Rapid Response Status Page

All Systems Operational

Rapid Response: Operational (99.45 % uptime over the last 90 days)
Sep 18, 2025
Resolved - This incident has been resolved.
Sep 18, 13:12 UTC
Update - Dear Customers,

Following our recent update regarding the NPM Supply Chain Trio - Qix, CrowdStrike, Shai-Hulud, we have continued our threat-focused hunting efforts, specifically reviewing IOC hits and related TTPs.

Axon reports have been published for Team Axon customers. These reports include:

- A consolidated list of IOCs
- Hunting queries
- TP (true-positive) results for relevant environments

Any findings requiring your attention are highlighted in your Axon report.

We will continue to closely monitor developments related to the NPM Supply Chain Trio - Qix, CrowdStrike, Shai-Hulud, and provide updates as necessary. If you have any questions or need further assistance, please do not hesitate to reach out.

Best regards,
Team Axon

Sep 18, 13:12 UTC
Identified - Dear Customers,

Team Axon is closely tracking multiple ongoing NPM supply chain compromises that have impacted widely used packages and present a significant risk across enterprise environments. These incidents highlight the growing threat of dependency hijacking and malicious package injection.

Qix Compromise: Attackers phished the account of a maintainer (Qix), allowing them to publish malicious versions of highly popular packages such as chalk and debug. The injected payload was designed to hijack cryptocurrency transactions in browser contexts.

CrowdStrike Compromise: Malicious versions of several NPM packages, including eslint-config-prettier, were distributed after attacker access. These carried the Scavenger malware, capable of exfiltrating browser data, authentication tokens, and other sensitive information.

Shai-Hulud Worm: A self-propagating campaign compromised more than 180 NPM packages. This worm steals secrets and tokens (e.g., GitHub, AWS, NPM) and republishes new infected package versions under compromised maintainer accounts, enabling rapid spread.

These compromises expose organizations to:
- Theft of source code, tokens, and credentials stored in build pipelines.
- Execution of malicious code during package installation or runtime.
- Propagation of malicious dependencies downstream, impacting customers and partners.
- Increased phishing and credential-stuffing risks tied to stolen data.
Our team continues to investigate the scope and technical details of this campaign. If we observe strong indications of compromised users, we will contact the affected customer directly.

For further assistance, please reach out to us.

Sincerely,
Team Axon

IOCs

Shai-Hulud:
Hashes
46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09
b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777
dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c
4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db

URL
hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7


CrowdStrike:
Domains
npnjs[.]com
firebase[.]su
dieorsuffer[.]com
smartscreen-api[.]com

Hashes
32d0dbdfef0e5520ba96a2673244267e204b94a49716ea13bf635fa9af6f66bf
c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441
5bed39728e404838ecd679df65048abcb443f8c7a9484702a2ded60104b8c4a9

URLs
https[:]//firebase[.]su/c/k2
https[:]//dieorsuffer[.]com/c/k2
https[:]//smartscreen-api[.]com/c/k2

Sep 18, 10:04 UTC
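The indicators in the notice above are published defanged. As an added example (not Team Axon tooling or any of the projects named in the notice), the following Python sweeps a node_modules checkout for those indicators: it refangs the domains and URLs, hashes every file with SHA-256 against the listed digests, and searches file contents for the refanged network indicators. The sample tree, the file names and the extra digest added to the hash set are constructed for the demo and are not part of the notice; a clean result from this sweep only says none of the published indicators are present, it does not replace checking installed package versions.

```python
"""Offline IOC sweep of a node_modules tree against the hash and network
indicators listed in the notice above. Added example, not Team Axon tooling."""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators copied from the notice, kept defanged exactly as published.
SHAI_HULUD_HASHES = {
    "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09",
    "b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777",
    "dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c",
    "4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db",
}
CROWDSTRIKE_HASHES = {
    "32d0dbdfef0e5520ba96a2673244267e204b94a49716ea13bf635fa9af6f66bf",
    "c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441",
    "5bed39728e404838ecd679df65048abcb443f8c7a9484702a2ded60104b8c4a9",
}
DEFANGED_NETWORK_IOCS = [
    "hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7",
    "npnjs[.]com",
    "firebase[.]su",
    "dieorsuffer[.]com",
    "smartscreen-api[.]com",
    "https[:]//firebase[.]su/c/k2",
    "https[:]//dieorsuffer[.]com/c/k2",
    "https[:]//smartscreen-api[.]com/c/k2",
]


def refang(ioc: str) -> str:
    """Undo the defanging so the indicator matches the literal bytes found in code."""
    ioc = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc)


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large bundles need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: Path, bad_hashes: set, network_iocs: list) -> list:
    """Return (relative path, kind, indicator) for every file whose digest is on
    the list or whose contents contain a refanged domain/URL. No hit is not proof
    of a clean tree: a repackaged payload has a new hash, so installed package
    versions still have to be reviewed separately."""
    needles = [refang(ioc) for ioc in network_iocs]
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        digest = sha256_of(path)
        if digest in bad_hashes:
            findings.append((rel, "hash", digest))
        # errors="ignore" lets binary files pass through the substring search.
        text = path.read_text(encoding="utf-8", errors="ignore")
        findings.extend((rel, "network", n) for n in needles if n in text)
    return findings


def demo() -> list:
    """Constructed sample tree: a clean module and one bundle that references the
    webhook URL from the notice. The bundle's own digest is added to the hash set
    as a labelled stand-in, since no constructed file can match the published hashes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean-pkg").mkdir()
        (root / "clean-pkg" / "index.js").write_text("module.exports = () => 1;\n")
        (root / "suspect-pkg").mkdir()
        bundle = root / "suspect-pkg" / "bundle.js"
        bundle.write_text(
            "fetch('https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7');\n"
        )
        stand_in = {sha256_of(bundle)}  # constructed stand-in for an IOC hash
        return scan_tree(
            root, SHAI_HULUD_HASHES | CROWDSTRIKE_HASHES | stand_in, DEFANGED_NETWORK_IOCS
        )


if __name__ == "__main__":
    for rel, kind, indicator in demo():
        print(f"{kind:8} {rel}: {indicator}")
```

Run it against a real checkout with `scan_tree(Path("node_modules"), SHAI_HULUD_HASHES | CROWDSTRIKE_HASHES, DEFANGED_NETWORK_IOCS)`; the refanged needles are plain substrings, so a hit on a bare domain such as `firebase.su` also fires on any URL containing it, which is the intended behaviour for a triage sweep.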
Sep 5 through Sep 17, 2025

No incidents reported on any of these days.

Sep 4, 2025
Resolved - Dear Customers,

Following our recent update regarding the Salesloft Drift OAuth Token Compromise, we have continued our threat-focused hunting efforts, specifically reviewing IOC hits and related TTPs.

Axon reports have been published for Team Axon customers. These reports include:

- A consolidated list of IOCs
- Hunting queries
- TP (true-positive) results for relevant environments

Any findings requiring your attention are highlighted in your Axon report.

We will continue to closely monitor developments related to the Salesloft Drift OAuth Token Compromise and provide updates as necessary. If you have any questions or need further assistance, please do not hesitate to reach out.

Best regards,
Team Axon

Sep 4, 15:52 UTC
Identified - Dear Customers,

Team Axon is aware of a significant ongoing security incident involving the compromise of OAuth tokens issued to the Salesloft Drift application. These tokens have been abused by a threat actor (tracked as UNC6395) to access Salesforce instances and other integrated systems without directly breaching Salesforce itself.

This activity has enabled attackers to execute structured SOQL queries, enumerate and exfiltrate sensitive data (including customer records, credentials, and access tokens), and, in some cases, delete Salesforce jobs to obscure traces. Evidence suggests that additional connected integrations (e.g., Google Workspace via Drift Email, and others) may also be impacted.

In certain integrations, such as Google → Drift Email, attackers were able to abuse OAuth tokens to authenticate and access the integration account, allowing them to query emails, extract information, and potentially access additional data.

Early threat intelligence confirms that this campaign is widespread and actively exploited in the wild, with high-profile organizations already affected. The breadth of Drift integrations (nearly 60 third-party platforms) significantly increases the potential exposure across enterprise environments.

Recommendations:

- Revoke OAuth tokens associated with Drift and related integrations.
- Disable or remove the Drift application from Salesforce until security assurances are provided.
- Rotate exposed credentials, especially API keys, AWS access tokens, Snowflake tokens, and any secrets stored in Salesforce fields.
- Make sure Salesforce logs are being ingested into the Hunters platform.
- Review connected integrations to Drift (Slack, Pardot, Zoom, etc.) and revoke any unnecessary permissions.

Affected organizations are at heightened risk of targeted phishing campaigns stemming from the exposure of customer and employee data. Teams must remain on high alert, closely monitor for suspicious activity, and reinforce phishing awareness among users.

Our team continues to investigate the scope and technical details of this campaign. If we observe strong indications of compromised users, we will contact the affected customer directly.

For further assistance, please reach out to us.

Sincerely,
Team Axon

Current IOCs:

- IP Addresses:
208.68.36.90
44.215.108.109
154.41.95.2
176.65.149.100
179.43.159.198
185.130.47.58
185.207.107.130
185.220.101.133
185.220.101.143
185.220.101.164
185.220.101.167
185.220.101.169
185.220.101.180
185.220.101.185
185.220.101.33
192.42.116.179
192.42.116.20
194.15.36.117
195.47.238.178
195.47.238.83

- Potentially Related User Agents:
Salesforce-Multi-Org-Fetcher/1.0
Salesforce-CLI/1.0

Sep 4, 10:49 UTC
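The notice above lists source IPs and two "potentially related" user agents. As an added example (not Team Axon or Hunters code), the following Python runs those indicators over Salesforce-style access records and grades each hit: a listed source IP is a high-severity match, while a user-agent-only match is a review item, because the notice marks the user agents as potentially related and the CLI agent is also used legitimately. The JSON-lines record format, its field names and the sample records are constructed for this example and are not the real Salesforce event schema.

```python
"""Match Salesforce-style access records against the IP and user-agent IOCs in
the notice above. Added example, not Team Axon or Hunters code; the record
format and sample data are constructed."""
import json

# IP indicators copied verbatim from the notice.
IOC_IPS = {
    "208.68.36.90", "44.215.108.109", "154.41.95.2", "176.65.149.100",
    "179.43.159.198", "185.130.47.58", "185.207.107.130", "185.220.101.133",
    "185.220.101.143", "185.220.101.164", "185.220.101.167", "185.220.101.169",
    "185.220.101.180", "185.220.101.185", "185.220.101.33", "192.42.116.179",
    "192.42.116.20", "194.15.36.117", "195.47.238.178", "195.47.238.83",
}
# The notice lists these as "potentially related": admins also use the CLI,
# so a user-agent hit on its own is a review item, not a confirmed match.
IOC_USER_AGENTS = {"Salesforce-Multi-Org-Fetcher/1.0", "Salesforce-CLI/1.0"}

# Constructed JSON-lines sample. Field names are this example's assumptions,
# not the real Salesforce event schema.
SAMPLE_LOG = """\
{"ts": "2025-08-20T08:12:01Z", "user": "alice@example.com", "connected_app": "Browser", "source_ip": "10.20.30.40", "user_agent": "Mozilla/5.0", "event": "Login"}
{"ts": "2025-08-20T08:14:37Z", "user": "drift-integration@example.com", "connected_app": "Salesloft Drift", "source_ip": "185.220.101.133", "user_agent": "Salesforce-Multi-Org-Fetcher/1.0", "event": "ApiQuery", "soql": "SELECT Id, Email, Description FROM Case"}
{"ts": "2025-08-20T09:02:10Z", "user": "bob@example.com", "connected_app": "Salesforce CLI", "source_ip": "10.20.30.41", "user_agent": "Salesforce-CLI/1.0", "event": "ApiQuery", "soql": "SELECT Id FROM Account LIMIT 10"}
{"ts": "2025-08-20T09:30:55Z", "user": "drift-integration@example.com", "connected_app": "Salesloft Drift", "source_ip": "192.42.116.20", "user_agent": "Mozilla/5.0", "event": "BulkJobDelete"}
"""


def match_record(rec, ioc_ips=IOC_IPS, ioc_uas=IOC_USER_AGENTS):
    """Return the (field, indicator) pairs that hit for one record, IP first."""
    hits = []
    if rec.get("source_ip") in ioc_ips:
        hits.append(("ip", rec["source_ip"]))
    if rec.get("user_agent") in ioc_uas:
        hits.append(("user_agent", rec["user_agent"]))
    return hits


def scan_log(lines, ioc_ips=IOC_IPS, ioc_uas=IOC_USER_AGENTS):
    """One alert per matching record, plus a 'parse_error' alert for any line
    that is not valid JSON so bad input is never silently dropped. Severity is
    'high' when the source IP is listed and 'review' when only a potentially
    related user agent matched."""
    alerts = []
    for lineno, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            alerts.append({"line": lineno, "severity": "parse_error", "hits": []})
            continue
        hits = match_record(rec, ioc_ips, ioc_uas)
        if not hits:
            continue
        severity = "high" if any(kind == "ip" for kind, _ in hits) else "review"
        alerts.append({
            "line": lineno,
            "severity": severity,
            "user": rec.get("user"),
            "connected_app": rec.get("connected_app"),
            "event": rec.get("event"),
            "hits": hits,
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this yields three alerts: the Drift integration account querying from a listed IP with the Multi-Org-Fetcher agent (high), an admin using the CLI from an internal address (review), and a job deletion from a second listed IP (high). Once Salesforce logs are ingested into the hunting platform, the same two-tier grading keeps CLI usage by known admins out of the high-severity queue while still surfacing it for review.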