Compromised security tools can turn scanners, GitHub Actions, and AI gateways into attacker infrastructure. This article breaks down the Trivy, KICS, and LiteLLM incidents and shows how to purple team workflow integrity, secrets exposure, egress detection, provenance, and post-compromise cloud activity.