ShinyHunters Abuses Salesforce OAuth to Hit Hundreds
Attackers, whose tactics align with the data extortion group ShinyHunters, conducted a year-long campaign targeting corporate Salesforce environments. This operation, from mid-2025 to mid-2026, bypassed traditional platform vulnerabilities by using trusted relationships and misconfigurations within organizations' Salesforce ecosystems. Microsoft security researchers mapped three intrusion paths observed across tenants in retail, education, and manufacturing.
The campaign succeeded because access came from seemingly legitimate sources-approved connected applications, trusted third-party integrations, or misconfigured guest access. This approach allowed the malicious activity to blend into normal operational traffic, making detection difficult for standard sign-in and authentication monitoring systems. Organizations like Google, Chanel, Pandora, Cloudflare, Zscaler, Palo Alto Networks, Proofpoint, PagerDuty, Tanium, Huntress, and Recorded Future have been implicated as victims or targets.
The attack vectors demonstrate an understanding of SaaS security gaps and the trust relationships in modern cloud environments. By using social engineering through vishing, supply chain compromises of third-party vendors, and overlooked guest permissions, ShinyHunters affiliates gained persistent access and exfiltrated sensitive data from potentially hundreds, if not thousands, of organizations. Microsoft collaborated with Salesforce to deploy enhanced detection and governance tools to address these threats.
How ShinyHunters Compromised Salesforce Environments
The ShinyHunters campaign against Salesforce environments used three primary methods: social engineering through vishing, exploitation of compromised third-party vendor tokens, and abuse of misconfigured guest access. Each path leveraged existing trust or overlooked configurations within target organizations. The activity has been tracked under various identifiers, including UNC6040, UNC6240, UNC6395, GRUB1, Storm-3138, and Icarus.
The three intrusion paths observed are:
- Vishing Calls for Malicious App Consent: Starting in mid-2025, threat actors used voice phishing (vishing) by impersonating IT support personnel. They guided employees through the Salesforce OAuth consent screen, coercing them into authorizing attacker-controlled connected applications. These malicious apps were often disguised as legitimate tools, such as Salesforce Data Loader. Once authorized, they could make API calls on behalf of the user, granting attackers persistent access to enumerate data, access CRM records, and search for credentials to other SaaS platforms. Google reported one of its corporate Salesforce instances was affected in June 2025, leading to the exfiltration of largely public business contact data.
- Stolen OAuth Tokens from Trusted Vendors: This method involved compromising third-party vendors whose applications already held OAuth access to their customers' Salesforce organizations. Attackers stole connection secrets or tokens and used them to query and export data from numerous downstream instances simultaneously. Traffic from these approved integrations appeared normal, bypassing typical sign-in alerts. Notable incidents include the August 2025 Salesloft Drift compromise, where OAuth and refresh tokens tied to the Drift AI chat integration were stolen, potentially exposing over 700 organizations. Similarly, the November 2025 Gainsight incident saw Salesforce disable Gainsight-published apps due to unusual API activity, affecting over 200 Salesforce instances. Most recently, the June 2026 Klue compromise involved attackers exploiting a legacy credential to push a code update that harvested customer OAuth tokens, impacting Salesforce and Gong data belonging to Klue customers, including Huntress and Recorded Future.
- Misconfigured Guest Access to Salesforce Sites: This path exploited overly permissive guest-user permissions on Salesforce Aura endpoints, which are central to Experience Cloud sites. Where guest-user permissions were misconfigured, attackers could access Aura functionality without authentication. Using tooling like AuraInspector, they used cursor-based pagination to extract records beyond the standard 2,000-record query limit, exceeding the intended exposure of the guest role. This method involved abusing an incorrectly provisioned default, not a specific vulnerability exploit.
To counter these threats, Microsoft and Salesforce implemented new detection and governance features. Defender for Cloud Apps now offers enhanced telemetry for Salesforce instances. For customers using Salesforce Shield Event Monitoring, the updated Salesforce connector onboards the Real-Time Event Monitoring framework. These improvements provide near-real-time detection, attributing activity to specific app identities, granted OAuth scopes, and offering more granular session and API context. Posture and governance features for connected OAuth apps now visualize highly privileged applications, identify inactive apps retaining live permissions, and assign a risk score (0 to 100) per application for improved alert and policy management.
How Attackers Compromised the AsyncAPI npm Supply Chain
On July 14, 2026, threat actors executed a supply chain attack against the AsyncAPI project, compromising its npm packages through a misconfigured GitHub Actions workflow. The attack published four malicious npm packages, across five versions, under the @asyncapi namespace. These packages accumulate over 140,000 daily downloads, posing a significant risk to downstream users.
