Klue: SaaS supply chain compromise through long-lived OAuth tokens
ID: 5072529a-c2a5-585c-9289-5572e83c2ae9
STIX ID: report--5072529a-c2a5-585c-9289-5572e83c2ae9
Feed Name: ThreatLocker Blog
The report describes a June 12, 2026 SaaS supply-chain compromise of Klue in which attackers obtained legacy service-account credentials and deployed token-theft code to harvest long-lived OAuth tokens, giving them access to customer Salesforce instances and enabling automated exfiltration over the Salesforce REST API. The report links the incident to the prior Salesloft/Drift abuses, names the actors UNC6395 and ShinyHunters along with a newly identified actor called Icarus, lists IOCs (IPs, domains, Salesforce REST paths, user-agents, extortion phrases), and recommends revoking the stolen tokens, rotating service credentials, and tightening controls on integration access.
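The practical check this summary implies is a hunt over Salesforce API event data for the integration (service-account) user: calls from an IP outside the vendor connector's usual egress set, an unexpected user-agent, and /query volume well above the connector's hourly baseline, which is what automated REST exfiltration through a stolen long-lived token looks like. The block below is an added example, not code from the ThreatLocker report, Klue or Salesforce. The field names are only loosely modelled on Salesforce REST API event rows, and every IP, user-agent, path, user name and threshold is constructed for the example; none is an IOC from the report.

```python
"""Hunt for automated REST API exfiltration by a compromised SaaS integration.

Added example, not code from the ThreatLocker report or from Klue. Sample
rows are constructed to resemble Salesforce REST API events; field names,
IPs, user agents, paths and thresholds are assumptions, not report IOCs.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline for each integration (service-account) user: the
# egress IPs and user agent the vendor's connector normally presents, and a
# rough hourly ceiling on rows returned by /query. Assumed values only.
BASELINE = {
    "klue-integration@example.com": {
        "egress_ips": {"203.0.113.10"},
        "user_agents": {"KlueConnector/2.4"},
        "max_rows_per_hour": 2000,
    },
}

# Constructed sample rows (not real log data and not IOCs from the report).
EVENTS = [
    {"ts": "2026-06-12T01:00:00Z", "user": "klue-integration@example.com",
     "ip": "203.0.113.10", "ua": "KlueConnector/2.4",
     "uri": "/services/data/v60.0/query", "rows": 500},
    {"ts": "2026-06-12T01:20:00Z", "user": "klue-integration@example.com",
     "ip": "203.0.113.10", "ua": "KlueConnector/2.4",
     "uri": "/services/data/v60.0/query", "rows": 800},
    {"ts": "2026-06-12T03:05:00Z", "user": "klue-integration@example.com",
     "ip": "198.51.100.77", "ua": "python-requests/2.31",
     "uri": "/services/data/v60.0/query", "rows": 2000},
    {"ts": "2026-06-12T03:10:00Z", "user": "klue-integration@example.com",
     "ip": "198.51.100.77", "ua": "python-requests/2.31",
     "uri": "/services/data/v60.0/query", "rows": 2000},
    {"ts": "2026-06-12T03:15:00Z", "user": "klue-integration@example.com",
     "ip": "198.51.100.77", "ua": "python-requests/2.31",
     "uri": "/services/data/v60.0/sobjects/Account/001xx000003DGbX", "rows": 1},
    {"ts": "2026-06-12T03:16:00Z", "user": "rep@example.com",
     "ip": "192.0.2.5", "ua": "Mozilla/5.0",
     "uri": "/services/data/v60.0/query", "rows": 50},
]


def _hour_bucket(ts):
    """Truncate an ISO-8601 UTC timestamp to the hour it falls in."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return t.strftime("%Y-%m-%dT%H:00Z")


def hunt(events, baseline):
    """Return sorted, de-duplicated findings for profiled integration users.

    Three checks matching the report's IOC categories: a source IP outside
    the connector's known egress set, an unexpected user agent, and /query
    volume above the hourly baseline (the bulk pull that precedes exfil).
    """
    findings = set()
    rows_per_hour = defaultdict(int)
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            continue  # only service accounts are profiled here
        if e["ip"] not in b["egress_ips"]:
            findings.add((e["user"], "new_source_ip", e["ip"]))
        if e["ua"] not in b["user_agents"]:
            findings.add((e["user"], "new_user_agent", e["ua"]))
        if e["uri"].endswith("/query"):
            rows_per_hour[(e["user"], _hour_bucket(e["ts"]))] += e["rows"]
    for (user, hour), rows in rows_per_hour.items():
        if rows > baseline[user]["max_rows_per_hour"]:
            findings.add((user, "bulk_query_volume",
                          f"{rows} rows in hour starting {hour}"))
    return sorted(findings)


def users_to_revoke(findings):
    """Integration users whose OAuth tokens should be revoked and whose
    service credentials rotated: anyone with two or more independent
    indicator kinds (a single new IP alone can be a benign vendor change)."""
    kinds = defaultdict(set)
    for user, kind, _ in findings:
        kinds[user].add(kind)
    return sorted(u for u, k in kinds.items() if len(k) >= 2)


if __name__ == "__main__":
    found = hunt(EVENTS, BASELINE)
    for f in found:
        print(*f, sep="\t")
    print("revoke:", users_to_revoke(found))
```

The hourly row ceiling is deliberately a per-connector baseline rather than a global number: a legitimate connector that syncs nightly will trip a global threshold every night, while a stolen token driven by a script tends to pull far more rows, from a different IP, with a different client string, inside one window. Treat a match as grounds to revoke the token and rotate the service credential first and investigate second, which is the ordering the report recommends.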
