Safeguard
Tag

credential-theft

Safeguard articles tagged "credential-theft" — guides, analysis, and best practices for software supply chain and application security.

24 articles

Incident Analysis

Snowflake Customer Breaches 2024: Root Cause

The Snowflake customer breaches of 2024 were not a Snowflake compromise. Infostealer logs, shared credentials, and absent MFA did the damage, from Ticketmaster to AT&T.

Mar 8, 20267 min read
Cloud Security

Pandoc CVE-2025-51591: SSRF Against EC2 Metadata in the Wild

Wiz documented active exploitation of Pandoc CVE-2025-51591 to reach the AWS IMDS through iframe rendering. Here is the kill chain and the production controls that contained it.

Sep 30, 20256 min read
Cloud Security

AWS-2025-021: The IMDS Impersonation Bulletin Few Teams Read Carefully

AWS published Security Bulletin AWS-2025-021 warning that EC2 instances may interact with unexpected AWS accounts through the Instance Metadata Service. Here is the technical impact and the IMDSv2 enforcement plan.

Sep 22, 20256 min read
Supply Chain

@ctrl/tinycolor and the 40-Package npm Wave of September 2025

@ctrl/tinycolor versions 4.1.1 and 4.1.2 shipped a credential-stealing payload that propagated to 40+ packages with 2 million combined weekly downloads in under 24 hours.

Sep 18, 20255 min read
Supply Chain

Nx s1ngularity: The First AI-Aware Supply Chain Worm

On August 26, 2025, malicious versions of Nx (20.9.0–21.8.0) harvested 2,349 credentials from 1,079 developers and weaponized Claude, Gemini, and Q CLIs to enumerate local secrets.

Aug 29, 20256 min read
Open Source Security

Credential-Stealing Packages: What They Target and How Th...

Credential-stealing packages harvest env vars, browser passwords, and npm tokens at install time. Here's how ctx, W4SP, and Shai-Hulud actually work.

Aug 1, 20257 min read
Ransomware

Qilin Ransomware and the Chrome Credential Harvesting Gambit

Qilin ransomware operators pioneered a mass credential theft technique using Group Policy to extract saved Chrome browser credentials across entire domains.

Sep 20, 20246 min read
Incident Analysis

Snowflake Customer Data Breaches: 165 Organizations Hit by Credential Theft Campaign

Attackers used stolen credentials from infostealer malware to access Snowflake customer accounts without MFA, compromising data at Ticketmaster, Santander, AT&T, and over 160 other organizations.

Jun 10, 20245 min read
DevSecOps

CI/CD Credential Theft Prevention

CI/CD pipelines are treasure troves of secrets -- cloud credentials, API keys, signing certificates. Preventing credential theft from build environments is critical to supply chain security.

Nov 8, 20236 min read
Threat Analysis

Browser Extension Supply Chain Attacks: The Overlooked Threat Vector

Browser extensions have become a prime target for supply chain attackers. With access to browsing data, credentials, and session tokens, a compromised extension is a skeleton key to your organization.

Nov 15, 20227 min read
Incident Response

Heroku and GitHub OAuth Token Theft: The Early Warning Signs

Stolen OAuth tokens from Heroku's integration with GitHub gave attackers access to private repositories across dozens of organizations. The breach revealed systemic weaknesses in third-party OAuth integrations.

Feb 25, 20225 min read
Supply Chain Attacks

Codecov Bash Uploader Compromise: A Supply Chain Attack on CI/CD

Attackers modified Codecov's bash uploader script to steal environment variables from CI pipelines. Thousands of repositories were exposed for two months.

May 20, 20215 min read
credential-theft (Page 2) — Safeguard Blog