Software Supply Chain Security
In-depth guides and analysis on software supply chain security from the Safeguard engineering team.
175 articles
npm typosquatting attacks
npm typosquatting turns a single mistyped `npm install` into a live compromise. Real incidents, attack patterns, and defenses that actually catch it.
The SolarWinds Orion supply chain attack explained
How SUNBURST hid inside a signed SolarWinds Orion update, hit 18,000 organizations, and reshaped supply chain security.
The Codecov Bash uploader breach
How a Docker image flaw let attackers tamper with Codecov's Bash Uploader for 65 days, exfiltrating CI secrets from HashiCorp, Twilio, and more.
3CX DesktopApp supply chain compromise
How North Korea-linked hackers turned a signed, trusted 3CX VoIP installer into malware — and the double supply chain attack that made it possible.
The XZ Utils backdoor CVE-2024-3094 explained
CVE-2024-3094 hid a remote-access backdoor inside xz-utils via a years-long social engineering campaign. Here's the timeline, impact, and fix.
event-stream npm package backdoor incident
How a routine maintainer handoff let attackers slip a Bitcoin-stealing backdoor into event-stream, hitting millions of npm installs for ten weeks.
ua-parser-js npm hijack incident
In 2021, a hijacked npm account pushed cryptomining and password-stealing malware into ua-parser-js for 4 hours. Here's what happened and how to catch it faster.
colors.js and faker.js protestware sabotage
In 2022, maintainer Marak Squires turned colors.js and faker.js into protestware, breaking 19,000+ npm projects and coining a new supply chain threat term.
node-ipc protestware targeting Russia/Belarus IPs
In March 2022, node-ipc's maintainer shipped code wiping files on Russian and Belarusian machines. Here's what happened, how it spread, and how to catch it next time.
The Shai-Hulud npm worm campaign
A self-replicating npm worm hit 500+ packages in September 2025 and 796 more in November — here's how Shai-Hulud actually spread, stole secrets, and what stops it.
SHA1-Hulud second-wave npm supply chain incident
Shai-Hulud's November 2025 second wave hit npm via a Bun-based worm, stealing cloud creds and re-publishing trojanized packages at scale.
Mini Shai-Hulud hits TanStack npm packages
TeamPCP's Mini Shai-Hulud worm hijacked 42 TanStack npm packages via stolen GitHub OIDC tokens, spreading to 169 packages with valid SLSA attestations.