2025 was the year the cloud attacker's playbook stopped needing exploits. Stolen keys, hijacked OAuth tokens, and poisoned dependencies did the work that zero-days used to, and they did it at scale across every major cloud and the SaaS layer on top of it.
This is a review of the cloud, SaaS, and software-supply-chain incidents that defined the year, the themes that connect them, and what they say about where to spend effort in 2026. For the timeless root-cause view across a longer span of incidents, see Lessons From 13 Cloud Breaches; for the step-by-step chains, the breach timeline.
On this page
- Overview: the shape of 2025
- The incidents that defined 2025
- Theme 1: Identity and token theft displaced exploitation
- Theme 2: The software supply chain as soft underbelly
- Theme 3: SaaS-to-SaaS trust chains
- Theme 4: Extortion crews abused native features
- Theme 5: The AI and agent attack surface arrived
- Theme 6: Secrets sprawl fueled the next breach
- By the numbers and patterns
- What this means for 2026
Overview: the shape of 2025
If you read the 2025 cloud and SaaS breaches one at a time, each looks like its own story: a ransomware crew here, a poisoned npm package there, a maximum-severity identity flaw somewhere else. Read them together and the shape of the year is clear. The largest intrusions did not exploit product vulnerabilities at all. Attackers logged in with stolen OAuth tokens, phished credentials, or forged identity tokens, and the traffic looked like legitimate authenticated activity the whole way through.
This review synthesizes eleven incidents that defined the year, grouped by the patterns that recur across them. Three of these are documented as full step-by-step kill chains on this site: the Codefinger S3 ransomware, the tj-actions/changed-files GitHub Actions compromise, and the Salesloft Drift / UNC6395 OAuth token theft. The rest are described here in plain text. For the longer arc across two decades of cloud breaches, see the breach timeline and the recurring root causes on breach lessons.
The single sentence version of 2025: identity and token theft displaced vulnerability exploitation as the primary way into the cloud, the software supply chain became the fastest path to thousands of victims at once, and the secrets scattered across repos and CI logs turned nearly every breach into a launchpad for the next one.
The incidents that defined 2025
Here are the eleven incidents this review draws on, in rough chronological order, with the initial-access vector and the single control most likely to have broken each chain earliest. As always, "one control" is a deliberate oversimplification - real defense is layered - but forcing the choice makes the priorities obvious.
| Incident | When | Root cause in one line | The one control that would have helped most |
|---|---|---|---|
| Codefinger S3 SSE-C ransomware | Jan 2025 | Stolen AWS keys encrypted S3 buckets with AWS's own SSE-C; AWS never stores the key | Short-lived credentials + key-use anomaly detection |
| tj-actions/changed-files (CVE-2025-30066) | Mar 2025 | A compromised PAT retagged a popular Action to a malicious commit that dumped CI secrets to public logs | Pin third-party actions to full commit SHAs |
| UNC6040 / ShinyHunters Salesforce vishing | 2025 (peaked mid-year) | Help-desk vishing tricked employees into authorizing a rogue Data Loader connected app | High-assurance verification before authorizing connected apps |
| SharePoint "ToolShell" (CVE-2025-53770) | Jul 2025 | Insecure deserialization at ToolPane.aspx allowed unauthenticated RCE on on-prem SharePoint | Emergency patching + isolation of internet-facing on-prem servers |
| Entra ID cross-tenant Actor token (CVE-2025-55241) | Jul 2025 | Legacy Azure AD Graph failed to validate an Actor token's tenant claim, enabling cross-tenant impersonation | Vendor-side fix (no customer control); retire legacy APIs |
| Nx "s1ngularity" supply-chain attack | Aug 2025 | A GitHub Actions injection flaw stole Nx's npm token; trojanized versions ran a malicious postinstall | Harden CI workflows against injection; scope publish tokens |
| Salesloft Drift / UNC6395 | Aug 2025 | Stolen OAuth/refresh tokens from a third-party Salesforce integration drove bulk data export | Least-privilege, revocable third-party OAuth grants |
| Oracle E-Business Suite zero-day (CVE-2025-61882) | Aug-Oct 2025 | Cl0p mass-exploited an unauthenticated RCE zero-day in Oracle EBS, then ran email extortion | Rapid zero-day patching + attack-surface reduction |
| npm debug / chalk maintainer phishing | Sep 2025 | A 2FA-reset phishing email captured a maintainer's live TOTP, enabling malicious package publishes | Phishing-resistant MFA for maintainer accounts |
| Shai-Hulud self-replicating npm worm | Sep 2025 (v2.0 Nov) | Stolen npm token plus self-replication trojanized other packages by the same maintainer | Short-lived, scoped publish tokens + provenance |
Two things stand out just from the table. First, the "one control" column is dominated by identity and pipeline hygiene, not vulnerability patching. Second, several rows are not really about a single company's security posture at all - they are about the trust that company extended to an integration, a dependency, or a maintainer somewhere else. The themes below unpack why.
