Hacking, Code & Open Source Reads

tag: #least-privilege

1 post

The Blast Radius of Standing Access - What the Spring 2026 Supply Chain Attacks Revealed About Developer Endpoints (posted 8 hours ago)

Between late April and late May 2026, a single threat actor compromised more than four hundred package versions across npm and PyPI, leaked source code from two AI labs and one widely-used SDK vendor, exfiltrated thousands of internal repositories from a major code-hosting platform, and open-sourced their worm under an MIT license on the same platform they attacked. The interesting question is not how. The interesting question is why the blast radius keeps reaching this size, and the answer points at a structural feature of how engineering organizations grant access to source code.

#access-control #least-privilege #security