
When a Package Becomes an Entry Point
Recent attacks against npm, PyPI, GitHub Actions, and CI/CD plugins show that packages and build pipelines are part of the security perimeter. The real impact depends on which keys and permissions a compromised process can reach.