Theme 1: Identity and token theft displaced vulnerability exploitation
The year's largest cloud and SaaS intrusions did not exploit product vulnerabilities. Attackers logged in with stolen OAuth tokens, phished credentials, or forged identity tokens. Detection is hard because this traffic looks like legitimate authenticated activity, and it often bypasses MFA and conditional access entirely.
The clearest example is Salesloft Drift / UNC6395. In August 2025, attackers used stolen OAuth tokens from the Salesloft Drift chatbot integration to mass-export data from hundreds of downstream Salesforce tenants, then mined the exports for embedded cloud credentials. UNC6395 had gained access to Salesloft's GitHub between March and June 2025, then pivoted into Drift's AWS environment and stole the OAuth and refresh tokens tied to customer Salesforce integrations. This was a third-party SaaS-to-SaaS trust chain, not a flaw in Salesforce itself. More than 700 organizations were affected, including Cloudflare, Palo Alto Networks, Zscaler, Proofpoint, PagerDuty, and Tanium; the actor harvested AWS keys, passwords, and Snowflake tokens. Tokens were revoked and Drift was pulled from AppExchange on August 20, 2025.
The UNC6040 / ShinyHunters campaign is the same theme delivered by phone. Financially motivated actors called help desks impersonating IT support and tricked employees into authorizing a malicious Data Loader connected app, which granted API access to the Salesforce org and enabled bulk CRM exfiltration for extortion. There was no technical vulnerability - the victim approved a rogue connected app. Google confirmed its own corporate Salesforce instance was hit in June 2025, and tracks the activity as UNC6040/UNC6240 operating under the ShinyHunters brand, with broader reporting citing major consumer brands and airlines.
The most alarming pure-identity failure was Microsoft's Entra ID cross-tenant Actor token flaw (CVE-2025-55241), a CVSS 10.0 issue disclosed by Dirk-jan Mollema on July 14, 2025. The legacy Azure AD Graph API failed to validate that an unsigned "Actor" token's tenant claim matched the tenant being accessed, so an attacker could forge Actor tokens in their own tenant and impersonate any user, including Global Admins, in any other Entra tenant. The impersonation bypassed MFA and conditional access with minimal logging. Microsoft globally mitigated it by July 17, 2025 and reported no evidence of in-the-wild exploitation before the fix.
The through-line: when the attacker holds a valid token or a validly issued (or forged) identity assertion, your login screen and your MFA prompt are already behind them. The controls that matter are phishing-resistant factors, high-assurance verification before authorizing connected apps, short-lived and narrowly scoped tokens, and telemetry that can flag anomalous use of otherwise-valid identity material. See IAM and zero trust for the deeper treatment, and non-human identity for the token and service-account side.
Theme 2: The software supply chain became the soft underbelly
Attackers repeatedly compromised a single upstream dependency, maintainer account, or CI/CD action to reach thousands of downstream victims at once. The recurring prize was the secrets that live in build pipelines: cloud keys, npm and GitHub tokens, and PATs exposed in workflow logs.
The defining case is tj-actions/changed-files (CVE-2025-30066) in March 2025. A hugely popular GitHub Action was backdoored to dump CI/CD secrets into publicly readable workflow logs. A compromised PAT - traced back through the reviewdog/action-setup chain (CVE-2025-30154) - was used to inject a malicious commit and retroactively repoint multiple version tags to it, and the payload dumped Runner Worker process memory into the logs. Reporting put the blast radius at more than 23,000 repositories, exposing access keys, GitHub PATs, npm tokens, and private RSA keys. CISA issued an alert and the issue was patched in v46.0.1.
Two npm-ecosystem incidents extend the pattern to maintainer accounts. In September 2025, a maintainer was phished via a convincing 2FA-reset email from a fake domain (npmjs.help) that captured username, password, and a live TOTP code, letting attackers publish malicious versions of debug, chalk, and sixteen other packages - eighteen packages carrying collectively billions of weekly downloads - with a browser-side crypto-clipper that swapped wallet addresses. Phishable TOTP MFA was the weak link. The community caught it within roughly two hours and clean versions were restored.
