Intro

If you missed the news this week: OpenAI confirmed that two of their employees got compromised through a supply-chain attack on TanStack, a popular open source library used across the JavaScript ecosystem.

The numbers are worth pausing on:

- 84 malicious versions pushed in a 6-minute window
- Detected by a researcher within 20 minutes
- Long enough to compromise developer machines at one of the most security-conscious AI companies in the world
- Credentials stolen, internal source code repos accessed, signing certificates now being rotated

Read that again. OpenAI – a company with a serious security team, threat modeling maturity, and resources most of us will never have – got hit because a dependency they trusted got hijacked upstream.

This Is the New Normal

This isn't an isolated incident.…