HACKERS AUCTION THOUSANDS OF GITHUB SECRETS FOR FIFTY THOUSAND
The hacking group known as TeamPCP is asking for a modest $50,000 for the keys to the kingdom. GitHub, the Microsoft-owned developer platform, confirmed this week that 3,800 internal repositories were breached after an employee installed a poisoned extension for Visual Studio Code. The malicious software, a trojanized version of Nx Console 18.95.0, was live for only 18 minutes, but that was long enough to exfiltrate a vast trove of source code.

This follows a separate, even more embarrassing blunder at the Cybersecurity and Infrastructure Security Agency (CISA). KrebsOnSecurity reports that a CISA contractor created a public GitHub profile titled "Private-CISA" and accidentally published AWS GovCloud keys and plaintext passwords for dozens of federal systems. Sen. Maggie Hassan has demanded a briefing on how the agency tasked with securing America left its own credentials in the digital equivalent of an unlocked car.

Read together, the GitHub breach and the CISA key exposure describe a national security architecture held together by spit and prayer; a causal link between the poisoned extension and the agency's plaintext passwords, if one exists, appears in no filing this paper has seen. It appears that while the world builds AI, the supply chain is being held together by optimistic fools.