ctipilot.ch

The third-party breach as the week's dominant entry vector

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

The clearest cross-cutting theme of the week's incidents is that the breach increasingly entered through someone else's systems. iRhythm (social-engineered third-party app), Nintendo (TinyPulse HR SaaS), Texas Parks & Wildlife (unnamed licensing vendor) and the Klue/Icarus cascade (§ 2) all share the same root pattern: the victim's own perimeter held, but a supplier's did not. This is the operational case for extending vendor-access governance — OAuth-grant inventory, supplier breach-notification SLAs, and least-privilege on integration credentials — into the same tier as perimeter hardening, because that is where this week's data actually left.