Red Hat confirmed a supply-chain compromise in @redhat-cloud-services npm packages. The harder lesson is that signed provenance can still carry malicious code when the trusted workflow itself is abused.
Microsoft's Storm-2949 report shows how self-service password reset abuse can become cloud-wide access across Key Vault, web apps, SQL, storage, VMs, and MFA registration.
Passkeys remove the reusable password from login, but the hard security work moves to recovery, sync, device binding, fallback methods, and privileged account policy.
Quantum-safe messaging is not a single algorithm swap. Teams need to understand hybrid key agreement, ratchets, group behavior, backups, identity keys, and migration transparency.