Safeguard
Topic

Incident Analysis

In-depth guides and analysis on incident analysis from the Safeguard engineering team.

137 articles

Incident Analysis

How to set up an incident response plan

A practical guide to building an incident response plan for software supply chain security, with a ready-to-use playbook template and concrete detection steps.

Feb 9, 20268 min read
Incident Analysis

How to configure SIEM alerting rules

A step-by-step guide to configure SIEM alerting rules: from use case development through Splunk alert configuration to detection rule tuning.

Feb 9, 20268 min read
Incident Analysis

xrpl.js npm Backdoor April 2025 Incident Analysis

A stolen Ripple-adjacent npm token pushed key-stealing versions of xrpl.js. Timeline, payload structure, and what XRPL integrators should do next.

Feb 9, 20267 min read
Incident Analysis

How to set up endpoint detection and response (EDR)

A step-by-step guide to setting up EDR across your fleet: choosing a platform, deploying agents, tuning policies, and verifying coverage before an incident tests it for you.

Feb 6, 20267 min read
Incident Analysis

Solana web3.js npm Backdoor: Dec 2024 Post-Mortem

A phished maintainer token pushed a private-key-stealing backdoor into @solana/web3.js 1.95.6/1.95.7. Full mechanics and post-incident recommendations.

Feb 5, 20266 min read
Incident Analysis

Ledger Connect Kit Attack: What Devs Missed

A phishing-obtained GitHub token published a wallet drainer as @ledgerhq/connect-kit in Dec 2023. What the incident tells us about Web3 supply chain trust.

Feb 1, 20267 min read
Incident Analysis

Rspack npm Account Takeover: 2024 Incident Analysis

Compromised npm tokens pushed crypto-miner versions of @rspack/core and @rspack/cli in December 2024. Timeline, payload, and what downstream teams missed.

Jan 28, 20267 min read
Incident Analysis

Polyfill.io CDN Supply Chain Attack: 100K+ Sites

After a domain handover, polyfill.io began serving malware to more than 100,000 sites. Here is the attack chain and what the incident teaches us.

Jan 23, 20266 min read
Incident Analysis

Codecov Bash Uploader 2021: A Supply Chain Retrospective

The Codecov bash uploader compromise was the quiet supply chain attack that exposed how CI secrets flow through every customer's pipeline. A five-year look back.

Jan 22, 20265 min read
Incident Analysis

Aflac and the Scattered Spider Insurance Pivot: June 2025

In June 2025 Scattered Spider pivoted from UK retail to US insurance, hitting Erie Insurance, Philadelphia Insurance, and Aflac inside a week. Aflac later confirmed 22.6 million people affected. We unpack the campaign.

Jan 22, 20267 min read
Incident Analysis

Lottie Player npm Supply Chain Attack Explained

A leaked maintainer token published three trojanized versions of @lottiefiles/lottie-player to npm, targeting wallet drains. Here is the mechanics.

Jan 19, 20267 min read
Incident Analysis

tj-actions/changed-files Compromise: What Happened

A March 2025 GitHub Action compromise rewrote every tagged version to leak secrets. Here is the timeline, attack chain, and what repos need to change.

Jan 14, 20267 min read
Incident Analysis (Page 3) — Supply Chain Security Blog | Safeguard