The threat landscape for the week of 2026-05-20 is dominated by a coordinated, multi-vector software supply chain campaign attributed to TeamPCP, which has compromised CI/CD pipelines, npm and PyPI ecosystems, developer tooling, and internal repositories at GitHub and Grafana at scale affecting hundreds of millions of package downloads. A secondary but overlapping threat from TamperedChef clusters targets enterprise Windows endpoints via trojanized productivity applications employing extended dormancy to evade detection. Immediate action is required across all organizations consuming open-source npm or PyPI packages, operating GitHub Actions pipelines, or using the named productivity applications; additionally, OT environments running robotic operating systems require urgent network isolation pending vendor advisory, and network teams must patch or mitigate CVE-2026-20171 in Cisco NX-OS to prevent BGP-based denial of service.