Catch The Ownership Change Before The Malicious Update.
The xz-style attack pattern is now a playbook. A long-trusted maintainer goes quiet, a new contributor inherits commit rights, a malicious update lands months later. Safeguard watches the maintainer surface of every package you depend on and freezes new versions when the social graph shifts.
The Attack Class Pattern Scanners Cannot See.
An OSS maintainer's account is transferred to a new identity. No CVE exists. The package signature is valid. The version bump looks routine. Existing scanners pass the change through to your build with no warning.
The malicious payload arrives in version N+1 — sometimes months after the takeover, sometimes immediately. By the time community researchers publish the disclosure, the affected version is in production at thousands of organisations.
The signal exists in the public record: registry-account changes, GitHub repo ownership transfers, sudden CI-config rewrites, multi-month commit-cadence anomalies. Reading it requires watching every package you depend on continuously — which is what the platform does.
No CVE, No Match
Takeover events leave no CVE for weeks or months. CVE-driven SCA tools cannot see what is by definition undisclosed.
Social-Graph Signal Is Ignored
Maintainer changes, contributor account ages, sudden new committers: these are forensic signals that legacy SCA does not collect.
Commit-Cadence Anomalies Hide In Plain Sight
A package quiet for 18 months suddenly ships three releases in a week. Without a per-package baseline of its normal release rate, the anomaly is invisible.
Coordinated Mirror Lockdown Is Manual
Even when teams suspect a takeover, freezing the affected version across every internal mirror and runtime is a manual checklist that takes hours.
Watch The Maintainer Surface. Freeze. Coordinate.
Continuous Maintainer-Graph Watch
For every package in your tenant SBOMs, the platform watches registry-side ownership, GitHub committer set, and contributor-age distribution — hourly diff against a 90-day baseline.
Anomaly Scoring And Alert
The Eagle ranking model scores each change for takeover-shaped risk (new committer + protected-branch push + CI-config rewrite + version bump within 24h is one such pattern).
Auto-Freeze In Tenant Mirror
When the score crosses tenant policy threshold, the platform freezes the affected version range in the internal package mirror — old versions stay available, new ones gated.
Coordinated Investigation Workflow
Findings open a triage thread with the diff evidence, the maintainer history, and a draft maintainer-outreach message, tied into your existing incident tooling.
From Quiet Account Change To Frozen Release.
On tenant onboarding, the platform builds a 90-day maintainer-history baseline for every package in scope.
Public maintainer surfaces (registry account, GitHub committer set, key signers) re-read hourly and diffed against the baseline.
Each diff scored by Eagle for takeover-shaped risk; the model is trained on disclosed takeover post-mortems and synthetic adversarial cases.
Scores above the tenant's configured threshold open a finding and freeze new versions of the package in the internal mirror.
Finding ships with the diff, the maintainer history, recent CI-config and release-notes deltas, and a draft maintainer-outreach message.
On benign explanation, the freeze lifts with a logged justification. On confirmed compromise, coordinated-disclosure workflow takes over.
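The pipeline above, reduced to runnable logic, as an added example that is not the platform's code and does not use its models. It covers the three mechanics described on this page: the diff of a package's maintainer surface against a baseline, the release-cadence check (a package quiet for months that suddenly ships several releases in a week), and the chained pattern named earlier (new committer, protected-branch push, CI-config rewrite and version bump within 24h), then applies a threshold to decide whether the mirror gates the new versions. The snapshot shape, the weights, the threshold of 6, the cadence factor and every package, account and version in the sample data are constructed assumptions for illustration.

```python
"""Toy maintainer-surface watch: baseline diff, cadence check, takeover score, mirror policy.
Added example, not the product's code. Snapshot shape, weights, threshold and sample
data are assumptions made for this illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Snapshot:
    """One read of a package's public maintainer surface (shape assumed)."""
    taken_at: datetime
    registry_owners: frozenset                 # registry-side account names
    committers: dict                           # login -> account creation date
    ci_config_hash: str                        # digest of the CI workflow files
    releases: list                             # [(published_at, version)]
    protected_pushes: list = field(default_factory=list)  # [(pushed_at, login)]


def diff_surface(baseline, current):
    """Ownership, committer, CI and release deltas between the baseline and the current read."""
    return {
        "new_owners": current.registry_owners - baseline.registry_owners,
        "lost_owners": baseline.registry_owners - current.registry_owners,
        "new_committers": {u: c for u, c in current.committers.items()
                           if u not in baseline.committers},
        "ci_rewritten": current.ci_config_hash != baseline.ci_config_hash,
        "new_versions": [v for t, v in current.releases if t > baseline.taken_at],
    }


def cadence_anomaly(releases, now, window_days=7, history_days=540, factor=5.0):
    """Releases in the last window measured against the package's own prior rate.
    Quiet for 18 months then two or three releases in one week trips it; a package
    that already ships weekly does not."""
    win, hist = timedelta(days=window_days), timedelta(days=history_days)
    recent = sum(1 for t, _ in releases if now - t <= win)
    older = sum(1 for t, _ in releases if win < now - t <= hist)
    expected = older * window_days / (history_days - window_days)
    return recent > max(1.0, expected * factor)


def score_takeover(baseline, current, young_account_days=90):
    """Additive score over the diff, with a bonus for the chained 24h pattern. Weights assumed."""
    d = diff_surface(baseline, current)
    now = current.taken_at
    young = [u for u, created in d["new_committers"].items()
             if now - created <= timedelta(days=young_account_days)]
    # Chained pattern: a new committer pushes to the protected branch, CI is rewritten,
    # and a version ships within 24h of that push.
    pushes = [t for t, u in current.protected_pushes if u in d["new_committers"]]
    chained = [v for t, v in current.releases
               if any(timedelta(0) <= t - p <= timedelta(hours=24) for p in pushes)]
    signals = [
        (bool(d["new_owners"]), 3, f"registry owner added: {sorted(d['new_owners'])}"),
        (bool(d["lost_owners"]), 2, f"registry owner removed: {sorted(d['lost_owners'])}"),
        (bool(d["new_committers"]), 1, f"new committers: {sorted(d['new_committers'])}"),
        (bool(young), 2, f"committer accounts younger than {young_account_days}d: {young}"),
        (d["ci_rewritten"], 2, "CI config rewritten"),
        (cadence_anomaly(current.releases, now), 2, "release cadence anomaly"),
        (bool(chained) and d["ci_rewritten"], 4,
         f"new committer push, CI rewrite and release within 24h: {chained}"),
    ]
    score = sum(w for hit, w, _ in signals if hit)
    reasons = [r for hit, _, r in signals if hit]
    return score, reasons, d["new_versions"]


def mirror_policy(score, new_versions, threshold=6):
    """Tenant policy: at or above the threshold, gate every version released since the baseline."""
    if score >= threshold:
        return {"action": "freeze", "gated_versions": list(new_versions)}
    return {"action": "allow", "gated_versions": []}


# Constructed sample data: not real packages, accounts or releases.
NOW = datetime(2024, 3, 29, 12, 0)
BASELINE = Snapshot(NOW - timedelta(days=90), frozenset({"alice"}),
                    {"alice": datetime(2015, 1, 1)}, "ci-aaaa",
                    [(datetime(2022, 7, 1), "5.4.0")])


def evaluate(current, baseline=BASELINE):
    score, reasons, new_versions = score_takeover(baseline, current)
    return score, reasons, mirror_policy(score, new_versions)


def sample_takeover():
    """Owner added from a 60-day-old account, CI rewrite, two releases after 18 quiet months."""
    current = Snapshot(NOW, frozenset({"alice", "mallory"}),
                       {"alice": datetime(2015, 1, 1), "mallory": NOW - timedelta(days=60)},
                       "ci-bbbb",
                       BASELINE.releases + [(NOW - timedelta(hours=10), "5.6.0"),
                                            (NOW - timedelta(hours=2), "5.6.1")],
                       [(NOW - timedelta(hours=20), "mallory")])
    return evaluate(current)


def sample_benign():
    """A contributor with a 2018 account lands one release; no ownership or CI change."""
    current = Snapshot(NOW, frozenset({"alice"}),
                       {"alice": datetime(2015, 1, 1), "bob": datetime(2018, 5, 5)},
                       "ci-aaaa", BASELINE.releases + [(NOW - timedelta(hours=1), "5.5.0")],
                       [(NOW - timedelta(hours=3), "bob")])
    return evaluate(current)


if __name__ == "__main__":
    for name, fn in (("takeover", sample_takeover), ("benign", sample_benign)):
        score, reasons, decision = fn()
        print(name, score, decision, reasons)
```

The takeover sample scores 14 and freezes 5.6.0 and 5.6.1 in the mirror while 5.4.0 stays available; the benign sample scores 1 (a new committer, nothing else) and is allowed through. Two design points carry over to a real deployment: the cadence check compares a package only against its own history, so a weekly-release project does not trip it, and the conjunction bonus is what separates a routine contributor onboarding from the chained pattern, which is why a single new committer never crosses the threshold on its own.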
What Changes After Adoption.
Ownership Change Is A Signal
Tenant Mirror Holds The Line
Coordinated Response
Don't Let The Next xz Hit Your Build.
Connect one repo and we'll surface the maintainer-anomaly heatmap of your top 100 transitive dependencies.