Market intelligence platform Klue suffered a OAuth breach that enabled the “Icarus” threat actors to steal Salesforce CRM data from multiple organizations in an ongoing extortion campaign.

Sources told BleepingComputer of the attack yesterday, telling us that numerous organizations had their Salesforce data stolen and were now being extorted by the relatively new extortion group.

Cybersecurity firms ReliaQuest and Huntress have both published reports confirming the security incident, with Huntress stating that their Salesforce data was stolen in the attack.

Salesforce has since disabled the Klue Battlecards integration on its platform while the breach is investigated.

“To protect our customers, Salesforce has disabled the connection between the Klue Battlecards app, installed by individual customers, and Salesforce as part of our response to a recent security incident,” Salesforce warned yesterday.

“As a result, organizations will not be able to connect to Salesforce via this app until further notice.”

If you have any information regarding this incident or other undisclosed attacks, you can contact us confidentially via Signal at 646-961-3731 or at tips@bleepingcomputer.com.

Stolen OAuth credentials used to steal Salesforce data

ReliaQuest stated that attackers gained access to Klue Battlecards integration service accounts and used OAuth tokens associated with customer Salesforce instances to carry out data theft.

The researchers observed the threat actors generating OAuth tokens and then using automated Python scripts to query Salesforce’s REST API for nearly 24 hours.

The activity began with reconnaissance of an organization’s Salesforce instances through the ‘/services/data/v59.0/sobjects’ endpoint before exfiltrating data using the ‘/services/data/v59.0/query’.

ReliaQuest said that for one of the organizations, the attackers slowly mapped out their Salesforce objects to identify valuable objects and then rapidly stole data once they knew what they wanted.

“The attacker then hit the same endpoint, sending almost a thousand queries in a 15-minute window in at least one environment,” explained ReliaQuest.

“Where the first stage was a slow, steady pull designed to blend in, this burst traded stealth for speed, suggesting either time pressure or a shift to targeted records. In another case, the exfiltration was observed over 6 hours.”

The researchers said the activity closely resembled previous Salesforce third-party integration data theft attacks by the ShinyHunters extortion group, but were unable to attribute the attacks to the threat actor.

However, BleepingComputer learned yesterday that ShinyHunters was not behind this attack, but rather a relatively new threat actor known as “Icarus” who had already begun emailing extortion demands to Klue customers impacted by the breach.

A ransom note shared with BleepingComputer showed that the emails were sent using the alias “mr bean” and included a Session Messenger ID to contact them.

The threat actors’ data leak site also contains a message hinting at the extortion campaign in a simple post titled “Get Ready,” stating, “big corps getting listed. be ready.”

Icarus is believed to have launched in April 2026, and initially listed two victims on its leak site, with BleepingComputer learning that at least one of these victims is connected to the Klue campaign. That company has now been removed from the data leak site, which may indicate that negotiations are underway.

Today, Huntress disclosed that it was among the organizations impacted by the Klue breach, confirming that they had received a similar extortion email as seen by BleepingComputer. However, the Session ID used in later emails was different and was instead the one listed on the Icarus data leak site, providing additional evident that they were behind the attack.

“In the initial email, the adversary suggests, ‘we advice you to write to us on Session’ (sic),” reported Huntress.

“The Session Messenger ID that they provided matched the same values included on the dark web leak site of a new extortion group dubbed ‘Icarus.’”

According to Huntress, Klue told customers that attackers first compromised the company’s backend systems and then pushed a malicious code update that stole OAuth tokens customers use to integrate the Battlecards product with third-party platforms.

The attackers reportedly used a dormant but still active credential created by Klue for a prototype integration. After gaining access to Klue’s environment, they stole customer OAuth tokens and used them to query connected Salesforce environments directly.

Klue later disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack while responding to the incident.

Huntress said the stolen data includes CRM-related information, including business contacts, sales communications, price quotes, competitive intelligence reports, and account data.

The cybersecurity company said there was no evidence that threat intelligence, customer telemetry, passwords, payment card information, or engineering systems were compromised.

