A 48-day-old stolen session cookie seeded a GitHub Actions OIDC exploit that published a self-propagating credential worm into 32 official Red Hat npm packages, defeating MFA, provenance verification, and hash-based detection in a single chain.