Two concurrent supply chain campaigns this week targeted developer tooling and CI/CD pipelines: a malicious VS Code extension update that stole credentials from developer workstations, and a GitHub Actions tag hijacking that redirected pipeline execution to attacker-controlled code. Both incidents result in credential exfiltration affecting AWS, GitHub, and npm ecosystems. The actions-cool campaign is attributed to TeamPCP with high confidence and overlaps with the Mini Shai-Hulud npm poisoning operation.