TeamPCP's open-source release of the Shai-Hulud worm was attribution warfare, not generosity — deliberately fragmenting defender tracking while seeding a distributed credential-theft workforce. SLSA provenance attestation fails when the CI runner is compromised. The toolkit is now permanent commons.