GitGuardian's report covers three distinct campaigns that ran concurrently in the last week of May, all going after the same loot: cloud credentials, SSH keys, and developer secrets. The Docker Hub incident is the most concrete — a compromised Trivy container-scanning image was the delivery mechanism, and it received CVE-2026-33634. The npm and PyPI attacks were still unassigned CVE-wise as of early June, which makes scoping harder. Running three campaigns simultaneously across three registries looks less like coincidence and more like a deliberate stress test of detection pipelines. Each registry's security team is watching its own namespace; multi-vector timing exploits that. No single package list has been published yet — the GitGuardian post is the closest thing to an authoritative account, and worth reading in full if you maintain packages on any of the three platforms.