A security incident involving Salesloft’s Drift application has been traced back to unauthorized access to the company’s GitHub account. According to an investigation led by Google’s Mandiant, a threat actor known as UNC6395 gained entry to the GitHub account and maintained access from March through June 2025. The exact method used to infiltrate the account remains unclear.
The intruders downloaded content from multiple repositories, added a guest user, and established automated workflows. From there, the attackers moved into Drift’s Amazon Web Services (AWS) environment, where they acquired OAuth tokens connected to customer technology integrations. These tokens were then used to access data through Drift’s integrated services.
Reconnaissance activity was also detected within Salesloft and Drift systems during the same March–June timeframe, though no evidence suggests actions went beyond preliminary scanning.
In response, Salesloft has taken the Drift application offline, isolated its infrastructure and code, rotated credentials, and implemented stricter network segmentation between its own systems and Drift. The company is urging customers to revoke any existing API keys connected to third-party Drift integrations.
As part of ongoing remediation, Salesforce has reinstated integrations with Salesloft’s platform with the exception of the Drift app, which remains disabled indefinitely. So far, 22 organizations have confirmed they were affected by this supply chain attack.