The Week The Defenders Became The Supply Chain — TanStack, CISA, And The Pyramid We Wrote Six Weeks Ago

# The Week The Defenders Became The Supply Chain — TanStack, CISA, And The Pyramid We Wrote Six Weeks Ago

May 21, 2026. Three days ago we shipped a soft-surface-bleed post about three vendors getting cracked open while the perimeter held. Last night we shipped a Defender post about the security product itself being the bug. Tonight the story collected itself into one shape, and the shape was already in our corpus six weeks ago waiting for someone to name it.

The shape is this. The defenders are the supply chain now. The supply chain is the propagation vector. And the agency we pay to coordinate the defense was itself the worst leak of the year.

The single chain that ran through this week

The TanStack npm package was compromised. The compromise propagated into the Nx Console Visual Studio Code extension. The Nx Console extension is installed on developer machines at GitHub, OpenAI, Mistral AI, and Grafana Labs. The poisoned extension executed on those developer machines. From there it walked into 3,800 GitHub internal repositories, into Grafana's GitHub organization, into OpenAI and Mistral codebases.

One npm package. Four vendors with combined valuations north of $1.4 trillion. None of them got breached at the perimeter. None of them got breached at the application layer. They got breached because a developer typed npm install and the trust chain delivered the malware. That is the supply chain. That is the soft surface. That is the same shape we have been mapping in different colors for months.

GitHub's own CISO Alexis Wales has confirmed the propagation path. The Nx team has confirmed their developer's system was compromised in the wake of the TanStack attack. The Grafana scope statement on Monday and the GitHub scope statement today are the same statement in different fonts. The attackers are not behind the wall. The attackers are inside the toolchain.

The agency that defends the supply chain leaked the supply chain

While that was happening, GitGuardian discovered an 844 megabyte public GitHub repository named Private-CISA. Inside it: plain text passwords, AWS GovCloud administrative tokens, Entra ID SAML certificates, the credentials to internal CISA build pipelines. Files literally titled importantAWStokens. Files literally titled AWS-Workspace-Firefox-Passwords.csv. The repository had been publicly accessible since November 13, 2025. Six months in the open. Maintained by a contractor named Nightwing.

We wrote that post on April 6, 2026. The file path in our repository is content slash blog slash cisa-contractor-844mb-govcloud-keys-six-months-public dot md. We were six weeks early to the meta-story. We did not know yet that it was the meta-story.

The CISA leak is not the worst data breach of the year by volume. It is the worst data breach of the year by what it represents. The federal agency whose job is to coordinate the cyber defense of the United States exposed its own administrative credentials on a public developer surface for six months, found out from a private security researcher, and is now answering classified briefing demands from the Senate. The defender did not just become the attack surface. The defender became the supply chain.

What ties this all to the receipts we already published

Last Friday Trellix admitted its source code was stolen. Three days ago Microsoft disrupted a malware signing service named Fox Tempest that abused Microsoft's own artifact signing platform. Yesterday CISA added two new Microsoft Defender vulnerabilities to KEV, bringing the total to five exploited Defender CVEs in thirty days. Today GitHub admits a poisoned VS Code extension compromised its internal repositories. And the CISA leak from two weeks ago grew Senate teeth.

Five separate incidents. One pyramid:

The endpoint security tool is the bug. The signing infrastructure is the abuse. The vendor source code is in the wild. The developer toolchain is the propagation channel. The defender agency is itself a leak. Every layer of the trust chain that defenders teach customers to rely on has a load-bearing crack this month.

If you are a CISO and your mental model is still "harden the perimeter, allowlist the security vendors, trust the agency advisories" — the news cycle has been telling you for thirty days that your mental model is the bug.

What we run because of this shape

Pattern 48 in our detector library is Security-Vendor-As-Attack-Surface. It fires when two or more exploited vulnerabilities land in named security vendors within a seven day window. It is firing right now.

Pattern 49 is SaaS-Graph-as-C2. It fires when bidirectional command-and-control traffic rides on trusted SaaS APIs that defenders cannot block at the perimeter. It is firing right now on Webworm GraphWorm, on Discord-based C2, on Microsoft Graph API abuse.

We added three more patterns tonight. Pattern 50 is AI-Agent-Brand-as-Bait — claude-install dot com, claude-docs dot com, cursor-installer typosquats on .pages.dev and .workers.dev. Pattern 51 is the Cross-Chain Bridge Exploit detector — Echo Protocol, THORChain, KelpDAO, Drift, the $670 million bridge crush we missed indexing through April. Pattern 52 is ML Model Poisoning across HuggingFace, PyTorch Hub, Ollama. We also added a meta-detector called Coverage Gap that audits our own corpus and tells us which categories we have stopped chasing. It found eleven open gaps the first time we ran it.

The week the defenders became the supply chain is also the week we stopped being surprised by what we were missing. The honest thing to admit is that we were missing things. The useful thing to do is to build the detector that tells us before the news cycle does.

The pyramid is a one-line sentence

Five incidents this month. One sentence: the cyber-defense ecosystem is the soft surface, and the soft surface is bleeding everywhere defenders are not looking.

We are looking. The detectors are in the cron now. The next time a vendor breach, a federal credential leak, or a poisoned developer extension lands, the receipt will already be in our corpus, the pattern will fire, the post will write itself, and the customer email will go out before the press release does.

That is the deal. That is what we ship.

— DugganUSA, the people who realized six weeks ago that the CISA contractor was the lead. We just needed everybody else to catch up.

Her name was Renee Nicole Good.

His name was Alex Jeffery Pretti.