Safeguard
Topic

Incident Analysis

In-depth guides and analysis on incident analysis from the Safeguard engineering team.

137 articles

Incident Analysis

The Vercel Breach: A Forgotten OAuth Grant Became a SaaS Supply-Chain Pivot (May 2026)

An infostealer infection at AI startup Context.ai let attackers reuse a Vercel employee's months-old Google Workspace OAuth grant to bypass MFA and exfiltrate customer environment variables. Disclosed April 2026, the fallout deepened through May.

May 12, 202612 min read
Incident Analysis

Cleo MFT CVE-2024-50623 Supply Chain Postmortem

Cleo's managed file transfer products became the next MOVEit. A postmortem on CVE-2024-50623, the Cl0p exploitation, and the file-transfer software risk class.

Apr 15, 20265 min read
Incident Analysis

Okta 2023 Customer Support Breach: Implications for Identity Supply Chain

The Okta customer support breach of October 2023 exposed HAR files containing session tokens for major customers. The structural lessons run deeper than the incident.

Apr 3, 20265 min read
Incident Analysis

Okta Cross-Tenant Impersonation 2024

Okta's cross-tenant impersonation advisory and related social-engineering campaigns exposed how identity providers get targeted. Lessons for defenders.

Mar 26, 20268 min read
Incident Analysis

MSI Graphics Driver Supply Chain Breach 2023: Lessons

The MSI breach exposed Intel BootGuard private keys and OEM signing infrastructure. A look at firmware-level supply chain risk and the gaps that remain.

Mar 24, 20265 min read
Incident Analysis

Hugging Face Token Exposure 2024 Analysis

Researchers found thousands of valid Hugging Face API tokens in public code and models. Analysis of the 2024 exposures and what they mean for ML supply chain.

Mar 21, 20268 min read
Incident Analysis

PyPI Trusted Publishing Token Leaks in 2025

Trusted Publishing made PyPI safer, but leaked short-lived OIDC tokens in CI logs kicked off a credential-replay campaign that PyPI, GitHub, and Sonatype all tracked in 2025.

Mar 19, 20268 min read
Incident Analysis

Docker Hub Exposed Secrets at Scale 2024

Researchers keep finding valid AWS, GitHub, and cloud credentials baked into public Docker Hub images. What the 2024 data shows and how to stop shipping secrets.

Mar 17, 20268 min read
Incident Analysis

CrowdStrike Falcon Outage: Post-Mortem Lessons

The CrowdStrike Falcon outage of July 2024 bricked 8.5 million Windows hosts. A content validator bug and no staged rollout were the confirmed root cause.

Mar 15, 20267 min read
Incident Analysis

tj-actions Compromise: One Year Retrospective

A year after the tj-actions/changed-files compromise leaked CI secrets across thousands of GitHub repos, what did we fix and what is still dangerously convenient?

Mar 12, 20268 min read
Incident Analysis

Snowflake Customer Breaches 2024: Root Cause

The Snowflake customer breaches of 2024 were not a Snowflake compromise. Infostealer logs, shared credentials, and absent MFA did the damage, from Ticketmaster to AT&T.

Mar 8, 20267 min read
Incident Analysis

Confluence Zero-Day Lessons: What CVE-2023-22515 Showed About SaaS-Adjacent On-Prem Risk

The Confluence broken access control zero-day from October 2023 hit thousands of self-hosted instances. A 2026 look at the exploit, the response, and the durable lessons.

Mar 5, 20265 min read
Incident Analysis — Supply Chain Security Blog | Safeguard