Your Pipeline Is the Target: A DevOps Field Guide to Modern Supply Chain Security

Mission 1 (JB) • Tue 27 Oct • 17:15–18:15 • Cloud & DevOps • Intermediate
A GitHub employee installed a VS Code extension. Eighteen minutes later, the marketplace pulled the malicious version. By then, around 3,800 of GitHub's internal repositories had been exfiltrated. The poisoned extension was Nx Console, the credentials behind it had been stolen earlier through a separate npm compromise, and the worm doing the work was a variant of the second self-replicating supply chain worm of the year. This is what software supply chain attacks look like now: automated, fast, and aimed at the systems your team trusts the most.

In this session, Brian brings a defender's perspective to a year of supply chain incidents. Drawing on his time at GitHub and his work with engineering teams, he walks through how modern attacks unfold: how attackers harvest credentials from developer machines, how stolen npm and GitHub tokens get reused to publish trojanized packages and extensions, and how a single misconfigured workflow can turn your CI/CD pipeline into a data exfiltration service.

Brian covers the mitigations that actually move the needle, including commit pinning for GitHub Actions, scoped tokens, secret rotation, dependency review, build provenance with SLSA, and the parts of GitHub Advanced Security that pull their weight.

This isn't a fear-driven session. It's a practical one. Brian covers what to harden first, what tools to bring in, and how to have the conversation with leadership about why "we use a popular package" stopped being a security argument.

About the speaker

Brian Randell

Brian A. Randell has been building software solutions for almost 40 years. He's the co-author of Essential DevOps and, as a Partner at MCW Technologies, he educates teams on Microsoft technologies via writing and training, both in-person and on-demand. He's been a consultant for companies small and large, worldwide, including Fortune 100 companies like Microsoft. Brian took a four-year break from consulting and worked at GitHub as a Staff Developer Advocate, but is back building AI-enabled solutions. Brian is a passionate software craftsman who still enjoys coding as he helps teams improve their processes from idea to release. He was a Microsoft MVP for 17 years and has co-authored books, written magazine articles, and more. When not working, Brian enjoys spending time with his wife, two children, dog, and extended family.