supply-chain-attack

该技能不是普通开发辅助，而是系统化的供应链攻击方法论。其能力与描述一致，但一致地指向恶意/未授权攻击：发布恶意包、修改 CI/CD、窃取 secrets 并向 attacker.com 外传。无明显混淆或安装器供应链问题，但因其明确提供可操作的攻击与外传流程，应判定为高风险、近似恶意的进攻性技能。

This fragment is a high-confidence malicious supply-chain attack playbook. It provides actionable, cross-ecosystem dependency-confusion exploitation steps and concrete install-time payload examples that execute during dependency installation and make attacker-controlled DNS/network callbacks to confirm compromise. No defensive mitigation or safe operational constraints are integrated into the payload logic, and the inclusion of publication steps makes it directly suitable for misuse.