Safeguard
Topic

Incident Analysis

In-depth guides and analysis on incident analysis from the Safeguard engineering team.

137 articles

Incident Analysis

Shai-Hulud self-propagating npm worm campaign

Inside Shai-Hulud, the self-propagating npm worm that hijacked publish tokens to auto-infect hundreds of packages across the JavaScript ecosystem.

Nov 6, 20257 min read
Incident Analysis

lottie-player npm supply chain compromise

A phishing-driven npm token takeover pushed a crypto wallet drainer into lottie-player, hitting 94K weekly downloads before LottieFiles shipped a fix.

Nov 6, 20257 min read
Incident Analysis

jQuery CDN supply chain risk analysis

jQuery loads on ~75% of websites, often via CDNs with no SRI or version pinning. The cdnjs RCE and Polyfill.io hijack show why that trust model keeps failing.

Nov 6, 20258 min read
Incident Analysis

XcodeGhost iOS supply chain malware campaign

XcodeGhost hid inside Xcode itself, silently infecting 4,000+ App Store apps like WeChat. Here is how the iOS supply chain malware campaign worked.

Nov 6, 20258 min read
Incident Analysis

Dependency confusion attacks against major tech companies

A look at the dependency confusion attacks that hit Apple, Microsoft, PayPal, and PyTorch — and why the technique still works against top engineering orgs.

Nov 5, 20257 min read
Incident Analysis

GitHub Actions supply chain risk report

A look at the tj-actions/changed-files compromise and the broader trend of GitHub Actions supply chain attacks — and what security teams should do now.

Nov 5, 20257 min read
Incident Analysis

Docker Hub cryptojacking campaign analysis

Safeguard tracked a six-week Docker Hub cryptojacking campaign using 41 trojanized images, delayed payloads, and base-image laundering to evade scanners.

Nov 5, 20257 min read
Incident Analysis

chalk and debug npm package compromise incident

A phished maintainer account led to a malicious npm publish of chalk, debug, and 16 related packages, exposing a crypto-clipper to billions of weekly downloads.

Nov 5, 20257 min read
Incident Analysis

Western Sydney University 2025 Breach: Third-Party Cloud Misconfiguration

From June to September 2025 an attacker quietly accessed a third-party cloud system linked to Western Sydney University and exfiltrated data on 10,000 students. We unpack the supply-chain anatomy.

Nov 4, 20257 min read
Incident Analysis

Salesloft Drift OAuth Breach: 700+ Salesforce Tenants Compromised

UNC6395 stole Salesloft Drift OAuth tokens to exfiltrate Salesforce data from more than 700 organisations including Cloudflare, Zscaler, and Palo Alto Networks in August 2025.

Sep 8, 20256 min read
Incident Analysis

MGM Ransomware One Year Later: A Retrospective

A 2025 retrospective on the September 2023 MGM Resorts ransomware incident, what changed, what stalled, and how supply chain defenders should adjust.

Jul 11, 20254 min read
Incident Analysis

Kettering Health Interlock Ransomware: A 14-Hospital System Goes Dark

On May 20, 2025, Interlock ransomware encrypted Kettering Health across 14 Ohio hospitals. The actor sat in the network for 41 days before encryption. We unpack the dwell time and the recovery.

Jul 8, 20257 min read
Incident Analysis (Page 5) — Supply Chain Security Blog | Safeguard