Competitive intelligence platform Klue has become the epicenter of a fresh supply chain attack that rippled out to hit prominent cybersecurity vendors, according to reporting from SecurityWeek published June 19, 2026. Threat actors leveraged compromised OAuth tokens to reach into the Salesforce CRM instances of Klue's customer base, exfiltrating data from organizations including Huntress and Recorded Future.
What Happened
The attack chain began with the compromise of Klue's Salesforce app integration. Klue provides a competitive battlecard platform that many enterprise sales and security teams connect directly to their Salesforce environments. By abusing OAuth access tokens obtained through this integration — tracked by researchers as the Icarus threat actor campaign — attackers were able to silently query and download records from downstream customer tenants without requiring direct credentials.
The breach bears the hallmarks of the broader wave of OAuth-based supply chain attacks that have targeted SaaS-to-SaaS integrations throughout 2026. Rather than brute-forcing or phishing individual organizations, Icarus has consistently pursued the same playbook: compromise a vendor with wide CRM integrations, pivot using that vendor's trusted app credentials, and exfiltrate data at scale before detection.
Impacted Organizations
SecurityWeek confirmed that Huntress, the managed detection and response (MDR) provider known for protecting SMB environments, was among the affected customers. Recorded Future, the threat intelligence giant, also had data accessed via its Salesforce connection to Klue.
Both companies were notified of the exposure and have begun their own incident response processes. Salesforce has since disabled the Klue Battlecards app integration pending investigation, effectively severing the access vector.
The full scope of affected Klue customers remains under investigation. Given Klue's position serving enterprise sales teams, the customer list likely includes dozens of additional organizations across multiple sectors.
How OAuth Supply Chain Attacks Work
This incident is a textbook example of the OAuth token abuse attack pattern that has become increasingly common:
- Initial compromise — Attacker targets a mid-tier SaaS vendor with broad integrations
- Token harvest — OAuth tokens or client credentials for downstream platforms are exfiltrated from the vendor's environment
- Silent pivot — Using valid tokens, attacker queries downstream CRM/SaaS data directly through legitimate APIs
- Data exfiltration — Records are pulled without triggering traditional login-based anomaly detection, since the access appears to originate from a trusted integration
Unlike credential-stuffing or phishing, this approach bypasses MFA entirely — the tokens are already issued and valid.
Broader Context: The Icarus Campaign
Researchers tracking the Icarus campaign have linked it to a series of Salesforce-targeting operations throughout May and June 2026. An earlier article in the CosmicBytez Labs archive (2026-06-18-klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks) covers the initial disclosure of the Icarus-Klue connection. The current wave appears to be a continuation of the same infrastructure being used to reach new downstream victims.
What Organizations Should Do
For any organization using Klue or similar competitive intelligence platforms with Salesforce integrations:
- Audit OAuth app permissions in Salesforce immediately via Setup > Connected Apps
- Review access logs in Salesforce's Event Log for unusual API queries originating from third-party app integrations in the June timeframe
- Revoke any Klue-related OAuth tokens (rotating any associated client credentials) and keep them revoked until Salesforce re-enables the integration with remediated credentials
- Notify your IR team if Salesforce CRM contains sensitive customer, prospect, or partner data
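As an added example (not code from SecurityWeek, Klue, or Salesforce) tying the attack pattern described above to the log review in the second step: a small Python script that baselines each connected app's normal API behaviour on days known to be clean and flags calls in the review window that touch a new object, arrive from a new source IP, or pull far more rows than the integration normally does. The log rows, user IDs and column names are constructed for illustration; check the column names against your org's actual event log export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows shaped like Salesforce API event log records; column names are assumed.
SAMPLE_LOG = """TIMESTAMP,USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED,CLIENT_IP
20260615T090000Z,005CONSTRUCTED01,Klue Battlecards,Account,40,203.0.113.10
20260615T091000Z,005CONSTRUCTED01,Klue Battlecards,Opportunity,25,203.0.113.10
20260617T020000Z,005CONSTRUCTED01,Klue Battlecards,Contact,2000,198.51.100.7
20260617T100000Z,005CONSTRUCTED02,Sales Cloud Console,Account,12,192.0.2.5
"""

def parse_api_events(text):
    """Parse CSV export text into a list of dicts with ROWS_PROCESSED as an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ROWS_PROCESSED"] = int(r["ROWS_PROCESSED"])
    return rows

def build_baseline(events, baseline_days):
    """Per client app: objects touched, peak rows per call and source IPs seen on clean days."""
    profile = defaultdict(lambda: {"entities": set(), "max_rows": 0, "ips": set()})
    for e in events:
        if e["TIMESTAMP"][:8] in baseline_days:
            p = profile[e["CLIENT_NAME"]]
            p["entities"].add(e["ENTITY_NAME"])
            p["max_rows"] = max(p["max_rows"], e["ROWS_PROCESSED"])
            p["ips"].add(e["CLIENT_IP"])
    return profile

def flag_token_abuse(events, baseline_days, volume_factor=5):
    """Return (timestamp, client, reason) for review-window calls that deviate from the baseline."""
    profile = build_baseline(events, baseline_days)
    findings = []
    for e in events:
        if e["TIMESTAMP"][:8] in baseline_days:
            continue
        p = profile.get(e["CLIENT_NAME"])
        if p is None:
            continue  # no clean-day baseline for this client: review it manually
        reasons = []
        if e["ENTITY_NAME"] not in p["entities"]:
            reasons.append("new object " + e["ENTITY_NAME"])
        if e["CLIENT_IP"] not in p["ips"]:
            reasons.append("new source IP " + e["CLIENT_IP"])
        if e["ROWS_PROCESSED"] > volume_factor * p["max_rows"]:
            reasons.append("bulk pull of %d rows" % e["ROWS_PROCESSED"])
        if reasons:
            findings.append((e["TIMESTAMP"], e["CLIENT_NAME"], "; ".join(reasons)))
    return findings
```

A valid token used by an attacker produces no failed login, so the signal is the integration behaving unlike itself, which is what the three checks above look for.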
Security vendors — who often hold sensitive threat intelligence, customer vulnerability data, and incident response records in CRM systems — should treat this as a high-priority incident review given that Huntress and Recorded Future were both affected.
Takeaway
The compromise of Huntress and Recorded Future through a shared SaaS vendor is a stark illustration of the nth-party risk problem: your security posture is only as strong as the weakest OAuth grant in your SaaS stack. As enterprise tooling becomes increasingly interconnected, adversaries are exploiting those connections with precision, targeting integrations that security teams rarely monitor as closely as direct access paths.