malware
Safeguard articles tagged "malware" — guides, analysis, and best practices for software supply chain and application security.
32 articles
The Nx Attack Turned AI Coding Agents Into the Malware
In August 2025, attackers hijacked Nx's npm publish token and used Claude Code, Gemini CLI, and Amazon Q as the exfiltration engine — leaking 2,349 secrets.
How Attackers Clone GitHub Repos to Ship Malware
One threat actor ran 3,000+ fake GitHub accounts and 2,200+ cloned repos to infect over 1,300 victims in four days. Here's how to spot the fakes.
How malicious PyPI packages steal cloud credentials at install time
A typosquat of a 200M-download SSH library stole AWS keys from 37,000 installs — before anyone imported it. Here's the install-time attack pattern.
Software supply chain attack trends: what the public incident data shows
Sonatype tracked 454,648 new malicious packages in 2025 alone — over 1.2 million total since it started counting. Here's what three years of incident data reveal.
What Is Malware? Types and How It Spreads
Malware is any software built to do harm, from stealing data to locking up your files. Here's a beginner-friendly tour of the main types and how it gets in.
GitHub repo confusion and malware repositories
Fake GitHub repos with forged stars and AI-written READMEs are stealing crypto and credentials. Here's how repo confusion attacks actually work.
eBPF Rootkits Go Mainstream: Inside IronWorm and the Kernel-Level Turn in Supply Chain Malware
IronWorm shipped a kernel-level eBPF rootkit inside dozens of npm packages, hiding the very processes your security tools rely on seeing. Here is what changed, and how to detect kernel-level supply chain malware before it blinds you.
What is Malware
Malware now hides in open source packages and CI pipelines, not just email attachments. Here's what it is, how it spreads, and how to catch it early.
VS Code Marketplace Malware Campaigns in 2025
A senior engineer's review of the 2025 VS Code Marketplace malware wave, including typosquats, trojanized themes, and extensions that stole npm tokens at scale.
PyPI mexalz Malware Campaign Deep Dive
Researchers tracked a PyPI campaign publishing malicious packages under the mexalz and related account names, targeting Python developers with infostealers.
What is a Man-in-the-Browser Attack
Man-in-the-browser malware rewrites transactions inside a victim's own browser, bypassing TLS and OTP 2FA -- here's how it works and how to stop it.
Safeguard Eagle 3.0 Release: Classifier Update
Eagle 3.0 is the classification model behind Safeguard's package, image, and secret detection. Here is what changed, what moved, and what it means for alerts.