When the Pipeline Signs Your Malware: The May 2026 Supply-Chain Chain

Three supply-chain compromises in eight days self-propagated through SLSA-attested pipelines. The custodians signed the malware themselves.