Safeguard
Tag

post-mortem

Safeguard articles tagged "post-mortem" — guides, analysis, and best practices for software supply chain and application security.

12 articles

Incident Analysis

Hugging Face Model Hub Supply Chain Risks in 2025

Pickle deserialization, malicious Spaces, and namespace squatting: what 2024-2025 taught us about the Hugging Face model supply chain.

Feb 20, 20267 min read
Incident Analysis

debug/chalk npm Compromise Sept 2025: Deep Dive

A phishing campaign against a prolific npm maintainer poisoned chalk, debug, and several other packages with a Web3 hijacker. Here is the full breakdown.

Feb 13, 20267 min read
Incident Analysis

xrpl.js npm Backdoor April 2025 Incident Analysis

A stolen Ripple-adjacent npm token pushed key-stealing versions of xrpl.js. Timeline, payload structure, and what XRPL integrators should do next.

Feb 9, 20267 min read
Incident Analysis

Solana web3.js npm Backdoor: Dec 2024 Post-Mortem

A phished maintainer token pushed a private-key-stealing backdoor into @solana/web3.js 1.95.6/1.95.7. Full mechanics and post-incident recommendations.

Feb 5, 20266 min read
Incident Analysis

Ledger Connect Kit Attack: What Devs Missed

A phishing-obtained GitHub token published a wallet drainer as @ledgerhq/connect-kit in Dec 2023. What the incident tells us about Web3 supply chain trust.

Feb 1, 20267 min read
Incident Analysis

Rspack npm Account Takeover: 2024 Incident Analysis

Compromised npm tokens pushed crypto-miner versions of @rspack/core and @rspack/cli in December 2024. Timeline, payload, and what downstream teams missed.

Jan 28, 20267 min read
Incident Analysis

Polyfill.io CDN Supply Chain Attack: 100K+ Sites

After a domain handover, polyfill.io began serving malware to more than 100,000 sites. Here is the attack chain and what the incident teaches us.

Jan 23, 20266 min read
Cloud Security

Cloudflare Code Orange Fail Small: What the Resilience Plan Actually Changes

After November and December 2025 outages, Cloudflare declared Code Orange and shipped a Health Mediated Deployment system, break-glass dependency audits, and graceful-degradation rewrites.

Jan 20, 20267 min read
Incident Analysis

Lottie Player npm Supply Chain Attack Explained

A leaked maintainer token published three trojanized versions of @lottiefiles/lottie-player to npm, targeting wallet drains. Here is the mechanics.

Jan 19, 20267 min read
Incident Analysis

tj-actions/changed-files Compromise: What Happened

A March 2025 GitHub Action compromise rewrote every tagged version to leak secrets. Here is the timeline, attack chain, and what repos need to change.

Jan 14, 20267 min read
Incident Analysis

Ultralytics PyPI Compromise: Dec 2024 Post-Mortem

How a GitHub Actions cache poisoning attack pushed a crypto miner into Ultralytics 8.3.41 on PyPI, and what engineering teams should actually change.

Jan 9, 20267 min read
Cloud Security

Cloudflare November 18 2025 Outage: A Bot Management Feature File Doubled in Size

A ClickHouse permissions change caused Cloudflare's Bot Management feature file to balloon past a hard-coded proxy limit, taking the core network down for two hours and ten minutes.

Nov 21, 20257 min read
post-mortem — Safeguard Blog