WordPress had two supply chain attacks in one week. Same structural gap.
Posted by tejakusireddy 1 hour ago
Comments
Comment by tejakusireddy 1 hour ago
Two separate WordPress supply chain attacks landed the same week via completely different vectors, one through a Flippa acquisition, one through a compromised update server. The structural gap is identical in both: no code signing, no ownership transfer review, update pipeline trusts the source implicitly. The "fix" WordPress pushed left malicious PHP in wp-config.php on thousands of sites.
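The "update pipeline trusts the source implicitly" point, shown as two update clients side by side. This is an added example, not code from WordPress, from either affected plugin, or from the poster, and it is written in Go (whose standard library includes Ed25519) rather than PHP because the trust-model difference is language-neutral. The `UpdateResponse` type, the installer functions, the sample archive bytes and the three delivery scenarios are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdateResponse stands in for what a plugin update endpoint returns.
// Constructed for this example.
type UpdateResponse struct {
	Version   string
	Package   []byte // the plugin archive bytes
	Signature []byte // detached Ed25519 signature over Package; nil when the server ships none
}

// installTrustingServer models the gap described in the post: whatever the
// update server returns gets installed. Whoever controls the endpoint, by
// compromise or by buying the listing, gets code on every site that polls it.
func installTrustingServer(resp UpdateResponse) ([]byte, error) {
	if len(resp.Package) == 0 {
		return nil, errors.New("empty package")
	}
	return resp.Package, nil
}

// installVerifying trusts a publisher key pinned in the client, not the server.
// Control of the download host or of the listing is not enough on its own;
// the attacker also needs the release signing key.
func installVerifying(resp UpdateResponse, pinned ed25519.PublicKey) ([]byte, error) {
	if len(resp.Package) == 0 {
		return nil, errors.New("empty package")
	}
	if len(resp.Signature) != ed25519.SignatureSize {
		return nil, errors.New("update is unsigned or signature malformed; refusing to install")
	}
	if !ed25519.Verify(pinned, resp.Package, resp.Signature) {
		return nil, errors.New("signature does not verify under pinned publisher key; refusing to install")
	}
	return resp.Package, nil
}

// signRelease is the publisher side: the release key signs the archive and
// should live offline, never on the update server.
func signRelease(priv ed25519.PrivateKey, pkg []byte) []byte {
	return ed25519.Sign(priv, pkg)
}

// ScenarioResult records which installer accepted which delivery.
type ScenarioResult struct {
	HonestTrusting, HonestVerifying     bool
	TamperedTrusting, TamperedVerifying bool
	NewOwnerTrusting, NewOwnerVerifying bool
}

// RunScenario plays three deliveries against both installers: an honest
// release, the same release altered on a compromised update server, and a
// release signed by a new owner of the listing with a key no site ever pinned.
func RunScenario() (ScenarioResult, error) {
	var r ScenarioResult
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	// Constructed sample archive; a real one would be the plugin zip.
	release := []byte("<?php /* example-plugin 1.2.3 */ function example() { return 1; }")
	honest := UpdateResponse{Version: "1.2.3", Package: release, Signature: signRelease(priv, release)}

	// Compromised update server: swaps the archive bytes but cannot re-sign.
	tampered := honest
	tampered.Package = append([]byte("<?php /* attacker-controlled bytes */ "), release...)

	// Acquired listing: the new owner signs with their own key and repoints the endpoint.
	_, newPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	newOwner := UpdateResponse{Version: "1.2.4", Package: tampered.Package, Signature: signRelease(newPriv, tampered.Package)}

	accepted := func(b []byte, e error) bool { return e == nil && len(b) > 0 }
	r.HonestTrusting = accepted(installTrustingServer(honest))
	r.HonestVerifying = accepted(installVerifying(honest, pub))
	r.TamperedTrusting = accepted(installTrustingServer(tampered))
	r.TamperedVerifying = accepted(installVerifying(tampered, pub))
	r.NewOwnerTrusting = accepted(installTrustingServer(newOwner))
	r.NewOwnerVerifying = accepted(installVerifying(newOwner, pub))
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest:    trusting=%v verifying=%v\n", r.HonestTrusting, r.HonestVerifying)
	fmt.Printf("tampered:  trusting=%v verifying=%v\n", r.TamperedTrusting, r.TamperedVerifying)
	fmt.Printf("new owner: trusting=%v verifying=%v\n", r.NewOwnerTrusting, r.NewOwnerVerifying)
}
```

Run with `go run .`: the server-trusting client installs all three deliveries, the verifying client installs only the honest one. The third scenario is the ownership-transfer case: with the publisher key pinned in the installed copy, selling the listing does not by itself transfer the ability to push code, and a key rotation has to be an explicit, reviewable step rather than a side effect of the sale.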