Incident Analysis
tj-actions Compromise: One Year Retrospective
A year after the tj-actions/changed-files compromise leaked CI secrets across thousands of GitHub repos, what did we fix and what is still dangerously convenient?
Mar 12, 20268 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A year after the tj-actions/changed-files compromise leaked CI secrets across thousands of GitHub repos, what did we fix and what is still dangerously convenient?
The Snowflake customer breaches of 2024 were not a Snowflake compromise. Infostealer logs, shared credentials, and absent MFA did the damage, from Ticketmaster to AT&T.
The Confluence broken access control zero-day from October 2023 hit thousands of self-hosted instances. A 2026 look at the exploit, the response, and the durable lessons.
The Change Healthcare ransomware attack knocked US healthcare payments offline for weeks. A missing MFA on a Citrix portal was the root cause United confirmed.
A year after the XZ Utils backdoor was caught by Andres Freund at Microsoft, what did we fix, what did we ignore, and what still gets packaged into Linux distros?
ProxyNotShell forced enterprises to triage Exchange Server patching under pressure with confusing vendor guidance. A look back at CVE-2022-41040 and CVE-2022-41082.
Midnight Blizzard moved from email exfiltration to Microsoft source code repositories. The pivot from stolen OAuth tokens to code access is the supply chain lesson.
A concrete, timed playbook for the 72 hours after a critical dependency advisory — inventory, reachability, containment, remediation, and retrospective.
Pickle deserialization, malicious Spaces, and namespace squatting: what 2024-2025 taught us about the Hugging Face model supply chain.
Weekly insights on software supply chain security, delivered to your inbox.