Safeguard
Topic

Supply Chain Attacks

In-depth guides and analysis on supply chain attacks from the Safeguard engineering team.

92 articles

Supply Chain Attacks

Anatomy of the Codecov Bash Uploader compromise

A single altered line in Codecov's Bash Uploader ran undetected for 65 days, siphoning CI secrets from thousands of pipelines before anyone noticed.

Jul 16, 20266 min read
Supply Chain Attacks

The elementary-data hijack: when a dbt observability tool became a credential harvester

A hijacked GitHub Actions token let attackers publish a backdoored elementary-data release that stole cloud, warehouse, and SSH credentials.

Jul 16, 20266 min read
Supply Chain Attacks

The eslint-config-prettier npm compromise: when phishing beats your SCA scanner

A phishing email spoofing npm support hijacked a maintainer's account and poisoned eslint-config-prettier, a package with roughly 30 million weekly downloads.

Jul 16, 20266 min read
Supply Chain Attacks

npm package aliasing: the dependency confusion attack surface most teams never scan

npm's alias@npm:target syntax lets an attacker capture a name that doesn't even exist yet on the registry — widening dependency confusion past simple squatting.

Jul 16, 20266 min read
Supply Chain Attacks

Protestware: what colors.js and faker.js taught the industry about maintainer risk

One unpaid maintainer sabotaged two packages with 20M+ weekly downloads in a single week. Here's what colors.js and faker.js reveal about single-maintainer risk.

Jul 16, 20265 min read
Supply Chain Attacks

Postmortem: The Bun-Based Stealer Inside SAP's @cap-js and mbt Packages

Four SAP npm packages shipped a Bun-executed credential stealer on April 29, 2026 — a look at how it evaded Node-centric detection and what actually stops it.

Jul 16, 20266 min read
Supply Chain Attacks

Lessons from the CircleCI 2023 secrets breach

A stolen session cookie bypassed 2FA and let attackers read secrets from live memory. CircleCI's own timeline shows what fast rotation actually requires.

Jul 15, 20267 min read
Supply Chain Attacks

Anatomy of a malicious npm package attack

One phished maintainer, 18 packages, and billions of weekly downloads — how npm/PyPI supply chain attacks actually unfold, and the signals that expose them.

Jul 14, 20266 min read
Supply Chain Attacks

Typosquatting and dependency confusion: a defense guide

In 2021 one researcher got code execution inside 35+ companies for $130,000+ in bounties — without exploiting a single vulnerability. Here's how to close the gap.

Jul 14, 20266 min read
Supply Chain Attacks

The faker.js and colors.js Sabotage: What Maintainer-Driven Risk Teaches About Pinning

In January 2022 a trusted maintainer bricked two npm packages with a combined 26M+ weekly downloads — from his own account, with valid credentials.

Jul 13, 20266 min read
Supply Chain Attacks

Dependency confusion on npm: how public-registry precedence became a delivery channel for post-exploitation frameworks

In May 2022, Snyk found 200+ malicious npm packages, including one that polled for commands until it dropped a Cobalt Strike trojan, and another that delayed 30 minutes to dodge sandboxes.

Jul 11, 20265 min read
Supply Chain Attacks

The anatomy of a PyPI credential stealer

In a single 24-hour window in 2022, one actor shipped 12 malicious PyPI packages bundling Windows stealers that harvested browser, Discord, and Roblox credentials.

Jul 11, 20267 min read
Supply Chain Attacks — Supply Chain Security Blog | Safeguard