Threat Research
In-depth guides and analysis on threat research from the Safeguard engineering team.
16 articles
Lessons from Shai-Hulud: The First Self-Propagating npm Worm
In September 2025, npm faced a supply chain attack that spread by itself — stealing developers' tokens, then using them to trojanize the victims' own packages. Here is how it worked.
Lessons from the ua-parser-js Compromise: Four Hours, Eight Million Downloads a Week
A hijacked npm account turned a tiny User-Agent parser into a cryptominer and password stealer for a few hours in 2021. Here is what account takeover does at ecosystem scale.
Repojacking Explained: Hijacking Abandoned Repository Names
Repojacking lets an attacker claim a renamed or deleted GitHub namespace and serve malicious code to everyone still referencing the old path. Here is how it works.
Lessons from event-stream: How a Free Handoff Became a Bitcoin Heist
A volunteer handed control of a hugely popular npm package to a stranger, who used it to target one Bitcoin wallet app. The event-stream incident is the case study in maintainer-handoff risk.
Transitive Dependency Risk Explained: The Code You Never Chose
Transitive dependencies are the packages your dependencies pull in, and they make up most of your codebase. Here is why they are risky and how to manage them.
Artifact Tampering and Integrity: Trusting What You Actually Ship
Artifact tampering alters a build output after it leaves source control, so what you deploy differs from what you reviewed. Here is how it works and how to verify integrity.
Lessons from the 3CX Attack: The First Supply Chain Attack Caused by Another
3CX shipped a trojanized version of its own softphone through official updates in 2023 — because an employee installed compromised trading software. Here is the cascade, and its lessons.
Build Pipeline Compromise: When the Factory Ships the Malware
A build pipeline compromise injects malicious code during CI/CD, so the software you sign and ship is already backdoored. Here is how it works and how to defend.
Lessons from the Codecov Breach: When Your CI Secrets Walk Out the Door
For two months in 2021, Codecov's Bash Uploader quietly exfiltrated CI environment variables. Here is how a single trusted script became a mass credential-harvesting operation.
Lessons from the XZ Utils Backdoor: A Three-Year Social Engineering Heist
CVE-2024-3094 was a backdoor patiently planted in XZ Utils over years of social engineering, caught by an engineer chasing half a second of SSH latency. Here is the full story.
Maintainer Account Takeover Attacks: Hijacking Trust in Open Source
A maintainer account takeover lets an attacker publish malicious versions of a trusted package under a legitimate identity. Here is how it happens and how to defend.
Lessons from Log4Shell: How One Logging Call Became the Internet's Worst Weekend
CVE-2021-44228 let an unauthenticated attacker run code by getting a single string logged. Here is how Log4Shell worked, why it was everywhere, and what actually contained it.