ShinyHunters' 2025 hacking spree has continued at pace in 2026. In this blog post, we break down their main techniques and what security teams can do to counter the threat.
ShinyHunters and the broader SLH (Scattered Lapsus$ Hunters) collective have claimed breaches at thousands of organizations over the past twelve months across retail, technology, aviation, financial services, media, gaming, and education, in what amounts to the most sustained data theft and extortion operation in recent cybercrime history.
The confirmed victim list reads like a Fortune 500 directory: Coca-Cola, Cisco, Qantas, Coinbase, ADT, Aflac, SoundCloud, Rockstar Games, and recently Instructure — whose breach disrupted schools and universities nationwide during final exams — among dozens more named publicly and likely many more that haven't been (breaches settled quickly behind closed doors don't always make it into the public eye). ShinyHunters alone claimed over 1.5 billion stolen Salesforce records from a single campaign targeting more than 1,000 organizations, and this follows the 2024 Snowflake breach where the same group used infostealer-harvested credentials to compromise over 165 customer environments (and another billion-plus records).
SLH operates as a distributed criminal collective. Its genealogy traces through a merger of Scattered Spider, Lapsus$, and ShinyHunters, itself part of the Com, a broader community of English-speaking cybercriminals with international criminal affiliations.
Additional operating clusters, including Cordial Spider and Snarky Spider (which CrowdStrike characterizes as the new generation of Scattered Spider), run parallel campaigns against different target sectors. They are unified not by shared infrastructure but by a shared playbook of techniques that exploit the structural weakness of modern SaaS-first organizations: the identity sessions and third-party integration trust that now sit in the browser and at vendors rather than behind a network perimeter. Unit 42 documented these groups moving from initial compromise to complete data exfiltration in under an hour, faster than most organizations can even begin to respond.
Not every SLH breach is browser-based. The Instructure breach (275 million individuals, ~330 school login portals defaced) began with a Salesforce tenant compromise in September 2025, then resurfaced in May 2026 after attackers exploited a vulnerability affecting Canvas's Free-For-Teacher program; Instructure has since confirmed that it "reached a settlement" for the deletion of the data and has shut down the free account tier. The Coinbase breach, meanwhile, cost $180M–400M and started with insider bribery. These are the exceptions that prove the rule.
ShinyHunters appear to have returned opportunistically to the scene of the crime at Instructure because of the proven payoff of targeting EdTech organizations, combined with the leverage of data gathered during the previous breach (and the previous refusal to pay). A major data breach is therefore likely to be followed by further attempts to increase pressure and extort payment. We saw the same thing in the 2024 PowerSchool breach, where individual victims were hit with blackmail and extortion attempts even though PowerSchool had paid the ransom precisely to avoid that scenario; the attackers, unsurprisingly, did not keep their end of the bargain.
The vast majority of SLH campaigns over the past year converge on three browser-based attack vectors: vishing combined with AiTM phishing, device code phishing exploiting account authorization flows, and OAuth supply chain attacks through compromised third-party integrators. Each is well-documented, each has produced confirmed victims at scale, and each is detectable or preventable through browser-layer security controls. This post examines all three.
Vector 1: Vishing combined with AiTM phishing
The most visible campaign right now pairs targeted voice calls with adversary-in-the-middle phishing pages — an approach that Mandiant, CrowdStrike, and Unit 42 have all documented from the incident response side, and which Push has documented from inside the attacker's own operator panels.
An attacker impersonating IT support calls the target employee, establishes urgency (often citing a "mandatory passkey rollout" or a "security compliance update") and directs them to a victim-branded AiTM phishing page, typically at a domain like <company>sso.com or <company>internal.com. A live operator works the page in real time, relaying the credentials and MFA codes to the legitimate identity provider as the victim types them, capturing the resulting session token, and handing the attacker an authenticated session. One caveat worth keeping in mind: an origin-bound passkey will not complete an authentication ceremony on a lookalike domain, so a relay of this kind only captures a session when the victim authenticates with a phishable factor such as a password plus OTP or push approval.
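The relay described above, as an added example rather than code from Push or from any phishing kit: a toy identity provider that accepts password + OTP (or a passkey bound to its own host) and sets a session cookie, and a proxy on a lookalike host that forwards the victim's input upstream and keeps a copy of the cookie. The hosts (sso.victim.example, victimsso.example), the user, the password, the OTP scheme and the cookie format are all invented for the example. The passkey branch shows why an origin-bound credential does not relay.

```python
"""Adversary-in-the-middle relay, simulated end to end.

Added example, not Push's code and not a real phishing kit: a toy identity
provider that accepts password + OTP (or a passkey bound to its own host) and
sets a session cookie, plus a proxy on a lookalike host that forwards the
victim's input upstream and keeps a copy of the cookie. Hosts, users, secrets
and the OTP scheme are all invented for the example."""
import hashlib
import hmac
import secrets
from typing import Optional

LEGIT_HOST = "sso.victim.example"   # assumption: the real IdP host (the passkey RP ID)
PHISH_HOST = "victimsso.example"    # assumption: attacker's lookalike host


class LegitIdP:
    """Toy identity provider. A successful login returns a session cookie."""

    def __init__(self) -> None:
        self.users = {"alice": {"password": "correct-horse", "otp_seed": b"seed-alice"}}
        self.sessions: dict[str, str] = {}  # cookie -> user

    def current_otp(self, user: str, window: int) -> str:
        # Stand-in for TOTP: HMAC of the time window, truncated to 6 characters.
        seed = self.users[user]["otp_seed"]
        return hmac.new(seed, str(window).encode(), hashlib.sha256).hexdigest()[:6]

    def login_password_otp(self, user: str, password: str, otp: str, window: int) -> dict:
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password) \
                or not hmac.compare_digest(self.current_otp(user, window), otp):
            return {"error": "invalid_credentials"}
        return {"set_cookie": self._new_session(user)}

    def login_passkey(self, user: str, assertion: Optional[str]) -> dict:
        # The server only accepts an assertion made for its own RP ID; None
        # models the browser refusing to produce one at all.
        if user not in self.users or assertion != LEGIT_HOST:
            return {"error": "no_valid_assertion"}
        return {"set_cookie": self._new_session(user)}

    def whoami(self, cookie: Optional[str]) -> Optional[str]:
        return self.sessions.get(cookie) if cookie else None

    def _new_session(self, user: str) -> str:
        cookie = secrets.token_urlsafe(24)
        self.sessions[cookie] = user
        return cookie


def webauthn_assertion(page_host: str, rp_id: str) -> Optional[str]:
    """Models WebAuthn origin binding: the browser lets an authenticator sign
    only when the page's host is the RP ID or a subdomain of it."""
    if page_host == rp_id or page_host.endswith("." + rp_id):
        return rp_id
    return None


class AitmProxy:
    """Served from PHISH_HOST. Every login post is forwarded to the real IdP and
    the victim gets the real response; the operator keeps the cookie."""

    def __init__(self, upstream: LegitIdP) -> None:
        self.upstream = upstream
        self.captured_cookies: list[str] = []

    def post_login(self, form: dict) -> dict:
        resp = self.upstream.login_password_otp(
            form["user"], form["password"], form["otp"], form["window"])
        if "set_cookie" in resp:
            self.captured_cookies.append(resp["set_cookie"])
        return resp


def relay_password_otp(window: int = 1234) -> dict:
    """Victim types password and the OTP from their authenticator into the
    lookalike page; the relay completes the real login and the operator ends
    up holding an authenticated session."""
    idp = LegitIdP()
    proxy = AitmProxy(idp)
    victim_otp = idp.current_otp("alice", window)  # what the victim reads off their app
    victim_view = proxy.post_login(
        {"user": "alice", "password": "correct-horse", "otp": victim_otp, "window": window})
    stolen = proxy.captured_cookies[0] if proxy.captured_cookies else None
    return {"victim_logged_in": "set_cookie" in victim_view, "attacker_is": idp.whoami(stolen)}


def relay_passkey() -> dict:
    """Same lure, but the victim tries to use a passkey. The page is on the
    lookalike host, so the browser produces no assertion and nothing relays."""
    idp = LegitIdP()
    assertion = webauthn_assertion(PHISH_HOST, rp_id=LEGIT_HOST)
    resp = idp.login_passkey("alice", assertion)
    return {"assertion_produced": assertion is not None,
            "attacker_got_session": "set_cookie" in resp}


if __name__ == "__main__":
    print(relay_password_otp())  # {'victim_logged_in': True, 'attacker_is': 'alice'}
    print(relay_passkey())       # {'assertion_produced': False, 'attacker_got_session': False}
```

The point the two runs make side by side: the victim sees a perfectly normal login in the first case because the proxy is a transparent pipe to the real provider, and the only thing that broke the second case was the browser's origin check, not anything the user did.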
One of the reasons that this method is becoming so widespread is the commoditization of effective tools. Push's infiltration of the criminal phishing panels identified over 400 linked domains across four distinct infrastructure clusters. This mirrors the pattern that turned AiTM phishing from a specialist capability into an industrialized market with competing PhaaS platforms, but with the added complication that voice phishing as the delivery vector makes the attack invisible to traditional anti-phishing controls at the email layer.
The speed at which these campaigns execute has compressed dramatically. As noted above, Unit 42 documented Cordial Spider and Snarky Spider moving from initial compromise to complete data exfiltration in under an hour, fast enough that any detection strategy relying on human SOC triage will arrive after the data has already left the building.
Vector 2: Vishing combined with device code phishing
The ShinyHunters Salesforce campaign that ran through 2025 and into 2026 used device code phishing as one of its core methods, compromising over 1,000 organizations and claiming 1.5 billion stolen records — including an attempted extortion of Salesforce itself. The attack involved registering an attacker-controlled "DataLoader" application mimicking a legitimate Salesforce tool, configuring it to request broad OAuth scopes including full API access and refresh token generation, and guiding victims through the device authorization flow via vishing calls.
Device code phishing exploits the OAuth 2.0 device authorization grant (RFC 8628), a flow designed for devices without browsers, like smart TVs, but used in a wide range of scenarios including CLI logins. The attacker starts the flow against the identity provider, receives a short user code, and tricks the victim into entering it on Microsoft's (or another identity provider's) legitimate verification page. Since the victim is usually already signed into the identity provider in their browser, there is no login at all: they simply navigate to the provider's device code page, type the attacker-supplied code, approve the prompt, and the provider issues the attacker's client an access token (and typically a refresh token) for the victim's account.
This is what makes device code phishing structurally different from AiTM: it sidesteps MFA entirely, passkeys included, because the attack does not target the login. The victim's authentication already happened, possibly days earlier. What the attacker abuses is the authorization step, where the provider asks an already-authenticated user to approve a device rather than to prove who they are.
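The three-step exchange described above, played out as an added example (not Push's code and not any real provider's API): a toy authorization server implementing the RFC 8628 endpoints, an attacker client that requests codes and polls for tokens, and a victim who is already signed in and types the code. The client name "DataLoader-lookalike", the host idp.example, the code lifetime, the scope string and every token are assumptions. The optional client allowlist is a general hardening (restricting which clients may use the device flow at all), shown here as an assumption rather than as something the page describes.

```python
"""Device code phishing, end to end, as a runnable simulation of the OAuth 2.0
device authorization grant (RFC 8628).

Added example: the IdP, the "DataLoader-lookalike" client name, the scope
string and every code and token here are invented; nothing is Push's code or a
real provider's API."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

VERIFICATION_URI = "https://idp.example/device"  # assumption: the IdP's legitimate page
CODE_LIFETIME_S = 900                             # assumption; RFC 8628 only says "short"


@dataclass
class PendingGrant:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    approved_by: Optional[str] = None


class IdentityProvider:
    """Toy authorization server: issues device/user codes and, once a signed-in
    user approves the user code, mints tokens for whoever holds the device code."""

    def __init__(self, allowed_device_clients: Optional[set] = None) -> None:
        # Optional hardening (assumption): only these client_ids may use the device flow.
        self.allowed_device_clients = allowed_device_clients
        self.pending: dict = {}       # device_code -> PendingGrant
        self.by_user_code: dict = {}  # user_code -> device_code

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1 (RFC 8628 s3.1/3.2): the *attacker's* client asks for codes.
        No user, password or MFA is involved at this point."""
        if self.allowed_device_clients is not None and client_id not in self.allowed_device_clients:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        self.pending[device_code] = PendingGrant(
            client_id, scope, user_code, time.time() + CODE_LIFETIME_S)
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": CODE_LIFETIME_S, "interval": 5}

    def verify_user_code(self, user_code: str, signed_in_user: str) -> dict:
        """Step 2 (s3.3): the victim, already signed in (their MFA happened at
        their own login, possibly days ago), types the attacker's code on the
        IdP's legitimate page. Nothing here re-authenticates the victim."""
        device_code = self.by_user_code.get(user_code.strip().upper())
        grant = self.pending.get(device_code)
        if grant is None or time.time() > grant.expires_at:
            return {"error": "invalid_or_expired_code"}
        grant.approved_by = signed_in_user
        # What a consent screen would show; the attacker chose both values.
        return {"status": "approved", "client_id": grant.client_id, "scope": grant.scope}

    def token(self, device_code: str) -> dict:
        """Step 3 (s3.4/3.5): the attacker polls /token with the device code."""
        grant = self.pending.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if time.time() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        del self.by_user_code[grant.user_code]
        return {"access_token": "at_" + secrets.token_urlsafe(16),
                "refresh_token": "rt_" + secrets.token_urlsafe(16),
                "scope": grant.scope, "sub": grant.approved_by, "client_id": grant.client_id}


def run_phish(idp: IdentityProvider, victim: str,
              attacker_client_id: str = "DataLoader-lookalike",
              scope: str = "api refresh_token full") -> dict:
    """Play the three steps in the order the vishing call drives them and
    return what each party observed."""
    codes = idp.device_authorization(attacker_client_id, scope)
    if "error" in codes:
        return {"blocked_at": "device_authorization", "idp_response": codes}
    # Attacker polls before the victim acts: the IdP correctly says "pending".
    first_poll = idp.token(codes["device_code"])
    # Over the phone: "go to <verification_uri> and enter <user_code>".
    consent = idp.verify_user_code(codes["user_code"], signed_in_user=victim)
    # Attacker polls again and now receives tokens bound to the victim.
    tokens = idp.token(codes["device_code"])
    return {"first_poll": first_poll, "consent": consent, "tokens": tokens}


if __name__ == "__main__":
    result = run_phish(IdentityProvider(), victim="alice@victim.example")
    print(result["first_poll"])                      # {'error': 'authorization_pending'}
    print(result["tokens"]["sub"], result["tokens"]["scope"])
    hardened = IdentityProvider(allowed_device_clients={"corp-cli"})
    print(run_phish(hardened, victim="alice@victim.example"))  # blocked at step 1
```

Notice where the victim's password and MFA appear in this exchange: nowhere. The only thing the victim contributes is the code, on the provider's genuine page, which is exactly why the page's URL and TLS certificate give the victim no warning.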
Device code phishing has been rapidly commoditized. What began with Storm-2372's nation-state campaigns in August 2024 has since proliferated through criminal kits like EvilTokens and Venom — which reuses Sneaky2FA's AiTM infrastructure while adding device code phishing options — and more recently through Tycoon2FA, which has adopted device code phishing capabilities alongside its established AiTM functionality. Push now tracks 12+ distinct device code phishing kits in the wild and has measured a 37.5x increase in device code phishing activity since the start of 2026.
Vector 3: OAuth supply chain attacks through compromised integrators
The third vector does not require the attacker to phish the victim organization's employees at all. Instead, it exploits the OAuth trust relationships that organizations create when they connect third-party SaaS vendors into their environments — and the consequence is that every organization that authorized one of these integrations effectively extended its security boundary to include the vendor's own security posture.
The Salesloft/Drift supply chain attack demonstrated this at scale in 2025: in an extension of the previously mentioned device code phishing campaign, the attacker compromised Salesloft's GitHub environment, used TruffleHog to find secrets, stole Drift OAuth tokens, and used them to access downstream Salesforce environments. The same pattern was later repeated at Gainsight.
Between these supply chain attacks and the device code phishing campaign described above, more than 1,000 organizations were breached. The attackers then harvested AWS keys, Snowflake credentials, and stored passwords from the breached Salesforce instances, compounding the access into progressively wider reach.
The same structural pattern has continued into 2026 with the Anodot supply chain compromise, which has produced confirmed breaches at Vimeo (119,000 users), Rockstar Games (78.6 million records), and Zara/Inditex (197,000 people), with further downstream victims likely still emerging. The Vercel breach, in which compromised OAuth tokens from Context.ai cascaded into Google Workspace, reinforces the same attack pattern (though it was likely not a ShinyHunters operation, despite being claimed by someone posing as them).
A forgotten SaaS integration can easily become the pivot point for downstream compromise. The moment you authorize a third-party integration, your security boundary extends to include that vendor. If the third-party is compromised, every downstream customer organization with an active integration is exposed.
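A practical consequence of the point above is that the grants already sitting in a tenant need triaging, not just new consents. The following is an added example (not Push's product logic) of that triage: given an inventory of third-party OAuth grants, it revokes grants whose publisher is on a compromised-vendor list or that have been dormant past a threshold, and flags broad or durable scopes that a single user consented to without admin review. The inventory, the app and publisher names, the scope weights and the 90-day threshold are all assumptions; the Salesforce-style scope names ("api", "refresh_token", "full") mirror the ones named in the campaign above.

```python
"""Triage of the third-party OAuth grants already sitting in a tenant: which
integrations would become a pivot point if their vendor were compromised, and
which to revoke now.

Added example, not Push's product logic. The inventory, app and publisher
names, scope names, weights and thresholds are all assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 5, 20, tzinfo=timezone.utc)  # fixed clock so the run is deterministic
UNUSED_AFTER = timedelta(days=90)                  # assumption: dormant grants get revoked
RISK_THRESHOLD = 5                                 # assumption

# Weights are assumptions; durable (refresh/offline) and tenant-wide scopes score highest.
SCOPE_RISK = {
    "refresh_token": 3, "offline_access": 3,
    "full": 4, "api": 2,
    "https://www.googleapis.com/auth/drive": 3,
    "Mail.ReadWrite": 3, "Directory.ReadWrite.All": 4,
}


@dataclass(frozen=True)
class Grant:
    app: str
    publisher: str
    admin_consented: bool         # tenant-wide admin consent vs. a single user's click
    scopes: tuple
    last_used: datetime
    granted_by: str


def risk_score(grant: Grant) -> int:
    """Sum of per-scope weights; unknown scopes count 1 so they are not ignored."""
    return sum(SCOPE_RISK.get(s, 1) for s in grant.scopes)


def triage(grant: Grant, compromised_publishers: frozenset, now: datetime = NOW) -> tuple:
    """Return (action, reasons). Revocation checks come first because a
    compromised publisher's stored tokens may already be in attacker hands."""
    reasons = []
    if grant.publisher in compromised_publishers:
        reasons.append(f"publisher {grant.publisher} reported compromised")
    idle = now - grant.last_used
    if idle > UNUSED_AFTER:
        reasons.append(f"unused for {idle.days} days")
    if reasons:
        return "revoke", reasons
    score = risk_score(grant)
    if score >= RISK_THRESHOLD and not grant.admin_consented:
        return "review", [f"scope risk {score} granted by {grant.granted_by} without admin consent"]
    return "keep", []


def triage_inventory(grants, compromised_publishers: frozenset) -> dict:
    """Group app names by action so the output reads as a work list."""
    out = {"revoke": [], "review": [], "keep": []}
    for g in grants:
        action, _ = triage(g, compromised_publishers)
        out[action].append(g.app)
    return {k: sorted(v) for k, v in out.items()}


# Constructed inventory standing in for what a consent log or admin API would return.
SAMPLE_GRANTS = (
    Grant("Chat-to-CRM connector", "chat-vendor.example", True,
          ("api", "refresh_token"), NOW - timedelta(days=2), "admin@victim.example"),
    Grant("Legacy ETL connector", "etl-vendor.example", True,
          ("full", "refresh_token"), NOW - timedelta(days=200), "admin@victim.example"),
    Grant("Calendar helper", "indie-dev.example", False,
          ("offline_access", "Mail.ReadWrite"), NOW - timedelta(days=1), "bob@victim.example"),
    Grant("Corporate CLI", "corp-it.example", True,
          ("api",), NOW - timedelta(days=1), "admin@victim.example"),
)

if __name__ == "__main__":
    # chat-vendor.example plays the role of a Salesloft/Drift- or Anodot-style upstream compromise.
    print(triage_inventory(SAMPLE_GRANTS, frozenset({"chat-vendor.example"})))
```

The dormant-grant rule matters as much as the compromised-vendor rule: the "Legacy ETL connector" in the sample has not been used in 200 days, which is exactly the forgotten integration the paragraph above warns about, and it still holds a refresh token with full access.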
These attacks all happen in the browser
Every one of these attack chains either plays out in the browser (AiTM phishing, device code phishing) or hinges on a decision made in the browser that could have been governed there (the OAuth consent that connects a third-party integrator). The techniques are interchangeable: the same criminal kits now offer AiTM and device code phishing side by side, and the same threat actor (ShinyHunters) has used all three vectors across different campaigns within the same twelve-month period.
How Push can help
Push operates at the exact point in each of these attack chains where automated intervention can still prevent the compromise.
For vishing + AiTM attacks, Push's behavioral phishing detection analyzes and blocks the phishing page in real time by detecting it from the user's browser — regardless of the domains used, hosting infrastructure, or where the URL was delivered.
For device code phishing, Push detects the phishing pages associated with device code phishing kits, including generic, technique-class detections that catch new kits without requiring kit-specific signatures. Push also adds a layer of protection on the legitimate device code authentication pages themselves, preventing users from entering attacker-supplied codes into them. Together, these detections cover both the kit-operated phishing infrastructure and the legitimate auth pages that the attack flow depends on.
For OAuth supply chain attacks, Push detects and controls OAuth consent flows at the browser layer, capturing which application is requesting access, what scopes it is requesting, and whether the grant should be permitted under organizational policy. Push customers can also block OAuth connection requests as they transit the browser, enabling security teams to stop unwanted integrations from being added in the first place.
Closing thoughts
The campaigns documented in this post are not historical — they are ongoing, with new victims surfacing weekly and the underlying criminal infrastructure still actively developing. But the defensive strategy does not require anticipating which specific group, vector, or target sector comes next, because all three converge on the same control point: the browser, where the attack begins or the integration decision is made. Organizations with browser-layer detection and OAuth governance in place have defense-in-depth against the full range of techniques these groups employ, regardless of which specific vector any given campaign uses.
Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required.
Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.
Book a live demo to learn more.
Appendix: named ShinyHunters victims since May 2025
To give an indication of the scale, the following table documents all publicly named victims attributed to ShinyHunters specifically since the Salesforce campaign began in May 2025. It is not exhaustive: ShinyHunters has claimed over 1,000 organizations in aggregate across its Salesforce campaigns alone, and many victims have not been publicly named. This list also doesn’t include the billion-plus records compromised in the 2024 Snowflake breaches. The major ransomware attacks executed against M&S, Co-op, and Jaguar Land Rover claimed by the Scattered Lapsus$ Hunters "brand" also aren't listed below.
| Campaign | Began | Named victims | Confirmed impact |
| --- | --- | --- | --- |
| ShinyHunters Salesforce vishing (vishing + device code phishing → Salesforce connected app authorization) and Salesloft/Drift supply chain (stolen OAuth tokens → downstream Salesforce access) | May 2025 | Coca-Cola Europacific Partners, Cisco, Qantas, LVMH, Adidas, Google, Chanel, Pandora, Allianz Life, Air France-KLM, Farmers Insurance, Workday, TransUnion, Stellantis, Kering, Odido, Hallmark, Salesloft (origin), Toast, Avalara, Fastly, Cato Networks, Cloudflare, Palo Alto Networks, Zscaler, Tenable, Elastic, JFrog, CyberArk, Rubrik, BeyondTrust, Proofpoint, Workiva, Mercer Advisors, Beacon Pointe, Ameriprise, Kemper, Udemy, 7-Eleven, Mytheresa, Marcus & Millichap, Carnival, Pitney Bowes, Alert 360, Amtrak, McGraw-Hill, Canada Life | 48 named victims. Confirmed individual impact includes 23M+ records (Coca-Cola), 5.7M records (Qantas), 6.2M customers (Odido), 4.4M consumers (TransUnion), up to 18M records (Stellantis), 13.5M emails (McGraw-Hill), 8.2M emails (Pitney Bowes), 7.5M emails (Carnival). ShinyHunters claims 1.5B+ Salesforce records across 1,000+ organizations total. |
| Vishing + AiTM SSO (vishing → AiTM phishing page → SSO session capture → SaaS data exfiltration) | Aug 2025 | SoundCloud, GrubHub, Panera Bread, Match Group, Crunchbase, Betterment, CarMax, Edmunds, CarGurus, Hims & Hers, University of Pennsylvania, Harvard University, Optimizely, TELUS Digital, Crunchyroll, ADT | 16 named victims. Confirmed individual impact includes ~30M records (SoundCloud), ~14M records (Panera), 10M+ records (Match Group), ~20M records (Betterment), 5.5M people (ADT), 1M+ records (UPenn), ~1PB stolen from TELUS Digital ($65M ransom refused). |
| Anodot supply chain (stolen OAuth tokens → downstream Snowflake/BigQuery access) | Apr 2026 | Anodot/Glassbox (origin), Rockstar Games, Vimeo, Zara/Inditex | 4 named victims (12+ total claimed). 78.6M records (Rockstar Games), 197K individuals (Zara), 119K individuals (Vimeo). |
| Other SLH-attributed (misc. vectors including infostealer chains, CI/CD supply chain, SaaS platform compromise) | May 2025 | UK Legal Aid Agency, Mixpanel, Wynn Resorts, Woflow, Vercel, European Commission, Mercor, Medtronic, Instructure | 10 named victims across varied vectors. Notable: Vercel (Lumma Stealer → Context.ai OAuth app → Google Workspace), European Commission (poisoned Trivy GitHub Action → 340GB across 71 EU entities). |
