They Didn’t Hack You. They Hacked What You Trust.
Software supply chain attacks increasingly target the tools and packages developers trust rather than the developers themselves. Using real 2020–2026 incidents (SolarWinds, the axios npm hijack, the cline VS Code extension, the Mini Shai-Hulud CI worm), the post explains how attackers compromise upstream dependencies, poison package registries, and exploit CI/CD pipelines to reach thousands of downstream victims at once.

The Mini Shai-Hulud worm is highlighted as a new escalation: it automated the full attack loop, stealing CI OIDC tokens and using them to self-publish malicious package versions that carried valid SLSA provenance attestations, so the provenance check that is supposed to catch tampering instead vouched for the attacker's release.

Practical defenses covered include generating SBOMs, installing with npm ci --ignore-scripts so that lifecycle scripts in dependencies never run, pinning GitHub Actions to full commit SHAs rather than mutable tags or branches, deploying runtime network egress monitoring in CI (StepSecurity Harden-Runner), enforcing least privilege on pipeline credentials, enabling MFA on publishing accounts, and implementing a dependency cooldown policy that delays adoption of newly published versions until they have been public long enough for a hijacked release to be noticed and pulled.
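As an added example (not code from the post or from any of the projects it names), the following Python script implements two of the defenses listed above as checks a team could run in CI: it flags GitHub Actions uses: references that are not pinned to a full 40-hex commit SHA, and it applies a dependency cooldown against the time object of an npm registry metadata document. The workflow text, the registry timestamps, the demo clock and the package name are constructed sample input, and the commit SHA shown is illustrative rather than a verified release of that action.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample workflow (not from the original post). One step is pinned
# to a commit SHA (illustrative value); the other two use mutable refs that the
# action's maintainer, or whoever compromises them, can move at any time.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b  # v4.0.3
      - uses: some-org/some-action@main
      - run: npm ci --ignore-scripts
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text):
    """Return every `uses:` reference not pinned to a full commit SHA.

    Tags (v4) and branches (main) can be re-pointed by the action's owner;
    a 40-hex SHA cannot. Local actions (./path) and docker:// images are
    skipped because they are not GitHub refs.
    """
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(ref)  # no ref at all: resolves to default branch
            continue
        _, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            findings.append(ref)
    return findings


# Constructed stand-in for the `time` object returned by
# GET https://registry.npmjs.org/<package>; the real object has the same
# shape (version -> ISO-8601 publish time, plus created/modified).
SAMPLE_REGISTRY_TIME = {
    "created": "2024-01-10T12:00:00.000Z",
    "modified": "2026-03-01T09:30:00.000Z",
    "1.6.0": "2024-01-10T12:00:00.000Z",
    "1.7.0": "2025-02-01T08:00:00.000Z",
    "1.7.1": "2026-03-01T09:30:00.000Z",  # two days old at NOW_FOR_DEMO
}

# Fixed clock so the example is deterministic offline (constructed).
NOW_FOR_DEMO = datetime(2026, 3, 3, tzinfo=timezone.utc)


def versions_past_cooldown(registry_time, now, cooldown_days=7):
    """Return the versions published at least `cooldown_days` before `now`.

    A cooldown policy refuses any version younger than the window, so a
    hijacked release has time to be reported and unpublished before it is
    ever installed. Versions come back in registry order.
    """
    cutoff = now - timedelta(days=cooldown_days)
    allowed = []
    for version, published in registry_time.items():
        if version in ("created", "modified"):
            continue
        ts = datetime.fromisoformat(published.replace("Z", "+00:00"))
        if ts <= cutoff:
            allowed.append(version)
    return allowed


if __name__ == "__main__":
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned action: {ref}")
    ok = versions_past_cooldown(SAMPLE_REGISTRY_TIME, NOW_FOR_DEMO)
    print(f"versions installable under a 7-day cooldown: {ok}")
```

In a real pipeline the registry document would be fetched per dependency and the newest allowed version fed to the resolver; the check above is the policy decision, deliberately separated from the network fetch so it can be unit-tested.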