Both ReliaQuest and Huntress shared IP addresses linked to the attacks, which are listed below:

138.226.246.94
212.86.125.24
213.111.148.90
94.154.32.160

Organizations using Klue integrations are advised to review Salesforce and related SaaS logs for activity originating from these addresses, revoke and rotate OAuth tokens, terminate active sessions, and review Salesforce logs for unusual API activity.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

Musicians are accustomed to getting paid each time their creative work is used. Across vinyl/CD sales, streams, radio, cover versions, and those numerous niches like karaoke, there are agreements in place about what “use” means. Underlying this is a simple economic principle: The more something is used, the more money it makes.

Generative AI has complicated the definition of use. On the one hand, you could argue that the use of a piece of musical training data happens just once, at the point of training. On the other hand, creators would be right to complain that the creative essence of their work lives on in the structure of the model, used every time the model produces an output.

Now, companies like Sureel and SoundVerse are working to re-create the essential economic principle that motivates creativity in an era of AI. Such initiatives aim to turn the generative AI industry from one guilty of “the biggest act of copyright theft in history” into one that coexists harmoniously with hardworking artists.

Music Royalties for the AI era

Sureel, a startup Warner Music Group just acquired, has partnered with the Swedish copyright agency STIM to explore the potential for music creators to get paid when their music is used to train generative AI tools. Sureel’s software labels online media, such as a music file, with instructions determined by the owner. The instructions specify whether an AI company may use the media freely in training, limit its influence in any given training set, or avoid it altogether. The software then tracks how the AI company uses the media in training and sets licensing fees accordingly.

Meanwhile, the founders of the AI music company SoundVerse “[reject] one-time royalty buyouts as insufficient and [advocate] for ongoing participation of artists in the AI lifecycle,” they wrote in a 2025 white paper. They argue that each time a generative AI system produces an output, certain pieces of training data play a greater role than others. If the system outputs music resembling jazz, the jazz in the training set has arguably contributed more than, say, the folk music. You can therefore differentially reward each piece of training data for each output.

Sureel’s Co-President Benji Rogers told me, “Attribution isn’t about re-creating the old economics. It’s about measuring, for the first time, the thing the old economics only approximated.”

Such influence attribution needs to do more than superficially measure how similar a training data point is to the AI output. The challenge is to attribute causality, or a relationship between the training data and the trained AI, Sureel CEO Tamay Aykut says.

Even if the AI industry achieved that, however, it might encourage people to create music designed to maximize training-data royalties. While all creative markets lead to new incentives (music streaming, for example, has driven songs to have shorter intros), the industry could do without another economic structure that is easily gamed, in which someone’s reverse-engineered pastiche diverts royalties away from original works of creative expression.

RELATED: Generative AI Has a Visual Plagiarism Problem

Inferring the influence of a particular piece of music on a generated piece of music, if a well-defined problem at all, may involve more advanced information theoretic principles, or modelling the actual historical role and impact of individual works. Aykut proposes that in carefully designed attribution systems, more unusual and unpolished musical works could even have more inherent value than radio standards.

Simon Gozzi, Head of Business Development at STIM, says the company is in the process of seeing how Sureel’s attribution reports could underlie licensing agreements between musicians and AI companies. Could generative AI attribution strategies not only sustain the economic logic that “popularity pays,” but also motivate musical experimentation and diversity? It’s a compelling concept when public sentiment rightly fears generative AI’s threat to cultural vibrancy, pushing power towards tech companies, deskilling creative workers, shrinking revenue in the creative sector, and filling the internet with slop. “Attribution is one of the few credible tools we have,” Rogers says.

There’s a window of opportunity to debate and establish approaches to paying for AI training data that serve a vibrant and sustainable creative sector.

The technical problem of training data attribution is both complex and ill-defined. Just as a simplistic attribution strategy based on measuring similarity might motivate people to reverse-engineer the canonical works of a genre to capture royalties, a more complex attribution strategy based on some information theory of originality might be easily gamed or fail to reward human cultural production.

For creative workers, there’s good reason to fear that even with the best intentions, AI attribution will only compound the baroque and opaque arms races that they are already weary of navigating. Some voices within the music AI sector are also skeptical. Drew Silverstein, president of SourceAudio, says, “Attribution would seem to be the obvious answer, but it’s flawed in AI, so we have to look at other models.” He advocates simple negotiated agreements with an agreed or annually recurring price at the point of training.

