Attackers are abusing the automated trust granted to Dependabot and Renovate to get malicious packages into CI/CD pipelines through dependency update pull requests that look like routine bot traffic. No CVE exists because there is no software defect: the attack combines the tools' intended automation with weak pipeline governance. Any organization that auto-merges bot PRs (Renovate's built-in `automerge`, or a workflow that approves and merges Dependabot PRs on the bot's behalf) or that does not require a human review of them is exposed, because a newly published upstream release is merged and built before anyone has looked at what changed. The practical check is to audit the bot configuration itself: which update types are allowed to merge unattended, whether merges happen on a branch with no PR at all, and whether a minimum release age keeps a just-published version out of the pipeline long enough for a compromise to be noticed.
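As an added example that is not part of the original advisory, the script below audits a Renovate `renovate.json` for the automerge settings the paragraph warns about and contrasts a weak configuration with a hardened one. The option names (`automerge`, `automergeType`, `packageRules`, `matchUpdateTypes`, `minimumReleaseAge`) are real Renovate options; the three configurations and the choice of which update types count as content-preserving are constructed for illustration, not taken from any real repository.

```python
"""Audit a Renovate config for automerge settings that merge dependency
updates without a human looking at them. Added example; the sample
configurations below are constructed, not taken from a real repository."""
import json

# Update types whose automerge changes no resolved content: "pin" narrows a
# version range to the version already installed, "pinDigest" pins a tag to
# the digest already in use. Every other type pulls new upstream bytes into
# the build, which is exactly what a hijacked release relies on.
# (Assumption for this example: treating only these two as acceptable.)
CONTENT_PRESERVING_TYPES = {"pin", "pinDigest"}


def audit_renovate(config_text):
    """Return a list of findings describing unattended-merge risk in a
    Renovate JSON config. An empty list means every automerge path is
    either disabled or limited to content-preserving updates with a
    minimum release age in force."""
    cfg = json.loads(config_text)
    findings = []
    global_age = cfg.get("minimumReleaseAge")

    # "branch" automerge pushes the update straight to the base branch, so
    # there is no pull request for a reviewer or a branch protection rule
    # to gate, wherever automerge is enabled.
    if cfg.get("automergeType", "pr") == "branch":
        findings.append("automergeType=branch merges with no pull request at all")

    # Top-level automerge applies to every update type unless a packageRule
    # overrides it, so a global true is the broadest possible exposure.
    if cfg.get("automerge", False):
        findings.append("global automerge enabled for every update type")
        if global_age is None:
            findings.append("global automerge without minimumReleaseAge: "
                            "a just-published release merges immediately")

    # packageRules can re-enable automerge for a subset of updates.
    for i, rule in enumerate(cfg.get("packageRules", [])):
        if not rule.get("automerge", False):
            continue
        types = set(rule.get("matchUpdateTypes", []))
        if not types:
            findings.append(f"packageRules[{i}] automerges every update type")
        else:
            risky = sorted(types - CONTENT_PRESERVING_TYPES)
            if risky:
                findings.append(f"packageRules[{i}] automerges "
                                f"{', '.join(risky)} updates")
        # A rule-level minimumReleaseAge overrides the global one.
        if rule.get("minimumReleaseAge", global_age) is None:
            findings.append(f"packageRules[{i}] automerges with no minimumReleaseAge")
    return findings


# Constructed sample: everything merges, and without a pull request.
WEAK_CONFIG = """{
  "extends": ["config:recommended"],
  "automerge": true,
  "automergeType": "branch"
}"""

# Constructed sample: a common middle ground that still merges new code.
PARTIAL_CONFIG = """{
  "extends": ["config:recommended"],
  "automerge": false,
  "packageRules": [
    {"matchUpdateTypes": ["patch", "minor"], "automerge": true}
  ]
}"""

# Constructed sample: bot PRs need a human unless the change pins what is
# already installed, and nothing merges until it has been public for a week.
HARDENED_CONFIG = """{
  "extends": ["config:recommended"],
  "automerge": false,
  "minimumReleaseAge": "7 days",
  "packageRules": [
    {"matchUpdateTypes": ["pin", "pinDigest"], "automerge": true}
  ]
}"""


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("partial", PARTIAL_CONFIG),
                       ("hardened", HARDENED_CONFIG)):
        findings = audit_renovate(text)
        print(f"{name}: {'no findings' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Run it against your own `renovate.json` by passing the file contents to `audit_renovate`; a non-empty result means a dependency update can reach the build without anyone reading the diff. The release-age check matters as much as the review check: a compromised version is usually pulled or flagged within days of publication, so a waiting period turns an instant merge into a window in which the ecosystem can catch it first.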