Unc6395 is a apt_group tracked across 2 threat clusters and 2 intelligence report mentions on ThreatCluster. First observed May 29, 2026; most recent activity June 21, 2026.
Between August 9 and August 17, 2025, the threat actor UNC6395 exploited stolen OAuth tokens from Salesloft's Drift integration to access Salesforce environments of over 700 organizations, including major tech firms.…
Researchers at Token Security disclosed a five-stage exploit chain that allowed a free Zapier account to gain write access to both public and internal NPM packages. Each stage of the chain exploited known anti-patterns,…