Salesloft Drift supply chain attack originated from compromised GitHub account

Identity, Application security, Supply chain

Salesloft revealed that a supply chain attack involving its Drift-Salesforce integration began with the compromise of the Salesloft GitHub account.

Attackers tracked as UNC6395 leveraged OAuth tokens for the Salesloft Drift AI chat agent to access Salesforce instances of organizations that used the integration between Aug. 8 and Aug. 18, 2025.

Google estimated that more than 700 organizations could potentially have been affected by the attack, with Cloudflare, Palo Alto Networks, Zscaler, SpyCloud, Tanium, PagerDuty and Proofpoint being among the confirmed victims.

In an update Saturday, Salesloft said its GitHub account was accessed by the attacker in March through June 2025, allowing them to “download content from multiple repositories, add a guest user and establish workflows.”

The Salesloft and Drift application environments were also accessed within the same time period, although only limited reconnaissance was conducted, according to the update.

The attacker subsequently gained access to the AWS environment for Drift, where they managed to steal the OAuth tokens used in the attack.

The investigation, which was conducted by Google’s Mandiant, led Salesloft to temporarily take the Drift application offline, isolate Drift infrastructure and rotate all impacted credentials. Credentials for the Salesloft environment were also rotated and proactive threat hunting was conducted in the environment to confirm there were no further signs of intrusion.

“Mandiant has verified the technical segmentation between Salesloft and Drift applications and infrastructure environments. Based on the Mandiant investigation, the findings support the incident has been contained,” Salesloft said.

Integration between Salesforce and Salesloft was restored Sunday afternoon, according to a subsequent update.
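For a customer of an integration like this, the practical question is which OAuth tokens touched their SaaS tenant during the stated window, so those tokens can be revoked and the activity reviewed. The script below is an added illustration of that triage step; it is not code from Salesloft, Drift, Google/Mandiant or SC Media. The audit records, the `connected_app` / `token_id` field names and the RFC 5737 test IP addresses are all constructed for the example; a real Salesforce event export uses its own schema and would be mapped onto the `ApiAccess` record first.

```python
"""Triage of connected-app API access during a token-theft window.

Added example (not vendor code). Field names and sample records are
constructed; adapt the loader to the real audit export you have.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Window in which the stolen Drift OAuth tokens were reported as used.
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 18, 23, 59, 59, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ApiAccess:
    """One API call made to the tenant by an OAuth-authorised app (hypothetical shape)."""
    ts: datetime
    connected_app: str  # which integration presented the token
    token_id: str       # hypothetical identifier for the specific token used
    source_ip: str
    operation: str      # what the call did, e.g. a query or a bulk export


def _utc(y, mo, d, h, mi):
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Constructed sample: three in-window Drift calls on two tokens, one Drift call
# before the window, and one call from an unrelated connected app.
SAMPLE_EVENTS = [
    ApiAccess(_utc(2025, 8, 9, 10, 0), "Drift", "tok-A", "198.51.100.7", "query: Case"),
    ApiAccess(_utc(2025, 8, 12, 3, 15), "Drift", "tok-A", "203.0.113.9", "bulk export: Account"),
    ApiAccess(_utc(2025, 8, 14, 22, 40), "Drift", "tok-B", "203.0.113.9", "query: User"),
    ApiAccess(_utc(2025, 8, 2, 9, 0), "Drift", "tok-A", "198.51.100.7", "query: Lead"),
    ApiAccess(_utc(2025, 8, 10, 12, 0), "OtherIntegration", "tok-Z", "192.0.2.44", "query: Contact"),
]


def suspicious_accesses(events, app_name="Drift", start=WINDOW_START, end=WINDOW_END):
    """Calls made by the named connected app inside the incident window."""
    return [e for e in events if e.connected_app == app_name and start <= e.ts <= end]


def tokens_to_revoke(events, app_name="Drift", start=WINDOW_START, end=WINDOW_END):
    """Every token the app used in the window. Rotating passwords does not
    invalidate a stolen bearer token; each of these must be revoked explicitly."""
    return sorted({e.token_id for e in suspicious_accesses(events, app_name, start, end)})


def summarize_by_token(events, app_name="Drift", start=WINDOW_START, end=WINDOW_END):
    """Per-token activity summary for the incident report: call count,
    first/last seen and the set of source IPs (a new IP on an old token is
    a useful indicator that the token left the vendor's infrastructure)."""
    summary = {}
    for e in suspicious_accesses(events, app_name, start, end):
        s = summary.setdefault(e.token_id, {"count": 0, "first": e.ts, "last": e.ts, "ips": set()})
        s["count"] += 1
        s["first"] = min(s["first"], e.ts)
        s["last"] = max(s["last"], e.ts)
        s["ips"].add(e.source_ip)
    return summary


if __name__ == "__main__":
    for tok, s in summarize_by_token(SAMPLE_EVENTS).items():
        print(f"{tok}: {s['count']} calls, {s['first']:%Y-%m-%d} to {s['last']:%Y-%m-%d}, IPs {sorted(s['ips'])}")
    print("revoke:", tokens_to_revoke(SAMPLE_EVENTS))
```

The window filter is deliberately a parameter: once the vendor publishes revised dates, or once you find the earliest in-window call, widen the range and rerun rather than trusting the initial bounds.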

