Throughout 2026, the cybersecurity industry has seen a new surge of software supply chain attacks, presented in many shapes and sizes. We at Huntress have been constant advocates of the mantra: it's not a matter of if, or even when, an incident occurs -- but how you respond.
We want to be transparent about a major supply chain attack that happened this week, which impacted us and other organizations. Doing so reflects our core values of putting the community and transparency first. In this blog we will share what we know about the Klue incident, what we know about our own incident, and what we know about the threat actor.
As the industry works to understand the scope and impact of this incident, we are committed to working with Klue and others to communicate what happened and how impacted partners and customers can protect themselves.
This post will continue to be updated as we have more information. Read on for our full report.
TL;DR: A threat actor compromised Klue, a market intelligence platform, and exfiltrated data from Klue's customers. Huntress is one of those customers, as are several other cybersecurity companies. Huntress believes in radical transparency about security incidents, including when they affect our own company. The data copied from our Salesforce account includes business contacts, price quotes, and other sales-related data and messaging. No threat data, passwords, payment card information, or engineering data relating to the Huntress agent or the telemetry we collect was affected. To be clear, Huntress found no indication of impact to Huntress products or infrastructure; this incident was specific to CRM data.
Over the past week, a threat actor compromised some backend systems used by Klue, a market intelligence platform that provides services to a number of companies, including Huntress.
Klue's compromise began on June 11, when anomalous behavior was observed in a system that handles Klue's integrations with other software platforms. The attackers pushed a code update capable of collecting the OAuth tokens Klue's customers use to connect Klue to their own systems.
According to what Klue has shared, they became aware of the anomalous behavior the following day and noted unusual network connections to what were later identified as IP addresses the threat actor was using to remotely connect to the Klue backend servers and execute commands. Klue has been forthcoming with regular updates on the situation posted to their website (a Klue account is required to read the notification).
Klue rapidly deactivated the OAuth credentials for all customers, and temporarily disabled its integrations with the following services while they investigated the incident:
- Salesforce
- HubSpot
- SharePoint
- Zoom
- Gong
- Chorus
- Clari
- Google Drive
- Slack App
Klue staff disabled the remote access, removed the token-theft code from their servers, and issued a general alert to customers on June 13 that did not indicate which customers were impacted. Then, on June 16, emails began to appear in the inboxes of some Huntress staff with the subject line “top secret email” and a warning: “Your data has been downloaded…You have 48 hours to communicate with us.”
Figure 1: One of the initial email messages received by Huntress staff
Huntress now understands that the threat actor appears to have leveraged a long-disused but still active credential to conduct the initial compromise: one that Klue had originally created to prototype a third-party integration it later abandoned. The threat actor then pivoted into Klue's infrastructure to steal the tokens used by Klue's customers, used those stolen tokens to query the customers' CRM tools directly and, eventually, exfiltrated the data.
It was, in essence, a security domino effect: one compromise led to a chain of follow-on compromises, which included Huntress among many other Klue customers.
The conclusions detailed in this article were the result of an investigation of various service logs reviewed alongside the IOCs provided by Klue. We performed a similar investigation across logs available from other potentially impacted services, given the nature of the access facilitated by the credentials the threat actor retrieved.
We recommend the following actions to facilitate your own investigation:
| # | Action | Insights |
|---|---|---|
| 1 | Review available logs for known IOCs | Review the IOCs provided by Klue, and cross-reference log data from Salesforce, Klue, and any other OAuth applications configured through Klue. |
| 2 | Request missing logs from vendors | Some services may not have API/access logs readily available. We recommend contacting vendors to request missing logs, clarifying that they are part of an active security investigation. Note that response times will vary depending on vendor SLAs and support contracts, and may be on the order of hours. |
| 3 | Consider revoking sessions for affected services | Because this scenario was predicated on harvested credentials, revoking the service integrations alone may be insufficient for remediation. Consider revoking all active sessions for known-affected services in order to invalidate any potentially compromised sessions. A more targeted action (e.g. revoking individual known-compromised credentials) may be feasible depending on your investigation. |
| 4 | Review email inboxes and spam folders | The threat actor's emails may have been delivered but landed in spam folders. Inboxes should be reviewed for communications from the IOC domains or containing similar phrasing in the email body. If identified, you may wish to remove those emails from inboxes, but retain copies for forensic purposes. |
| 5 | Consider engaging cyber insurance provider(s) | If you believe you were exposed, you may wish to engage your cyber insurance provider to assist with investigation, remediation, and after-action items. These may vary significantly based on the scope of impact. |
The exfiltrated data appears to be contact information and sales-related communications (price quotes, contacts, tasks, and the like) with Huntress customers and partners, some product pricing data, and competitive market reports. None of the compromised data contained threat intelligence or the kinds of telemetry our tools collect. Credentials that belong to Huntress customers and partners, the organizations Huntress protects, and employees, were not compromised. The Huntress product was also not affected. There is no indication that the threat actor had access to payment information or PCI data.
Indicators of Klue Compromise
Klue’s notification on the breach includes a “non-exhaustive” list of IP addresses from which the threat actor is known to have accessed sensitive information. Those IP addresses are:
138.226.246[.]94
212.86.125[.]24
213.111.148[.]90
94.154.32[.]160
The IPs belong to ISPs based in the Netherlands, France, and Ukraine. Only one of the four addresses has a history of threat activity: 138.226.246[.]94 is connected to spam campaigns from March 2026.
Figure 2: The IP addresses were not previously connected to major threat actor activity. Source: VirusTotal.
The threat actor has historically provided samples of the exfiltrated data on the dead-drop site gofile[.]io.
According to Klue, some of the affected companies report that data associated with Salesforce and Gong were successfully exfiltrated. Huntress’ integration with Klue involved Salesforce and Gong data.
In order to make the affirmative determination of compromise, Huntress’ security team obtained logs of queries from Salesforce and Gong and searched the logs for the telltale indicators of data retrieval.
Most (effectively all) of the malicious requests to SFDC (Salesforce) target /services/data/v59.0/query/<STRING>, and nearly all have a User-Agent of 5238 or a blank value. There are some outliers, such as these Python User-Agent strings used in nearly 900 of the queries (cumulative count on the left-hand side):
811 "Python-urllib/3.12"
58 "Python-urllib/3.14"
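As an added example (this is not Huntress's or Klue's tooling, and it is not code from the original post), the following script applies the retrieval pattern just described, together with step 1 of the table above, to Salesforce REST API log rows: it flags requests for query result pages made with the suspicious User-Agent values or from the Klue IOC addresses, and tallies them by User-Agent the same way the counts above are presented. The CSV column names (TIMESTAMP_DERIVED, CLIENT_IP, URI, USER_AGENT, STATUS_CODE) approximate a Salesforce EventLogFile RestApi export but are assumptions to check against your own export, and the sample rows are constructed, not real log data. One fact the page does not spell out and the example relies on: a request to /services/data/vNN.0/query/<locator> is a follow-up page of a large SOQL result set (Salesforce hands out the locator in nextRecordsUrl), which is why a burst of them is a bulk-retrieval signal, and why the User-Agent and source IP are needed to separate it from a legitimate integration paginating the same way.

```python
"""
Hunt Salesforce REST API log rows for the bulk-retrieval pattern described
in the post. Column names are assumptions (check your own EventLogFile
export); SAMPLE_LOG is constructed data, not a real log.
"""
import csv
import io
import re
from collections import Counter

# IOC IPs published by Klue (the post shows them defanged, e.g. 138.226.246[.]94).
KLUE_IOC_IPS = {
    "138.226.246.94",
    "212.86.125.24",
    "213.111.148.90",
    "94.154.32.160",
}

# /services/data/vNN.0/query/<locator> is a follow-up page of a large SOQL
# result set (the locator comes from nextRecordsUrl), i.e. bulk retrieval.
QUERY_PAGE_RE = re.compile(r"^/services/data/v\d+\.\d+/query/[^/?]+")

# User-Agent values observed in the malicious queries described in the post.
SUSPECT_UA_EXACT = {"5238", ""}
SUSPECT_UA_PREFIX = ("Python-urllib/",)


def suspicious_user_agent(ua: str) -> bool:
    """True for the UA values the post associates with the malicious queries."""
    ua = ua.strip().strip('"')  # some log exports wrap the UA in quotes
    return ua in SUSPECT_UA_EXACT or ua.startswith(SUSPECT_UA_PREFIX)


def hunt(csv_text: str) -> dict:
    """Return flagged rows plus User-Agent and source-IP tallies over them."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        uri = row.get("URI", "")
        ua = row.get("USER_AGENT", "")
        ip = row.get("CLIENT_IP", "")
        reasons = []
        if ip in KLUE_IOC_IPS:
            reasons.append("ioc_ip")
        if QUERY_PAGE_RE.match(uri) and suspicious_user_agent(ua):
            reasons.append("query_page_with_suspect_ua")
        if reasons:
            flagged.append({**row, "REASONS": reasons})
    return {
        "flagged": flagged,
        "by_user_agent": Counter(r["USER_AGENT"] or "<blank>" for r in flagged),
        "by_ip": Counter(r["CLIENT_IP"] for r in flagged),
    }


# Constructed sample: four result-page fetches from IOC addresses with the
# suspect UAs, plus two benign rows (a browser paging a query, and a single
# record read) that must not be flagged. 203.0.113.7 is documentation space.
SAMPLE_LOG = """TIMESTAMP_DERIVED,CLIENT_IP,URI,USER_AGENT,STATUS_CODE
2026-06-14T02:11:09Z,138.226.246.94,/services/data/v59.0/query/01gAAAAAAAAAAAAAAA-2000,5238,200
2026-06-14T02:11:10Z,138.226.246.94,/services/data/v59.0/query/01gAAAAAAAAAAAAAAA-4000,,200
2026-06-14T02:12:41Z,212.86.125.24,/services/data/v59.0/query/01gBBBBBBBBBBBBBBB-2000,Python-urllib/3.12,200
2026-06-14T02:12:42Z,212.86.125.24,/services/data/v59.0/query/01gBBBBBBBBBBBBBBB-4000,Python-urllib/3.14,200
2026-06-14T09:30:00Z,203.0.113.7,/services/data/v59.0/query/01gCCCCCCCCCCCCCCC-2000,Mozilla/5.0 (Windows NT 10.0) Salesforce/Lightning,200
2026-06-14T09:31:15Z,203.0.113.7,/services/data/v59.0/sobjects/Account/001AAAAAAAAAAAAAAA,Mozilla/5.0 (Windows NT 10.0),200
"""

if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for ua, n in result["by_user_agent"].most_common():
        print(f"{n:>5} {ua!r}")
    for r in result["flagged"]:
        print(r["TIMESTAMP_DERIVED"], r["CLIENT_IP"], r["URI"], r["REASONS"])
```

Run it against a real export by reading the CSV into `hunt()` in place of `SAMPLE_LOG`. A row that matches on IOC IP alone is still worth a look even if its User-Agent is ordinary, since the IOC list is described as non-exhaustive and the actor changed tooling mid-campaign.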
Investigating our Adversary
The threat actor sent an initial email to multiple different current and former Huntress employees indicating that “your data was exfiled due to a breach happening to your partner, Klue.com (ask them).” (sic)
The threat actor provided a unique key to use with a secure communications platform called Session, and instructed the recipient to “do the right decision. xoxo” (sic)
However, 38 minutes after the first message, those same staffers received a follow-up email from the same sender that simply read “wrong session lol” and had a different key. Both messages were sent by someone who refers to themselves as mr bean. The second message was signed mb. (Possibly to mean “mr bean,” or a shorthand for “my bad.”)
Figure 3: The “wrong session lol” follow-up email
These emails originated from one of three distinct mail domains:
- house.com.au
- robinskitchen.com.au
- baccarat.com.au
Each of these companies is a subsidiary of “Global Retail Brands,” an Australian retailer of home goods and appliances. Huntress believes the adversary leveraged the mail server used by these companies as compromised infrastructure. (Huntress provided the Australian Cyber Security Centre with information so they could notify the company of this abuse of its infrastructure.) The message headers contained passing SPF and DMARC results, indicating the messages were actually sent through mail infrastructure authorized for those domains and were not forged.
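As an added example (not Huntress's code or process), here is how the header check in the paragraph above can be automated for the inbox review recommended in the table: parse the Authentication-Results header written by your own receiving mail server, read the SPF and DMARC verdicts, and compare the From domain against the three sender domains listed. The raw message below is constructed for this example; the receiving host name mx.example.net, the sending IP 192.0.2.10 and the mailbox noreply@house.com.au are assumptions, not details from the incident. The code only trusts the Authentication-Results header whose authserv-id is our own MTA, because anyone upstream, including the sender, can add a header claiming a pass.

```python
"""
Triage an extortion email: did it really leave the sender domain's authorized
mail infrastructure (SPF/DMARC pass), and is that domain one of the abused
domains named in the post? The sample message is constructed.
"""
import email
import re
from email import policy

# Sender domains observed in the extortion emails (from the post).
ABUSED_SENDER_DOMAINS = {"house.com.au", "robinskitchen.com.au", "baccarat.com.au"}

# Our own receiving MTA (assumption). Only the Authentication-Results header it
# wrote is trustworthy; a sender can prepend a forged one with a different id.
TRUSTED_AUTHSERV_ID = "mx.example.net"

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_authentication_results(msg) -> dict:
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from the trusted MTA's header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id = header.split(";", 1)[0].strip()
        if authserv_id.lower() != TRUSTED_AUTHSERV_ID:
            continue  # not written by us: ignore it
        for method, verdict in AUTH_RESULT_RE.findall(header):
            results[method.lower()] = verdict.lower()
    return results


def triage(raw_message: str) -> dict:
    """Summarize sender domain, authentication verdicts and IOC domain match."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_header = msg["From"]
    from_domain = from_header.addresses[0].domain.lower() if from_header else ""
    auth = parse_authentication_results(msg)
    # spf=pass and dmarc=pass mean the mail left infrastructure authorized for
    # the From domain, i.e. the domain was used rather than spoofed. It says
    # nothing about whether that server or account was legitimately operated,
    # which is exactly the compromised-infrastructure case described above.
    real_server = auth.get("spf") == "pass" and auth.get("dmarc") == "pass"
    return {
        "from_domain": from_domain,
        "auth": auth,
        "known_abused_domain": from_domain in ABUSED_SENDER_DOMAINS,
        "sent_via_real_mail_server": real_server,
    }


# Constructed sample. The second Authentication-Results header imitates one a
# sender might prepend; it must be ignored because its authserv-id is not ours.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.net; spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=house.com.au; dkim=none; dmarc=pass action=none header.from=house.com.au
Authentication-Results: attacker.example; spf=fail dkim=fail dmarc=fail
From: mr bean <noreply@house.com.au>
To: staff@example.com
Subject: top secret email
Content-Type: text/plain; charset=utf-8

Your data has been downloaded...You have 48 hours to communicate with us.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

Feed `triage()` the raw source of each suspect message pulled during the inbox review; a match on `known_abused_domain` with `sent_via_real_mail_server` true is the same conclusion drawn above, that the domain's real mail server was used rather than spoofed, and the message should be preserved for forensics rather than simply deleted.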
In the initial email, the adversary suggests, “we advice you to write to us on Session” (sic). The Session Messenger ID that they provided matched the same values included on the dark web leak site of a new extortion group dubbed “Icarus.”
Figure 4: Information from the Icarus actor on their website
The Icarus actor states on their website that they have been active since April 28, 2026, and they currently list two previous victims. The first victim entry corresponds to an intrusion in early May of 2026, with an additional message included in the “News” section dated May 5, with the text “shawty sorry for leaking ur data. dm to resolve. <3”
This first victim entry includes buttons for “Part 1” and “Part 2” of the alleged leaked data, with external links to gofile[.]io. Gofile states within their FAQ that hosted content is stored by default for 10 days, while Premium paid accounts offer long-term storage. At the time of writing on June 17, the Gofile-hosted content referenced in the Icarus victim listing is not available.
Figure 5: The Gofile-hosted content was not available as of June 17
The second victim entry is “pending” for release, however, the text description suggests the files that would be published contain specifically Salesforce data. This entry was first seen on June 16, aligning with the timeline of the current situation. When it was first published, the page included another Session Messenger ID value that matched the ID provided in the initial extortion email. We observed the page later changed to instead include the second Session Messenger ID value that was provided in the actor’s follow-up email correction.
With those matching data points we have high confidence that the Icarus actor is responsible for the Klue compromise and this supply chain attack. The latest message on their “News” section, dated June 12, states: “get ready; big corps getting listed. be ready”.
Figure 6: The latest note from the Icarus threat actor in the “News” section of their website
What's next
We are in direct contact with leadership at Klue and we have engaged the appropriate incident response teams. As this story unfolds, we will continue to share relevant details of this incident in full transparency -- that’s just what we do at Huntress.
Klue and the other impacted organizations were victims of a crime. Our industry sits within a fragile ecosystem where supply chain risk means that any organization can be affected by upstream compromises that occur through no fault of its own.
This is not the end of this story. We will continue to update this blog as we find more information that enables you to have full context: for Klue, for Huntress, for the many other organizations that will soon speak out that they have been affected -- and for the community.