For years, “we’re not a bank, we don’t need that level of security” was a defensible posture. Most teams ran a dependency scanner, had a pen test once a year, and quietly relied on attackers not caring enough to read their code.

That posture is gone. Here’s what changed:

1) Your source code is probably already out there.

May 20, 2026: GitHub disclosed that an employee’s device had been compromised through a poisoned third-party VS Code extension. ~3,800 internal repos were exfiltrated. The malicious version was live in the Visual Studio Marketplace for 18 minutes. In OpenVSX, 36 minutes.

If that can happen to Microsoft-owned GitHub — with MDM, EDR, and a small army of security engineers — assume it already happened to your team. How many extensions did your devs install last week? Do you know what any of them actually do?
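Answering that second question starts with an inventory you can actually read. The script below is an added example, not code from the original post or from GitHub’s disclosure: it parses the package.json manifest of every installed extension in the standard ~/.vscode/extensions/ layout and flags the ones that can run code (a "main" or "browser" entry point), that activate as soon as the editor starts ("*" or "onStartupFinished"), or whose publisher is not on an allowlist you define. The allowlist and the three sample manifests are constructed for illustration; when run on a real machine it uses the real directory instead.

```python
import json
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Activation events that fire without any user action, i.e. the extension's
# code runs as soon as the editor starts.
STARTUP_EVENTS = {"*", "onStartupFinished"}

# Publishers the organisation has chosen to trust (constructed for this
# example; an org would maintain its own list).
ALLOWED_PUBLISHERS = {"ms-vscode", "ms-python", "acme-internal"}


@dataclass
class ExtensionReport:
    ext_id: str                 # "<publisher>.<name>", as `code --list-extensions` prints it
    version: str
    runs_code: bool             # has a Node ("main") or web ("browser") entry point
    starts_on_launch: bool      # activates without any user action
    flags: list = field(default_factory=list)


def audit_extensions(ext_dir, allowed_publishers):
    """Parse every <ext_dir>/*/package.json and return one report per
    extension, most-flagged first."""
    reports = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            # An installed directory whose manifest cannot be parsed deserves a
            # manual look; report it as worst case rather than skipping it.
            reports.append(ExtensionReport(manifest.parent.name, "?", True, True,
                                           ["unreadable manifest"]))
            continue
        publisher = str(pkg.get("publisher", "")).lower()
        ext_id = f"{publisher}.{pkg.get('name', '')}"
        events = set(pkg.get("activationEvents") or [])
        runs_code = "main" in pkg or "browser" in pkg
        starts_on_launch = runs_code and bool(events & STARTUP_EVENTS)

        flags = []
        if publisher not in allowed_publishers:
            flags.append("publisher not on allowlist")
        if runs_code:
            # Themes, snippet packs and grammars have no entry point and cannot
            # execute anything; everything else runs with the developer's privileges.
            flags.append("runs code")
        if starts_on_launch:
            flags.append("activates at editor start")
        reports.append(ExtensionReport(ext_id, str(pkg.get("version", "?")),
                                       runs_code, starts_on_launch, flags))
    # Most flags first, so the entries worth reading come to the top.
    reports.sort(key=lambda r: (-len(r.flags), r.ext_id))
    return reports


def build_sample_dir():
    """Write three constructed manifests into a temp directory that mirrors
    the real install layout, so the audit can be exercised offline."""
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-"))
    samples = {
        "acme-internal.house-theme-1.0.0": {
            "name": "house-theme", "publisher": "acme-internal", "version": "1.0.0",
            "contributes": {"themes": [{"label": "House", "path": "./theme.json"}]},
        },
        "ms-python.python-2024.4.1": {
            "name": "python", "publisher": "ms-python", "version": "2024.4.1",
            "main": "./out/client/extension", "activationEvents": ["onLanguage:python"],
        },
        "someone.handy-helper-0.0.3": {
            "name": "handy-helper", "publisher": "someone", "version": "0.0.3",
            "main": "./dist/extension.js", "activationEvents": ["*"],
        },
    }
    for folder, pkg in samples.items():
        (root / folder).mkdir()
        (root / folder / "package.json").write_text(json.dumps(pkg), encoding="utf-8")
    return root


if __name__ == "__main__":
    real = Path.home() / ".vscode" / "extensions"
    target = real if real.is_dir() else build_sample_dir()
    for r in audit_extensions(target, ALLOWED_PUBLISHERS):
        print(f"{r.ext_id}@{r.version}: {', '.join(r.flags) or 'no flags'}")
```

The manifest tells you what an extension is allowed to do, not what its bundled JavaScript actually does; treat the flagged rows as the list to pin by version and review, and run the same audit against the output of `code --list-extensions --show-versions` collected from each developer machine so the inventory is fleet-wide rather than one laptop.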