threat-intelligence
Safeguard articles tagged "threat-intelligence" — guides, analysis, and best practices for software supply chain and application security.
47 articles
First VPN Takedown: How May 2026's Strike on Ransomware Infrastructure Worked
In May 2026, an international coalition dismantled First VPN, a service the FBI says at least 25 ransomware gangs used to hide. We unpack the takedown, the broader 2026 infrastructure offensive, and why disrupting plumbing matters more than chasing brands.
SonicWall SonicOS Scanning Surge in May 2026: The CVE-2026-0400 Early-Warning Pattern
GreyNoise recorded ~597,000 SonicWall SonicOS scanning sessions on May 12, 2026, roughly 46x baseline. The pattern echoes the recon waves that preceded CVE-2026-0400's disclosure. Here is how to read the signal.
The Gentlemen RaaS Database Leak: What the May 2026 Breach Revealed About a Top Ransomware Operation
An insider sold The Gentlemen's internal 'Rocket' backend in May 2026, exposing affiliate structure, tooling, and negotiation logs of one of 2026's most prolific RaaS crews. Here is what the leak teaches defenders.
Nation-State Actors Operationalize AI: Inside GTIG's May 2026 Threat Tracker
Google's Threat Intelligence Group documented China, North Korea, Russia, and Iran moving AI from experiment to operations in May 2026 — AI-assisted vulnerability research, LLM-enabled malware, and obfuscated model-access infrastructure.
Malicious PyPI packages: common infiltration patterns
Real malicious PyPI package examples — typosquats, dependency confusion, hijacked maintainers, and crypto stealers — and how Safeguard catches them before install.
Malicious NuGet package campaigns targeting developers
Socket.dev has tracked malicious NuGet packages stealing wallets, banking credentials, and sabotaging industrial systems. See how Safeguard catches them first.
Malicious browser and IDE extensions (Chrome, Firefox, VS...
How the Cyberhaven Chrome extension breach and the GlassWorm Open VSX worm exposed a supply chain blind spot that dependency scanners like Socket.dev don't cover.
Shadow-Earth-053: China-Aligned Espionage Across Asia and a NATO State (May 2026)
Trend Micro's May 1, 2026 disclosure of Shadow-Earth-053 documents a China-aligned campaign exploiting N-day Exchange and IIS flaws to plant Godzilla web shells and ShadowPad across government, defense, and civil-society targets in eight-plus countries.
Qilin Ransomware Supply Chain Tactics 2025
Qilin became a top ransomware operator in 2024-2025 by pairing edge-device exploitation with managed service provider compromise. Here is the supply chain breakdown.
Lazarus Financial Sector Campaigns 2024-2025
Lazarus Group's 2024-2025 financial sector campaigns combined exchange compromises, DeFi exploits, and developer social engineering. Here is what defenders must know.
Flax Typhoon Residential Proxy Supply Chain 2024
Flax Typhoon's Raptor Train botnet turned consumer IoT into a state-aligned proxy network. Here is the tradecraft, the takedown, and the supply chain lessons.
Developer Social Engineering Campaigns 2024-2025
State-aligned and financially motivated actors now target individual developers with bespoke social engineering. Here is the tradecraft and what engineering leaders must do.