All news with #token leakage tag

FBI Alerts on UNC6040 and UNC6395 Targeting Salesforce

⚠️ The FBI released IoCs linking two threat clusters, UNC6040 and UNC6395, to a series of data theft and extortion attacks that targeted organizations' Salesforce environments. UNC6395 exploited compromised OAuth tokens tied to the Salesloft Drift app after a March–June 2025 GitHub breach, prompting Salesloft to isolate Drift and take its AI chatbot offline. UNC6040, active since October 2024, used vishing, a modified Data Loader and custom Python scripts to hijack instances and exfiltrate bulk data, while extortion activity has been associated with actors using the ShinyHunters brand.

Token Management Risks in the Third-Party Supply Chain

🔐 This Unit 42 report describes how compromised OAuth tokens in third‑party integrations create severe supply‑chain exposure, using recent incidents as examples. It highlights three recurring weaknesses: dormant integrations, insecure token storage and long‑lived credentials, and explains how attackers exploit these to exfiltrate data and pivot. The authors recommend token posture management, encrypted secret storage and centralized runtime monitoring to detect and revoke abused tokens quickly.

Malicious Browser Extensions Target Meta Advertisers

🔒 Researchers disclosed two coordinated campaigns that distribute fake browser extensions via malvertising and counterfeit sites to steal credentials, session tokens, and hijack Meta business accounts. Bitdefender documented ads pushing a fake "Meta Verified" add‑on named SocialMetrics Pro that harvests Facebook session cookies and exfiltrates them to a Telegram bot while also querying ipinfo[.]io for IP data. Cybereason described a separate campaign using counterfeit sites promoting a bogus Madgicx Plus platform and multiple rogue Chrome extensions that request broad site access, capture Google identity data, then pivot to Facebook to facilitate account takeover.

Cursor autorun flaw lets repos execute arbitrary code

🔓 Oasis Security disclosed a flaw in Cursor that allows malicious repositories to execute code when a developer opens a folder. The vulnerability stems from Workspace Trust being disabled by default, permitting crafted .vscode/tasks.json entries set to run on folder open to autorun without prompting. Successful exploitation can expose API keys, cloud credentials and local secrets, risking organization-wide compromise.

Threat Actor Reveals Tradecraft After Installing Agent

🔎Huntress analysts discovered a threat actor inadvertently exposing their workflows after installing the vendor's security agent on their own machine. The agent logged three months of activity, revealing heavy use of AI text and spreadsheet generators, automation platforms like Make.com, proxy services and Telegram Bot APIs to streamline operations. Investigators linked the infrastructure to thousands of compromised identities while many attempts were blocked by existing detections.

Majority of Organizations Hit by Third‑Party Incidents

🔒 A recent survey by SecurityScorecard found 71% of organizations experienced at least one material third‑party cybersecurity incident in the past year, with 5% reporting ten or more. Rising third‑party involvement — echoed in the 2025 Verizon Data Breach Investigations Report — and sprawling supplier ecosystems expand attackers’ avenues. Experts warn SaaS platforms, open‑source packages, and CI/CD pipelines are increasingly exploited, often via abused OAuth, stolen credentials, or over‑permissioned integrations.

GhostAction GitHub Supply Chain Attack Exposes 3,325 Secrets

🚨 A GitHub supply chain campaign dubbed GhostAction has exposed 3,325 secrets across multiple package ecosystems and repositories. GitGuardian says attackers abused compromised maintainer accounts to insert malicious GitHub Actions workflows that trigger on push or manual dispatch, read repository secrets, and exfiltrate them via HTTP POST to an external domain. Compromised credentials include PyPI, npm, DockerHub, Cloudflare, AWS keys and database credentials; vendors were notified and many repositories reverted the changes.

Qualys, Tenable Confirm Access in Salesloft Drift Attack

🔐 Tenable and Qualys reported limited unauthorized access to parts of their Salesforce records after attackers stole OAuth tokens from the Salesloft Drift integration. The incidents exposed support-case subject lines, initial descriptions and basic business contact details, but neither vendor's products or core services were affected. Both firms disabled the Salesloft Drift app, revoked or rotated credentials, and said they are working with Salesforce and investigators to contain the impact.

GhostAction Supply-Chain Attack Steals 3,325 Secrets

🔒 GitGuardian uncovered a widespread supply-chain campaign it named GhostAction after detecting suspicious activity in a FastUUID GitHub repository. A compromised maintainer pushed a malicious GitHub Actions workflow that harvested secrets, initially capturing a PyPI token, and further investigation revealed hundreds of similar commits across multiple repositories. In total 3,325 secrets were exfiltrated from 817 repositories belonging to 327 users, with DockerHub credentials, GitHub tokens and npm tokens among the most common. GitGuardian notified platform security teams and many affected projects have begun reverting malicious changes while investigations continue.

CRM Supply-Chain Breach via Salesloft Drift Impacts Vendors

🔒 Palo Alto Networks, Zscaler and Cloudflare disclosed a supply-chain breach traced to the Salesloft Drift integration with Salesforce. The compromise exposed business contact information, account/contact/case/opportunity records and, in some instances, OAuth tokens and plaintext support-case content; attachments and files were reportedly not affected. Palo Alto's Unit 42 observed active searches of exfiltrated data and deletion of queries consistent with anti-forensics. Vendors are advising immediate token revocation, credential rotation and comprehensive review of Salesforce logs and SOQL query history.

