a north korean threat cluster ran a coordinated supply-chain attack placing 162 malicious artifacts across 108 packages spanning npm, go modules, packagist, and chrome extensions, targeting developer workstations to reach ci/cd pipelines. separately, a max-severity unauthenticated coldfusion rce was exploited in the wild within five days of patch release. both target the software substrate rather than end users.