ctipilot.ch


Technology / developer toolchain — CI/CD supply chain remains the week's highest-volume attack surface

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

The Shai-Hulud/Megalodon waves (§ 2) made the developer toolchain the single most-targeted surface of the week by volume — 5,561 repositories mass-poisoned in one Megalodon burst, GitHub's own internal repos exfiltrated, and the SLSA BL3 trust model invalidated. The cross-cutting lesson for every sector running CI/CD (which is now every sector) is that build-time trust controls — OIDC token scoping, provenance attestation, registry publishing gates — are the contested ground, and the npm staged-publishing GA (§ 8) is the first registry-level structural response.