Safeguard
Topic

Incident Analysis

In-depth guides and analysis on incident analysis from the Safeguard engineering team.

137 articles

Incident Analysis

Synnovis NHS Qilin Ransomware: Pathology Supply Chain Lessons

Eighteen months after Qilin encrypted Synnovis, the pathology provider finally finished notifying NHS trusts. We unpack how a single supplier paralysed London hospitals and how defenders can prepare.

Jan 9, 20267 min read
Incident Analysis

Ultralytics PyPI Compromise: Dec 2024 Post-Mortem

How a GitHub Actions cache poisoning attack pushed a crypto miner into Ultralytics 8.3.41 on PyPI, and what engineering teams should actually change.

Jan 9, 20267 min read
Incident Analysis

event-stream / flatmap-stream npm backdoor incident

How a trusted npm maintainer handoff let attackers plant a wallet-draining backdoor in event-stream, and what it still teaches security teams today.

Jan 4, 20266 min read
Incident Analysis

ctx and colourama PyPI typosquat malware incident

The ctx and colourama PyPI typosquatting malware incident shows how account takeover and name-squatting delivered credential-stealing code to devs.

Dec 29, 20257 min read
Incident Analysis

The XZ Utils backdoor: anatomy of a supply chain attack

A two-year maintainer-trust takeover placed a pre-auth SSH backdoor inside xz-utils. Heres how CVE-2024-3094 was built, hidden, and caught in time.

Nov 8, 20257 min read
Incident Analysis

Codecov Bash Uploader supply chain breach

A look back at the 2021 Codecov Bash Uploader breach: how a tampered CI script exfiltrated secrets for two months, and what it teaches about supply chain risk.

Nov 8, 20257 min read
Incident Analysis

UAParser.js npm package compromise

A deep dive into the 2021 ua-parser-js npm compromise: how a hijacked maintainer account delivered cryptominers and credential stealers to millions.

Nov 8, 20257 min read
Incident Analysis

Polyfill.io supply chain attack

How a domain sale turned a trusted CDN into a malware vector for 100,000+ sites — and what the polyfill.io incident teaches defenders about third-party script risk.

Nov 8, 20257 min read
Incident Analysis

3CX desktop app supply chain compromise

A breakdown of the 3CX supply chain compromise: how Lazarus-linked attackers poisoned a signed desktop build via a nested vendor attack chain.

Nov 7, 20257 min read
Incident Analysis

PHP Git server compromise incident (2021)

In 2021, attackers pushed a hidden RCE backdoor into PHP's own source repo under forged maintainer names — a supply chain near-miss worth revisiting.

Nov 7, 20258 min read
Incident Analysis

Colors.js and Faker.js maintainer sabotage incident

In January 2022, colors.js and faker.js maintainer Marak Squires sabotaged his own packages, breaking thousands of builds—no compromise required.

Nov 7, 20257 min read
Incident Analysis

node-ipc protestware incident

How a trusted maintainer turned node-ipc into "protestware," why transitive dependencies hid the blast radius, and what SBOM visibility could have prevented.

Nov 7, 20257 min read
Incident Analysis (Page 4) — Supply Chain Security Blog | Safeguard