The Attacker's Calendar: How Campaign Timing Aligns With Target Rhythms

Written by the Rafter Team

Plot the disclosed-payload dates from this quarter's supply-chain and breach incidents against the affected sectors' calendar. The points are not uniform. They cluster on dates when the affected sector has the least defender attention to spare: finals week, quarter-end close, the Friday before a holiday weekend, the days immediately after a major product launch.
This is not a new observation. Phishing volume has tracked tax season and holiday shopping for two decades. What is new is how cleanly the pattern transfers to supply-chain and AI-agent attacks — which suggests that the operators running these campaigns are doing calendar reconnaissance as part of their pre-campaign workflow.
If your team's response capacity drops predictably on a known calendar — quarter-end, exam weeks, holiday freezes, the days after a major release — then the attacker also knows it. Treat those windows as elevated-risk periods. Pre-stage on-call coverage, defer non-essential releases out of the window, and audit what's already deployed before the attention trough arrives.
The calendar buckets
Five recurring buckets show up in 2026's incident data.
Bucket 1: Education sector finals weeks
The Canvas / Instructure ShinyHunters breach landed inside the spring finals window. This is not coincidence. Education platforms get maximum user engagement during finals, which means maximum new account creation, maximum credential reuse, maximum support-team distraction, and minimum security-team free time to respond to incident signals. Every defensive variable trends the wrong way at once.
The defender response is to pre-stage. Increase log-retention thresholds before finals start, not after the incident. Have the credential-revocation runbook ready and rehearsed before the calendar trough.
Bucket 2: Quarter-end finance
Multiple supply-chain compromises this quarter landed within the last five business days of the quarter. The Robinhood trusted-channel phishing is the cleanest case: financial-platform user attention is at its peak at quarter-end, security teams are simultaneously absorbed in compliance reporting and quarter-end ops, and the social-engineering content can lean on quarter-end framing ("urgent: action required before close").
The pattern generalizes. Any sector with a fiscal-period rhythm has predictable defender attention dips at the period boundary.
Bucket 3: Friday-before-long-weekend ships
Supply-chain compromises across npm and PyPI cluster around Fridays leading into long weekends, especially when the compromised package will only be discovered during the post-weekend incident review cycle. The longer the weekend, the longer the payload runs unchallenged. The Mercor LiteLLM incident is one such case — the payload had multi-day runway before the weekday incident response started.
The defender response is the operationally hardest one: someone has to actually be watching dependency-publish events during long weekends. Most teams don't, which is why the pattern works.
Bucket 4: Post-launch product windows
After a product team ships a major release, the security team often gets pulled into release-related work — running production audits, responding to release-related incidents, supporting customer rollouts. The post-launch week is one of the highest defender-load weeks per quarter, and the most predictable. Attackers who watch product roadmaps can time follow-on attacks for that window.
The PyTorch Lightning impersonation campaign fits this shape: the impersonation packages went up shortly after a real upstream release, when the maintainer community was distracted with release-feedback work and downstream users were doing exactly the kind of dependency-update operations the attack relies on.
Bucket 5: Holiday freezes
Most engineering organizations institute change-freezes during major holidays. Production deploys stop. Security patches that require coordination wait. Cross-team communication slows. The operator who ships an attack into a holiday freeze knows that the response cycle is longer, the patch cycle is longer, and the window between compromise and remediation is widest.
The end-of-year holiday window has been the canonical example for years. 2026's data adds shorter regional holiday windows — local public holidays, end-of-fiscal-year regional differences, sector-specific freezes — to the pattern.
What the operators are actually doing
The implication is not that attackers happen to ship attacks on these dates. It is that calendar reconnaissance is a deliberate pre-campaign step. An operator running a six-week campaign — as the TeamPCP retrospective describes — picks the publish date inside the campaign window. The choice of publish date is driven by target-sector calendar awareness, not by operator availability.
The technical sophistication required for this is low. A spreadsheet of "sector → defender attention trough dates" is enough. Most criminal operators do this implicitly through experience; the more deliberate ones have it written down.
How defenders use the same calendar
The defender side is straightforward in principle and operationally hard in practice.
Pre-stage detection coverage before known troughs. If finals week is a known trough for education-platform defenders, the additional log retention, the on-call coverage, and the pre-warmed incident-response playbook need to be in place the week before, not the week of.
Defer non-essential releases out of the trough. The thing that makes the trough a trough is competing demands on defender attention. Reducing competing demands during the trough widens the response window. Shipping a major release into a trough is a defender-side own goal.
Audit dependency surface before the trough, not during. The most expensive defender intervention is responding to a supply-chain compromise during a holiday freeze. The cheapest is auditing the dependency surface the week before the freeze so that any anomaly already has a paper trail. Running rafter run on the main branch before a long weekend produces a baseline that makes any post-weekend re-scan diff legible.
Communicate the calendar to the broader org. Most teams have not written down their own attention-trough calendar. Doing so is half the value. The other half is sharing it with the security team's stakeholders so that they understand why the team is pushing back on a quarter-end ship.
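One way to write that calendar down and put it to work, as an added example (not Rafter's code or output): the Python below encodes four of the buckets above as date checks and tags dependency-publish events that landed inside a trough so they are reviewed first. The holiday list, freeze range, launch date, package names and the three-day threshold for a long weekend are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed calendar for a hypothetical org (assumptions, not data from the article).
HOLIDAYS = {date(2026, 5, 25), date(2026, 7, 3), date(2026, 12, 25)}
FREEZES = [(date(2026, 12, 21), date(2027, 1, 2))]   # change-freeze ranges, inclusive
LAUNCHES = [date(2026, 6, 9)]                        # major release dates
DAY = timedelta(days=1)

def is_workday(d):
    return d.weekday() < 5 and d not in HOLIDAYS

def last_business_days(d, n=5):
    """The final n working days of the calendar quarter containing d."""
    m = 3 * ((d.month - 1) // 3 + 1)                     # last month of the quarter
    cur = date(d.year + (m == 12), m % 12 + 1, 1) - DAY  # last day of the quarter
    out = []
    while len(out) < n:
        out += [cur] if is_workday(cur) else []
        cur -= DAY
    return out

def break_length(d):
    """Days in the run of non-working days that contains d or starts right after it."""
    start = d if not is_workday(d) else d + DAY
    lo = hi = start
    while not is_workday(lo - DAY):
        lo -= DAY
    while not is_workday(hi):
        hi += DAY
    return (hi - lo).days

def troughs(d):
    """Names of the attention-trough buckets that date d falls into."""
    checks = {
        "quarter-end": d in last_business_days(d),
        "long-weekend": break_length(d) >= 3,   # assumed threshold: 3+ days off
        "post-launch": any(0 <= (d - rel).days < 7 for rel in LAUNCHES),
        "holiday-freeze": any(a <= d <= b for a, b in FREEZES),
    }
    return [name for name, hit in checks.items() if hit]

# Constructed publish events (package, version, date); triage() keeps those in a trough.
EVENTS = [("example-lib-a", "2.4.1", date(2026, 5, 22)),
          ("example-lib-b", "1.0.9", date(2026, 6, 3)),
          ("example-lib-c", "0.8.0", date(2026, 6, 26)),
          ("example-lib-d", "3.1.0", date(2026, 12, 24))]

def triage(events):
    return [(p, v, d.isoformat(), t) for p, v, d in events if (t := troughs(d))]
```

Sector-specific troughs such as finals week can be added as further inclusive date ranges alongside FREEZES; a publish tagged with several buckets at once, like the 24 December one here, is the case to look at first.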
The Rafter angle
rafter run runs at PR-time, which by design means the security review does not bunch up at calendar troughs. A team running Rafter in their CI pipeline does not have a "quarter-end security review backlog" because the review is continuous. That is not a feature unique to Rafter — every PR-gating control has the same property — but it is the structural reason continuous controls beat periodic ones during attention troughs. The periodic control compresses into the worst defender window. The continuous control distributes across the year.
The attacker's calendar will not stop being a useful operational input. Defender posture has to make it less useful — by being continuously present at every date on the calendar, instead of present only on the dates the defender's own rhythms allow.