The initial breach stemmed from a "pwn request" vulnerability in a GitHub Actions workflow within the asyncapi/generator repository. This workflow, configured with pull_request_target, was designed to trigger on pull requests but erroneously checked out the pull request's code instead of the base branch. This allowed an attacker to submit PR #2155 containing obfuscated JavaScript. The pull_request_target configuration provided the attacker-controlled code full access to secrets in the context of the base repository.
The malicious payload, hidden by whitespace, scanned the GitHub Actions runner's environment for secrets and exfiltrated them to a dead-drop URL on rentry.co. This vulnerability had been identified months earlier, with a proof-of-concept PR opened on April 29 and a proposed fix submitted on May 17, 2026, which remained unmerged for 58 days prior to the attack. Following successful credential exfiltration at 05:16 UTC, the attackers used a stolen Personal Access Token (PAT) belonging to asyncapi-bot to push a malicious commit directly to the next branch of asyncapi/generator at 06:58 UTC. This triggered the release workflow, publishing the initial three compromised packages to npm at 07:10 UTC. Subsequently, the attackers targeted the asyncapi/spec-json-schemas repository, publishing two additional malicious versions of @asyncapi/specs.
All five compromised versions contain the same multi-stage payload, injected into legitimate source files and padded with whitespace to obscure its presence. The payload's characteristics share similarities with the Miasma malware framework, particularly its javascript-obfuscator configuration with a custom base64 alphabet. The Stage 3 runtime self-identifies as "M-RED-TEAM v6.4", featuring a command framework with Trojan capabilities such as Dirlist, GetFile, and PutFile, and establishing persistence via systemd user services on Linux. This malware supports communication with command and control infrastructure over multiple channels, including HTTP, Nostr relays, Ethereum smart contracts, and a libp2p mesh network. The payload is designed for credential theft, targeting browser saved passwords and cookies (Chrome, Brave, Firefox, Edge), SSH keys, npm and GitHub tokens, AWS credentials, macOS Keychain, and cryptocurrency wallets. The malware also accepts remote commands for file operations, directory listing, and data exfiltration, showing a fully functional remote access Trojan. The identified indicators of compromise include specific SHA1 hashes for malicious files, C2 server IPs (85.137.53.71), Ethereum fallback C2 contracts (0x12c37A86a0Ed0beBe5d1d6a43E42f07860eAc710), and IPFS payload delivery addresses.
Organizations should immediately investigate developer workstations, CI/CD environments, and repositories for these packages and assume potential exposure of various credentials, rotating them as a precautionary measure.
| Package | Version | Malicious File | SHA1 Hash (if applicable) |
|---|---|---|---|
| @asyncapi/generator | 3.3.1 | validator.js | 22bf76fe317ea6769bd38619bd440e42d119bd6b |
| @asyncapi/generator-helpers | 1.1.1 | utils.js | a7e18d96efd3cdb127ef4cdcad9e3ad26c482bf2 |
| @asyncapi/generator-components | 0.7.1 | ErrorHandling.js | 9890950adcbc2478e7a080234f053214adbad44e |
| @asyncapi/specs | 6.11.2 | index.js | c70e105e212ff3c1daa04bb2a62507717f296b0b |
| @asyncapi/specs | 6.11.2-alpha.1 | index.js | c70e105e212ff3c1daa04bb2a62507717f296b0b (same as 6.11.2, likely injected into same file) |
| Stage 2 Payload | N/A | sync.js | c8cb3f6d5b90c46686d2bf531dc1a5786e27edc5 |
Scope of the Insider Ransomware Negotiation Betrayal
A federal court sentenced Angelo Martino, a 41-year-old former ransomware negotiator at DigitalMint, to 70 months in prison for his role in a conspiracy to extort millions from victims by colluding with the BlackCat/ALPHV ransomware gang. This insider threat spanned seven months in 2023, during which Martino systematically betrayed five DigitalMint clients. He facilitated the payment of over $75 million in ransoms by providing confidential information directly to the attackers.
From April to September 2023, Martino used an intermediary chat channel, hidden from his employer, to relay sensitive client data to BlackCat/ALPHV negotiators. This information included clients' cyber-insurance policy limits and internal discussions regarding ransom negotiations, effectively telling the attackers how much they could demand. In one instance, Martino secretly informed the ransomware gang that a client was willing to pay an additional $2 million, beyond the amount he communicated to DigitalMint, which the client ultimately paid due to his actions.
The betrayal escalated in May 2023 when Martino joined BlackCat as an affiliate, sharing this access with fellow DigitalMint negotiator Kevin Martin and Sygnia incident response manager Ryan Goldberg. The trio, who had been conspiring since the previous year, then directly deployed BlackCat ransomware against additional victims. Their direct attacks included extorting $1.2 million from a medical device company. In April 2026, Martin and Goldberg each received four-year prison sentences for their involvement. Authorities also seized approximately $10 million in assets from Martino, including cryptocurrency, vehicles, a food truck, and a luxury fishing boat. This breach of trust and criminal conspiracy occurred while both DigitalMint and Sygnia claimed ignorance of their employees' actions, firing them only after the Department of Justice revealed the crimes.