The Nx "s1ngularity" attack in August 2025 showed the same goal reached through CI. A GitHub Actions injection vulnerability was exploited to steal Nx's npm publishing token and push trojanized versions of nx and several @nx/* packages with a malicious postinstall hook (telemetry.js). It stole GitHub and npm tokens, SSH keys, and crypto wallets, leaking roughly 2,349 distinct secrets into more than 1,400 public "s1ngularity-repository" GitHub repos.
The controls live in your CI/CD pipeline: pin third-party actions to full commit SHAs rather than mutable tags, scope and shorten the lifetime of publish tokens, harden workflows against injection, and treat every dependency and maintainer whose code runs in your build as part of your attack surface.
Theme 3: SaaS-to-SaaS trust chains turned one breach into hundreds
Deeply interconnected SaaS integrations - chatbots, sales tooling, CRM connectors - meant a compromise of one third-party app cascaded into every tenant that trusted it. The blast radius was defined by OAuth grants and connected-app permissions, not by any single company's own security posture.
Both Salesforce incidents are also SaaS-to-SaaS stories. In Salesloft Drift / UNC6395, the compromised link was a SaaS integration vendor whose stolen OAuth tokens unlocked more than 700 downstream Salesforce tenants at once. In the UNC6040 / ShinyHunters campaign, the malicious link was a rogue connected app that victims themselves authorized after a vishing call, granting the attacker API access to the org. In neither case did the affected companies have a vulnerability in the traditional sense - they had a trust relationship that an attacker turned into an export pipe.
This is the argument for treating connected apps and OAuth grants as a first-class part of your attack surface. The right questions are inventory questions: which third-party apps hold tokens into your SaaS tenants, what scopes do those tokens carry, when were they last used, and who can revoke them. That is squarely the domain of SaaS security posture management, and it is where the least-privilege discipline you already apply to IAM roles needs to extend next.
Theme 4: Ransomware and extortion crews abused native features
Rather than dropping encryptors, financially motivated actors leaned on legitimate functionality. This "living off the cloud" approach evades traditional anti-malware and complicates forensics and recovery, because nothing on disk looks like malware.
The signature case is the Codefinger S3 ransomware in January 2025. A ransomware crew used stolen AWS keys to encrypt victims' S3 buckets with AWS's own server-side encryption with customer-provided keys (SSE-C), holding data hostage without exploiting any AWS vulnerability. The compromised keys carried s3:GetObject and s3:PutObject permissions; the attacker supplied an AES-256 SSE-C key that AWS never stores - only an HMAC is logged - making recovery impossible without paying. Halcyon reported at least two confirmed victim organizations. What made it notable was the weaponization of a native cloud feature rather than malware, paired with a 7-day deletion timer to pressure payment.
The Oracle E-Business Suite campaign is the enterprise-platform version of the same extortion playbook. The Cl0p crew mass-exploited an unauthenticated remote code execution zero-day, CVE-2025-61882 (CVSS 9.8), to steal enterprise data, then launched a high-volume email extortion campaign. Exploitation activity was seen as early as August 9, 2025 (possibly July), before Oracle's October 4, 2025 patch. Google and Mandiant began tracking mass extortion from September 29, 2025. Reported victims include Harvard, the University of Pennsylvania, Logitech, GlobalLogic, and The Washington Post, with more than 900 exposed EBS instances observed.
The defensive takeaway for the Codefinger side is that native features need native guardrails: watch for anomalous key use, restrict who can call SSE-C write operations, and keep versioning and immutable backups so a single overwrite is not the end. For the Oracle EBS side it is the older discipline of rapid zero-day patching and reducing the internet-facing footprint of enterprise platforms. See detection engineering for building the signals that catch feature-abuse early.
Theme 5: The AI and agent attack surface arrived
2025 saw the first supply-chain malware that deliberately searched for and weaponized locally installed AI CLI assistants to expand credential theft, and AI-adjacent SaaS integrations became a breach conduit. Attackers began treating developer AI tooling and its permissions as a new class of asset to abuse.
