In six weeks, adversaries executed a systematic campaign against GitHub's core infrastructure — RCE exploits, poisoned VS Code extensions, Actions token theft, and 3,800 internal repos exfiltrated. The real threat is what happens when the layer that vouches for software integrity is compromised.