Supply Chain Attacks
In-depth guides and analysis on supply chain attacks from the Safeguard engineering team.
92 articles
node-ipc Protestware: When a Maintainer Weaponized the Supply Chain
The node-ipc package was deliberately sabotaged by its maintainer to protest the Russia-Ukraine conflict, wiping files on systems with Russian or Belarusian IP addresses. A watershed moment for supply chain trust.
Software Supply Chain Attacks 2021: A Complete Timeline
2021 was the year software supply chain attacks went mainstream. From SolarWinds aftermath to Log4Shell, here's every major incident and what they tell us about the threat landscape.
Pegasus Spyware and NSO Group: The Supply Chain of Surveillance
The Pegasus Project revealed NSO Group's spyware targeting journalists, activists, and politicians through zero-click exploits. This is what a weaponized supply chain looks like.
Typosquatting Attacks on npm and PyPI Explained
Attackers exploit human typos to distribute malware through package registries. Here's how typosquatting works, real examples, and how to protect your builds.
Dependency Confusion Attacks Explained
Alex Birsan's research showed how internal package names can be exploited to inject malicious code into corporate build systems. Here's how the attack works and how to defend against it.
Accellion FTA Breach: How a Legacy File Transfer Tool Became a Supply Chain Nightmare
The Accellion FTA breach hit over 100 organizations through a 20-year-old file transfer appliance. Here's what went wrong and why legacy software is a ticking time bomb.
Codecov Bash Uploader Compromise: A Supply Chain Attack on CI/CD
Attackers modified Codecov's bash uploader script to steal environment variables from CI pipelines. Thousands of repositories were exposed for two months.
SolarWinds SUNBURST: Lessons for Supply Chain Security
The SolarWinds attack compromised 18,000 organizations through a single tampered update. Six months later, here's what the industry should have learned.