The integration between Salesforce and the Salesloft platform has been restored after an investigation by Mandiant linked an August supply chain attack to the compromise of Salesloft’s GitHub account, according to an update on the Salesloft website on Sunday.

However Salesforce said the integration will not include Drift. The company said Drift will remain disabled until further notice, according to an updated advisory from Salesforce. 

A threat group tracked as UNC6395 abused Salesloft Drift to launch a credential harvesting campaign in August, targeting hundreds of Salesforce instances using compromised OAuth tokens.   

The Mandiant investigation showed the attacker gained access to the Salesloft GitHub account between March and June 2025, according to a Saturday update by Salesloft. After gaining access, the attacker downloaded content from multiple repositories and was able to establish workflows, according to the Salesloft post. 

Between March and June, hackers conducted reconnaissance activities in the Salesloft and Drift application environments.

“The threat actor then accessed Drift’s AWS environment and obtained OAuth tokens for Drift customer’s technology integrations,” Salesloft said in the post. 

Researchers warned last month that the credential harvesting attack on Salesloft was likely a precursor to additional attacks in the future. 

Several major security companies last week confirmed they were impacted by the supply chain attack as downstream customers. Palo Alto Networks, Zscaler, Proofpoint and Cloudflare all confirmed their Salesforce instances had been compromised by the campaign. 

Editor’s note: Corrects headline and story to emphasize restoration will involve the platform, but not include the Drift application.