Safeguard
Tag

credential-theft

Safeguard articles tagged "credential-theft" — guides, analysis, and best practices for software supply chain and application security.

24 articles

Supply Chain Attacks

The elementary-data hijack: when a dbt observability tool became a credential harvester

A hijacked GitHub Actions token let attackers publish a backdoored elementary-data release that stole cloud, warehouse, and SSH credentials.

Jul 16, 20266 min read
Supply Chain Attacks

Postmortem: The Bun-Based Stealer Inside SAP's @cap-js and mbt Packages

Four SAP npm packages shipped a Bun-executed credential stealer on April 29, 2026 — a look at how it evaded Node-centric detection and what actually stops it.

Jul 16, 20266 min read
Supply Chain Attacks

The anatomy of a PyPI credential stealer

In a single 24-hour window in 2022, one actor shipped 12 malicious PyPI packages bundling Windows stealers that harvested browser, Discord, and Roblox credentials.

Jul 11, 20267 min read
Supply Chain Attacks

Bun-compiled JS binaries as PyPI credential stealers

Two lightning releases fetched the Bun runtime at import time to run an 11MB obfuscated JS stealer — PyPI's Python trust model didn't expect a JS binary.

Jul 8, 20266 min read
Supply Chain Attacks

How malicious PyPI packages steal cloud credentials at install time

A typosquat of a 200M-download SSH library stole AWS keys from 37,000 installs — before anyone imported it. Here's the install-time attack pattern.

Jul 8, 20266 min read
Software Supply Chain Security

Laravel Lang supply chain advisory

A leaked PAT let attackers rewrite 700+ git tags across four Laravel-Lang packages, planting a credential stealer that ran on every PHP request.

Jul 1, 20267 min read
DevSecOps

Mutable Tags Strike Again: actions-cool GitHub Action Tags Redirected to Imposter Commits (May 2026)

In May 2026, every tag on actions-cool/issues-helper and 15 tags on maintain-one-comment were quietly moved to point at imposter commits that stole CI/CD credentials from runner memory. A look at the mutable-tag attack class and how to defeat it.

May 21, 202610 min read
Supply Chain Attacks

Microsoft's durabletask PyPI Package Compromised (19 May 2026): A Linux Wiper and Multi-Cloud Credential Theft

On 19 May 2026, three malicious versions of Microsoft's durabletask PyPI package were uploaded in a 35-minute window. The payload steals AWS, Azure, GCP, and Kubernetes credentials in under four seconds and ships a locale-gated rm -rf wiper.

May 20, 202610 min read
Supply Chain Attacks

node-ipc Compromised Again (14 May 2026): An 80 KB Credential Stealer in a 10M-Download Library

On 14 May 2026, three malicious node-ipc versions (9.1.6, 9.2.3, 12.0.1) shipped an 80 KB credential-stealing IIFE appended after module.exports in the CJS bundle — no install scripts, harvesting 90+ secret categories from a library with 10M+ weekly downloads.

May 15, 20269 min read
Supply Chain Attacks

TanStack and the Mini Shai-Hulud npm Worm (May 2026): Anatomy of a CI-Native Supply Chain Attack

On 11-12 May 2026, the TeamPCP-linked Mini Shai-Hulud worm published 84 malicious artifacts across 42 TanStack npm packages in six minutes, then spread to 160+ packages by abusing GitHub Actions OIDC tokens and CI cache poisoning.

May 13, 202612 min read
Vulnerability Analysis

What is Phishing

Phishing drives more breaches than any other attack vector. Here's how it works, how it hits software supply chains, and how to defend against it.

Mar 26, 20268 min read
Vulnerability Analysis

CVE-2025-24071 Windows Explorer NTLM Hash Leak

A .library-ms file extracted from a zip archive can leak NTLM hashes without the user opening anything. Breakdown of CVE-2025-24071 and the defensive response.

Mar 12, 20268 min read
credential-theft — Safeguard Blog