The Nx "s1ngularity" attack is the standout here. Beyond stealing tokens and keys, its malicious postinstall hook invoked locally installed AI CLI tools to help hunt for secrets, using flags like --dangerously-skip-permissions. This is, as far as the reporting goes, the first supply-chain attack to turn a developer's own AI assistant into a search tool for its own credential theft. It is a preview of a broader problem: AI CLIs run with real filesystem and credential access, and an attacker who can invoke them inherits that reach.
The AI-adjacent angle also shows up in Salesloft Drift, where the breached component was a chatbot integration - an AI-facing SaaS app whose OAuth tokens became the conduit into hundreds of Salesforce tenants. The lesson is not that AI tooling is uniquely dangerous, but that it is now part of the same permission and token graph as everything else. Scope what your AI CLIs and AI integrations can touch, and do not exempt them from the least-privilege and connected-app review you apply everywhere else. The evolving tactics are tracked in threat research.
Theme 6: Secrets sprawl turned every breach into a launchpad
Long-lived credentials scattered across repos, CI logs, support tickets, and CRM records meant an initial foothold routinely yielded cloud keys and tokens for lateral movement. Self-replicating malware and credential-harvesting worms industrialized the collection and re-exposure of these secrets, in several cases dumping them back into public GitHub repositories.
The Shai-Hulud worm is the purest expression of this theme, and the first true self-propagating worm in the npm ecosystem. Beginning with @ctrl/tinycolor and around 40 packages in September 2025, it stole cloud credentials with TruffleHog, published the stolen secrets to public GitHub repos, and re-infected other packages owned by each compromised maintainer. Using a stolen npm token, the malware trojanized and republished a maintainer's other packages and planted malicious GitHub Actions workflows for persistence and exfiltration. It spread to somewhere between 180 and 500-plus packages and harvested AWS, GCP, and Azure credentials along with npm and GitHub tokens. The November "Shai-Hulud 2.0" variant widened to tens of thousands of repos and began spreading toward Maven, exposing thousands of secrets.
The same dynamic runs through the other breaches. The Nx attack leaked roughly 2,349 secrets into more than 1,400 public repos. In Salesloft Drift, the attacker's second act after mass export was mining those exports for embedded AWS keys, passwords, and Snowflake tokens - one breach becoming the seed of the next. When a foothold reliably yields the credentials for the following move, the way to break the chain is to make the secrets it finds worthless: short-lived credentials instead of long-lived keys, disciplined secret scanning across code and CI, and rotation that assumes exposure rather than hoping against it.
By the numbers and patterns
A few figures capture the scale of the year, drawn directly from the incidents above:
- 700+ organizations affected by the Salesloft Drift / UNC6395 OAuth token theft, including Cloudflare, Palo Alto Networks, Zscaler, Proofpoint, PagerDuty, and Tanium.
- 23,000+ repositories affected by the tj-actions/changed-files compromise, patched in v46.0.1.
- ~2,349 distinct secrets leaked into 1,400+ public GitHub repos by the Nx "s1ngularity" attack; the Shai-Hulud worm spread across 180-500+ packages before its 2.0 variant widened to tens of thousands of repos.
- 18 npm packages carrying collectively billions of weekly downloads compromised in the debug / chalk maintainer phishing incident, caught within about two hours.
- CVSS 10.0 for the Entra ID cross-tenant Actor token flaw, mitigated globally within three days of disclosure and with no reported in-the-wild exploitation before the fix.
- 900+ exposed Oracle E-Business Suite instances observed during the Cl0p CVE-2025-61882 campaign; 4,600+ compromise attempts across 300+ organizations reported for the on-prem SharePoint "ToolShell" chain (CVE-2025-53770), where SharePoint Online was not affected and Microsoft shipped an out-of-band fix on July 19, 2025.
The patterns behind the numbers are consistent. The intrusions with the largest reach were supply-chain and SaaS-integration compromises, where one upstream failure fanned out to hundreds or thousands of victims. The intrusions that best evaded detection were the identity and token abuses, which never tripped a vulnerability signature because there was no vulnerability. And the incidents that were caught fast - the two-hour npm catch, the three-day Entra mitigation - were caught because someone had visibility and was watching. Two items here carry a hedge: the SharePoint "ToolShell" case is included as cloud-adjacent because it is on-prem SharePoint rather than pure cloud, and its scale figures come from third-party reporting rather than a single authoritative count.
What this means for 2026
Compress 2025 into a to-do list and it is short, unglamorous, and mostly about identity and dependencies rather than exploits:
- Treat tokens as credentials and shorten their lives. OAuth tokens, access keys, and refresh tokens were the way in for Codefinger, Salesloft Drift, and the npm publishes. Scope them narrowly, expire them quickly, and prefer short-lived credentials over long-lived static keys. See non-human identity.
