High profile security vendors and national security officials have a real history of describing script kiddie jobs using months or years-old public exploits as "sophisticated" or "nation-state level", one instance that turned out to be a real supply chain attack that actually requires serious resources...doesn't really change the overall picture. In the Boy Who Cried Wolf fable, we don't fault the villagers for failing to expect that there would be a wolf this time.
Can you cite specific examples of national security officials misattributing a script kiddie as nation-state level sophistication? This is a common take which I've never seen substantiated anywhere. In comparison with hidden cobra, olympic destroyer, or the canonical stuxnet which were all clearly not script kiddies.
I don't have a more recent example, but this article[0] identifies a component of the RSA SecurID attack which utilized Poison Ivy. In my own experience experimenting with PI as an underaged teen in high school, it was a very popular and very lethal trojan and by most definitions, users were "script kiddies".
The old school concept of a script kiddie was someone who had a limited skill set that consisted of downloading exploits and trying everything to see what worked. Traditionally, a script kiddie didn't develop any of their own exploits.
Nowadays these people are known as Network Security Consultants and they are paid very well.
