Technology & SaaS supply chain — the week's busiest victim class

The dominant pattern of the week was the third party as entry vector: Klue/Icarus (Salesforce OAuth, ~24 firms), ShapedPlugin (WordPress build pipeline), the npm worm wave, 8x8's SEC-disclosed Salesforce theft, and the BadBlocker Chrome extension (§ 6). In nearly every case the victim organisation patched nothing wrong of its own — the compromise rode in through a trusted vendor, integration token, package or browser extension.