Safeguard
Tag

oauth-token-theft

Safeguard articles tagged "oauth-token-theft" — guides, analysis, and best practices for software supply chain and application security.

10 articles

Supply Chain Security

Software Supply Chain Attack at Scale: npm, PyPI, and Docker Hub Hit in 48 Hours

GitGuardian documented three distinct supply-chain campaigns striking npm, PyPI, and Docker Hub inside a single 48-hour window in April 2026. The simultaneity tells you more about attacker tooling than any single payload does.

Jun 24, 20267 min read
Supply Chain Security

CVE-2026-45321: Anatomy of the TanStack npm and PyPI Supply Chain Worm

The Mini Shai-Hulud worm hit TanStack, Mistral AI, UiPath and 170+ npm and PyPI packages by hijacking a trusted release pipeline mid-run. Here is how the software supply chain attack actually worked, and what it changes.

Jun 23, 20267 min read
Threat Intelligence

TeamPCP: Running a Software Supply Chain Attack Like a Production Pipeline

TeamPCP (UNC6780) is the most active actor in the 2026 supply chain corpus, weaponizing the tools developers trust most. Here is how the operation works, and why a zero-CVE campaign breaks the model most teams still rely on.

Jun 23, 20267 min read
Supply Chain Security

IronWorm: A Rust eBPF Rootkit Worm Hits the npm Supply Chain

IronWorm is a compiled Rust npm worm with a kernel-level eBPF rootkit, Tor C2, and OIDC-based self-propagation. It is the engineering ceiling of 2026 software supply chain attacks — and it carries no CVE.

Jun 22, 20267 min read
Threat Intelligence

ShinyHunters Breaches Match Group: Hinge, Match, and OkCupid Data Exposed in a Vishing-Driven Extortion Hit

ShinyHunters claimed 10 million records from Match Group's dating apps in late January 2026. Here is what was actually taken (Hinge, Match, and OkCupid — notably not Tinder), how a single vishing call opened the door, and why dating-app data raises the extortion stakes.

Jun 20, 20267 min read
Supply Chain Security

PyTorch Lightning PyPI Compromise: A Software Supply Chain Attack Built to Drain ML Credentials

In April 2026, attackers pushed malicious versions of the lightning PyPI package and an npm intercom-client release, harvesting cloud, CI/CD, and GitHub credentials. Here is what happened and why ML tooling is now a prime supply chain target.

Jun 20, 20266 min read
Threat Intelligence

The Klue Breach: One Legacy Credential Turned Into a SaaS Supply Chain Attack on Salesforce and Gong

Attackers used a disused legacy credential at marketing-intelligence vendor Klue to push code that harvested customer OAuth tokens, then walked into Salesforce and Gong instances. A textbook SaaS-to-SaaS supply chain pivot.

Jun 17, 20266 min read
Strategy

Agentic AI Security: Gartner Says Most AI-Agent Attacks Will Be Access-Control Failures

Gartner predicts that through 2029, more than half of successful attacks against AI agents will exploit access-control issues — with prompt injection as the delivery mechanism. Here's why that framing matters more than the headline number.

Jun 9, 20267 min read
Threat Intelligence

OAuth Token Theft: The SaaS-to-SaaS Supply Chain Is the New Soft Target

The Klue and Salesloft Drift breaches showed the same pattern: steal one integration's OAuth tokens, inherit trusted access into hundreds of customer SaaS instances. Here is why third-party app grants are the supply chain risk most teams still aren't governing.

Jun 8, 20267 min read
Supply Chain Security

After the Worms: A CI/CD Security Playbook for Developer Credentials in 2026

The 2026 npm and PyPI worms proved that a trusted release pipeline is a credential vault. Here is what IronWorm and Mini Shai-Hulud actually exploited, and how to harden CI/CD before the next one lands.

Jun 6, 20268 min read
oauth-token-theft — Safeguard Blog