Incident Analysis
In-depth guides and analysis on incident analysis from the Safeguard engineering team.
137 articles
Synnovis NHS Qilin Ransomware: Pathology Supply Chain Lessons
Eighteen months after Qilin encrypted Synnovis, the pathology provider finally finished notifying NHS trusts. We unpack how a single supplier paralysed London hospitals and how defenders can prepare.
Ultralytics PyPI Compromise: Dec 2024 Post-Mortem
How a GitHub Actions cache poisoning attack pushed a crypto miner into Ultralytics 8.3.41 on PyPI, and what engineering teams should actually change.
event-stream / flatmap-stream npm backdoor incident
How a trusted npm maintainer handoff let attackers plant a wallet-draining backdoor in event-stream, and what it still teaches security teams today.
ctx and colourama PyPI typosquat malware incident
The ctx and colourama PyPI typosquatting malware incident shows how account takeover and name-squatting delivered credential-stealing code to devs.
The XZ Utils backdoor: anatomy of a supply chain attack
A two-year maintainer-trust takeover placed a pre-auth SSH backdoor inside xz-utils. Heres how CVE-2024-3094 was built, hidden, and caught in time.
Codecov Bash Uploader supply chain breach
A look back at the 2021 Codecov Bash Uploader breach: how a tampered CI script exfiltrated secrets for two months, and what it teaches about supply chain risk.
UAParser.js npm package compromise
A deep dive into the 2021 ua-parser-js npm compromise: how a hijacked maintainer account delivered cryptominers and credential stealers to millions.
Polyfill.io supply chain attack
How a domain sale turned a trusted CDN into a malware vector for 100,000+ sites — and what the polyfill.io incident teaches defenders about third-party script risk.
3CX desktop app supply chain compromise
A breakdown of the 3CX supply chain compromise: how Lazarus-linked attackers poisoned a signed desktop build via a nested vendor attack chain.
PHP Git server compromise incident (2021)
In 2021, attackers pushed a hidden RCE backdoor into PHP's own source repo under forged maintainer names — a supply chain near-miss worth revisiting.
Colors.js and Faker.js maintainer sabotage incident
In January 2022, colors.js and faker.js maintainer Marak Squires sabotaged his own packages, breaking thousands of builds—no compromise required.
node-ipc protestware incident
How a trusted maintainer turned node-ipc into "protestware," why transitive dependencies hid the blast radius, and what SBOM visibility could have prevented.