Klue integration OAuth token compromise

Confirmed
Discovered Jun 18, 2026

Defender-focused assessment of Klue integration service.

0
Affected Packages
5
Observables
1
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Current dossier state
needs review
Last verified
Not yet independently verified
Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
Observed fact
Direct-source and cited evidence only.
Informed inference
Analysis is labelled where evidence is indirect.
Unknown
Unverified scope remains explicitly open.
OAuth
June 12, 2026
integration service
Salesforce
Klue

Analysis

Executive Summary

Klue identified unauthorized activity on June 12, 2026. A compromised legacy credential associated with an integration service let an attacker obtain OAuth tokens for third-party platforms including Salesforce and access data in connected customer environments. Klue reported no evidence that content stored in Klue itself was affected, and revoked credentials and tokens, removed unauthorized code, and disabled potentially affected integrations. [1]

The public evidence supports a high-confidence incident, but does not support filling every missing artifact, actor, victim, or infrastructure field. Unknown values below remain explicit. [1]

Key Facts

Analysis table
FactValue
Affected artifactKlue integration service
Ecosystemsaas-integration
Malicious versions/referenceKlue integration service version unknown
Disclosure2026-06-18
Immediate actionPreserve evidence, disable the affected path, revoke exposed identities, and audit downstream use

Evidence Assessment

Analysis table
AssessmentClaim
ConfirmedKlue identified unauthorized activity on June 12, 2026. A compromised legacy credential associated with an integration service let an attacker obtain OAuth tokens for third-party platforms including Salesforce and access data in connected customer environments. Klue reported no evidence that content stored in Klue itself was affected, and revoked credentials and tokens, removed unauthorized code, and disabled potentially affected integrations. [1]
UnclearExact full victim scope, complete exposure window, and any indicators not listed in iocs.json.
Not observedNo additional attacker infrastructure is asserted beyond the source-backed values.

Impact Determination

Analysis table
ClassificationCriteriaRequired actionClosure gate
Confirmed compromiseMatching deployment/artifact plus unauthorized downstream activityIsolate, preserve, revoke, investigateNo persistence or unauthorized follow-on activity; affected identities rotated
ExposedMatching vendor/update/browser path without confirmed executionCollect deployment and access historyComplete inventory and negative evidence review
Not observedVerified clean deployment outside the evidenced window/pathDocument evidenceIndependent validation recorded

Minimum Evidence To Collect

  • Collect deployment/update and administrative audit logs from the affected control plane; they establish who changed or delivered the artifact.
  • Collect endpoint, application, proxy, and identity-provider telemetry from affected systems; they resolve execution and downstream access.
  • Preserve suspect files, bundles, caches, and configuration with hashes and UTC timestamps before remediation.
  • Record credential and session revocation evidence because exposed tokens or user signing context may remain useful after containment.

Timeline

  • 2026-06-18: Public source disclosure or reporting. [1]
  • Other exact timestamps not stated in the supplied sources remain unknown; incident teams should build a UTC timeline from their own logs.

What Happened

Klue identified unauthorized activity on June 12, 2026. A compromised legacy credential associated with an integration service let an attacker obtain OAuth tokens for third-party platforms including Salesforce and access data in connected customer environments. Klue reported no evidence that content stored in Klue itself was affected, and revoked credentials and tokens, removed unauthorized code, and disabled potentially affected integrations. [1]

Initial Access and Execution Trigger

Treat the vendor, deployment, update, or RMM control plane as an exposure boundary. Collect administrative audit logs, credential/token use, package or deployment history, target host inventories, and downstream access records; distinguish legitimate tool use from unauthorized deployment. [1]

Payload Behavior, Credentials, and Data

The source-backed impact is limited to the facts stated above. The machine-readable profile does not add unsupported malware infrastructure or hashes. [1]

Defense Evasion, Exfiltration, and Command and Control

Use only the source-backed selectors in iocs.json. Where those arrays are empty, hunt from deployment, identity, browser, and host telemetry instead of treating vendor or reporting domains as attacker infrastructure.

Affected Assets and Blast Radius

Prioritize systems that consumed Klue integration service, their administrative identities, and connected downstream data or funds. Scope should be evidence-driven rather than assuming every customer was compromised.

Indicators of Compromise

See iocs.json. Confirmed selectors include: Klue, Salesforce, OAuth, integration service, June 12, 2026. Empty IOC categories are intentionally omitted from this prose.

