Incident Analysis
In-depth guides and analysis on incident analysis from the Safeguard engineering team.
137 articles
Shai-Hulud self-propagating npm worm campaign
Inside Shai-Hulud, the self-propagating npm worm that hijacked publish tokens to auto-infect hundreds of packages across the JavaScript ecosystem.
lottie-player npm supply chain compromise
A phishing-driven npm token takeover pushed a crypto wallet drainer into lottie-player, hitting 94K weekly downloads before LottieFiles shipped a fix.
jQuery CDN supply chain risk analysis
jQuery loads on ~75% of websites, often via CDNs with no SRI or version pinning. The cdnjs RCE and Polyfill.io hijack show why that trust model keeps failing.
XcodeGhost iOS supply chain malware campaign
XcodeGhost hid inside Xcode itself, silently infecting 4,000+ App Store apps like WeChat. Here is how the iOS supply chain malware campaign worked.
Dependency confusion attacks against major tech companies
A look at the dependency confusion attacks that hit Apple, Microsoft, PayPal, and PyTorch — and why the technique still works against top engineering orgs.
GitHub Actions supply chain risk report
A look at the tj-actions/changed-files compromise and the broader trend of GitHub Actions supply chain attacks — and what security teams should do now.
Docker Hub cryptojacking campaign analysis
Safeguard tracked a six-week Docker Hub cryptojacking campaign using 41 trojanized images, delayed payloads, and base-image laundering to evade scanners.
chalk and debug npm package compromise incident
A phished maintainer account led to a malicious npm publish of chalk, debug, and 16 related packages, exposing a crypto-clipper to billions of weekly downloads.
Western Sydney University 2025 Breach: Third-Party Cloud Misconfiguration
From June to September 2025 an attacker quietly accessed a third-party cloud system linked to Western Sydney University and exfiltrated data on 10,000 students. We unpack the supply-chain anatomy.
Salesloft Drift OAuth Breach: 700+ Salesforce Tenants Compromised
UNC6395 stole Salesloft Drift OAuth tokens to exfiltrate Salesforce data from more than 700 organisations including Cloudflare, Zscaler, and Palo Alto Networks in August 2025.
MGM Ransomware One Year Later: A Retrospective
A 2025 retrospective on the September 2023 MGM Resorts ransomware incident, what changed, what stalled, and how supply chain defenders should adjust.
Kettering Health Interlock Ransomware: A 14-Hospital System Goes Dark
On May 20, 2025, Interlock ransomware encrypted Kettering Health across 14 Ohio hospitals. The actor sat in the network for 41 days before encryption. We unpack the dwell time and the recovery.