
Well-architected best practices for software supply chain security

ID: e819124e-08db-5ea8-8a32-2ada5ceaccf9

STIX ID: report--e819124e-08db-5ea8-8a32-2ada5ceaccf9

Feed Name: AWS Security Blog

Threat Score: 75/100

Date Published: 2026-05-26

Date Updated: 2026-05-27

Author: Trevor Schiavone

...
...

**Executive summary:** The report describes a series of active npm supply-chain campaigns (e.g., Shai-Hulud, Chalk/Debug, tea.xyz) in which compromised maintainer accounts and malicious packages harvested tokens and credentials in order to propagate across developer environments and CI/CD pipelines. It highlights detection evidence (MAL-IDs, CVE references) and attacker TTPs (phishing, credential harvesting, token farming, sleeper packages), and it prescribes defense-in-depth mitigations: temporary credentials, artifact signing, centralized dependency management, continuous scanning, logging, and provenance verification.
