Today’s roundup

• Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data
• Blind Eagle’s Five Clusters Target Colombia Using RATs, Phishing Lures, and Dynamic DNS Infra
• Citrix Patches Three NetScaler Zero Days as One Sees Active Exploitation
• New Phishing Campaign Abuses ConnectWise ScreenConnect to Take Over Devices
• China Linked Silk Typhoon Targeted Diplomats by Hijacking Web Traffic
• The One Where We Just Steal The Vulnerabilities (CrushFTP CVE-2025-54309)

Summary

Recent cybersecurity events revealed critical vulnerabilities and targeted attacks affecting major platforms and governmental entities.
The Salesloft OAuth breach exposed over 5,000 Salesforce customer OAuth and refresh tokens through the Drift AI chat agent, with the attack attributed to threat actor UNC6395.
Blind Eagle’s five activity clusters, operating from May 2024 to July 2025, targeted Colombian government institutions via RATs, phishing lures, and dynamic DNS infrastructure to gain persistent footholds.
Citrix issued critical patches for three NetScaler zero‑day vulnerabilities as active exploitation was observed, urging immediate remediation for all NetScaler deployments.
A new phishing campaign leveraged the legitimate ConnectWise ScreenConnect remote‑management tool to drop malicious payloads and take over enterprise devices, exploiting impersonation and credential reuse tactics.
The China‑linked APT group Silk Typhoon hijacked web traffic through captive‑portal redirects and delivered a PlugX backdoor, aiming at diplomats worldwide, and exploiting legitimate TLS certificates to evade detection.
The CrushFTP CVE‑2025‑54309 vulnerability, a race condition in DMZ proxy handling, enabled remote attackers to gain administrator access via HTTPS, with over 30,000 vulnerable instances in the wild.