cache-poisoning-pwn-demo
Educational demo (v0.1.32) reproducing a supply-chain attack via GitHub Actions cache poisoning, modeled on the TanStack compromise. Installing the package triggers an innocuous Calculator payload to demonstrate how a closed PR can poison the cache and cause the maintainer's own CI to publish a malicious release with valid npm provenance. Not for production use; it serves as a training and hardening reference.
Resources
package: cache-poisoning-pwn-demo