Supply Chain Attacks
In-depth guides and analysis on supply chain attacks from the Safeguard engineering team.
92 articles
npm Manifest Confusion: The Hidden Vulnerability in Every Node.js Project
A fundamental flaw in npm's package handling allowed published package metadata to differ from actual package contents, undermining trust in the entire ecosystem.
3CX Supply Chain Attack: A Deep Dive into the North Korean Compromise
The 3CX supply chain attack was a multi-stage operation linked to North Korea's Lazarus Group. Here's the full technical breakdown.
ESLint Supply Chain Attack: Malicious npm Packages Targeting Developers
Attackers published malicious packages impersonating ESLint on npm, exploiting developer trust in the popular linting tool to steal credentials.
CircleCI Security Incident January 2023: What Happened and What We Learned
CircleCI's January 2023 breach exposed secrets for thousands of organizations. Here's how the attack unfolded and what it means for CI/CD security.
Software Supply Chain Security in 2022: The Year Everything Changed
From LastPass to Log4j's aftermath to new regulations, 2022 was the year supply chain security went from niche concern to board-level priority.
LastPass Second Breach: Encrypted Vaults Stolen Using Data from First Attack
LastPass revealed that the August breach enabled a second attack that exfiltrated encrypted customer vaults. The full scope of the damage was devastating.
The State of Software Supply Chain Attacks: Mid-2022 Report
By mid-2022, supply chain attacks had surged 742% over the previous three years. Here's the data, the trends, and what defenders need to know.
LastPass Breach: How a Compromised Developer Environment Exposed Millions
LastPass disclosed that an attacker accessed their development environment for four days. The full impact wouldn't be known for months.
Malicious GitHub Commits: The Overlooked Supply Chain Attack Vector
Attackers can impersonate any committer on GitHub, inject malicious code through PRs, and exploit lax review processes. Here's the risk.
PyPI Supply Chain Attacks: The ctx Package Compromise
The ctx package on PyPI was hijacked to steal environment variables from developer machines. The attack exploited an expired domain to take over a maintainer account — a novel and repeatable technique.
Maven Central Supply Chain Risks: Securing the Java Ecosystem
Maven Central is the backbone of the Java ecosystem, serving billions of artifact downloads annually. Its unique trust model and dependency resolution create supply chain risks that Java teams must understand.
npm Supply Chain Attacks: 2022 Q1 Report
The first quarter of 2022 saw a surge in npm malware — from protestware to dependency confusion to credential-stealing packages. Here's a roundup of the most significant incidents and emerging trends.