Breach breakdowns
Would Stateward have caught it?
When a breach hits the news, the first question is "could it happen to us?" Here’s the honest breakdown — what happened, and exactly which Stateward detector catches the same class in your code. We say so plainly when the answer is only partial.
March 2026 | Caught
Would Stateward have caught the Claude Code source leak?
A missing .npmignore rule shipped a ~59.8 MB source map — about 512,000 lines of unobfuscated TypeScript across ~1,900 files — inside a published npm package. A bundler bug kept emitting maps even when disabled, and nothing stripped them before publish.
November 2025 | Caught
Would Stateward have caught Apple’s App Store source leak?
Apple shipped a new App Store web build with source maps still enabled in production. A researcher downloaded the .map files and reconstructed the full front-end source; Apple issued DMCA takedowns and GitHub removed thousands of forks.
September 2025 | Class covered
Would Stateward have caught the Shai-Hulud npm worm?
The first self-replicating npm worm: a compromised @ctrl/tinycolor release harvested developer credentials, republished trojanised versions of every package the victim maintained, and spread to 500+ packages — exfiltrating secrets to attacker webhooks and a malicious GitHub Actions workflow.
February 2025 | Class covered
Would Stateward have caught the Bybit hack?
Attackers compromised the Safe{Wallet} infrastructure and injected malicious JavaScript that altered a signing transaction in the UI, draining ~$1.5B from a Bybit cold wallet — the largest crypto theft to date.
Find out before it’s you
Built to be trusted with your code
Read-only & ephemeral
Stateward can comment, but never pushes, merges or stores your keys.
EU-sovereign hosting
Code and security data stay EU-hosted via Citadea — built for NIS2, DORA and the CRA.
Whole-codebase aware
Reasons over your call graph and trust boundaries, not just the diff.
Stateward is in beta and onboarding design partners. Built by Yggdrasil Digital.