Why XSS Still Matters: MSRC on a 25-Year Threat Landscape

🛡️ MSRC reports that Cross-Site Scripting (XSS) remains a persistent threat across legacy portals and modern single-page applications, with hundreds of cases triaged in the past year. Between July 2024 and July 2025, MSRC mitigated over 970 XSS cases and awarded more than $900,000 in bounties, spanning low-impact self-XSS to zero-click critical exploits. The post describes MSRC’s severity matrix that combines data classification and exploit conditions, outlines servicing scope and exclusion criteria, and publishes a practical submission checklist. Developers and researchers are encouraged to adopt context-aware encoding, Content Security Policy (CSP), and secure-by-default frameworks to reduce exposure.

Salesloft Takes Drift Offline After OAuth Token Theft

🔒 Salesloft said it will temporarily take its Drift chatbot service offline after a supply-chain compromise led to the mass theft of OAuth and refresh tokens tied to the Drift AI chat agent. The outage is intended to allow a comprehensive security review and build additional resiliency; Drift chatbot functionality and access will be unavailable during the process. Salesloft is working with cybersecurity partners Mandiant and Coalition while investigators, including Google Threat Intelligence Group, attribute the campaign to UNC6395 and report that more than 700 organizations may be affected.

Cloudflare Response to Salesloft Drift Salesforce Breach

🔒 Cloudflare confirmed that it and some customers were impacted by the Salesloft/Drift breach which exposed Salesforce support case text. The company found 104 Cloudflare API tokens in the exfiltrated data, rotated them, and observed no suspicious activity tied to those tokens. No Cloudflare infrastructure was compromised; affected customers were notified and advised to rotate any credentials shared in support tickets and to harden third-party integrations.

Salesloft token theft exposes wide-ranging integrations

🔐 The mass theft of authentication tokens from Salesloft’s Drift chatbot has exposed integrations across hundreds of customers, according to Google. Attackers stole valid tokens for services including Slack, Google Workspace, Amazon S3, Microsoft Azure and OpenAI. GTIG said the campaign, tracked as UNC6395, siphoned large amounts of Salesforce data and searched the haul for credentials such as AWS keys, VPN logins and Snowflake access. Customers were urged to immediately invalidate and reauthenticate all Salesloft-connected tokens while Salesloft and incident responders investigate.

Google: Salesloft Drift OAuth Breach Impacts Integrations

🔐 Google and Mandiant warn Salesloft Drift customers that OAuth tokens tied to the Drift platform should be treated as potentially compromised. Stolen tokens for the Drift Email integration were used to access email from a small number of Google Workspace accounts on August 9, 2025; Google stressed this is not a compromise of Workspace or Alphabet. Google revoked affected tokens, disabled the Workspace–Drift integration, and is urging customers to review, revoke, and rotate credentials across all Drift-connected integrations while investigations continue.

Malicious Nx npm Packages in 's1ngularity' Supply Chain

🔒 The maintainers of nx warned of a supply-chain compromise that allowed attackers to publish malicious versions of the npm package and several supporting plugins that gathered credentials. Rogue postinstall scripts scanned file systems, harvested GitHub, cloud and AI credentials, and exfiltrated them as Base64 to public GitHub repositories named 's1ngularity-repository' under victim accounts. Security firms reported 2,349 distinct secrets leaked; maintainers rotated tokens, removed the malicious versions, and urged immediate credential rotation and system cleanup.

Salesloft OAuth Breach via Drift AI Exposes Salesforce Data

🔒 A campaign tied to threat actor UNC6395 exploited compromised OAuth and refresh tokens associated with the Drift chat integration to exfiltrate data from Salesforce instances connected via Salesloft. Observed between Aug 8 and Aug 18, 2025, the actor executed targeted queries to retrieve Cases, Accounts, Users and Opportunities and hunted for credentials such as AWS access keys and Snowflake tokens. Salesloft and Salesforce invalidated tokens, removed Drift from AppExchange, and advised affected customers to re-authenticate integrations and rotate credentials.

Widespread Data Theft via Salesloft Drift Targets Salesforce

🔒 GTIG warns of a widespread data-theft campaign by UNC6395 that abused compromised OAuth tokens for the Salesloft Drift connected app to export data from multiple Salesforce customer instances between Aug. 8 and Aug. 18, 2025. The actor executed SOQL queries against objects including Accounts, Cases, Users, and Opportunities to harvest credentials and secrets—observed items include AWS access keys, Snowflake tokens, and passwords. Salesloft and Salesforce revoked tokens and removed the Drift app from the AppExchange; impacted organizations should search for exposed secrets, rotate credentials, review Event Monitoring logs, and tighten connected-app scopes and IP restrictions.

Unexpected parcel scams: brushing, quishing, and more

📦 Delivery scams now include evolved brushing and QR-based "quishing" campaigns that use unsolicited packages or printed postcards to trick recipients into visiting malicious sites, paying fake fees, or installing malware. Scammers may include QR codes, phone numbers, or counterfeit tracking cards to extract payment data, one-time codes, or to prompt app installs. Never scan printed QR codes or call numbers on unexpected parcels; verify shipments via official courier channels and avoid connecting unknown USB devices. Enable two-factor authentication and report suspicious packages to the courier and police.

Implementing Defense-in-Depth for AWS CodeBuild Pipelines

🔒 This guide consolidates practical recommendations for securing AWS CodeBuild CI/CD pipelines, emphasizing webhook configuration, trust boundaries, and least-privilege access. It warns against automatic pull request builds from untrusted contributors and prescribes push-based, branch-based, and contributor-filtered webhook patterns, plus staged rollout using Infrastructure as Code. Additional safeguards include scoped GitHub tokens, per-build IAM roles, isolated build environments, CloudTrail logging, and manual approval gates for sensitive deployments.