Incident Analysis
In-depth guides and analysis on incident analysis from the Safeguard engineering team.
137 articles
The Vercel Breach: A Forgotten OAuth Grant Became a SaaS Supply-Chain Pivot (May 2026)
An infostealer infection at AI startup Context.ai let attackers reuse a Vercel employee's months-old Google Workspace OAuth grant to bypass MFA and exfiltrate customer environment variables. Disclosed April 2026, the fallout deepened through May.
Cleo MFT CVE-2024-50623 Supply Chain Postmortem
Cleo's managed file transfer products became the next MOVEit. A postmortem on CVE-2024-50623, the Cl0p exploitation, and the file-transfer software risk class.
Okta 2023 Customer Support Breach: Implications for Identity Supply Chain
The Okta customer support breach of October 2023 exposed HAR files containing session tokens for major customers. The structural lessons run deeper than the incident.
Okta Cross-Tenant Impersonation 2024
Okta's cross-tenant impersonation advisory and related social-engineering campaigns exposed how identity providers get targeted. Lessons for defenders.
MSI Graphics Driver Supply Chain Breach 2023: Lessons
The MSI breach exposed Intel BootGuard private keys and OEM signing infrastructure. A look at firmware-level supply chain risk and the gaps that remain.
Hugging Face Token Exposure 2024 Analysis
Researchers found thousands of valid Hugging Face API tokens in public code and models. Analysis of the 2024 exposures and what they mean for ML supply chain.
PyPI Trusted Publishing Token Leaks in 2025
Trusted Publishing made PyPI safer, but leaked short-lived OIDC tokens in CI logs kicked off a credential-replay campaign that PyPI, GitHub, and Sonatype all tracked in 2025.
Docker Hub Exposed Secrets at Scale 2024
Researchers keep finding valid AWS, GitHub, and cloud credentials baked into public Docker Hub images. What the 2024 data shows and how to stop shipping secrets.
CrowdStrike Falcon Outage: Post-Mortem Lessons
The CrowdStrike Falcon outage of July 2024 bricked 8.5 million Windows hosts. A content validator bug and no staged rollout were the confirmed root cause.
tj-actions Compromise: One Year Retrospective
A year after the tj-actions/changed-files compromise leaked CI secrets across thousands of GitHub repos, what did we fix and what is still dangerously convenient?
Snowflake Customer Breaches 2024: Root Cause
The Snowflake customer breaches of 2024 were not a Snowflake compromise. Infostealer logs, shared credentials, and absent MFA did the damage, from Ticketmaster to AT&T.
Confluence Zero-Day Lessons: What CVE-2023-22515 Showed About SaaS-Adjacent On-Prem Risk
The Confluence broken access control zero-day from October 2023 hit thousands of self-hosted instances. A 2026 look at the exploit, the response, and the durable lessons.