post-mortem
Safeguard articles tagged "post-mortem" — guides, analysis, and best practices for software supply chain and application security.
12 articles
Hugging Face Model Hub Supply Chain Risks in 2025
Pickle deserialization, malicious Spaces, and namespace squatting: what 2024-2025 taught us about the Hugging Face model supply chain.
debug/chalk npm Compromise Sept 2025: Deep Dive
A phishing campaign against a prolific npm maintainer poisoned chalk, debug, and several other packages with a Web3 hijacker. Here is the full breakdown.
xrpl.js npm Backdoor April 2025 Incident Analysis
A stolen Ripple-adjacent npm token pushed key-stealing versions of xrpl.js. Timeline, payload structure, and what XRPL integrators should do next.
Solana web3.js npm Backdoor: Dec 2024 Post-Mortem
A phished maintainer token pushed a private-key-stealing backdoor into @solana/web3.js 1.95.6/1.95.7. Full mechanics and post-incident recommendations.
Ledger Connect Kit Attack: What Devs Missed
A phishing-obtained GitHub token published a wallet drainer as @ledgerhq/connect-kit in Dec 2023. What the incident tells us about Web3 supply chain trust.
Rspack npm Account Takeover: 2024 Incident Analysis
Compromised npm tokens pushed crypto-miner versions of @rspack/core and @rspack/cli in December 2024. Timeline, payload, and what downstream teams missed.
Polyfill.io CDN Supply Chain Attack: 100K+ Sites
After a domain handover, polyfill.io began serving malware to more than 100,000 sites. Here is the attack chain and what the incident teaches us.
Cloudflare Code Orange Fail Small: What the Resilience Plan Actually Changes
After November and December 2025 outages, Cloudflare declared Code Orange and shipped a Health Mediated Deployment system, break-glass dependency audits, and graceful-degradation rewrites.
Lottie Player npm Supply Chain Attack Explained
A leaked maintainer token published three trojanized versions of @lottiefiles/lottie-player to npm, targeting wallet drains. Here is the mechanics.
tj-actions/changed-files Compromise: What Happened
A March 2025 GitHub Action compromise rewrote every tagged version to leak secrets. Here is the timeline, attack chain, and what repos need to change.
Ultralytics PyPI Compromise: Dec 2024 Post-Mortem
How a GitHub Actions cache poisoning attack pushed a crypto miner into Ultralytics 8.3.41 on PyPI, and what engineering teams should actually change.
Cloudflare November 18 2025 Outage: A Bot Management Feature File Doubled in Size
A ClickHouse permissions change caused Cloudflare's Bot Management feature file to balloon past a hard-coded proxy limit, taking the core network down for two hours and ten minutes.