Security Unlocked

Developer-Security

Threat Intelligence

The Registry Trusted the Token

GitHub OIDC trusted-publishing solved the stored-credential problem and created a new attack surface in the same motion: three independent actors exploited it in a single week, producing malicious packages carrying valid provenance attestations.

Cyber Strategy

Threat Economics: Week of June 2 - June 8, 2026

Three simultaneous EDR exploits expose a $16B cyber insurance underwriting assumption, while npm's collapse as trusted infrastructure validates the developer security VC thesis absorbing the most capital in Q1 2026.

Cyber Strategy

Threat Economics: Week of May 26 - June 1, 2026

The TeamPCP campaign's full-stack attack on API keys, CI/CD tokens, and developer credentials is simultaneously the proof point for a $24.6 billion NHI acquisition wave and a live stress test of cyber insurance policy language that wasn't written to cover it.

Threat Intelligence

Three Point One

When a vulnerability transmits your database credentials to a third-party endpoint by design and scores CVSS 3.1, the problem is not the vulnerability; it is the triage system that will deprioritize it.

Threat Intelligence

Developer Workstations Are the New Beachhead

Three independent threat campaigns in early 2026 (the North Korea-attributed Contagious Interview operation, the GlassWorm Zig-dropper IDE extension malware, and the TeamPCP cascading supply chain compromise) converged on the same conclusion: developer workstations are now the highest-value initial access target in enterprise environments. The convergence is a price signal, not a coincidence.

Cyber Strategy

Threat Economics: Week of April 27 - May 3, 2026

Eight AI agent framework CVEs in one week and ShinyHunters' no-exploit identity breach wave validate the two fastest-growing investment theses in cybersecurity, while CIRCIA's 316,000-entity reporting mandate positions a multi-year compliance procurement cycle.

Cyber Strategy

Threat Economics: Week of April 20-26, 2026

Adversaries exploited four AI platforms in under 24 hours each while $3.8B in Q1 cybersecurity capital concentrated 46% into AI security: the market validated the attack surface before defenders finished reading the advisories.

Cyber Strategy

Threat Economics: Week of April 6-12, 2026

Weekly market intelligence: Anthropic's $100M Glasswing commitment, the FBI's $21B cybercrime figure, and why developer security tooling is the next VC cycle.