In March 2025, an unidentified actor logged into Salesloft’s GitHub account. They didn’t deploy malware. They didn’t exploit a vulnerability. They downloaded source code, added a guest user, and configured workflows. Five months later, that quiet reconnaissance ended with stolen OAuth tokens being used to siphon data from more than 700 Salesforce tenants — Cloudflare, Google, Palo Alto Networks, Zscaler, Proofpoint, Tanium, PagerDuty, CyberArk — over a ten-day window in August. Mandiant attributed the campaign to a threat cluster it tracks as UNC6395; Cloudforce One labels the same activity GRUB1.
The Salesloft–Drift incident is now the canonical example of what supply chain compromise looks like in 2026: not a poisoned binary download, but a developer credential that quietly unlocks a build environment, then a deployment pipeline, then every customer the vendor sells to. SolarWinds taught defenders to inspect software updates. The current generation of campaigns has moved upstream — into the GitHub repos, CI runners, OAuth grants, and OIDC trust relationships that produce those updates in the first place. This article walks through how that shift happened, what the attack chain actually looks like end-to-end, the named campaigns reshaping the defender playbook, and where the realistic mitigations sit.
Why the Build Pipeline Became the High-Value Target
Modern SaaS is assembled, not authored. A typical product ships dozens of npm or PyPI dependencies, a handful of GitHub Actions, half a dozen OAuth integrations, and a deployment surface that fans out across AWS, GCP, Snowflake, and Salesforce. Each link in that chain is a credential boundary, and each credential boundary is implicitly trusted at runtime. Compromise any one of them and the attacker inherits the trust the rest of the chain extends.
The economics are stark. Group-IB’s High-Tech Crime Trends Report 2026 recorded 297 supply chain attacks claimed by threat groups in 2025 — a 93% year-over-year increase. ReversingLabs measured open-source malware detections up 73% in the same period. The third-party share of all breaches roughly doubled, from 15% to 30%. Average dwell time for a supply chain breach now sits at 267 days, with mean cost per incident at $4.91 million.
Build pipelines reward attackers for one specific reason: the blast radius is multiplicative. A single compromised maintainer credential, npm token, or GitHub Actions secret cascades into every downstream tenant that consumes the artifact. Obsidian’s incident researchers measured the Salesloft–Drift blast radius at roughly 10× the impact of comparable direct-attack campaigns against Salesforce.
How the New Playbook Actually Runs
The campaigns of the last twelve months are not architecturally identical, but they cluster around a common five-phase pattern. The phases blur — reconnaissance and credential harvesting often overlap, and persistence is sometimes established before any exfiltration — but the shape is consistent enough to plan defenses against.
Phase 1: Initial Access via Developer Identity
The entry point is almost never the production application. It is a developer’s GitHub account, an npm maintainer’s email, a CI/CD service token, or an OAuth application integrated into the dev environment. UNC6395’s confirmed entry into Salesloft was a GitHub account compromise in March 2025; the access vector to that account itself remains unconfirmed publicly. The September 2025 hijack of debug and chalk on npm — packages with combined downloads above 2.6 billion per week — was driven by a phishing campaign using the lookalike domain npmjs.help to harvest 2FA reset codes from maintainers. The April 2026 Vercel breach traced back to a Lumma Stealer infection on a Context.ai employee’s workstation, which exposed a Google Workspace OAuth grant Vercel had authorized.
Common to all of these: the credential that opened the door belonged to a human developer or a machine identity that the developer owned, not a privileged ops account. Identity-based access has become the new perimeter, and developers carry disproportionate blast radius on their laptops.
Phase 2: Reconnaissance Inside the Build Environment
Once inside, attackers tend to wait. UNC6395 spent roughly four months — March through June 2025 — inside Salesloft’s GitHub tenant before pivoting to Drift’s AWS environment. They downloaded repository contents, added a guest user, and configured Actions workflows. This is the quiet phase that traditional perimeter monitoring is structurally bad at detecting: a legitimate developer credential reading legitimate repository data is exactly what a build pipeline does all day.
What the attackers learn here determines the rest of the attack: where the production secrets live, which OAuth applications hold customer-scoped tokens, what the deployment topology looks like, and which artifacts have the largest distribution surface.
Phase 3: Pipeline Pivot and Artifact Tampering
The pivot from reconnaissance to active compromise typically takes one of three forms:
The first is artifact poisoning. The TeamPCP campaign of late February through March 2026 demonstrated this at scale. After compromising the CI/CD publishing credentials of Aqua Security’s vulnerability scanner Trivy, the actors used those credentials to publish malicious versions 1.82.7 and 1.82.8 of the LiteLLM Python package — a widely-used LLM proxy with roughly 3.4 million daily PyPI downloads. The packages sat live for between 40 minutes and three hours before removal; in a continuously running CI ecosystem, that window was sufficient. The associated CVE is CVE-2026-33634. On March 21, 2026, the same group used stolen GitHub Personal Access Tokens to force-push malicious commits across all 35 version tags of the checkmarx/kics-github-action repository — corrupting a tool whose entire purpose is to scan CI pipelines for malicious changes.
The second is OAuth token theft from the build environment. This is the Salesloft model: the attacker reaches the AWS environment hosting Drift’s customer integrations and exfiltrates the OAuth access and refresh tokens stored there. The attacker now holds keys to every customer tenant the vendor was authorized into, with no further compromise required. Mapped to MITRE ATT&CK, this is T1199 (Trusted Relationship) for initial access and T1528 (Steal Application Access Token) for credential access.
The third is propagation worms. The Shai-Hulud campaign, first identified in August 2025 and named after the sandworms of Dune, automated the entire chain. Compromised packages harvested npm tokens, GitHub tokens, and browser cookies on developer machines, then used those credentials to publish trojanized versions of any package the maintainer had access to. Wave one compromised more than 180 packages, starting with @ctrl/tinycolor (over 2 million weekly downloads). Wave two — Shai-Hulud 2.0 in November 2025 — reached close to 800 packages and approximately 25,000 GitHub repositories, including projects connected to Zapier, ENS Domains, PostHog, and Postman. Later variants triggered during the npm preinstall phase, widening exposure to any CI pipeline that ran npm install.
Phase 4: Credential Harvesting and Lateral Movement
Once the attacker is operating through legitimate-looking pipelines and tokens, the goal is almost always credentials. UNC6395 ran systematic Salesforce Object Query Language (SOQL) queries against Salesforce Cases, Accounts, Users, and Opportunities objects, then ran the exfiltrated records through credential-discovery tooling. Google Threat Intelligence Group’s advisory specifically noted the actor searching extracted text for AKIA (AWS access key prefix), password, secret, and Snowflake-related token patterns — work consistent with running TruffleHog or equivalent regex-based scanners over the stolen data dumps. This maps to MITRE T1552 (Unsecured Credentials).
The LiteLLM payload was tuned for the same outcome at deeper depth: a three-stage backdoor harvesting AWS, GCP, and Azure tokens, SSH keys, and Kubernetes credentials, with a Kubernetes DaemonSet for persistence. The campaign also integrated a destructive component observed on March 23, 2026 — privileged DaemonSets designed to brick clusters or recursively delete files on non-containerized hosts. Smash-and-grab now sometimes includes the smash.
Phase 5: Cascade
This is the phase that defines the new playbook. A single vendor compromise produces hundreds of downstream breaches because the trust relationship is engineered to allow exactly that. Salesloft–Drift cascaded into 700+ tenants. The August 2025 s1ngularity compromise of Nx — a popular JavaScript build system — used locally installed AI assistants (Claude Code, Gemini CLI, Amazon Q) to enumerate secrets on infected developer machines and then dumped findings to public GitHub repositories named s1ngularity-repository under the victims’ own accounts. The September 2025 axios compromise (versions 1.14.1 and 0.30.4, with weekly downloads in the 70–100 million range) injected a malicious [email protected] dependency carrying a cross-platform RAT; downstream exposure was significant enough that OpenAI revoked its macOS signing certificate on March 31, 2026 as a precaution.
Why “APT Playbook” Is the Right Frame
Calling this an APT playbook is deliberate, but worth qualifying. Attribution remains messy. UNC6395 is currently assessed by AppOmni as a likely Chinese threat cluster, while other analysts, including Illumio, describe the operators as financially motivated. The September 2025 axios compromise has been linked to actors aligned with the DPRK’s Lazarus cluster, which has been weaponizing npm as a revenue channel. The Vercel breach traces to commodity Lumma Stealer, not a state actor at all.
What is consistent across all of these — regardless of whether the operator is a nation-state, a criminal collective, or an opportunist — is the technique set. Long dwell time inside developer infrastructure. Patient credential harvesting from build environments rather than production. Living off the land via legitimate CI tools, OAuth grants, and package managers. Operational discipline around log deletion (UNC6395 deleted query jobs but, fortunately for investigators, not the underlying audit logs). This is APT-style tradecraft applied to an attack surface that didn’t meaningfully exist a decade ago. The playbook is the artifact, not the actor.
The FBI’s September 14, 2025 Flash Report and CISA advisory CSA-2025-250912 formalized the threat by naming UNC6395 alongside UNC6040 — a separate cluster running social-engineering attacks against Salesforce environments. The pairing is significant: federal advisories now treat “compromise the SaaS supply chain” as a category, not a single incident.
Defensive Surface Worth Defending
The mitigations that work map directly onto the phases above. They are unglamorous and largely available, but they are inconsistently deployed.
Phishing-resistant MFA on developer accounts. CISA’s September 2025 advisory specifically calls this out. The npmjs.help campaign that compromised debug and chalk would have failed against hardware tokens. Maintainer accounts of widely-used packages should be treated as privileged identities and enrolled accordingly.
OIDC-based authentication for CI/CD pipelines. Long-lived publishing credentials are the fuel for artifact poisoning. Replacing them with short-lived OIDC tokens issued per workflow run eliminates the credential that TeamPCP-style compromises depend on. Vercel’s post-incident guidance explicitly recommends this for deployment pipelines.
SLSA framework adoption and signed provenance. SLSA — Supply-chain Levels for Software Artifacts — provides graduated requirements for build integrity. SLSA Level 3 requires non-falsifiable provenance metadata, which would have made the LiteLLM and KICS force-push attacks visible at the consumer side.
SBOM coverage in machine-readable formats. CISA’s February 2025 minimum-elements update mandates SPDX or CycloneDX with hash and license fields. SBOMs do not prevent compromise; they answer the question “which of our services consumed a malicious version in the last 30 days” in minutes rather than weeks.
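The “which of our services consumed a malicious version” question, answered over stored CycloneDX documents. This is an added example, not code from the article or from any SBOM tool; the SBOMs, service names and advisory table are constructed, and only the package versions (LiteLLM 1.82.7/1.82.8, axios 1.14.1/0.30.4) come from the text.

```python
"""Answer "which services consumed a malicious version?" from stored SBOMs.

Added example, not from the article or any SBOM tool. SBOMs and the advisory
table are constructed; the versions come from the article (CVE-2026-33634).
"""
import json
from urllib.parse import unquote

# Constructed advisory: (purl type, package name) -> known-malicious versions.
MALICIOUS_VERSIONS = {
    ("pypi", "litellm"): {"1.82.7", "1.82.8"},
    ("npm", "axios"): {"1.14.1", "0.30.4"},
}

# Constructed CycloneDX documents, one per service, as CI would archive them.
SBOMS = {
    "billing-api": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "purl": "pkg:pypi/litellm@1.82.8"},
            {"type": "library", "purl": "pkg:pypi/requests@2.32.3"}]}),
    "web-frontend": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "purl": "pkg:npm/axios@1.13.0"},
            {"type": "library", "purl": "pkg:npm/%40ctrl/tinycolor@4.1.1"}]}),
}


def parse_purl(purl):
    """Split a package URL into (type, name, version); scoped npm names keep the scope."""
    body = purl.split("pkg:", 1)[1].split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    name, sep, version = rest.rpartition("@")
    if not sep:                      # purl without a version component
        name, version = rest, ""
    return ptype, unquote(name).lower(), version


def exposed_services(sboms, advisory):
    """Map service -> [(name, version)] for every advisory version it consumed."""
    hits = {}
    for service, doc in sboms.items():
        for comp in json.loads(doc).get("components", []):
            purl = comp.get("purl")
            if not purl:
                continue
            ptype, name, version = parse_purl(purl)
            if version in advisory.get((ptype, name), set()):
                hits.setdefault(service, []).append((name, version))
    return hits
```

Keyed on the purl rather than the free-text name field, the match survives scoped npm names and ecosystem collisions (an npm and a PyPI package with the same name are different keys).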
OAuth grant inventory. Most organizations cannot enumerate the third-party OAuth applications connected to their Google Workspace, Salesforce, and Microsoft 365 tenants. Treating each grant as a vendor relationship — with a permission review, a rotation cadence, and a removal process for unused integrations — closes the door UNC6395 walked through.
Behavioral detection on SaaS API surfaces. UNC6395 used custom User-Agent strings (sf-export/1.0.0, Salesforce-Multi-Org-Fetcher/1.0) and bulk SOQL queries from DigitalOcean and Tor exit IPs (notably 208.68.36.90). Salesforce, Google Workspace, and similar platforms expose the audit logs needed to detect this; the gap is rarely the data but the analytics layered on top.
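What that analytics layer looks like at its simplest, run over Salesforce-style API event records. This is an added example, not the article’s or Salesforce’s code: the records, the integration name and the baseline network are constructed, the record field names are assumed rather than Salesforce’s real event schema, and the user-agent and IP indicators are the ones the article reports.

```python
"""Triage Salesforce-style API event records against known indicators and a baseline.
Added example (not from the article, Salesforce, or any vendor). Records are
constructed; field names are assumed, not Salesforce's real ApiEvent schema."""
import ipaddress
import re

KNOWN_BAD_AGENTS = {"sf-export/1.0.0", "Salesforce-Multi-Org-Fetcher/1.0"}
KNOWN_BAD_IPS = {"208.68.36.90"}               # Tor exit noted in the article
BASELINE_NETS = {"Drift Integration": [ipaddress.ip_network("203.0.113.0/24")]}
SENSITIVE_OBJECTS = {"Case", "Account", "User", "Opportunity"}
BULK_ROW_THRESHOLD = 10_000
FROM_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)

# Constructed events: one normal integration call, then two that should alert.
EVENTS = [
    {"app": "Drift Integration", "ip": "203.0.113.7", "ua": "Drift/4.2",
     "rows": 120, "query": "SELECT Id, Name FROM Account WHERE LastModifiedDate > YESTERDAY"},
    {"app": "Drift Integration", "ip": "198.51.100.9", "ua": "sf-export/1.0.0",
     "rows": 85000, "query": "SELECT Id, Subject, Description FROM Case"},
    {"app": "Drift Integration", "ip": "208.68.36.90", "ua": "Drift/4.2",
     "rows": 50, "query": "SELECT Id FROM Contact"},
]

def ip_in_baseline(app, ip):
    """True when the source IP falls in a range the app has historically used."""
    return any(ipaddress.ip_address(ip) in n for n in BASELINE_NETS.get(app, []))

def queried_object(soql):
    """Extract the primary object of a SOQL statement ("" if none found)."""
    m = FROM_RE.search(soql)
    return m.group(1) if m else ""

def evaluate(event):
    """Return the rule names an event trips; an empty list means baseline behaviour."""
    reasons = []
    if event["ua"] in KNOWN_BAD_AGENTS:
        reasons.append("known_bad_user_agent")
    if event["ip"] in KNOWN_BAD_IPS:
        reasons.append("known_bad_source_ip")
    if not ip_in_baseline(event["app"], event["ip"]):
        reasons.append("source_ip_outside_baseline")
    obj = queried_object(event["query"])
    if obj in SENSITIVE_OBJECTS and event["rows"] >= BULK_ROW_THRESHOLD:
        reasons.append("bulk_export_of_" + obj)
    return reasons

def triage(events):
    """Map event index to its reasons, for every event tripping at least one rule."""
    return {i: r for i, e in enumerate(events) if (r := evaluate(e))}
```

The indicator rules catch this campaign after the fact; the baseline and bulk-row rules are the ones that fire on the next actor using a fresh user-agent and a clean IP.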
Lifecycle script discipline in package managers. The Shai-Hulud worm, axios, and the broader pattern depend on postinstall and preinstall scripts executing on developer and CI machines. Disabling lifecycle scripts by default — npm config set ignore-scripts true and equivalents — breaks a substantial fraction of the public attack chain. The January 2026 “PackageGate” disclosures from Koi (six zero-days across npm, pnpm, vlt, and Bun) showed this is necessary but not sufficient: Git-based dependencies can still execute code via repository-level configuration. Lockfile pinning, integrity verification, and a 7–14 day quarantine window before adopting new package versions close most of the residual gap.
FAQ
Is the build pipeline really a different attack surface than “software supply chain”? Yes and no. They share the same underlying trust problem — implicit trust in upstream artifacts — but the response surfaces differ. Software supply chain defenses (SBOMs, SLSA, code signing) address compromised binaries. SaaS supply chain defenses (OAuth inventory, token rotation, integration posture management) address compromised trust relationships. UNC6395 demonstrated that a sophisticated actor can chain both: compromise a build environment to steal OAuth tokens that compromise SaaS tenants.
Did Salesforce or Salesloft have a vulnerability? No, in the technical sense. Google Threat Intelligence Group, Salesforce, and Salesloft have all stated the incident did not exploit a vulnerability in either core platform. The compromise was of a developer credential at Salesloft and the OAuth tokens stored in Drift’s AWS environment. This is precisely what makes this class of attack difficult: there is nothing to patch.
Why didn’t endpoint or perimeter tools catch it? A legitimate OAuth token making API calls from a cloud IP looks like a legitimate integration making API calls from a cloud IP. Detection requires baselining the SaaS API surface itself — which IPs, user-agents, and query patterns the integration normally produces — and alerting on deviations. Most organizations have not built this layer.
Are AI coding assistants making this worse? The s1ngularity campaign weaponized Claude Code, Gemini CLI, and Amazon Q to enumerate developer secrets after initial compromise. The tools were not vulnerable; they did exactly what they were asked to do. The implication is that AI assistants with read access to a developer’s filesystem are now part of the attack surface — credentials accessible to the assistant are credentials accessible to whatever has compromised the environment.
What “Ready” Looks Like Now
The honest reading of the last twelve months is that perimeter-thinking has reached its limit. The next compromised package, OAuth grant, or GitHub Action that affects your build pipeline is already in motion somewhere. Whether you detect it inside an hour, a day, or 267 days is determined by choices you make before the incident — not after.
Two questions function as a useful diagnostic. First: can you produce, on demand, the complete list of package versions, OAuth grants, and CI secrets your production environment has consumed in the last 30 days? Second: if a vendor disclosed compromise tomorrow naming a specific build artifact or token type, how long would it take to know whether your organization was exposed? The gap between the two answers is the actual size of your supply chain risk. Closing it is unglamorous, expensive, and nobody’s favorite quarterly objective. It is also the work.