Lemma Critical Brief

threat intelligence
× proof layer.

Structured analysis of incidents across AI, cryptographic infrastructure, supply chain, and regulatory attributes — read through the Detection ≠ Proof thesis . Each Brief makes the failure primitive explicit and identifies the structural gap that hardening detection alone cannot close, then connects it to the pre-execution attestation design.

● 30 briefs published since 2026-05-29 · RSS feed · Methodology · Newsletter

About this collection

Lemma Critical Brief is a structured-incident-analysis reference collection from Lemma. Each Brief covers one incident across nine sections (TL;DR + §1–§8) , structuring the failure primitive and the structural gap that detection alone cannot close, and connecting them to the pre-execution attestation design. Series scope, citation conventions, and editorial process are consolidated on the Methodology page.

Featured · Latest Brief

No. 030

2026-06-06

Pillar 01 · Verifiable Origin

Stripe's Trusted API Infrastructure Repurposed to Deliver Card-Skimming Code and Store Stolen Data

On June 4, 2026, e-commerce security firm Sansec disclosed a new Magecart (web-skimming) campaign abusing Stripe's API infrastructure. Stripe itself was not breached. The attacker repurposed the trusted domains an online store implicitly al…

Read Brief →

Pillar 01

Verifiable Origin

12 briefs

The layer that independently verifies the origin of messages, data, and code.

No. 030 · 2026-06-06

Stripe's Trusted API Infrastructure Repurposed to Deliver Card-Skimming Code and Store Stolen Data

Allowlists Trust the Domain's Identity, Not the Provenance of What It Carries

Code Provenance Identity & AuthData Provenance Brief →

No. 028 · 2026-06-05

The npm Dependency-Confusion Recon Campaign

33 Packages Impersonating Internal Scopes Exploit the Build Environment's Provenance Assumptions

Code Provenance Identity & Auth Brief →

No. 023 · 2026-06-05

The Alephium TokenBridge Exploit ($815K)

Guardian Keys Intact, But No Verification of the Provenance of the Events They Signed

Bridge Config Trust Identity & Auth Brief →

No. 016 · 2026-05-31

The Verus-Ethereum Bridge Hack ($11.58M)

A Valid Merkle Proof, But No Verification That the Source Amount Matched the Payout

Bridge Config Trust Identity & Auth Brief →

No. 015 · 2026-05-31

The GitHub Internal Repository Breach

A Poisoned VS Code Extension, Live for 18 Minutes, Exploited the Developer Trust Surface

Code Provenance Identity & Auth Brief →

No. 014 · 2026-05-31

The TanStack npm Compromise

Malicious Packages Signed Under a Legitimate OIDC Trusted Publisher, Where a Valid Provenance Signature Did Not Mean a Trustworthy Artifact

Code Provenance Identity & Auth Brief →

No. 011 · 2026-05-31

SynthID Watermark Reverse-Engineering

How a Statistical Attack Strips the Provenance Mark from AI-Generated Content

Data Provenance AI Decision Integrity Brief →

No. 010 · 2026-05-31

Claude Code Source-Leak Lures

Weaponizing Trust Signals and GitHub Releases as a Provenance-Spoofed Delivery Channel

Code Provenance Identity & Auth Brief →

No. 008 · 2026-05-30

Discord 2.05 Billion Message Scraping via Public API

How Public Channel Data Gets Redistributed as AI Training Datasets

Training Data Provenance Data ProvenanceAttribute Proof Bypass Brief →

No. 004 · 2026-05-30

Megalodon GitHub Supply Chain

CI/CD Credential-Theft Campaign That Poisoned 5,561 Repositories in 6 Hours

Code Provenance Identity & Auth Brief →

No. 002 · 2026-05-29

Stake DAO vsdCRV Unauthorized Mint

LayerZero v2 Trust Source Rewriting via Deployer Key

Bridge Config Trust Identity & Auth Brief →

No. 001 · 2026-05-29

KelpDAO / rsETH Unauthorized Unlock

RPC Manipulation Attack on the DVN Observation Layer

Bridge Config Trust Identity & Auth Brief →

Pillar 02

Verifiable AI

5 briefs

The layer that ZK-commits the process of AI judgment.

No. 024 · 2026-06-05

Invisible Unicode Instruction Injection

The Gap Between Human-Read and Model-Read Input

AI Decision Integrity Agent InfrastructureData Provenance Brief →

No. 018 · 2026-05-31

The hackerbot-claw Campaign's First Recorded AI-vs-AI Attack

Weaponizing a Repository's CLAUDE.md to Hijack the Defending AI Agent's Instructions

AI Decision Integrity Agent RunawayIdentity & Auth Brief →

No. 017 · 2026-05-31

McKinsey Lilli's Writable System Prompts

The Layer Governing the AI's Behavior Had No Integrity or Provenance

AI Decision Integrity Identity & AuthAgent Runaway Brief →

No. 012 · 2026-05-31

The Robert Williams Wrongful Arrest

When an AI Face-Match Drove a Government Enforcement Action Without Independent Verification

AI Decision Integrity Identity & AuthAI Bias / Harm Brief →

No. 005 · 2026-05-30

Noroboto Attack

AI Document Review Input-Integrity Forgery via Embedded Lying Fonts

AI Decision Integrity Data Provenance Brief →

Pillar 03

Agent Authority Proof

7 briefs

The layer that records and proves the delegation relationships of agents.

No. 029 · 2026-06-06

One-Click GitHub OAuth Token Theft via github.dev

The Webview Trusted Synthetic Events, and the Token Was Not Scoped to the Repo

Agent Infrastructure Identity & Auth Brief →

No. 027 · 2026-06-05

LibreChat CVE-2026-32625

User-Supplied MCP Server URLs as an Exfiltration Channel for Server Secrets

Agent Infrastructure Identity & Auth Brief →

No. 026 · 2026-06-05

Adaptive AI Worm

Runtime Exploit Synthesis as a Threat Model

Agent Runaway Agent InfrastructureIdentity & Auth Brief →

No. 025 · 2026-06-05

MCP Design: Config-to-Command Execution and Supply-Chain-Scale RCE

In April 2026, OX Security disclosed that Anthropic's Model Context Protocol (MCP) official SDK contains a design-level issue in which confi…

Agent Infrastructure Identity & AuthCode Provenance Brief →

No. 009 · 2026-05-31

GTG-1002

The First Reported AI-Orchestrated Espionage Campaign Where the Agent Executed 80–90% Autonomously, and Agent Authority Was Never Independently Verified

Agent Runaway Identity & Auth Brief →

No. 007 · 2026-05-30