The Scanner Was the Weapon: 36 Months of Precision Supply Chain Attacks Against DevSecOps Infrastructure
ID: 1ec01b55-f6ac-53ea-8b42-59e762564973
STIX ID: report--1ec01b55-f6ac-53ea-8b42-59e762564973
Feed Name: CloudSEK Blog
**Executive summary:** This report examines four confirmed supply‑chain compromises from March 2024–March 2026 (XZ Utils, reviewdog→tj-actions, Aqua/Trivy, and litellm), detailing how attackers gained and maintained access (long‑term contributor accounts, CI workflow trigger abuse, tag repointing, direct PyPI uploads), the technical implants and exfiltration mechanisms (in‑build test‑file payloads, memory scraping via /proc/{PID}/mem, RSA/AES encrypted credential bundles, blockchain-hosted C2), mappings to MITRE ATT&CK, recurring remediation failures (forgotten bot tokens, mutable tags), detection engineering gaps, and prioritized operational mitigations (pin to commit SHAs, rotate bot tokens, monitor entrypoint sizes, block ICP domains).
