Incident Analysis
In-depth guides and analysis on incident analysis from the Safeguard engineering team.
137 articles
How to set up an incident response plan
A practical guide to building an incident response plan for software supply chain security, with a ready-to-use playbook template and concrete detection steps.
How to configure SIEM alerting rules
A step-by-step guide to configure SIEM alerting rules: from use case development through Splunk alert configuration to detection rule tuning.
xrpl.js npm Backdoor April 2025 Incident Analysis
A stolen Ripple-adjacent npm token pushed key-stealing versions of xrpl.js. Timeline, payload structure, and what XRPL integrators should do next.
How to set up endpoint detection and response (EDR)
A step-by-step guide to setting up EDR across your fleet: choosing a platform, deploying agents, tuning policies, and verifying coverage before an incident tests it for you.
Solana web3.js npm Backdoor: Dec 2024 Post-Mortem
A phished maintainer token pushed a private-key-stealing backdoor into @solana/web3.js 1.95.6/1.95.7. Full mechanics and post-incident recommendations.
Ledger Connect Kit Attack: What Devs Missed
A phishing-obtained GitHub token published a wallet drainer as @ledgerhq/connect-kit in Dec 2023. What the incident tells us about Web3 supply chain trust.
Rspack npm Account Takeover: 2024 Incident Analysis
Compromised npm tokens pushed crypto-miner versions of @rspack/core and @rspack/cli in December 2024. Timeline, payload, and what downstream teams missed.
Polyfill.io CDN Supply Chain Attack: 100K+ Sites
After a domain handover, polyfill.io began serving malware to more than 100,000 sites. Here is the attack chain and what the incident teaches us.
Codecov Bash Uploader 2021: A Supply Chain Retrospective
The Codecov bash uploader compromise was the quiet supply chain attack that exposed how CI secrets flow through every customer's pipeline. A five-year look back.
Aflac and the Scattered Spider Insurance Pivot: June 2025
In June 2025 Scattered Spider pivoted from UK retail to US insurance, hitting Erie Insurance, Philadelphia Insurance, and Aflac inside a week. Aflac later confirmed 22.6 million people affected. We unpack the campaign.
Lottie Player npm Supply Chain Attack Explained
A leaked maintainer token published three trojanized versions of @lottiefiles/lottie-player to npm, targeting wallet drains. Here is the mechanics.
tj-actions/changed-files Compromise: What Happened
A March 2025 GitHub Action compromise rewrote every tagged version to leak secrets. Here is the timeline, attack chain, and what repos need to change.