Detection and Hunting

Run scripts/hunt_klue-integration-oauth-compromise.py opens in a new tab against exported CSV, JSON, JSONL, text, log, YAML, XML, JavaScript, or HAR evidence. It answers whether source-backed incident selectors occur in the collected scope. A match is a triage lead, not proof by itself; expected false positives include documentation and legitimate product references. Escalate by preserving the matched evidence, correlating deployment and identity timestamps, and reviewing downstream activity.

Downstream Abuse Audits

Review the identities at risk—OAuth tokens for connected third-party platforms—for access after the earliest suspected exposure. Revoke active sessions/tokens first when continued misuse is plausible, then compare administrative, application, and transaction records to an approved baseline.

Remediation and Recovery Gates

  1. Preserve suspect artifacts, deployment metadata, logs, and UTC timestamps.
  2. Stop the affected integration, update, RMM, or browser delivery path.
  3. Isolate confirmed systems and disable compromised administrative identities.
  4. Revoke and rotate OAuth tokens for connected third-party platforms.
  5. Remove malicious artifacts and persistence identified by evidence.
  6. Rebuild from independently verified artifacts when execution occurred.
  7. Audit downstream access and transactions for the full evidence-backed window.
  8. Restore only after clean deployment and cache/update validation.
  9. Close only when inventory is complete, tokens/sessions are invalidated, no persistence remains, and monitoring shows no follow-on activity.

Open Questions

  • What exact deployment, build, package, or vendor identity was altered?
  • What are the first and last confirmed exposure timestamps?
  • Which customers or systems have positive execution or downstream-abuse evidence?

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
Jun 18, 2026First seenFirst seen recorded for Klue integration OAuth token compromise.klue.com
Jun 18, 2026DisclosureDisclosure recorded for Klue integration OAuth token compromise.klue.com
Jun 18, 2026DiscoveryDiscovery recorded for Klue integration OAuth token compromise.klue.com
Jun 18, 2026Klue integration OAuth token compromiseUnknownklue.com

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

IOC Clipboard

5 IOCs
commandOAuth
commandJune 12, 2026
commandintegration service
commandSalesforce
commandKlue

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
Klue integration OAuth token compromise exported-evidence scopePythonDo collected exports contain source-backed incident selectors?scripts/hunt_klue-integration-oauth-compromise.py opens in a new tabklue.com

Hunt Manifest: Klue integration OAuth token compromise exported-evidence scope

Title
Klue integration OAuth token compromise exported-evidence scope
Question
Do collected exports contain source-backed incident selectors?
Telemetry Family
Python
Repository
scripts/hunt_klue-integration-oauth-compromise.py
Show tested hunting scriptscripts/hunt_klue-integration-oauth-compromise.py
scripts/hunt_klue-integration-oauth-compromise.py opens in a new tabPython
#!/usr/bin/env python3
"""Offline incident-specific selector hunt for klue-integration-oauth-compromise."""
import json, os, sys
from pathlib import Path
SELECTORS=['Klue', 'Salesforce', 'OAuth', 'integration service', 'June 12, 2026']
TEXT_SUFFIXES={'.csv','.json','.jsonl','.txt','.log','.yaml','.yml','.xml','.js','.map','.har','.php','.ini','.conf'}
def scan(root):
 matches=[]
 paths=[root] if root.is_file() else root.rglob('*')
 for p in paths:
  if p.is_file() and (not p.suffix or p.suffix.lower() in TEXT_SUFFIXES):
   try:
    text=p.read_text(errors='ignore').lower()
   except OSError:
    continue
   hits=sorted(s for s in SELECTORS if s.lower() in text)
   if hits: matches.append({'path':str(p),'hits':hits})
 return matches
def main():
 root=Path(sys.argv[1] if len(sys.argv)>1 else '.'); matches=scan(root); report={'incident':'klue-integration-oauth-compromise','match_count':len(matches),'matches':matches}
 out=Path(os.environ.get('OUT','hp-klue-integration-oauth-compromise-hunt')); out.mkdir(parents=True,exist_ok=True); target=out/'report.json'; target.write_text(json.dumps(report,indent=2)); print(json.dumps({'match_count':len(matches),'report':str(target)})); return 2 if matches else 0
if __name__=='__main__': raise SystemExit(main())

Provenance & Sources

1 of 1 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
klue.comSecurity Researcher95%1Defender-focused assessment of Klue integration service.