Salesloft Drift Cyberattack Linked to GitHub Compromise and OAuth Token Theft

A sophisticated supply-chain attack affecting over 700 organizations has been traced to a compromise of Salesloft’s GitHub account, beginning in March 2025.

On September 6, 2025, Salesloft confirmed that an investigation by Mandiant revealed threat actors used this access to steal OAuth authentication tokens from its Drift chat platform, resulting in widespread data theft.

The investigation, initiated on August 28, determined that unauthorized access to Salesloft’s GitHub account occurred from March through June 2025.

During this period, attackers downloaded content from private repositories, added a guest user, and conducted reconnaissance on Salesloft and Drift application environments.

Although the Salesloft platform itself was not breached, attackers pivoted to Drift’s AWS environment and obtained OAuth tokens for customer technology integrations.

Technical Details

The threat actor, identified as UNC6395, exploited these tokens from August 8 to August 18, accessing and exfiltrating data from customers’ integrated applications, notably Salesforce instances.

Stolen data included business contact information such as names, email addresses, job titles, and support case content.

The breach impacted a range of high-profile companies, including Cloudflare, Zscaler, Palo Alto Networks, PagerDuty, and SpyCloud.

Response and Mitigation

Following the attack, Salesloft engaged Mandiant and took actions to contain the threat. The Drift platform was taken offline, its infrastructure was isolated, and all impacted credentials were rotated.

Mandiant verified that the incident is contained, and technical segmentation between the Salesloft and Drift environments prevented lateral movement by attackers.

Salesloft has shifted focus to a forensic quality assurance review and advised partners to revoke existing API keys for Drift integrations.

A list of Indicators of Compromise (IOCs) including malicious IP addresses and user-agent strings has been published to assist customers in identifying suspicious activity.
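To make such an IOC list actionable, the following added example (not Salesloft's or Mandiant's code) matches a constructed set of integration audit events against placeholder IP and user-agent indicators and records whether each hit falls inside the August 8 to 18 window described above; the IOC values, the event format and the `drift-integration` actor name are assumptions, to be replaced with the published list and your own platform's log schema.

```python
"""Match integration audit events against a published IOC list (IPs + user-agents)."""
import json
from datetime import datetime, timezone

# Placeholder IOCs (constructed): replace with the values Salesloft published.
IOC_IPS = {"203.0.113.10", "198.51.100.77"}
IOC_USER_AGENTS = {"python-requests/PLACEHOLDER", "sf-bulk-client/PLACEHOLDER"}

# Window in which the stolen tokens were used, per the disclosure (end is exclusive).
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)

# Constructed sample events in a generic JSON-lines audit format (not a vendor schema).
SAMPLE_EVENTS = """\
{"ts": "2025-08-09T02:14:07Z", "actor": "drift-integration", "ip": "203.0.113.10", "ua": "python-requests/PLACEHOLDER", "op": "Query"}
{"ts": "2025-08-12T11:40:00Z", "actor": "jane.doe", "ip": "192.0.2.5", "ua": "Mozilla/5.0", "op": "Login"}
{"ts": "2025-08-14T23:59:59Z", "actor": "drift-integration", "ip": "192.0.2.9", "ua": "sf-bulk-client/PLACEHOLDER", "op": "BulkExport"}
{"ts": "2025-07-01T00:00:00Z", "actor": "drift-integration", "ip": "203.0.113.10", "ua": "Mozilla/5.0", "op": "Query"}
"""


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_suspicious(jsonl: str) -> list[dict]:
    """Return every event whose IP or user-agent is an IOC, annotated with
    the matching reasons and whether it falls inside the exploitation window.
    Matches outside the window are kept: token misuse may predate what is known."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = []
        if event.get("ip") in IOC_IPS:
            reasons.append("ioc_ip")
        if event.get("ua") in IOC_USER_AGENTS:
            reasons.append("ioc_user_agent")
        if reasons:
            ts = parse_ts(event["ts"])
            in_window = WINDOW_START <= ts < WINDOW_END
            hits.append({**event, "reasons": reasons, "in_window": in_window})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["ts"], hit["actor"], hit["op"], ",".join(hit["reasons"]), hit["in_window"])
```

Any hit attributed to the Drift integration's identity is a candidate for the API-key revocation Salesloft advised, and the connected app's tokens should be rotated regardless of whether the hit is inside the window.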

Indicators of Compromise

Claims of responsibility by “Scattered LAPSUS$ Hunters 4.0” remain unverified by investigators.
