Software supply chain attacks have caught the security community off-guard. Arnica, starting with GitHub & Azure DevOps, addresses the two primary root causes: 1) 🪄 excessive permissions to developer tools2) 🥸 lack of abnormal behavior detection