The breach of 3,800 GitHub internal repositories didn't start with a phishing email or a brute-forced credential — it started with a VS Code extension, making this a case study in how deeply supply-ch