credential-theft
Safeguard articles tagged "credential-theft" — guides, analysis, and best practices for software supply chain and application security.
24 articles
Snowflake Customer Breaches 2024: Root Cause
The Snowflake customer breaches of 2024 were not a Snowflake compromise. Infostealer logs, shared credentials, and absent MFA did the damage, from Ticketmaster to AT&T.
Pandoc CVE-2025-51591: SSRF Against EC2 Metadata in the Wild
Wiz documented active exploitation of Pandoc CVE-2025-51591 to reach the AWS IMDS through iframe rendering. Here is the kill chain and the production controls that contained it.
AWS-2025-021: The IMDS Impersonation Bulletin Few Teams Read Carefully
AWS published Security Bulletin AWS-2025-021 warning that EC2 instances may interact with unexpected AWS accounts through the Instance Metadata Service. Here is the technical impact and the IMDSv2 enforcement plan.
@ctrl/tinycolor and the 40-Package npm Wave of September 2025
@ctrl/tinycolor versions 4.1.1 and 4.1.2 shipped a credential-stealing payload that propagated to 40+ packages with 2 million combined weekly downloads in under 24 hours.
Nx s1ngularity: The First AI-Aware Supply Chain Worm
On August 26, 2025, malicious versions of Nx (20.9.0–21.8.0) harvested 2,349 credentials from 1,079 developers and weaponized Claude, Gemini, and Q CLIs to enumerate local secrets.
Credential-Stealing Packages: What They Target and How Th...
Credential-stealing packages harvest env vars, browser passwords, and npm tokens at install time. Here's how ctx, W4SP, and Shai-Hulud actually work.
Qilin Ransomware and the Chrome Credential Harvesting Gambit
Qilin ransomware operators pioneered a mass credential theft technique using Group Policy to extract saved Chrome browser credentials across entire domains.
Snowflake Customer Data Breaches: 165 Organizations Hit by Credential Theft Campaign
Attackers used stolen credentials from infostealer malware to access Snowflake customer accounts without MFA, compromising data at Ticketmaster, Santander, AT&T, and over 160 other organizations.
CI/CD Credential Theft Prevention
CI/CD pipelines are treasure troves of secrets -- cloud credentials, API keys, signing certificates. Preventing credential theft from build environments is critical to supply chain security.
Browser Extension Supply Chain Attacks: The Overlooked Threat Vector
Browser extensions have become a prime target for supply chain attackers. With access to browsing data, credentials, and session tokens, a compromised extension is a skeleton key to your organization.
Heroku and GitHub OAuth Token Theft: The Early Warning Signs
Stolen OAuth tokens from Heroku's integration with GitHub gave attackers access to private repositories across dozens of organizations. The breach revealed systemic weaknesses in third-party OAuth integrations.
Codecov Bash Uploader Compromise: A Supply Chain Attack on CI/CD
Attackers modified Codecov's bash uploader script to steal environment variables from CI pipelines. Thousands of repositories were exposed for two months.