Incident Analysis
In-depth guides and analysis on incident analysis from the Safeguard engineering team.
137 articles
Okta LAPSUS$ Breach: When Your Identity Provider Gets Compromised
LAPSUS$ breached an Okta support contractor, gaining access to customer tenants. The incident raised critical questions about identity provider supply chain risk.
Samsung LAPSUS$ Breach: 190GB of Source Code and the Cost of Insider Access
The LAPSUS$ group stole 190GB of Samsung source code including biometric authentication algorithms and bootloader code. The breach exposed critical device security internals.
NVIDIA LAPSUS$ Breach: Stolen Code Signing Certificates Used to Sign Malware
When LAPSUS$ breached NVIDIA, they stole code signing certificates that were immediately weaponized to sign malware. The incident demonstrated how trust mechanisms become attack vectors.
Twitch Source Code Leak: What 125GB of Exposed Data Tells Us About Internal Security
In October 2021, an anonymous hacker dumped Twitch's entire source code, internal tools, and creator payout data. The breach exposed systemic failures in access control and secret management.
Travis CI Token Leak Retrospective
Travis CI exposed secrets from public repo forks for weeks in 2021. Here is the exact defect, who was affected, and the permanent takeaways.
Kaseya VSA Ransomware: A Supply Chain Analysis
REvil chained three zero-days in Kaseya VSA to push ransomware through 1,500 MSP customers on July 2, 2021. Here is the technical anatomy.
Codecov Bash Uploader Compromise: A Retrospective
A single altered line in Codecov's Bash Uploader leaked CI secrets for 69 days across thousands of repos. Here is what actually happened and why.
SunBurst: A Supply Chain Attack Evolution Study
The SolarWinds SunBurst campaign rewrote the supply chain threat model. Five years of research reveal what changed and what defenders still miss.
Shellshock, Five Years On: The Lessons That Stuck
Five years after CVE-2014-6271, Shellshock remains the clearest case study in how one interpreter bug becomes thousands of downstream holes.
Heartbleed at Five Years: A Practitioner Retrospective
Five years after CVE-2014-0160, Heartbleed still shapes how we think about shared cryptographic libraries, disclosure ethics, and open-source funding.
ASUS Live Update and ShadowHammer: The Backdoor
Operation ShadowHammer pushed a signed backdoor to roughly half a million ASUS laptops, targeting a list of 600 specific MAC addresses.
XcodeGhost: When the Compiler Was the Attacker
XcodeGhost in 2015 infected at least 128 million iOS users through a malicious Xcode download. It is still the cleanest compiler-trust case.