Some Extra Steps to Not Get Got by a Bad Package
Supply chain breaches are happening a little too often, so they aren't just theoretical security concerns anymore. Two recent incidents are a big part of why I put this post together.
In May 2026, a poisoned VS Code extension called Nx Console was used to breach GitHub's own internal repositories, exposing roughly 3,800 repos and stealing credentials from developer machines ... including npm tokens, AWS keys, and Claude Code configs. The malicious version was live






