Detecting the Klue supply chain attack in Salesforce instances
ID: 8c5b7fbf-20da-5c84-a471-cf8fe4656431
STIX ID: report--8c5b7fbf-20da-5c84-a471-cf8fe4656431
Feed Name: Datadog Security Labs
Threat Score
On June 11–13, 2026, a threat actor calling itself "Icarus" exploited a dormant OAuth credential in Klue's Battlecards integration to harvest Salesforce and Gong tokens, run automated REST API queries across customer orgs to exfiltrate CRM data (contacts, opportunities, quotes, communications), and later initiate extortion; the report provides a timeline, detection queries and log fields for Salesforce/Datadog, and confirmed IOCs (four IPs and three user‑agent strings).
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
