Home / Critical Brief / Category archive
Lemma Critical Brief · Category archive

Code Provenance

Supply-chain attacks, commit forgery, intrusion via CI/CD.

7 Briefs
No. 030 · 2026-06-06

Stripe's Trusted API Infrastructure Repurposed to Deliver Card-Skimming Code and Store Stolen Data

Allowlists Trust the Domain's Identity, Not the Provenance of What It Carries

Pillar 01 Verifiable Origin Code Provenance Identity & AuthData Provenance Brief →
No. 025 · 2026-06-05

MCP Design: Config-to-Command Execution and Supply-Chain-Scale RCE

In April 2026, OX Security disclosed that Anthropic's Model Context Protocol (MCP) official SDK contains a design-level issue in which confi…

Pillar 03 Agent Authority Proof Agent Infrastructure Identity & AuthCode Provenance Brief →
No. 028 · 2026-06-05

The npm Dependency-Confusion Recon Campaign

33 Packages Impersonating Internal Scopes Exploit the Build Environment's Provenance Assumptions

Pillar 01 Verifiable Origin Code Provenance Identity & Auth Brief →
No. 010 · 2026-05-31

Claude Code Source-Leak Lures

Weaponizing Trust Signals and GitHub Releases as a Provenance-Spoofed Delivery Channel

Pillar 01 Verifiable Origin Code Provenance Identity & Auth Brief →
No. 014 · 2026-05-31

The TanStack npm Compromise

Malicious Packages Signed Under a Legitimate OIDC Trusted Publisher, Where a Valid Provenance Signature Did Not Mean a Trustworthy Artifact

Pillar 01 Verifiable Origin Code Provenance Identity & Auth Brief →
No. 015 · 2026-05-31

The GitHub Internal Repository Breach

A Poisoned VS Code Extension, Live for 18 Minutes, Exploited the Developer Trust Surface

Pillar 01 Verifiable Origin Code Provenance Identity & Auth Brief →
No. 004 · 2026-05-30

Megalodon GitHub Supply Chain

CI/CD Credential-Theft Campaign That Poisoned 5,561 Repositories in 6 Hours

Pillar 01 Verifiable Origin Code Provenance Identity & Auth Brief →