threat intelligence × trust infrastructure.
Lemma's structured analysis of major incidents across AI, cryptographic infrastructure, supply chains, and regulated attributes. Each Brief makes the gap between detection and proof explicit — a reference for risk assessment, regulatory response, and trust-infrastructure design.
Featured · Latest Briefs
AI Agent Forwarded Credentials Before Verifying the Sender (OpenClaw / Varonis)
You instruct the email-reading AI agent to "stop if anything seems suspicious" — and it was show…
ServiceNow Scripted REST Endpoint Served Customer Data Without Authentication
It is ordinary for a business system to have an "API that returns data." But in June 2026, it wa…
When One Laptop Meets the Multisig Threshold
A crypto project's multisig moves funds only when several key holders approve together — authori…
Self-Reported Autonomous-Driving Safety, Unverified
Neither the claim that self-driving is "safer than humans" nor the data on how many crashes actu…
Phantom Carbon Credits
Carbon credits sold as "forest conserved, carbon sequestered" were in fact generated from land w…
IronWorm
A developer's ordinary act of installing an npm package can become the point at which an entire …
When the Assistant Becomes the Trigger
In May–June 2026, both research and real-world incidents showed that a developer's ordinary act …
12.8 Billion Training Images Contained Passports, Résumés, and Faces
On 2025-07-18, a research team reported that one of the largest public AI training datasets, Dat…
Verifiable Origin
The layer that independently verifies the origin of messages, data, and code.
When One Laptop Meets the Multisig Threshold
Distributed Approval Collapses to a Single Custody Point (Humanity Protocol)
IronWorm
When Stolen Credentials Become Publishing Authority (npm Self-Propagating Implant)
12.8 Billion Training Images Contained Passports, Résumés, and Faces
The Provenance and Consent of Training Data Were Never Verified at Collection
Stripe's Trusted API Infrastructure Repurposed to Deliver Card-Skimming Code and Store Stolen Data
Allowlists Trust the Domain's Identity, Not the Provenance of What It Carries
The npm Dependency-Confusion Recon Campaign
33 Packages Impersonating Internal Scopes Exploit the Build Environment's Provenance Assumptions
The Alephium TokenBridge Exploit ($815K)
Guardian Keys Intact, But No Verification of the Provenance of the Events They Signed
The Verus-Ethereum Bridge Hack ($11.58M)
A Valid Merkle Proof, But No Verification That the Source Amount Matched the Payout
The GitHub Internal Repository Breach
A Poisoned VS Code Extension, Live for 18 Minutes, Exploited the Developer Trust Surface
The TanStack npm Compromise
Malicious Packages Signed Under a Legitimate OIDC Trusted Publisher, Where a Valid Provenance Signature Did Not Mean a Trustworthy Artifact
SynthID Watermark Reverse-Engineering
How a Statistical Attack Strips the Provenance Mark from AI-Generated Content
Claude Code Source-Leak Lures
Weaponizing Trust Signals and GitHub Releases as a Provenance-Spoofed Delivery Channel
Discord 2.05 Billion Message Scraping via Public API
How Public Channel Data Gets Redistributed as AI Training Datasets
Megalodon GitHub Supply Chain
CI/CD Credential-Theft Campaign That Poisoned 5,561 Repositories in 6 Hours
Stake DAO vsdCRV Unauthorized Mint
LayerZero v2 Trust Source Rewriting via Deployer Key
KelpDAO / rsETH Unauthorized Unlock
RPC Manipulation Attack on the DVN Observation Layer
Verifiable AI
The layer that ZK-commits the process of AI judgment.
AI Agent Forwarded Credentials Before Verifying the Sender (OpenClaw / Varonis)
You instruct the email-reading AI agent to "stop if anything seems suspicious" — and it was shown that this instruction breaks under a singl…
Self-Reported Autonomous-Driving Safety, Unverified
Tesla FSD Crash Data and Safety-Stat Methodology
Invisible Unicode Instruction Injection
The Gap Between Human-Read and Model-Read Input
The hackerbot-claw Campaign's First Recorded AI-vs-AI Attack
Weaponizing a Repository's CLAUDE.md to Hijack the Defending AI Agent's Instructions
McKinsey Lilli's Writable System Prompts
The Layer Governing the AI's Behavior Had No Integrity or Provenance
The Robert Williams Wrongful Arrest
When an AI Face-Match Drove a Government Enforcement Action Without Independent Verification
Noroboto Attack
AI Document Review Input-Integrity Forgery via Embedded Lying Fonts
Agent Authority Proof
The layer that records and proves the delegation relationships of agents.
ServiceNow Scripted REST Endpoint Served Customer Data Without Authentication
It is ordinary for a business system to have an "API that returns data." But in June 2026, it was disclosed that some ServiceNow REST endpoi…
When the Assistant Becomes the Trigger
AI Coding Agents Auto-Execute Project-Local Config (SymJack / TrustFall + Miasma)
One Edge Appliance Compromise Cascaded to Full Domain Takeover
An Implicitly Trusted F5 BIG-IP Became the Pivot, Along With the Credentials It Stored
AI Agents Drove Intrusions From Initial Access to Exfiltration
Signature-Based Detection Cannot Track Tooling the AI Generates Per Target (SHADOW-AETHER-040 / 064)
One-Click GitHub OAuth Token Theft via github.dev
The Webview Trusted Synthetic Events, and the Token Was Not Scoped to the Repo
LibreChat CVE-2026-32625
User-Supplied MCP Server URLs as an Exfiltration Channel for Server Secrets
Adaptive AI Worm
Runtime Exploit Synthesis as a Threat Model
MCP Design: Config-to-Command Execution and Supply-Chain-Scale RCE
Not a single-language implementation bug but inherent in the reference SDK design across supported languages
GTG-1002
The First Reported AI-Orchestrated Espionage Campaign Where the Agent Executed 80–90% Autonomously, and Agent Authority Was Never Independently Verified
Cursor + Claude Opus 4.6 Wiped PocketOS Production DB in 9 Seconds
The Unverified Destructive Authority of AI Coding Agents
Starlette CVE-2026-48710 (BadHost)
MCP Server Authentication Bypass via HTTP Host Header Manipulation
Regulatory Attribute Proof
The layer that proves KYC / AML / regulatory attributes via selective disclosure.
Phantom Carbon Credits
When an Environmental Attribute Is Issued Without Independent Verification of Its Underlying Data (Operation Greenwashing)
The Inspections Were Recorded as 'Complete' But Never Performed
On the Boeing 787, the Existence of a Record Was Mistaken for Proof of the Act
Live Biometric Verification Defeated by an Injected Video Feed
KYC Believed It Had Captured a Live Person, But the Provenance of the Capture Was Never Verified
Inside a Legitimate Booking Platform, the Payout Bank Account Was Silently Rewritten
The Change Was Not Independently Verified Before Funds Moved (Polaris Holdings / Booking.com)
OnlyFake
AI-Generated IDs Bypass Exchange KYC
Forged Balance Confirmations Asserting Asset Existence
A Financial Attribute Asserted Without Independent Verification, Reaching Disclosure and Markets (Wirecard)
Tampered Certification Test Data Behind Type Designation
Product Regulatory-Conformance Attributes Asserted Without Independent Verification on the Path to Shipment
Unqualified Engineers Placed Under National-License Claims
Regulatory Attributes Asserted Without Independent Verification at the Point of Assignment
The Coinbase KYC Insider Breach
When Regulation-Mandated Storage of Raw PII Becomes the Breach Surface
Google API Keys Remain Usable for 23 Minutes After Deletion
Independent Verification Gap in Credential Revocation Attributes