![[BREACH] The Extension Had the Keys](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/05/zzz.png)
breach
[BREACH] The Extension Had the Keys
The plugin had keys. A VS Code extension sat beside repos, tokens, terminals, and AI configs. That is not just productivity. That is inherited access.
github
![[DEEP RESEARCH] TeamPCP’s CI/CD Trust Inversion: When “Pinned” Actions Become Initial Access](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/04/z-1.png)
deep research
[DEEP RESEARCH] TeamPCP’s CI/CD Trust Inversion: When “Pinned” Actions Become Initial Access
A lot of teams “secured” Actions by pinning to tags. Great plan, right up until the trusted scanner becomes initial access. CI trust is now flimsy in ways most incident playbooks still ignore.
github
Unveiling Supply Chain Threats: Charming Kitten and Lazarus Group's Tactics
A recent GitHub supply chain attack on March 17, 2025, compromised a GitHub Actions tool, affecting 23,000 organizations. This incident highlights the vulnerability of software development tools, with attackers altering code to leak secrets.