Threat Intelligence
In-depth guides and analysis on threat intelligence from the Safeguard engineering team.
64 articles
What Is Post-Quantum Cryptography (for software supply ch...
Quantum computers will eventually break RSA and ECDSA. Here's what NIST's 2024 PQC standards, CNSA 2.0 deadlines, and "harvest now, decrypt later" mean for signed software supply chains.
ESET's May 2026 APT Report: Oil Shipments, Drone Makers, and a Poisoned npm Library
ESET's APT Activity Report (May 28, 2026) maps China-, North Korea-, Russia-, and Iran-aligned operations from October 2025 to March 2026 — including BlueNoroff's compromise of the axios npm package, a textbook supply-chain espionage event.
Screening Serpens (UNC1549): Iran-Nexus Espionage and the MiniUpdate RAT (May 2026)
Unit 42's May 22, 2026 report tracks the Iran-nexus group Screening Serpens deploying new MiniUpdate and MiniJunk V2 RATs against US, Israeli, and Gulf targets using job-themed lures and DLL sideloading.
SonicWall SonicOS Scanning Surge in May 2026: The CVE-2026-0400 Early-Warning Pattern
GreyNoise recorded ~597,000 SonicWall SonicOS scanning sessions on May 12, 2026, roughly 46x baseline. The pattern echoes the recon waves that preceded CVE-2026-0400's disclosure. Here is how to read the signal.
Nation-State Actors Operationalize AI: Inside GTIG's May 2026 Threat Tracker
Google's Threat Intelligence Group documented China, North Korea, Russia, and Iran moving AI from experiment to operations in May 2026 — AI-assisted vulnerability research, LLM-enabled malware, and obfuscated model-access infrastructure.
Malicious PyPI packages: common infiltration patterns
Real malicious PyPI package examples — typosquats, dependency confusion, hijacked maintainers, and crypto stealers — and how Safeguard catches them before install.
Malicious NuGet package campaigns targeting developers
Socket.dev has tracked malicious NuGet packages stealing wallets, banking credentials, and sabotaging industrial systems. See how Safeguard catches them first.
Typosquatting across package registries (npm, Go, PyPI)
Typosquatting has infected npm, PyPI, and now Go modules. We break down real attacks like crossenv and colourama, how Socket.dev detects them, and where the gaps remain.
Malicious browser and IDE extensions (Chrome, Firefox, VS...
How the Cyberhaven Chrome extension breach and the GlassWorm Open VSX worm exposed a supply chain blind spot that dependency scanners like Socket.dev don't cover.
Shadow-Earth-053: China-Aligned Espionage Across Asia and a NATO State (May 2026)
Trend Micro's May 1, 2026 disclosure of Shadow-Earth-053 documents a China-aligned campaign exploiting N-day Exchange and IIS flaws to plant Godzilla web shells and ShadowPad across government, defense, and civil-society targets in eight-plus countries.
Qilin Ransomware Supply Chain Tactics 2025
Qilin became a top ransomware operator in 2024-2025 by pairing edge-device exploitation with managed service provider compromise. Here is the supply chain breakdown.
Lazarus Financial Sector Campaigns 2024-2025
Lazarus Group's 2024-2025 financial sector campaigns combined exchange compromises, DeFi exploits, and developer social engineering. Here is what defenders must know.