A massive supply chain attack attributed to UNC6395 began with a GitHub compromise and led to OAuth token theft. The attackers bypassed MFA to exfiltrate CRM data and embedded credentials from over 700 Salesforce and Google Workspace instances.