The compromise of the Klue Battlecards application, a third-party Salesforce integration, continues to affect organizations connected to the platform.
VenariX is actively investigating the campaign and publishing newly identified impacted organizations as they are confirmed.
What Happened?
In June 2026, Klue disclosed a security incident involving its Battlecards Salesforce application. According to Klue, attackers gained access to its integration infrastructure through a compromised GitHub Personal Access Token and deployed malicious code designed to harvest customer OAuth tokens.
The stolen tokens were subsequently used to access Salesforce environments connected to the Klue Battlecards integration.
As part of its response, Salesforce disabled the Klue Battlecards integration and stated that the issue was limited to the third-party application and was not the result of a vulnerability within the Salesforce platform.
Threat Actor Attribution
The activity has been claimed by the threat actor Icarus, who publicly disclosed the incident on its data leak site on June 19, 2026.

Campaign Scope
A total of 195 organizations were reportedly impacted by this incident. However, VenariX has been able to identify 35 organizations with confirmed impact:
8×8, Inc.
ABBYY
AlertMedia, Inc.
AudienceView
BeyondTrust Corp
Blackbaud, Inc.
Camunda, Inc.
Confluent, Inc.
ControlUp Technologies Ltd.
Cresta Intelligence, Inc.
Deel, Inc.
eSentire, Inc.
Greenhouse Software, Inc.
HackerOne
Huntress
Insurity, LLC
Jamf Software, LLC
LastPass
Link11 GmbH
LogicMonitor, Inc.
LucaNet AG
NetDocuments Software, Inc.
OneTrust
Pendo.io, Inc.
Postman, Inc.
Qualtrics, LLC
Recorded Future
Saviynt, Inc.
SentinelOne, Inc.
Snyk Ltd.
Spashtop, Inc.
Sprout Social, Inc.
Tanium, Inc.
Thinkproject
Tines
Track the Campaign in VenariX
VenariX is tracking all related activity under the Klue Battlecards campaign in the VenariX platform. VenariX users can filter incidents by campaign and configure email alerts to stay informed as new impacted organizations are identified.

What Impacted Organizations Should Watch For
Organizations identified in the campaign should remain alert for phishing and spear-phishing attacks.
Based on confirmed reports, data accessed from affected Salesforce environments may include business contact information, including names, job titles, business email addresses, prospects, and customer relationship data.
Organizations that conduct business with affected entities should also remain vigilant. Threat actors can use this information to craft highly targeted phishing messages that reference legitimate business relationships, ongoing sales opportunities, suppliers, customers, and existing communications. Because the information originates from trusted business systems, these messages may appear more credible than traditional phishing attempts and may be difficult for recipients to distinguish from legitimate correspondence.