Safeguard
Tag

incident-analysis

Safeguard articles tagged "incident-analysis" — guides, analysis, and best practices for software supply chain and application security.

52 articles

Supply Chain Attacks

Anatomy of the Codecov Bash Uploader compromise

A single altered line in Codecov's Bash Uploader ran undetected for 65 days, siphoning CI secrets from thousands of pipelines before anyone noticed.

Jul 16, 20266 min read
Threat Research

Lessons from Shai-Hulud: The First Self-Propagating npm Worm

In September 2025, npm faced a supply chain attack that spread by itself — stealing developers' tokens, then using them to trojanize the victims' own packages. Here is how it worked.

Jul 8, 20266 min read
Threat Research

Lessons from the ua-parser-js Compromise: Four Hours, Eight Million Downloads a Week

A hijacked npm account turned a tiny User-Agent parser into a cryptominer and password stealer for a few hours in 2021. Here is what account takeover does at ecosystem scale.

Jul 7, 20266 min read
Threat Research

Lessons from event-stream: How a Free Handoff Became a Bitcoin Heist

A volunteer handed control of a hugely popular npm package to a stranger, who used it to target one Bitcoin wallet app. The event-stream incident is the case study in maintainer-handoff risk.

Jul 6, 20265 min read
Threat Research

Lessons from the 3CX Attack: The First Supply Chain Attack Caused by Another

3CX shipped a trojanized version of its own softphone through official updates in 2023 — because an employee installed compromised trading software. Here is the cascade, and its lessons.

Jul 5, 20266 min read
Threat Research

Lessons from the Codecov Breach: When Your CI Secrets Walk Out the Door

For two months in 2021, Codecov's Bash Uploader quietly exfiltrated CI environment variables. Here is how a single trusted script became a mass credential-harvesting operation.

Jul 4, 20266 min read
Threat Research

Lessons from the XZ Utils Backdoor: A Three-Year Social Engineering Heist

CVE-2024-3094 was a backdoor patiently planted in XZ Utils over years of social engineering, caught by an engineer chasing half a second of SSH latency. Here is the full story.

Jul 3, 20266 min read
Threat Research

Lessons from Log4Shell: How One Logging Call Became the Internet's Worst Weekend

CVE-2021-44228 let an unauthenticated attacker run code by getting a single string logged. Here is how Log4Shell worked, why it was everywhere, and what actually contained it.

Jul 2, 20266 min read
Threat Research

Lessons from SolarWinds: When the Build Pipeline Becomes the Attack Surface

The SUNBURST backdoor reached roughly 18,000 organizations through a trojanized SolarWinds Orion update. Here is what actually happened, and the defenses that hold up years later.

Jul 1, 20266 min read
Software Supply Chain Security

Vendor breach exposure: third-party risk lessons from the Klue incident

A single forgotten credential at Klue exposed Salesforce CRM data at 14+ companies, including Snyk and Huntress—here's what it teaches about vendor risk.

Jun 28, 20268 min read
Industry Analysis

MFT Mass Exploitation Trend In 2026

Managed file transfer platforms have become a recurring epicenter of mass exploitation. We trace the 2026 incidents, the reused tradecraft, and what defenders should do now.

Apr 13, 20267 min read
Industry Analysis

npm Account Takeover Pattern Evolution

npm account takeovers have shifted from opportunistic phishing to coordinated, multi-stage operations. We trace the 2025 to 2026 evolution and what it means for maintainers.

Apr 9, 20267 min read
incident-analysis — Safeguard Blog