- Inventory and govern your connected apps and SaaS integrations. The blast radius in both Salesforce campaigns was defined by OAuth grants, not by any product flaw. Know which third-party apps hold tokens into your tenants, with what scopes, and who can revoke them. This is the core of SaaS security posture management.
- Harden the build pipeline as production. Pin third-party actions to full commit SHAs, scope publish tokens, guard workflows against injection, and add provenance. tj-actions, Nx, and Shai-Hulud all turned CI into a secret-leaking machine. See CI/CD.
- Make phishing-resistant MFA the default for maintainers and admins. Phishable TOTP was the single weak link in the debug / chalk compromise; push and SMS remain fatigue-able. FIDO2 and passkeys defeat both replay and fatigue.
- Kill secrets sprawl so a foothold yields nothing. Scan code, CI logs, and exports for embedded credentials, rotate on the assumption of exposure, and stop shipping long-lived keys that a worm or a mined export can reuse.
- Instrument identity, not just infrastructure. When forged and stolen tokens are indistinguishable from legitimate ones at the network layer, logs of who authenticated, from where, and to what are the only way to find them. Build detections on that telemetry with detection engineering.
- Do not forget the boring zero-days. Oracle EBS and SharePoint show that unauthenticated RCE in internet-facing enterprise platforms still pays, and still demands rapid patching and attack-surface reduction.
None of this is novel research. The breaches of 2025 fell to fundamentals that were skipped, scoped too broadly, or turned off for convenience: an unrotated key, a broad OAuth grant, a mutable action tag, a phishable second factor. For the full step-by-step walkthroughs of the three kill chains that anchor this year - Codefinger S3, tj-actions/changed-files, and Salesloft Drift / UNC6395 - and how they sit alongside two decades of prior breaches, see the breach timeline and the synthesized root causes on breach lessons.
Where next
Walk the full step-by-step chains on the breach timeline, read the cross-incident synthesis in Lessons From 13 Cloud Breaches, and go deeper on the controls that keep recurring: IAM and least privilege, non-human identity, CI/CD and supply-chain security, and detection engineering.
Quick answers
What was the biggest cloud security story of 2025?
There was no single story, but one clear shift: identity and token theft displaced vulnerability exploitation as the primary way into the cloud. The year's largest intrusions - the Salesloft Drift / UNC6395 OAuth theft affecting 700+ organizations, the ShinyHunters Salesforce vishing campaign, and the CVSS 10.0 Entra ID cross-tenant Actor token flaw - did not exploit product vulnerabilities at all. Attackers logged in with stolen or forged identity material, and the traffic looked like legitimate authenticated activity.
Were the 2025 npm and GitHub Actions attacks connected?
They were separate incidents but shared one goal: harvesting the secrets that live in build pipelines. The tj-actions/changed-files compromise (CVE-2025-30066) dumped CI secrets from 23,000+ repositories into public logs, the debug/chalk phishing published crypto-clipper malware into 18 packages, the Nx s1ngularity attack leaked ~2,349 secrets into 1,400+ repos, and the Shai-Hulud worm self-replicated across 180-500+ packages. Together they made the software supply chain the fastest path to thousands of victims at once.
How did the Codefinger S3 ransomware work without any AWS vulnerability?
Codefinger used stolen AWS access keys with s3:GetObject and s3:PutObject permissions to encrypt victims' S3 buckets with AWS's own server-side encryption with customer-provided keys (SSE-C). Because AWS never stores the customer-supplied AES-256 key - only an HMAC is logged - recovery was impossible without paying, and a 7-day deletion timer added pressure. It weaponized a native cloud feature rather than malware. The full walkthrough is on the Codefinger S3 kill chain page.
What should security teams prioritize for 2026 based on 2025's breaches?
Treat OAuth tokens and access keys as credentials and shorten their lifetimes; inventory and govern connected SaaS apps and their OAuth scopes; harden the CI/CD pipeline by pinning actions to commit SHAs and scoping publish tokens; make phishing-resistant MFA the default for maintainers and admins; eliminate secrets sprawl so a foothold yields nothing reusable; instrument identity so stolen and forged tokens can be detected; and keep patching internet-facing enterprise platforms, since Oracle EBS and SharePoint zero-days still paid off.