Real-World Security Incidents
Walk through actual supply chain attacks, data breaches, and vulnerability exploits in interactive, step-by-step scenarios. Understand how they happened and how to prevent them.
The PHP git.php.net Backdoor
Two spoofed commits plant a hidden RCE Easter egg in the language that runs 70% of the web
On March 28, 2021, attackers pushed two malicious commits to the official PHP source repository at git.php.net, spoofing Rasmus Lerdorf and Nikita Popov as authors. The nine-line backdoor in ext/zlib/zlib.c added unauthenticated remote code execution triggered by an HTTP header called HTTP_USER_AGENTT (with two T's) containing the string "zerodium". Michael Voříšek spotted the first commit within hours, Nikita Popov reverted it in 5h 19m, and PHP abandoned its self-hosted git infrastructure entirely — migrating canonical development to GitHub.
Source Map Exposure — Claude Code Leak
Anthropic's Claude Code ships 59.8MB source map exposing 512K+ lines of proprietary TypeScript
Anthropic's Claude Code CLI tool (v2.1.88) accidentally shipped a 59.8MB source map in its npm package, exposing 1,906 TypeScript files including Undercover Mode, KAIROS autonomous agent, anti-distillation mechanisms, and native client attestation — discovered by security researcher Chaofan Shou.
Axios Supply Chain Attack
npm account compromise deploys cross-platform RAT via trusted package
North Korean threat actors used a compromised long-lived npm token to bypass 2FA and publish malicious Axios versions containing a cross-platform RAT disguised as a crypto utility package.
How to use these incident walkthroughs
Each scenario is built from primary sources — vendor post-mortems, CVE entries, security researcher writeups, and regulator filings where they exist — and reconstructed as a step-by-step decision flow rather than a static narrative. The goal is to put you in the shoes of the team that responded to the incident: what they saw first, which signal they followed, where they got it right, and where the response could have moved faster. You can complete a scenario in fifteen to thirty minutes, and the difficulty badge on each card is calibrated to how subtle the root cause is rather than how big the headline was.
The library deliberately mixes attack categories: classic OWASP A01 broken access control failures, supply-chain compromises of widely trusted packages, identity-provider misconfigurations that quietly broaden access, and the long tail of operational lapses that only become visible once an attacker is already inside. Reading them side by side helps engineering teams build a shared vocabulary for talking about likelihood, blast radius, and detection lag — the three dimensions that almost always determine whether an incident becomes a footnote or a multi-quarter cleanup.
How these scenarios complement code-review challenges
Code-review challenges in Practice Mode teach you to recognise a vulnerable pattern in a single file. Real-world incidents teach the layer above that: how multiple individually defensible decisions combine to produce a security failure that no single code review would have caught. The same developer who can spot SQL injection in a Phase 1 challenge benefits from walking through an incident where the SQL injection was real, was found by an external researcher months after deployment, and only triggered a response after a customer complaint surfaced anomalous billing.
For teams using SecureCodingHub for compliance evidence under PCI DSS 4.0.1, ISO 27001, or the EU Cyber Resilience Act, the incident library is intentionally separate from the assignable training catalog. Auditors expect evidence of secure coding training delivered to developers; incident walkthroughs sit alongside that as practitioner enablement and threat-modelling input, not as a substitute for the mapped, completion-tracked assignments. If you need to incorporate a specific incident into a tabletop exercise or post-mortem retrospective, the source links inside each scenario point back to the original public material you can cite directly.
New scenarios are added when a publicly disclosed incident provides enough technical detail to reconstruct the decision points without speculation. We do not write scenarios from rumour, leaked internal documents, or speculative reports. If you would like to see a specific incident covered, write to editorial@securecodinghub.com with a link to the public source material — we maintain a rolling editorial queue, and most reader-suggested scenarios that have publishable source material make it into the library within a few weeks.