You installed a package last week. Something might have left with it.
Three incidents. Seven days. The same attack surface, hit three different ways.
On May 16, Grafana confirmed that a targeted group gained unauthorized access to its GitHub repositories and downloaded its codebase. The entry point was an npm supply chain compromise involving TanStack packages. Not a breach of Grafana’s servers. A library. One they trusted.
On May 19, GitHub published a statement that its own internal repositories had been accessed. The vector was a poisoned VS Code extension installed on an employee device. GitHub removed the malicious extension, isolated the endpoint, and opened an incident response. The disclosure hit 6.1 million views within hours.
On May 20, Microsoft Threat Intelligence identified “Mini Shai-Hulud”: an npm supply chain attack targeting antv packages, including antv/g2 and the widely used echarts-for-react. A compromised maintainer account published malicious versions containing an obfuscated payload delivered via a Bun preinstall hook. What it harvests: GitHub PATs, OIDC tokens, AWS credentials, SSH keys, kubeconfigs, .env files, Slack tokens, Stripe tokens, Vault tokens. Exfiltration over HTTPS. No warning. No confirmation prompt. It runs the moment you install.
The connecting thread is not a specific actor. It is a category of trust: the tools that developers use daily are now the preferred delivery surface.
npm preinstall hooks run silently. VS Code extensions run with full file system access. Both had a bad week.
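As an added illustration (not code from this post or from any of the projects named in it), here is a small Node.js audit that lists the install-time lifecycle hooks declared in package manifests, since a preinstall script is exactly where the Mini Shai-Hulud payload sat; the manifests and the "looks like a downloader" heuristic are constructed for the example.

```javascript
// Added example: audit npm package manifests for lifecycle hooks that run
// automatically during `npm install`. Sample manifests are constructed.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic only: install-time scripts that fetch from the network or feed
// an inline/encoded payload to a runtime deserve a manual look.
function looksLikeDownloader(command) {
  return /\b(curl|wget|bun\s+run|node\s+-e|eval|base64|atob)\b/i.test(command);
}

// Returns one record per lifecycle hook declared in a manifest's "scripts".
function findLifecycleHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({
      name: hook,
      command: scripts[hook],
      suspicious: looksLikeDownloader(scripts[hook]),
    }));
}

// Keeps only packages that declare at least one install-time hook.
function auditManifests(manifests) {
  return manifests
    .map((m) => ({ pkg: `${m.name}@${m.version}`, hooks: findLifecycleHooks(m) }))
    .filter((r) => r.hooks.length > 0);
}

// Constructed sample manifests (not real package contents).
const SAMPLE_MANIFESTS = [
  { name: 'harmless-lib', version: '1.0.0', scripts: { test: 'mocha' } },
  { name: 'native-addon', version: '2.1.0', scripts: { install: 'node-gyp rebuild' } },
  { name: 'example-chart-lib', version: '9.9.9',
    scripts: { preinstall: 'bun run ./setup.js', build: 'tsc' } },
];

// Defensive default: `npm config set ignore-scripts true` (or
// `ignore-scripts=true` in .npmrc) stops these hooks from running at all;
// packages that genuinely need a build step can then be rebuilt explicitly.
for (const r of auditManifests(SAMPLE_MANIFESTS)) {
  for (const h of r.hooks) {
    console.log(`${r.pkg} ${h.name}: ${h.command}${h.suspicious ? '  <-- review' : ''}`);
  }
}
```

In a real tree the same functions can be fed every `node_modules/*/package.json`; a legitimate native build step such as `node-gyp rebuild` is listed but not flagged, while a hook that shells out to a runtime or the network is.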
The question worth sitting with: how many more are already in the wild?