How the MemGhost Attack Implants False Memories in AI Agents
New research details an attack called MemGhost, which uses stealth memory injection via a single email to plant persistent false memories in AI agents, influencing their future actions and responses. This method does not require compromising user credentials or exploiting software vulnerabilities. Instead, it uses the AI agent's ability to process and store information from its inbox directly into its long-term memory. The researchers published their findings in a paper titled "When Claws Remember but Do Not Tell" on arXiv on July 6, 2026.
The MemGhost attack primarily targets personal AI assistants that maintain persistent memory, such as OpenClaw and Claude Code SDK agents. These agents store user preferences, contacts, and past interactions in plain text files (e.g., AGENTS.md, MEMORY.md) or vector-based memory stores, which are loaded at the start of each session. The attacker sends a seemingly ordinary email to a user whose AI agent is configured to check their inbox. Buried within this email is specially crafted text designed to instruct the agent to write a false "fact" into its persistent memory. For example, a planted lie in one test case falsely stated that a user's Zelle daily sending limit had been raised to $10,000.
The attack operates stealthily due to several AI agent design characteristics: they are built to hide behind-the-scenes tool activity, few users routinely inspect raw memory files, and background operations often provide no visible alerts. The MemGhost tool, an attacker model trained offline, automatically generates these emails to ensure the false memory is saved and the agent's reply remains quiet. In 56 fresh test cases, MemGhost achieved a full attack (planting a false memory, hiding it, and influencing later sessions) in 87.5% of background-mode runs against OpenClaw on GPT-5.4, and 71.4% against a Claude Code SDK agent on Sonnet 4.6. This effectiveness surpassed crude attempts, which were often caught or ignored. Even with specialized input filters and hardened models in place, MemGhost's messages bypassed filters over 90% of the time, and the planted instructions were followed about half the time. The attack remained hidden from explicit user queries approximately a quarter of the time on one model. This form of AI agent compromise through email is similar to the ShadowLeak attack which exploited a ChatGPT agent via Gmail, as previously discussed in PurpleOps research on AI agent email exploitation.
This research builds on earlier demonstrations of memory injection. In 2024, Johann Rehberger demonstrated SpAIware against ChatGPT, manually planting instructions in its long-term memory to leak user data across future chats. In 2025, Aim Security disclosed EchoLeak (CVE-2025-32711), a zero-click vulnerability that used a hidden-text email to make Microsoft 365 Copilot expose internal company data. While OpenAI patched the data-leak path for SpAIware and Microsoft patched EchoLeak, MemGhost introduces persistence and automation. The vulnerability also highlights risks associated with AI flaws, such as the AI impersonation flaw in ServiceNow which enabled unauthenticated impersonation, as noted in another PurpleOps analysis of AI vulnerabilities. The main problem identified is the lack of visible approval when untrusted external messages become durable, trusted context within an AI agent. Proposed solutions include provenance tagging for information, user confirmation before writing to durable memory, and full write logging. Until such internal controls are implemented, minimizing the interaction between untrusted mail and an agent's memory-write capabilities, or strictly auditing memory files after suspicious inputs, are important countermeasures.
Technical Takeaways
- The ShinyHunters campaign against Salesforce used vishing for OAuth consent, stolen OAuth tokens from compromised third-party vendors, and abuse of misconfigured guest access over a year (mid-2025 to mid-2026), affecting hundreds to thousands of organizations.
- The AsyncAPI npm supply chain was compromised via a GitHub Actions "pwn request" vulnerability. A misconfigured
pull_request_targetworkflow allowed exfiltration of a Personal Access Token, leading to the publication of five malicious npm package versions with a multi-stage M-RED-TEAM v6.4 payload. - An insider threat operation involving Angelo Martino, Kevin Martin, and Ryan Goldberg colluded with the BlackCat/ALPHV ransomware gang, facilitating over $75 million in ransom payments from five DigitalMint clients through shared confidential negotiation details. Martino received a 70-month prison sentence.
- The MemGhost attack, demonstrated in a lab setting, can inject persistent false memories into AI agents like OpenClaw and Claude Code SDK via a single email, achieving high success rates (87.5% and 71.4% respectively in background mode) by using the agent's memory processing without user notification.
- The ShinyHunters Salesforce campaign and the AsyncAPI supply chain compromise show the importance of scrutinizing third-party integrations, OAuth application permissions, and CI/CD pipeline configurations. These trusted components are increasingly becoming attack vectors.