Supply chain attacks via package managers are exactly the nightmare scenario. A few months ago I had a production issue where a composer dependency got silently nuked from our vendor/ — the package was setasign/fpdf. Before restoring it, my first instinct was "did someone compromise the repo?". Turned out to be local, but the 10 minutes between discovery and confirmation were terrifying. Now we pin every dependency by hash in composer.lock and review any change in it before deployment. Still not enough — if the registry itself is compromised, the hash pin saves you only from drive-by tampering, not from poisoned-at-origin uploads. Feels like we need something like Sigstore-level attestation for PHP/npm at minimum.
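One way to mechanise the "review any change in composer.lock before deployment" step described above, as an added example that is not part of the original comment and not tooling from any project named in it. It parses two lock files, reports which packages were added, removed or bumped, and separately flags the two changes a routine update should never produce: a dist archive that changed while the declared version stayed the same, and a dist URL that moved to another host. It also audits a lock for entries that are not pinned to an immutable identifier at all. The two lock documents, the package names/versions/references and the host allowlist are constructed for the example.

```python
"""Pre-deploy review helper for composer.lock (added example, constructed data).

composer.lock stores, per package, a "dist" block with the archive URL, the
upstream commit "reference" and (for some repositories) a "shasum" of the
archive.  Two checks before shipping a new lock file:

  1. audit_lock():  every package is pinned (shasum or commit reference) and
     its archive comes from an allowlisted host.
  2. diff_locks():  what changed versus the committed lock, with the changes
     that deserve a human look listed separately.
"""
import json
from urllib.parse import urlparse

# Hosts we are willing to fetch archives from.  Assumption for this example;
# replace with the registries/mirrors your project actually uses.
ALLOWED_HOSTS = {"api.github.com", "codeload.github.com", "repo.packagist.org"}


def load_lock(path: str) -> dict:
    """Read a composer.lock file from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _packages(lock: dict) -> dict:
    """Map package name -> lock entry, covering both prod and dev sections."""
    out = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            out[pkg["name"]] = pkg
    return out


def audit_lock(lock: dict) -> list:
    """Return (package, problem) pairs for entries that are not safely pinned."""
    findings = []
    for name, pkg in _packages(lock).items():
        dist = pkg.get("dist") or {}
        if not dist:
            findings.append((name, "no dist block; would be installed from source VCS"))
            continue
        if not dist.get("shasum") and not dist.get("reference"):
            findings.append((name, "no shasum and no commit reference; archive is not pinned"))
        host = urlparse(dist.get("url", "")).hostname
        if host not in ALLOWED_HOSTS:
            findings.append((name, f"dist url host {host!r} not in allowlist"))
    return findings


def diff_locks(old: dict, new: dict) -> dict:
    """Summarise the changes between two lock files.

    "changed" holds (name, old_version, new_version); "suspicious" holds
    (name, reason) for changes that should not occur in a routine update.
    """
    before, after = _packages(old), _packages(new)
    result = {"added": sorted(set(after) - set(before)),
              "removed": sorted(set(before) - set(after)),
              "changed": [], "suspicious": []}
    for name in sorted(set(before) & set(after)):
        o, n = before[name], after[name]
        od, nd = o.get("dist") or {}, n.get("dist") or {}
        version_changed = o.get("version") != n.get("version")
        artifact_changed = (od.get("reference") != nd.get("reference")
                            or od.get("shasum") != nd.get("shasum"))
        if version_changed:
            result["changed"].append((name, o.get("version"), n.get("version")))
        elif artifact_changed:
            # Same declared version, different archive: a re-tagged release or a
            # swapped artifact.  Either way it must be looked at by a person.
            result["suspicious"].append((name, "artifact changed while version stayed the same"))
        old_host = urlparse(od.get("url", "")).hostname
        new_host = urlparse(nd.get("url", "")).hostname
        if old_host != new_host:
            result["suspicious"].append((name, f"dist host moved from {old_host!r} to {new_host!r}"))
    return result


# --- constructed sample lock files (not real lock data) ---------------------
def _pkg(name, version, ref, url):
    return {"name": name, "version": version,
            "dist": {"type": "zip", "url": url, "reference": ref, "shasum": ""}}


GH = "https://api.github.com/repos/{}/zipball/{}"

OLD_LOCK = {"packages": [
    _pkg("setasign/fpdf", "1.8.6", "a" * 40, GH.format("Setasign/FPDF", "a" * 40)),
    _pkg("monolog/monolog", "3.5.0", "b" * 40, GH.format("Seldaek/monolog", "b" * 40)),
], "packages-dev": []}

NEW_LOCK = {"packages": [
    # same version as before, but the archive now points at a different commit
    _pkg("setasign/fpdf", "1.8.6", "c" * 40, GH.format("Setasign/FPDF", "c" * 40)),
    _pkg("monolog/monolog", "3.6.0", "d" * 40, GH.format("Seldaek/monolog", "d" * 40)),
    # new package from a non-allowlisted host with nothing pinned at all
    {"name": "acme/helper", "version": "0.1.0",
     "dist": {"type": "zip", "url": "https://mirror.example.net/acme-helper.zip"}},
], "packages-dev": []}

if __name__ == "__main__":
    print(json.dumps(diff_locks(OLD_LOCK, NEW_LOCK), indent=2))
    for name, problem in audit_lock(NEW_LOCK):
        print(f"AUDIT {name}: {problem}")
```

In a pipeline the two lock documents would come from `load_lock("composer.lock")` on the deploy branch and on the last deployed commit; a non-empty `suspicious` list or any `audit_lock` finding is the signal to stop the deploy and look, regardless of whether the plain version bumps are expected.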