
Series
S02: Supply Chain Under Siege
The 2021-2024 supply-chain narrative "scan dependencies, generate SBOMs, rotate credentials" has been proven inadequate in production, one incident at a time.
Shai-Hulud 2.0 showed that pre-install hooks plus dead-man's switches can compromise 500 packages in 17 hours and wipe $HOME as insurance. The March 2026 TeamPCP campaign showed that "we rotated the credentials" is a checkbox, not a cryptographic event: Aqua thought they had contained the February foothold, then 75 of 76 trivy-action tags were force-pushed a month later using the unrotated credential. The SBOM compliance industry shipped CycloneDX files, while the real exploits never touched the dependency graph those SBOMs describe.
The fix is not more scanning. The fix is trusted publishing (OIDC), cryptographically-verifiable rotation, and reachability-aware triage. That's the sequence this series walks.
The through-line: every article answers a version of the same question, "What non-negotiable cryptographic primitive would have prevented the last incident?" If your pipeline can't answer that for this incident and the next one, you're running security theatre.

No posts yet