Meanwhile, the copyright lawsuits that have dominated the generative AI revolution are beginning to give way to an increasing number of privately negotiated agreements, such as those between Universal, Warner, and major AI companies to work together on training models with copyright consent. Although little is certain, these agreements may have considerable influence over the industry norms that arise.

Right now, there’s a window of opportunity to debate and establish approaches that pay for AI training data while also sustaining a vibrant creative sector. Sophisticated engineering solutions will have a role to play, but they need to take into account the cultural complexity of the challenge, and enable fairness and transparency through good design.

Making AI training pay off

It remains to be seen whether monolithic generative models such as Suno actually have as much credibility as first touted. In many creative applications of AI, there’s a renewed focus on smaller customized models that are tailored for specific human creative expressive needs such as IRCAM’s RAVE model or Jen’s Style Filters. Meanwhile, more mainstream “end user” creative applications may be shifting towards a focus on fan engagement. OpenAI’s sudden dropping of Sora, despite being in negotiations with Disney and Suno’s recent emphasis on building fan engagement experiences that draw directly on the work of artists, following its deal with Universal, both point to teething troubles in the creative AI sector.

A move to smaller, more targeted models and applications would give more room for creator alliances. For example, collectives of musicians might band together to provide the training data for a smaller custom model, for which revenue splits might be egalitarian or based on other principles of fairness.

The same may possibly be true of hybrid model architectures and structured training regimes where different data sources are used at different points in the training process, as well as retrieval augmented generation, which mixes context-specific information with training data to improve results. An approach that produces worse results but enables fairer or more transparent paths of attribution may be more successful if it brings creators on board with more lucrative royalty flows and even clear credits.

Also, no matter how sophisticated an attribution algorithm is, it will always be grounded in human decisions, ranging from the wise and the fair to the arbitrary and corrupt. Ask a music industry insider to explain how the percentage split between recording and songwriting royalties is determined, and you’re in for a long answer. At best, the machinery of training data attribution will enable open and informed discussion about what makes our creative and cultural sectors fair and vibrant. At worst, it will conceal already opaque private agreements in complex black boxes.

This is where national policies are vital. Attribution must be “multi-layered and auditable, open to expert and regulatory scrutiny,” Rogers says. Crafting such policies will take expertise from computer science, musicology, law, and economics. AI-competitive governments will be able to boost their cultural and creative sectors by supporting institutions that fulfil this purpose.

Even the most neoliberal economies look beyond markets to sustain cultural expression, whether through public arts funding or measures like local music quotas for radio. As the economic impact of generative AI in the creative sector takes form, taxation, redistribution, and active support of cultural infrastructures may still be the most effective way to support positive social outcomes. Taxing big AI and redistributing that revenue back to the creative workers that contributed to the industry’s wealth is, after all, another “AI attribution strategy.”

There was a particularly tense moment aboard the International Space Station earlier this month, with NASA directing their astronauts to secure themselves in the Dragon capsule and prepare for a potential return to Earth while their Russian counterparts engaged in what we now know to have been some impromptu demolition work on their side of the orbiting complex.

Despite objections from their American partners, Roscosmos had given their cosmonauts the go-ahead to drill and cut into the walls of the Zvezda module — one of the core components of the ISS which has been in orbit since 2000 — to try and identify and ultimately repair persistent leaks that have been venting the Station’s atmosphere out into space for several years. We may never know the exact nature of the behind-the-scenes communication that went on between the two space agencies, but in the end the Russians abandoned their plan and NASA’s personnel were told to resume their normal duties.

But where do things go from here? Although it’s true the International Space Station is entering its final years, the mission isn’t over yet, and that means the two countries need to continue to work together if they hope to get any science done in the time they have left.

At this point there hasn’t been any official word from either agency, but sources that wish to remain anonymous have been dropping hints, and that’s got the rumors swirling. With the understanding that anything is still possible, at this point it looks like Russia is going to abandon any further attempts to repair the leak and instead seal off the crippled compartment of the Zvevzda module. This won’t solve all the problems, and in fact will create some new ones. But if that’s what it will take to keep the peace with NASA until Station operations wind down, it’s apparently a bargain they’re willing to make.

