology companies through a third-party platform.
The threat actor known as “Icarus” reportedly gained access to the infrastructure of “Klue”, a market intelligence and competitive enablement platform and abused integrations established between the platform and various Software-as-a-Service (SaaS) applications used by its customers. The attack has been confirmed to have resulted in unauthorized access to data stored within the Salesforce environments of multiple organizations, further highlighting the scale and potential impact of the incident.
According to available information, the attack began on June 11–12 with the compromise of a legacy credential associated with an integration account that had remained active for an extended period. Leveraging this access, the threat actor deployed a malicious code update designed to harvest OAuth tokens associated with customer integrations between “Klue” and services such as Salesforce, HubSpot, Gong, SharePoint, Zoom, Slack and Google Drive. This stage proved to be a critical factor in facilitating the subsequent phases of the attack.
Using the stolen OAuth tokens, the attackers were able to connect directly to customer Salesforce environments and conduct large-scale data exports through automated scripts. As a result, the threat actor did not need to compromise each victim organization individually. Instead, the attackers exploited the trust relationships already established with the “Klue” platform, enabling simultaneous access to the data of multiple organizations and underscoring the far-reaching risks associated with supply chain attacks.
Organizations confirmed as affected by the incident include HackerOne, Huntress, Recorded Future, Snyk, LastPass, Tanium, Jamf, OneTrust, BeyondTrust, Gong, Pendo, Sprout Social, Blackbaud, Deel, Camunda, Cresta, Lucanet, Link11, Tines and several others. Information published in open sources indicates that the number of affected organizations is approaching twenty.
Investigations indicate that the compromised data primarily consisted of business information stored within Customer Relationship Management (CRM) systems. This includes customer contact information, contract details, commercial proposals, sales activities, renewal schedules and other corporate records. CRM data belonging to cybersecurity companies is of particular strategic value to threat actors, as it can provide intelligence regarding potential targets, deployed security solutions and the overall security posture of organizations.
The incident once again demonstrates that organizational risk extends beyond internal infrastructures. Third-party SaaS platforms, integration services and long-lived OAuth tokens have become increasingly attractive targets for cybercriminals seeking to gain simultaneous access to multiple organizations. Similar to the large-scale Snowflake-related incidents and other major breaches observed in recent years, the “Klue” incident highlights the growing threat posed by supply chain attacks and reinforces the importance of strengthening security controls across interconnected digital ecosystems.
References:
© 2011-2026 All rights reserved