oauth-token-theft
Safeguard articles tagged "oauth-token-theft" — guides, analysis, and best practices for software supply chain and application security.
10 articles
Software Supply Chain Attack at Scale: npm, PyPI, and Docker Hub Hit in 48 Hours
GitGuardian documented three distinct supply-chain campaigns striking npm, PyPI, and Docker Hub inside a single 48-hour window in April 2026. The simultaneity tells you more about attacker tooling than any single payload does.
CVE-2026-45321: Anatomy of the TanStack npm and PyPI Supply Chain Worm
The Mini Shai-Hulud worm hit TanStack, Mistral AI, UiPath and 170+ npm and PyPI packages by hijacking a trusted release pipeline mid-run. Here is how the software supply chain attack actually worked, and what it changes.
TeamPCP: Running a Software Supply Chain Attack Like a Production Pipeline
TeamPCP (UNC6780) is the most active actor in the 2026 supply chain corpus, weaponizing the tools developers trust most. Here is how the operation works, and why a zero-CVE campaign breaks the model most teams still rely on.
IronWorm: A Rust eBPF Rootkit Worm Hits the npm Supply Chain
IronWorm is a compiled Rust npm worm with a kernel-level eBPF rootkit, Tor C2, and OIDC-based self-propagation. It is the engineering ceiling of 2026 software supply chain attacks — and it carries no CVE.
ShinyHunters Breaches Match Group: Hinge, Match, and OkCupid Data Exposed in a Vishing-Driven Extortion Hit
ShinyHunters claimed 10 million records from Match Group's dating apps in late January 2026. Here is what was actually taken (Hinge, Match, and OkCupid — notably not Tinder), how a single vishing call opened the door, and why dating-app data raises the extortion stakes.
PyTorch Lightning PyPI Compromise: A Software Supply Chain Attack Built to Drain ML Credentials
In April 2026, attackers pushed malicious versions of the lightning PyPI package and an npm intercom-client release, harvesting cloud, CI/CD, and GitHub credentials. Here is what happened and why ML tooling is now a prime supply chain target.
The Klue Breach: One Legacy Credential Turned Into a SaaS Supply Chain Attack on Salesforce and Gong
Attackers used a disused legacy credential at marketing-intelligence vendor Klue to push code that harvested customer OAuth tokens, then walked into Salesforce and Gong instances. A textbook SaaS-to-SaaS supply chain pivot.
Agentic AI Security: Gartner Says Most AI-Agent Attacks Will Be Access-Control Failures
Gartner predicts that through 2029, more than half of successful attacks against AI agents will exploit access-control issues — with prompt injection as the delivery mechanism. Here's why that framing matters more than the headline number.
OAuth Token Theft: The SaaS-to-SaaS Supply Chain Is the New Soft Target
The Klue and Salesloft Drift breaches showed the same pattern: steal one integration's OAuth tokens, inherit trusted access into hundreds of customer SaaS instances. Here is why third-party app grants are the supply chain risk most teams still aren't governing.
After the Worms: A CI/CD Security Playbook for Developer Credentials in 2026
The 2026 npm and PyPI worms proved that a trusted release pipeline is a credential vault. Here is what IronWorm and Mini Shai-Hulud actually exploited, and how to harden CI/CD before the next one lands.