Stolen OAuth tokens from a compromised Klue integration enabled the Icarus group to gain mass access to Salesforce customer accounts through automated API queries.
Malicious npm packages can overwrite Claude Code’s configuration file, steal OAuth tokens from the network, and use them to access all connected enterprise services while audit logs show clean Anthropic IP addresses.