Safeguard
Topic

Incident Analysis

In-depth guides and analysis on incident analysis from the Safeguard engineering team.

137 articles

Incident Analysis

Change Healthcare Ransomware 2024: Deep Dive

The Change Healthcare ransomware attack knocked US healthcare payments offline for weeks. A missing MFA on a Citrix portal was the root cause United confirmed.

Mar 5, 20267 min read
Incident Analysis

XZ Utils Backdoor: One Year Retrospective

A year after the XZ Utils backdoor was caught by Andres Freund at Microsoft, what did we fix, what did we ignore, and what still gets packaged into Linux distros?

Mar 1, 20267 min read
Incident Analysis

ProxyNotShell Postmortem: What the Exchange CVEs Taught About Patch Triage

ProxyNotShell forced enterprises to triage Exchange Server patching under pressure with confusing vendor guidance. A look back at CVE-2022-41040 and CVE-2022-41082.

Feb 27, 20265 min read
Incident Analysis

Microsoft Midnight Blizzard Source Code Theft 2024

Midnight Blizzard moved from email exfiltration to Microsoft source code repositories. The pivot from stolen OAuth tokens to code access is the supply chain lesson.

Feb 25, 20268 min read
Incident Analysis

Incident Response Playbook for a Compromised Dependency

A concrete, timed playbook for the 72 hours after a critical dependency advisory — inventory, reachability, containment, remediation, and retrospective.

Feb 24, 20267 min read
Incident Analysis

Hugging Face Model Hub Supply Chain Risks in 2025

Pickle deserialization, malicious Spaces, and namespace squatting: what 2024-2025 taught us about the Hugging Face model supply chain.

Feb 20, 20267 min read
Incident Analysis

Two Years of Item 1.05: What the Notable 8-K Filings Tell Us

From UnitedHealth to AT&T to Snowflake's downstream effects, two years of Item 1.05 filings reveal patterns in materiality, vendor incidents, and update cadence.

Feb 18, 20267 min read
Incident Analysis

Heroku OAuth Token Leak Postmortem and Lessons

A retrospective on the Heroku OAuth token incident, what the public timeline revealed about supply chain trust assumptions, and the durable lessons for platform teams.

Feb 18, 20265 min read
Incident Analysis

UA-Parser-JS October 2021: A Deep Dive on the Attack

The ua-parser-js compromise of October 2021 paired credential theft with cryptominer and password stealer payloads. A close look at what happened and why.

Feb 17, 20265 min read
Incident Analysis

How to set up centralized logging with the ELK stack

A hands-on guide to setting up ELK stack centralized logging: installing Elasticsearch, Logstash, and Kibana, shipping logs with Beats, and building SIEM-style alerts.

Feb 15, 20267 min read
Incident Analysis

debug/chalk npm Compromise Sept 2025: Deep Dive

A phishing campaign against a prolific npm maintainer poisoned chalk, debug, and several other packages with a Web3 hijacker. Here is the full breakdown.

Feb 13, 20267 min read
Incident Analysis

How to build a disaster recovery and backup strategy

A step-by-step guide to building a disaster recovery backup strategy: RTO/RPO planning, backup architecture, automation, a DR plan checklist, and testing.

Feb 9, 20267 min read
Incident Analysis (Page 2) — Supply Chain Security Blog | Safeguard