Safeguard
Topic

Threat Research

In-depth guides and analysis on threat research from the Safeguard engineering team.

16 articles

Threat Research

Lessons from Shai-Hulud: The First Self-Propagating npm Worm

In September 2025, npm faced a supply chain attack that spread by itself — stealing developers' tokens, then using them to trojanize the victims' own packages. Here is how it worked.

Jul 8, 20266 min read
Threat Research

Lessons from the ua-parser-js Compromise: Four Hours, Eight Million Downloads a Week

A hijacked npm account turned a tiny User-Agent parser into a cryptominer and password stealer for a few hours in 2021. Here is what account takeover does at ecosystem scale.

Jul 7, 20266 min read
Threat Research

Repojacking Explained: Hijacking Abandoned Repository Names

Repojacking lets an attacker claim a renamed or deleted GitHub namespace and serve malicious code to everyone still referencing the old path. Here is how it works.

Jul 7, 20266 min read
Threat Research

Lessons from event-stream: How a Free Handoff Became a Bitcoin Heist

A volunteer handed control of a hugely popular npm package to a stranger, who used it to target one Bitcoin wallet app. The event-stream incident is the case study in maintainer-handoff risk.

Jul 6, 20265 min read
Threat Research

Transitive Dependency Risk Explained: The Code You Never Chose

Transitive dependencies are the packages your dependencies pull in, and they make up most of your codebase. Here is why they are risky and how to manage them.

Jul 6, 20266 min read
Threat Research

Artifact Tampering and Integrity: Trusting What You Actually Ship

Artifact tampering alters a build output after it leaves source control, so what you deploy differs from what you reviewed. Here is how it works and how to verify integrity.

Jul 5, 20266 min read
Threat Research

Lessons from the 3CX Attack: The First Supply Chain Attack Caused by Another

3CX shipped a trojanized version of its own softphone through official updates in 2023 — because an employee installed compromised trading software. Here is the cascade, and its lessons.

Jul 5, 20266 min read
Threat Research

Build Pipeline Compromise: When the Factory Ships the Malware

A build pipeline compromise injects malicious code during CI/CD, so the software you sign and ship is already backdoored. Here is how it works and how to defend.

Jul 4, 20266 min read
Threat Research

Lessons from the Codecov Breach: When Your CI Secrets Walk Out the Door

For two months in 2021, Codecov's Bash Uploader quietly exfiltrated CI environment variables. Here is how a single trusted script became a mass credential-harvesting operation.

Jul 4, 20266 min read
Threat Research

Lessons from the XZ Utils Backdoor: A Three-Year Social Engineering Heist

CVE-2024-3094 was a backdoor patiently planted in XZ Utils over years of social engineering, caught by an engineer chasing half a second of SSH latency. Here is the full story.

Jul 3, 20266 min read
Threat Research

Maintainer Account Takeover Attacks: Hijacking Trust in Open Source

A maintainer account takeover lets an attacker publish malicious versions of a trusted package under a legitimate identity. Here is how it happens and how to defend.

Jul 3, 20266 min read
Threat Research

Lessons from Log4Shell: How One Logging Call Became the Internet's Worst Weekend

CVE-2021-44228 let an unauthenticated attacker run code by getting a single string logged. Here is how Log4Shell worked, why it was everywhere, and what actually contained it.

Jul 2, 20266 min read
Threat Research — Supply Chain Security Blog | Safeguard