A Fortunate Fissure

It probably goes without saying that the best kind of leak on a space station is no leak. Having breathable air is rather important when you’re trying to live and work in space, and while the life support systems on the International Space Station are robust enough to compensate for the steady loss of atmosphere they’ve been experiencing up to this point, there’s always a possibility that the rate of loss could increase and put that balance in jeopardy.

There’s also a chance that the leak is a harbinger for something far more serious — a structural failure of the pressure vessel itself. Even with advanced warning, it would be an existential threat to the entire program if one of the ISS modules literally cracked open. We don’t need to go into details about the potential for tragedy should it occur without warning.

All that is to say, if your orbiting laboratory does have to spring a leak, you couldn’t ask for it to be in a better place than where it is on the ISS. After the Station started losing air back in 2019, the crew was able to narrow it down to the Transfer Chamber at the aft end of the Zvevzda module.

Known as the PrK by the Russians, this small space is a sort of vestibule that connects the inside of the module to the rear docking port, which in turn allows access to visiting spacecraft. The PrK is unique in that it traverses an unpressurized equipment bay; think of it like a tube within a tube. Cracks in the walls of the PrK have been allowing the atmosphere inside the Station to leak out into this unpressurized space even though the external hull of the module hasn’t actually been breached so far as anyone is aware.

The good news is, the easiest and most immediate way to stem the loss of air is to simply close the hatch leading into the PrK. Of course, that means abandoning the docking port on the other side of it.

Juggling Spacecraft

The Russian section of the Station has multiple docking ports which can be used to transfer crew and cargo, so while having to abandon one of them is hardly ideal, it’s a survivable scenario. It’s fair to say that this would have been a far less palatable solution a decade ago, but now it’s the sort of compromise that you’d expect when working with hardware that’s been in space for more than 20 years.

Shuffling spacecraft between the various docking ports on the ISS has become increasingly common as the fleet of vehicles that can visit the orbiting complex has grown over the years. With more cargo-carrying craft set to come online before the end of the decade, things will only get busier. Losing a docking port would add to the logistical challenge, but there’s no question it will be manageable.

Plus, it’s not as if they would have to stop using the port entirely. While sealing off the PrK passage means crew and cargo will no longer be able to pass between a visiting spacecraft and the Zvevzda module, the same isn’t true for deliveries of gasses and liquids. The plumbing that moves water, oxygen, and the propellants for the Station’s thrusters over from the Progress resupply spacecraft is all run on the outside of the structure and is linked up automatically through connectors in the docking port.

Since crew members don’t need to access the inside of the Progress vehicle to transfer these liquids over, the port can still be used for at least some resupply activities.

Get Out and Push

While crew and cargo transfers can be performed on an alternate docking port, and Zvevzda’s rear port can still support transferring water and other fluids with the PrK hatch closed, there’s still the question of reboost maneuvers.

Normally, a Progress spacecraft docked to the rear of Zvevzda would use its own thrusters to change the velocity of the entire complex. This is most commonly used to counteract atmospheric drag and keep the Station in the intended orbit, as it would otherwise slowly fall back down into the atmosphere and eventually burn up. This maneuver must be done from the  rear docking port of Zvevzda as that allows the visiting spacecraft to push along the center line of the Station.

While these reboosts could still be performed without opening the PrK hatch, there’s a question about whether or not it’s safe to continue putting so much stress on the surrounding structure. In fact, though there has been no official determination made, some believe that the repeated stress of performing the reboost maneuvers from that specific docking port could be one of the factors that lead to the cracks forming in the PrK to begin with.

If NASA and Roscosmos determine that continuing to push the entire mass of the ISS through this structure is no longer safe, their only alternative is to do it from the US side. The Space Shuttle was used to reboost the Station this way before its retirement in 2011, and more recently, a Cargo Dragon specially modified to carry additional propellant demonstrated it could fill this particular role if need be.

Space Station Déjà Vu

If you’ve been following space news for a bit now, this might all sound a bit familiar to you — that’s because this isn’t the first time Russia decided that the best course of action was to simply close the door on the PrK. Going back to at least 2024, the official procedure was for the crew to keep the hatch closed unless they were actively loading or unloading a docked vehicle.

