ctipilot.ch


Technology and developer toolchain — CI/CD pipeline supply chain under sustained assault

From CTI Weekly Summary — 2026-W21 (Mon 18 – Sun 24, 2026) · published 2026-05-18

The week saw three distinct supply-chain attack vectors against developer infrastructure:

1. TeamPCP/Mini Shai-Hulud cross-ecosystem worm (npm/PyPI/Packagist), exploiting OIDC-token propagation and Composer plugin execution.
2. node-ipc npm package backdoor via expired-domain account takeover on 2026-05-16; the 90+ dependent packages demonstrate the dependency-graph amplification risk.
3. Grafana Labs Pwn-Request GitHub Actions breach: a pull_request_target misconfiguration allowed fork-injected code to exfiltrate a privileged GitHub token and clone the full private codebase.

All three vectors exploit weak CI/CD pipeline trust models (OIDC token scoping, GitHub Actions trigger semantics, npm supply-chain authentication). The SentinelOne CI/CD subversion taxonomy from 2026-05-16 provides the detection-engineering framework spanning all three.
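The Pwn-Request pattern in item (3) is the combination of the privileged pull_request_target trigger with a checkout of the pull request's head commit, which hands fork-controlled code the workflow's GITHUB_TOKEN. The following heuristic scanner, added here as an example and not code from this brief, from SentinelOne or from Grafana Labs, flags that combination in workflow files and notes the token scope. The three workflow files it scans are constructed samples, not the Grafana workflow; the scanner is line-oriented (standard library only) and is a triage aid rather than a full YAML parser.

```python
"""Heuristic scanner for 'Pwn Request' patterns in GitHub Actions workflows.

Added example; not code from the page or from any project it names. Flags
workflows that combine the privileged pull_request_target trigger with a
checkout of the pull request head (fork-controlled code) and reports on
GITHUB_TOKEN scope. Line-oriented, standard library only: a triage heuristic,
not a YAML parser.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRIGGER = "pull_request_target"
# A top-level YAML key (no indentation), optionally quoted, e.g.  on:  or  "on":
TOP_LEVEL_KEY = re.compile(r'^["\']?([A-Za-z_][\w-]*)["\']?:')
# A checkout ref that points at the PR head commit or branch (fork-controlled).
HEAD_CHECKOUT = re.compile(r"ref:.*github\.event\.pull_request\.head\.(sha|ref)")
TRIGGER_RE = re.compile(rf"\b{TRIGGER}\b")


@dataclass
class Finding:
    line: int      # 1-based line number in the workflow file (0 = whole file)
    message: str


def top_level_block(lines: List[str], key: str) -> Optional[Tuple[int, int]]:
    """Return [start, end) indexes of the lines belonging to a top-level key."""
    start = None
    for i, line in enumerate(lines):
        m = TOP_LEVEL_KEY.match(line)
        if not m:
            continue
        if start is not None:
            return start, i          # next top-level key closes the block
        if m.group(1) == key:
            start = i
    return (start, len(lines)) if start is not None else None


def uses_trigger(lines: List[str], trigger_re: "re.Pattern") -> bool:
    """True if the trigger appears anywhere in the top-level 'on' block."""
    blk = top_level_block(lines, "on")
    return blk is not None and any(trigger_re.search(l) for l in lines[blk[0]:blk[1]])


def scan_workflow(text: str) -> List[Finding]:
    """Return findings for a single workflow file's text."""
    lines = text.splitlines()
    if not uses_trigger(lines, TRIGGER_RE):
        return []   # plain pull_request runs fork code with a read-only token
    findings: List[Finding] = []
    for i, line in enumerate(lines, start=1):
        if HEAD_CHECKOUT.search(line):
            findings.append(Finding(
                i, f"{TRIGGER} workflow checks out the untrusted PR head: {line.strip()}"))
    perms = top_level_block(lines, "permissions")
    if perms is None:
        findings.append(Finding(
            0, "no top-level permissions block; GITHUB_TOKEN scope falls back to the repository default"))
    elif any("write" in l for l in lines[perms[0]:perms[1]]):
        findings.append(Finding(perms[0] + 1, "workflow grants write scope to GITHUB_TOKEN"))
    return findings


# Constructed sample workflows (hypothetical, not taken from any real repository).
VULNERABLE_WORKFLOW = """name: pr-build
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

HARDENED_WORKFLOW = """name: pr-build
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # merge ref, read-only token, no secrets for forks
      - run: npm ci && npm test
"""

LABELER_WORKFLOW = """on: [pull_request_target]
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # base ref only; no fork code executed
      - run: echo "labeling"
"""

if __name__ == "__main__":
    for name, wf in [("vulnerable", VULNERABLE_WORKFLOW),
                     ("hardened", HARDENED_WORKFLOW),
                     ("labeler", LABELER_WORKFLOW)]:
        print(name, [(f.line, f.message) for f in scan_workflow(wf)])
```

The hardened sample moves untrusted builds back to the pull_request trigger and pins the token to read scope; the labeler sample shows the legitimate pull_request_target use (base-ref checkout with a narrow write scope), which the scanner reports as a scope note rather than a head-checkout finding. Run it over `.github/workflows/*.yml` across an organisation to find candidates for manual review.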