Composio May 2026 Security Incident
We've identified a security incident involving unauthorized access to certain internal Composio systems. We are actively investigating and have engaged external incident response experts to assist with investigation and remediation.
This is a page we will keep updating as we find more information. For now, this bulletin covers:
Updates
Who is impacted
What we know so far
Recommendations
Things we've done so far
Product Updates
Indicators of Compromise (IOCs)
Updates
We are still investigating what has been affected; as we have more findings, we will share them here:
| Date | Update |
|---|---|
| May 21, 11:45 AM PST | No updates published. |
| May 21, 3:50 PM PST | Further clarified the list of compromised toolkits |
| May 21, 8:41 PM PST | Clarified internal vs external users, with additional product follow-up and completed security work |
| May 22, 2:00 PM PST | Added Indicators of Compromise (IOCs) |
Who is impacted
We have identified a small percentage of users whose GitHub tokens were compromised and are in the process of reaching out to them. As a precautionary measure, we have revoked all user GitHub tokens and contacted the affected users with recommendations for token revocation and abuse detection.
A small number of additional users were affected via specific API keys, and we have contacted them directly.
We are continuing to investigate for any further signs of compromise and will update this bulletin as we learn more.
Below is the full list of leaked connections, about 0.3% of total active connections. The attack reached beyond GitHub but stayed fairly contained across other apps. We revoked every affected connection immediately.
The list has been updated to mark which connections are internal and which are external; internal connections are Composio test accounts.
| Connector | Count (0.3% of Total Connections) |
|---|---|
| GitHub | 5001 |
| Gmail | 12 |
| Strava | 5 (1 internal) |
| Jira | 2 (1 internal) |
| Google Drive | 1 (internal only) |
| Google Sheets | 1 (internal only) |
| Google Slides | 1 (internal only) |
| HubSpot | 1 |
| Instantly | 1 (internal only) |
| Linear | 1 |
| | 1 (internal only) |
| Metabase | 1 (internal only) |
| Notion | 1 |
| PostHog | 1 (internal only) |
| Render | 1 (internal only) |
| Sentry | 1 (internal only) |
| Slack | 1 |
| Slackbot | 1 (internal only) |
| Telegram | 1 (internal only) |
| Vercel | 1 (internal only) |
| Workday | 1 (internal only) |
| Bitbucket | 1 (internal only) |
| You.com | 1 (internal only) |
| Microsoft Excel | 1 (internal only) |
| Gong | 1 (internal only) |
| Google Calendar | 1 |
What we know so far
The attacker probed our systems extensively, brute-forcing many combinations of exploits using LLM-generated attack patterns until they gained a foothold in an internal agentic tool used to monitor our infrastructure and report connector failures. From that initial foothold, they abused the tool to obtain elevated access to the automated remediation systems that fix errors in our connectors. They then registered malicious tool definitions inside our sandboxed execution environment, chaining each step to escalate privileges further, until they were ultimately able to execute arbitrary code within our tool-execution sandbox.
The attacker moved at exceptional speed as we tracked them across our systems, demonstrating deep knowledge of our API surface and internal architecture. Their sophistication is consistent with a highly skilled actor, likely augmented by advanced AI systems.
We have thoroughly verified that our supply chain remains safe, including our Python and TypeScript SDKs and our CLI binary. As a precaution, we have paused all new releases until our investigation is complete.
Recommendations
We are currently following up with affected customers with tactical recommendations, but at a high level we recommend re-authenticating your accounts and double-checking your GitHub usage over the last 8 hours.
If you are particularly concerned about a specific app, we are happy to run a revocation job for that app; please reach out to us.
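The 8-hour GitHub usage check recommended above, as an added example that is not Composio's own tooling: it parses constructed audit-log-style events, keeps only those inside the look-back window, and flags events that came from an address on an IOC list (plain hosts or CIDR blocks) or that performed a sensitive action. The event format, the reference time, the IOC addresses (documentation ranges, not the bulletin's) and the sensitive-action subset are all assumptions.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real data); the shape loosely follows a GitHub
# audit-log export (action, actor, actor_ip, created_at) and is an assumption.
SAMPLE_LOG = """\
{"action": "git.clone", "actor": "alice", "actor_ip": "198.51.100.20", "created_at": "2026-05-21T09:10:00Z"}
{"action": "repo.download_zip", "actor": "alice", "actor_ip": "203.0.113.45", "created_at": "2026-05-21T10:02:00Z"}
{"action": "deploy_key.create", "actor": "alice", "actor_ip": "198.51.100.20", "created_at": "2026-05-21T10:30:00Z"}
{"action": "git.push", "actor": "bob", "actor_ip": "203.0.113.200", "created_at": "2026-05-21T02:00:00Z"}
{"action": "git.clone", "actor": "bob", "actor_ip": "198.51.100.21", "created_at": "2026-05-21T11:00:00Z"}
"""
# Constructed IOC entries on documentation ranges (not the bulletin's addresses); hosts and CIDRs both work.
SAMPLE_IOCS = ["203.0.113.45", "203.0.113.128/25"]
# Actions worth a second look even from a non-IOC address (illustrative subset, an assumption).
SENSITIVE_ACTIONS = {"repo.download_zip", "deploy_key.create", "public_key.create",
                     "hook.create", "personal_access_token.create", "org.add_member"}
REFERENCE_NOW = datetime(2026, 5, 21, 12, 0, tzinfo=timezone.utc)  # constructed "now"

def parse_events(text):
    """Parse newline-delimited JSON events; created_at becomes a tz-aware datetime."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ev = json.loads(line)
        ev["created_at"] = datetime.fromisoformat(ev["created_at"].replace("Z", "+00:00"))
        events.append(ev)
    return events

def review_events(events, ioc_entries, now, window_hours=8):
    """Return in-window events from an IOC address or doing a sensitive action, with the reason."""
    networks = [ipaddress.ip_network(e, strict=False) for e in ioc_entries]
    since = now - timedelta(hours=window_hours)
    findings = []
    for ev in events:
        if ev["created_at"] < since:  # older than the look-back window: skip
            continue
        ip = ipaddress.ip_address(ev["actor_ip"])
        if any(ip in net for net in networks):
            reason = "ioc_ip"
        elif ev["action"] in SENSITIVE_ACTIONS:
            reason = "sensitive_action"
        else:
            continue
        findings.append({"actor": ev["actor"], "action": ev["action"], "ip": ev["actor_ip"], "reason": reason})
    return findings

def review_sample(window_hours=8):
    # Run the review over the constructed sample against the constructed reference time.
    return review_events(parse_events(SAMPLE_LOG), SAMPLE_IOCS, REFERENCE_NOW, window_hours)
```

Widening the window (for example `review_sample(12)`) also surfaces the earlier push from an address inside the IOC CIDR block, which the default 8-hour window deliberately leaves out.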
Things we have done so far
Since detecting the attacker we have been continuously applying mitigations to curtail malicious actors. Many of these changes have been:
Rolled various credentials, including encryption keys
Temporarily took down auxiliary environments and background services to minimize attack surface outside the core API path
Revoked all confirmed leaked credentials via public revocation endpoints
Obfuscated internal routes and set up various honeypot routes to trap automated attacks
Spent 1-1 time with affected customers helping them manage comms and any custom needs, including custom revocations they wanted
Product Updates
Over the next week, expect various product-related changes to harden our security posture.
Moving towards a Zero Trust Proxy KMS solution where customers can self-custody their encryption keys
Moving forward, making API keys visible only at creation time and not readable afterwards
Allowing customers to configure IP whitelists that restrict access to specific inbound IPs
Indicators of Compromise (IOCs)
During our investigation we identified the following IP addresses associated with attacker activity. We are publishing them so customers can search their own logs for the affected windows and identify any connected accounts or downstream systems that may warrant additional review.
We will continue to update this page as our investigation progresses and new information becomes available.