[Security Update] Incident Details

2023-07-12 JumpCloud

https://jumpcloud.com/blog/security-update-incident-details

JumpCloud disclosed that a sophisticated nation-state actor gained unauthorized access to part of its infrastructure after a June 22 spear-phishing campaign and was detected on June 27 through anomalous activity in an internal orchestration system. The intrusion later produced unusual activity in the commands framework for a small set of customers, indicating limited customer impact and prompting JumpCloud to work directly with affected customers. Investigation identified data injection into the commands framework as the attack vector, after which JumpCloud rotated credentials, rebuilt infrastructure, force-rotated all admin API keys, engaged law enforcement and IR partners, and published campaign IOCs. The source does not name a specific country or actor, so the summary preserves that attribution limit.