That greatly reduced how much air was leaking out, but as long as crews were occasionally opening up the PrK and moving through it, there was a risk of something going catastrophically wrong. Should the rumors prove true, the difference this time is that the door would stay shut and the PrK would remain undisturbed for as long as the ISS remained in orbit. It’s not exactly a fix, but it’s good enough for an aging space station that’s only got a few more years on the clock.

Building a context layer between enterprise data stores and AI agents is bespoke work, with no standard service to automate or maintain the graphs over time. Amazon is making a direct play to change that.

Amazon on Wednesday entered the space, announcing a series of three products it’s positioning as a context intelligence stack for AI agents. The centerpiece is AWS Context, a new knowledge graph service that gets smarter through agent usage over time. AWS also announced the general availability of Amazon S3 Annotations and a preview of skill assets in AWS Glue Data Catalog.

The context layer is now a contested architectural category with no shortage of options from different vendors. AWS is entering that market with a different architectural premise: that the graph should learn from how agents use it automatically, without human re-curation.

“Your agents now get smarter without you having to rebuild anything from scratch,” said Swami Sivasubramanian, vice president of Agentic AI at AWS, during his AWS Summit NYC keynote.

“This service automatically builds a knowledge graph from all your existing data,” he said. “This service infers relationships across your data sets, business rules, and domain knowledge, and makes all of it available to your agents and your organization at runtime.”  

AWS Context builds a self-learning knowledge graph from existing data

It’s a problem AWS says it has seen repeatedly in customer deployments.

AWS Context maps relationships across existing data automatically: what tables exist, what columns mean, how sources relate and which sources are authoritative. It combines semantic search with graph-level reasoning and infers relationships across datasets, business rules and domain knowledge, making all of it available to agents at runtime.

“The knowledge graph improves itself over time as it learns which sources produce correct results and which parts get used,” Sivasubramanian said. 

Data stewards manage the graph through the AWS Management Console, reviewing inferred relationships, promoting them to production and attaching business definitions and usage rules. Every query inherits the calling user’s IAM and Lake Formation permissions, making agent data access auditable by identity through controls enterprises already rely on.

All metadata is published in Apache Iceberg format to Amazon S3 Tables, queryable via Athena, Redshift, Spark or any Iceberg-compatible engine, with no proprietary APIs. Third-party catalog connections are supported, so context from systems outside AWS can be pulled into the same graph. Agents query through agentic search APIs and MCP tools across Bedrock AgentCore, EKS or any MCP-compatible framework.

Context is more than just a single service

Context is a complicated space and AWS is layering multiple services to help enterprises build context across the data stack.

Amazon S3 Annotations. This service enables users to attach rich business context at the storage layer, directly to individual S3 objects. 

AWS Glue Data Catalog skill assets. Glue skill assets attach domain knowledge at the catalog layer, linking runbooks, query patterns and usage rules to data assets across the estate. 

AWS Context then synthesizes both into the knowledge graph that agents query at runtime, combining semantic search with graph-level reasoning across structured and unstructured sources. Each layer feeds the next.

AWS is entering a highly competitive context space

Snowflake announced its context approach earlier this month with its Horizon Context and Cortex Sense services. Microsoft is providing context via its Fabric IQ platform that provides a semantic ontology for data. Redis has developed a context platform that optimizes data for retrieval. Vector database vendor Pinecone has its Nexus context offering that compiles enterprise data into task-specific artifacts before agents ever query them.

AWS’s structural argument is straightforward: for enterprises already running S3, Glue and Lake Formation, AWS Context extends an existing identity model with no data movement required. The pitch is zero-integration friction — not just cost consolidation.

“Context makes agents more powerful and as the whole world is building agents, every agentic platform vendor needs a context capability,” Holger Mueller, VP and Principal analyst at Constellation Research, told VentureBeat.

Mueller noted that AWS is no exception. “The concern — as with all context offerings — is going to be performance, especially for transactional data,  we will see,” he said.

In the modern workplace, the line between personal convenience and professional obligation hasn’t just blurred, it has effectively vanished.

At the center of this shift is WhatsApp.