The Icarus threat group conducted a supply chain attack by compromising Klue, a market intelligence platform that integrates with CRM systems like Salesforce. The attackers leveraged a dormant credential from an abandoned prototype integration to harvest OAuth tokens, enabling unauthorized API access to customer Salesforce and Gong data. Automated Python scripts facilitated the exfiltration of sensitive CRM data including business contacts, price quotes, and sales communications. Detection occurred within one day, and OAuth credentials were revoked promptly. Subsequently, the attackers launched an extortion campaign targeting affected organizations.

The attack resulted in unauthorized access and exfiltration of sensitive CRM data from multiple Salesforce organizations using compromised OAuth tokens. This includes business contacts, pricing information, and sales communications, potentially leading to competitive disadvantage, reputational damage, and financial loss. The attackers also initiated an extortion campaign leveraging the stolen data. No direct information on further exploitation or persistence is provided.

Klue detected the anomalous activity and revoked the compromised OAuth credentials within two days of the initial compromise. Organizations using Klue integrations should verify that no dormant or abandoned credentials exist and ensure OAuth tokens are rotated or revoked if suspicious activity is detected. Since this is a supply chain attack involving third-party integration, review and tighten access controls and monitor for unusual API activity. Patch status is not applicable as this is not a software vulnerability but a credential compromise. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.