Safeguard
Topic

Threat Intelligence

In-depth guides and analysis on threat intelligence from the Safeguard engineering team.

64 articles

Threat Intelligence

2026 Mid-Year Threat Landscape: Supply-Chain Worms, Agentic AI, and Edge Zero-Days

A defender's synthesis of the first half of 2026 — self-propagating package worms, the agentic-AI access-control problem, edge-appliance zero-days, and a healthcare ransomware surge — and what to prioritize next.

Jun 24, 20265 min read
Threat Intelligence

TeamPCP: Running a Software Supply Chain Attack Like a Production Pipeline

TeamPCP (UNC6780) is the most active actor in the 2026 supply chain corpus, weaponizing the tools developers trust most. Here is how the operation works, and why a zero-CVE campaign breaks the model most teams still rely on.

Jun 23, 20267 min read
Threat Intelligence

Stryker Wiper Attack: When Hacktivists Used Intune to Brick 200,000 Medtech Devices

An Iran-aligned group used a compromised admin account and Microsoft Intune to factory-reset roughly 200,000 of Stryker's devices in real time. The lesson is uncomfortable: your management plane is your biggest single point of failure.

Jun 21, 20267 min read
Threat Intelligence

Ransomware vs. Hospitals: The 2026 Healthcare Surge and the Push to Call It Terrorism

Healthcare ransomware dipped in volume in May 2026 but kept climbing in impact, and a former FBI cyber chief is asking Congress to treat hospital ransomware as terrorism. We weigh the policy debate against what actually protects patients.

Jun 20, 20267 min read
Threat Intelligence

ShinyHunters Breaches Match Group: Hinge, Match, and OkCupid Data Exposed in a Vishing-Driven Extortion Hit

ShinyHunters claimed 10 million records from Match Group's dating apps in late January 2026. Here is what was actually taken (Hinge, Match, and OkCupid — notably not Tinder), how a single vishing call opened the door, and why dating-app data raises the extortion stakes.

Jun 20, 20267 min read
Threat Intelligence

Kairos Ransomware Hits Gregory Jewellers: 574 GB of Data Extortion at an Australian Luxury Retailer

The Kairos extortion group claims it stole roughly 574 GB from Australian luxury jeweller Gregory Jewellers. Here is what is verified, what the group's playbook tells us, and why pure data-extortion crews are the harder problem.

Jun 19, 20267 min read
Threat Intelligence

The Klue Breach: One Legacy Credential Turned Into a SaaS Supply Chain Attack on Salesforce and Gong

Attackers used a disused legacy credential at marketing-intelligence vendor Klue to push code that harvested customer OAuth tokens, then walked into Salesforce and Gong instances. A textbook SaaS-to-SaaS supply chain pivot.

Jun 17, 20266 min read
Threat Intelligence

Ransomware Economics in 2026: Data Extortion Wins, Encryption Loses

Payment rates hit record lows in 2025 while attack volume surged. The result is a colder, leaner extortion economy built on data theft, not encryption — and a RaaS market reconsolidating around a handful of operators.

Jun 12, 20267 min read
Threat Intelligence

OAuth Token Theft: The SaaS-to-SaaS Supply Chain Is the New Soft Target

The Klue and Salesloft Drift breaches showed the same pattern: steal one integration's OAuth tokens, inherit trusted access into hundreds of customer SaaS instances. Here is why third-party app grants are the supply chain risk most teams still aren't governing.

Jun 8, 20267 min read
Threat Intelligence

Sonatype Firewall: Malicious Package Protection

Sonatype's Repository Firewall blocks known malicious packages at the door, but timing gaps and single-source blind spots still let real threats through.

Jun 5, 20267 min read
Threat Intelligence

What Is Open Source Malware

Open source malware is code deliberately planted in packages to attack the systems that install it. Learn how it spreads, real incidents, and how it differs from CVEs.

Jun 3, 20267 min read
Threat Intelligence

What Are Open Source Vulnerabilities

Open source vulnerabilities explained: how flaws like Log4Shell and XZ Utils spread through dependency trees, how Sonatype tracks them, and how to prioritize fixes.

Jun 3, 20268 min read
Threat Intelligence — Supply Chain Security Blog | Safeguard