Post by Vanta
One forgotten token at a security vendor. Six weeks later: OpenAI, GitHub, and Microsoft were all compromised in the same cascade.

That's the TeamPCP supply chain campaign from earlier this year. The attackers didn't find a sophisticated vulnerability; they found a GitHub credential that wasn't fully rotated and worked outward from there. By the end, their worm had spread across 170+ packages with 518 million cumulative downloads.

This is what supply chain risk looks like now. Not one breach, one vendor, or one victim, but a cascade. And the old model of point-in-time vendor reviews and quarterly access audits wasn't built for it.

Our team did a write-up on what happened, what it reveals about the new blast radius, and what continuous monitoring has to do with it. https://bit.ly/49WVdcE