Update May 12, 2026: GTIG's May 2026 AI threat tracker extends this pattern to AI infrastructure. The TeamPCP compromise of LiteLLM, an AI gateway that connects organizations to multiple model providers, yielded cloud access keys from build environments. But because LiteLLM is an AI gateway, GTIG argues the compromise also gives attackers access to the victim's AI systems, which could be used to identify and exfiltrate data at scale or move deeper into the network. The supply chain path now runs through AI infrastructure, and the access it grants is broader than traditional integrations.
---
On 4 April 2026, Anodot reported broad outages on its Snowflake, Amazon S3, and Amazon Kinesis connectors. By 7 April, BleepingComputer was reporting that authentication tokens stolen from Anodot were being used to access data across more than a dozen of Anodot's customer environments. By 11 April, ShinyHunters had named Rockstar Games on its leak site under a 14 April deadline. The deadline expired. Partial data leaked.
This was the second major Snowflake-adjacent data-theft campaign in two years, and the entry point wasn't a compromised user or exposed credentials. A SaaS integration provider was breached, authentication tokens were taken, and those tokens were then used to access data across multiple customer environments.
From the outside, nothing appears broken. The systems involved behaved as expected. Access was granted through valid mechanisms, and activity flowed through legitimate channels. That is why this kind of incident keeps repeating without triggering the response it should.
This isn’t about Snowflake
If you look back at the 2024 incident Mandiant tracked as UNC5537, the pattern is already familiar. Attackers used stolen credentials harvested from infostealer logs to access Snowflake instances and move directly to data. None of the targeted accounts had MFA enabled. 79.7% of the credentials used had prior infostealer exposure.

What changed in 2026 is not the outcome, but the path.
In the earlier incident, attackers used credentials to get in and tokens to stay. In the Anodot incident, they started with tokens.
Direct access has been replaced by indirect access through integrations. The attacker no longer needs to interact with the environment in a way that generates obvious signals. The platform becomes the last step in the chain, not where the problem starts.
This is consistent with what we've already seen across recent supply chain incidents, where the initial compromise matters far less than how access is used afterward.
Framing this as a Snowflake issue misses the underlying shift. The same pattern is showing up across SaaS, cloud storage, and data platforms. The common factor is not the vendor. It is the way access is granted and reused across systems.
The supply chain is now operational access
Integrations used to be treated as plumbing. They move data, automate workflows, and connect systems that would otherwise remain isolated.
In practice, they now function as distributed access layers.
A single integration can hold long-lived tokens, operate across multiple environments, and execute actions on behalf of users or services. When that integration is compromised, the attacker does not need to establish a foothold. They inherit one that already exists and is already trusted.
We’ve seen a similar pattern play out in supply chain compromises where execution inside a trusted environment immediately translates into usable access, which is then reused across systems.
That access often spans:
- data platforms
- storage systems
- SaaS applications
Movement across these systems does not require new techniques. It follows the same paths used by the business every day.
At that point, lateral movement is no longer something the attacker needs to do. The architecture does it for them.
Tokens quietly removed the last layer of friction
The shift from credentials to tokens is subtle, but it changes how access behaves.
Tokens are designed for persistence and automation. They are issued once and reused without requiring repeated authentication. They operate through APIs, often without user interaction, and they tend to outlive password rotations or session resets.
In many environments, they are also poorly tracked. Login events are monitored closely. Token usage is often treated as background activity.
During the 2024 Snowflake-related intrusions, one of the attackers described the situation in a way that is difficult to ignore:
I can still run commands because I have the ‘masterToken’ for every account 🤣
Ellyel8
The important part is not the quote itself. It’s how that access was maintained. By reading publicly available documentation, the attacker understood how tokens behaved and used them to persist even after accounts were secured.
Removing the attacker did not remove the access.
That creates a situation where access can continue even after remediation steps are taken. The user account may be secured, while the token tied to an integration remains active and continues to provide the same level of access.
From an attacker’s perspective, this is a cleaner and more reliable form of persistence than anything involving malware.
That account (the one that produced the "I can still run commands" quote above) was operated by Connor Riley Moucka, who was arrested in Canada in November 2024. His trial is scheduled for 19 October 2026. The access he was bragging about persisted regardless of his arrest, because tokens don't depend on the operator who minted them.
Why this activity blends in
From a detection standpoint, there is very little here that resembles a traditional intrusion.
What the environment shows is consistent with normal operations:
- authentication events are valid
- API calls follow expected patterns
- integrations behave within their intended scope
What is missing is the context that connects those actions across systems.
Data access that looks reasonable in isolation can become suspicious when viewed alongside activity in another platform. A token used by an integration may appear benign until it starts accessing data in a way that does not match historical behavior.
Most tools are not built to assemble that picture across systems. They operate within a single domain, which means they validate individual actions but rarely question how those actions relate to each other.
That gap is where this type of attack operates.
A recurring pattern, not a one-off incident
The activity has been linked to the ShinyHunters extortion brand, which monetises stolen data at scale across multiple operationally distinct teams. The specific operators matter less than the consistency of the technique.
Resecurity's January 2026 research describes "ShinyHunters" as a collaborative alias — naming, the report notes, "is changing very frequently and intentionally, typically by the actors themselves, who wish to obscure attribution." GTIG tracks the current activity across at least three separate clusters: UNC6240 handles extortion under the brand; UNC6661 and UNC6671 ran parallel January 2026 vishing campaigns against identity providers, with distinct registrars (NICENIC and Tucows) and distinct extortion tones suggesting separate operators. The Anodot/Snowflake activity is operationally distinct again. Same brand. Different teams.
What's consistent across them is what defines the MO: target authentication, not infrastructure. Any operator with access to tokens from a widely used integration platform can reproduce the same outcome. As more organisations rely on interconnected SaaS services, the number of indirect access paths continues to grow.
We've also seen how this kind of access reuse can evolve into something more automated and self-propagating, where compromised trust relationships are used to extend reach without direct interaction.
At the same time, attackers are shifting toward methods that require less effort and produce fewer signals. Compromising a third-party provider or harvesting tokens at scale offers a higher return than attempting to break into individual environments. This is why supply chain-driven incidents are becoming more frequent. They provide reach, consistency, and a level of stealth that aligns with how modern environments are built.
The attack isn’t hidden. It’s fragmented.
Security teams are not blind to this activity. They see parts of it every day:
- An identity platform logs a successful authentication.
- A SaaS application records valid API usage.
- A data platform shows expected queries and exports.
Each system validates what it observes. None of them connect those actions.
That is where this model starts to break.
The attacker does not need to evade detection across every control. They only need each control to validate its own piece of the activity. Tokens make that easier. Integrations extend it across systems. By the time the pattern forms, it exists across domains that are rarely analyzed together.
This is why incidents like this feel contained while data is still leaving the environment.
What to do about it
The conventional countermeasures for the 2024 Snowflake campaign (enforce MFA on cloud accounts, rotate stolen credentials, network-allow-list the data warehouse) are still correct, but they no longer cover this access path. Vendor-issued service tokens don't carry MFA factors. Customers can't rotate them; only the vendor can. The 2024 hardening playbook protects against 2024's MO. The 2026 MO requires a different layer.
That layer baselines what each principal – user, service principal, OAuth client – actually does over time, and triggers when the pattern shifts on multiple axes at once.
Three questions to ask of your own environment:
- For every third-party SaaS integration with cross-tenant authenticated read access, do you know what its normal API cadence and resource pattern looks like, baselined per principal?
- When was each vendor token last reviewed?
- When was each one last rotated – by the vendor?
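One way to turn the per-principal baseline described above (and the "does not match historical behavior" test from the detection section) into working logic, as an added example that is not Vectra's or any vendor's code. The audit-event fields, the three axes and the thresholds are assumptions; the audit trail is constructed.

```python
"""Added example: baseline each principal's normal API behaviour from audit
events, then alert only when the pattern shifts on several axes at once.
Log fields (resource, rows, src_net) and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    principal: str   # user, service principal or OAuth client
    day: int         # constructed day index
    resource: str    # table, bucket or object touched
    rows: int        # rows or objects returned
    src_net: str     # network the API call came from

def baseline(events):
    """Per principal: resources seen, source networks seen, mean rows per day."""
    seen = defaultdict(lambda: {"res": set(), "nets": set(), "rows": defaultdict(int)})
    for e in events:
        b = seen[e.principal]
        b["res"].add(e.resource)
        b["nets"].add(e.src_net)
        b["rows"][e.day] += e.rows
    return {p: (b["res"], b["nets"], sum(b["rows"].values()) / len(b["rows"]))
            for p, b in seen.items()}

def shifted_axes(base, principal, window):
    """Name the axes on which one day's activity departs from the baseline."""
    known_res, known_nets, mean_rows = base.get(principal, (set(), set(), 0.0))
    w = [e for e in window if e.principal == principal]
    if not w:
        return []
    axes = []
    touched = {e.resource for e in w}
    if len(touched - known_res) / len(touched) > 0.5:     # mostly unseen resources
        axes.append("new_resources")
    if sum(e.rows for e in w) > 5 * max(mean_rows, 1.0):  # bulk read vs. daily norm
        axes.append("volume")
    if {e.src_net for e in w} - known_nets:               # call origin never seen
        axes.append("new_network")
    return axes

def should_alert(base, principal, window, min_axes=2):
    """One shifted axis is noise (schema change, busy day); two or more is not."""
    return len(shifted_axes(base, principal, window)) >= min_axes

# Constructed audit trail: an ETL integration token reading two tables daily.
HISTORY = [Event("svc-etl", d, r, 500, "vendor-net")
           for d in range(1, 6) for r in ("orders", "inventory")]
BASE = baseline(HISTORY)
# Day 6, benign: one new table after a schema change, same cadence and origin.
SCHEMA_CHANGE = [Event("svc-etl", 6, r, 500, "vendor-net")
                 for r in ("orders", "inventory", "customers")]
# Day 6, token reuse: bulk reads of unseen tables from an unseen network.
TOKEN_REUSE = [Event("svc-etl", 6, r, 30000, "unknown-net")
               for r in ("customers", "payments", "exports")]
```

The benign schema change shifts no axis and stays silent; the reused token shifts all three, which is the cross-system picture a single-domain control never assembles.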
The Vectra AI ebook Mind Your Attack Gaps covers the "Authentication succeeds" gap this campaign exploits. If you want a one-conversation walk-through of how the supply-chain MO maps to your specific stack, reach out to us.