IntelBroker Claims Apple Source Code Exposure Involving Internal SSO and Atlassian Plugins
Threat actor IntelBroker claimed to have breached Apple and posted code on BreachForums tied to three internal tools: AppleConnect-SSO, Apple-HWE-Confluence-Advanced, and AppleMacroPlugin. Reporting said the exposed material appeared related to Apple’s internal authentication and workflow environment, including integrations for Atlassian Jira and Confluence, raising concern that the leak could reveal sensitive implementation details useful for follow-on attacks. Apple had not confirmed a breach at the time of reporting, and major outlets had not independently verified the claim.
Independent analysis cited in coverage said the leak did not appear to contain the full source code for the named internal tools, but rather proprietary plugins and configuration data used to connect Apple authentication systems to internal collaboration platforms. That assessment said the exposure could still create meaningful enterprise security risk by disclosing internal architecture and access-related details, while indicating that Apple customer products and services were not affected. The claim emerged shortly after IntelBroker also alleged a breach of AMD, and later reporting noted Cisco was also claimed as a victim by the same actor.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
IntelBroker is reported to claim a compromise of Cisco
SC Media reported that Cisco was claimed to have been compromised by IntelBroker, indicating another alleged victim tied to the same threat actor. The provided reference includes no further technical or confirmation details.
AHCTS analyzes leaked Apple material and says it exposes internal plugins/configs
Cybersecurity consultancy AHCTS assessed that the leaked Apple material did not contain full source code for the internal tools themselves, but proprietary internal plugins and configuration data used to integrate Apple authentication with Atlassian Jira and Confluence. The firm said the exposure posed meaningful security risk while indicating Apple customer-facing products and services were not affected.
IntelBroker claims breach of Apple and posts internal code on BreachForums
In June 2024, threat actor IntelBroker claimed to have breached Apple and released code tied to three internal tools: AppleConnect-SSO, Apple-HWE-Confluence-Advanced, and AppleMacroPlugin. At the time, the incident was an unverified breach claim and Apple had not publicly confirmed any compromise.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Cisco claimed to be compromised by IntelBroker | brief | SC Media
scworld.com
Open sourceIntelbroker claims they hacked Apple in the same week as AMD | Tom's Hardware
tomshardware.com
Open sourceHas Apple Been Hacked? June 2024 Breach Exposes Source Code, Hacker Claims
forbes.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
IntelBroker Claims AMD Network Breach and Sale of Stolen Internal Data
AMD said it is investigating claims that its internal network was breached after the threat actor **IntelBroker** advertised a large cache of alleged company data for sale on a cybercrime forum. Reported samples indicate the material may include **future product details, source code, firmware, internal communications, financial records, customer databases, and employee information**, raising concerns over intellectual property exposure, corporate espionage, and privacy risks. AMD said it is working with **law enforcement** and a third-party hosting partner to determine whether the data is authentic and to assess the scope and impact of the incident. The AMD claims fit a broader pattern of high-profile extortion and data-theft allegations tied to forum-based actors, including earlier reports in which attackers claimed to possess sensitive files from major organizations such as **GE** and even purported **DARPA**-related material, though some of those assertions remained unconfirmed. In AMD's case, public reporting indicates the stolen dataset was promoted on the dark web and may contain strategically valuable engineering and business information, making the incident significant even before full verification is complete.
May 25, 2026
Threat Actor Claims Adobe Support Breach via Third-Party BPO
A threat actor using the alias **"Mr. Raccoon"** has allegedly breached Adobe support systems through a third-party Indian BPO contractor and claims to have stolen a large cache of sensitive data. According to unverified reports and social media posts, the actor first compromised a contractor employee with a malicious email delivering a remote access trojan, then expanded access by phishing the employee’s manager. The attacker says the intrusion exposed more than **13 million support ticket records**, roughly **15,000 employee records**, internal documents, Adobe’s Microsoft SharePoint environment, and submissions from Adobe’s **HackerOne** bug bounty program. The reports further allege the actor abused overly permissive ticket export functionality that allowed bulk extraction of support data in a single request, raising concerns about phishing, identity theft, and exposure of unpublished vulnerability disclosures. The incident, if confirmed, would represent a significant third-party supply chain compromise affecting Adobe’s support operations. Adobe had not publicly confirmed or denied the claims at the time the reports were published.
Apr 9, 2026
ShinyHunters Claims Cisco Breach Exposed Salesforce Records and Cloud Data
ShinyHunters has claimed responsibility for breaching Cisco and stealing more than **3 million Salesforce records** along with internal corporate data, **GitHub repositories**, and contents from **AWS S3 buckets**, then posted a **"FINAL WARNING"** on its leak site threatening to publish the data after April 3. Reports said the alleged haul may include information tied to Cisco customers, employees, and personnel from U.S. and foreign government agencies, while screenshots shared by the group purportedly showed access to Cisco-linked AWS infrastructure and multiple connected cloud accounts. The intrusion was linked in reporting to three alleged access paths involving **Salesforce CRM**, **Salesforce Aura/Experience Cloud**, and AWS environments, and to activity tracked as **`UNC6040`** and **`UNC6395`**. Threat intelligence cited in the coverage said the attackers have used **vishing** to trick employees into approving malicious Salesforce OAuth applications, then abused stolen tokens to bypass MFA and move deeper into cloud environments; recommended defenses included auditing connected OAuth apps, revoking suspicious tokens, tightening API access controls, and monitoring for unauthorized Salesforce Data Loader activity. Cisco had not publicly addressed the March 2026 extortion claim at the time of reporting.
May 2, 2026