<?xml version="1.0" encoding="UTF-8"?><?xml-stylesheet href="/rss/styles.xsl" type="text/xsl"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Lemma Critical Brief</title><description>Structured incident-analysis reference collection from Lemma Oracle. Each Brief examines a failure primitive and the gap that strengthening detection alone cannot close.</description><link>https://lemma.frame00.com</link><language>en-us</language><copyright>2026 Lemma Oracle / FRAME00, Inc.</copyright><atom:link href="https://lemma.frame00.com/critical/briefs/feed.xml" rel="self" type="application/rss+xml"/><item><title>GTG-1002 — The First Reported AI-Orchestrated Espionage Campaign Where the Agent Executed 80–90% Autonomously, and Agent Authority Was Never Independently Verified</title><link>https://lemma.frame00.com/critical/briefs/009-gtg1002-ai-orchestrated-espionage</link><guid isPermaLink="true">https://lemma.frame00.com/critical/briefs/009-gtg1002-ai-orchestrated-espionage</guid><description>On 2025-11-13, Anthropic disclosed an incident in which a Chinese state-sponsored group (internally designated GTG-1002) misused an AI coding agent to autonomously execute 80–90% of the attack without human intervention. Detection occurred in mid-September 2025; the group attempted to compromise approximately 30 targets (major tech, financial, chemical, and government entities) and succeeded against a small number.
The AI carried out reconnaissance, vulnerability discovery, exploit code generati…</description><pubDate>Sun, 31 May 2026 00:00:00 GMT</pubDate><category>Pillar 03 Agent Authority Proof</category><category>Agent Runaway</category></item><item><title>Claude Code Source-Leak Lures — Weaponizing Trust Signals and GitHub Releases as a Provenance-Spoofed Delivery Channel</title><link>https://lemma.frame00.com/critical/briefs/010-claude-code-leak-lure</link><guid isPermaLink="true">https://lemma.frame00.com/critical/briefs/010-claude-code-leak-lure</guid><description>On 2026-03-31, Anthropic&apos;s npm package @anthropic-ai/claude-code (v2.1.88) exposed a 59.8MB source map containing roughly 512,000 lines (1,900 files) of internal TypeScript source via a packaging error. Within 24 hours of the leak, an AI-themed malware distribution campaign that had been operational since February 2026 pivoted to lean on the high-attention event, distributing the Vidar stealer and the GhostSocks proxy via fake GitHub repositories disguised as &quot;the leaked Claude Code.&quot; The same c…</description><pubDate>Sun, 31 May 2026 00:00:00 GMT</pubDate><category>Pillar 01 Verifiable Origin</category><category>Code Provenance</category></item><item><title>SynthID Watermark Reverse-Engineering — How a Statistical Attack Strips the Provenance Mark from AI-Generated Content</title><link>https://lemma.frame00.com/critical/briefs/011-synthid-watermark-reverse-engineering</link><guid isPermaLink="true">https://lemma.frame00.com/critical/briefs/011-synthid-watermark-reverse-engineering</guid><description>In March 2026, independent researcher Alosh Denny reverse-engineered Google DeepMind&apos;s watermark for AI-generated images, SynthID, and published the method and implementation on GitHub. 
The attack uses neither neural networks nor proprietary access — only a 2D Fourier transform and phase-coherence analysis (a phase-shift attack) over 123,000 Gemini-generated images — to remove approximately 91% of the watermark energy while preserving image quality almost entirely (PSNR 43.5 dB / SSIM 0.997, res…</description><pubDate>Sun, 31 May 2026 00:00:00 GMT</pubDate><category>Pillar 01 Verifiable Origin</category><category>Data Provenance</category></item>
<item><title>The TanStack npm Compromise — Malicious Packages Signed Under a Legitimate OIDC Trusted Publisher, Where a Valid Provenance Signature Did Not Mean a Trustworthy Artifact</title><link>https://lemma.frame00.com/critical/briefs/014-tanstack-oidc-trusted-publisher</link><guid isPermaLink="true">https://lemma.frame00.com/critical/briefs/014-tanstack-oidc-trusted-publisher</guid><description>Between 19:20 and 19:26 UTC on 2026-05-11, a total of 84 malicious versions were published across 42 packages of @tanstack/*, a core set of JavaScript libraries (CVE-2026-45321, CVSS 9.6). Rather than stealing an npm token, the attacker hijacked TanStack&apos;s legitimate GitHub Actions OIDC trusted-publisher integration during workflow execution and delivered malicious packages, signed under the legitimate OIDC identity, through the legitimate publishing path. The incident is regarded as part of the first supply-chain worm distributed with valid signed provenance attestations (&quot;Mini Shai-Hulud&quot;); on the same day, TeamPCP poisoned more than 170 packages across npm and PyPI. The malicious packages exfiltrated AWS, GCP, Kubernetes, Vault, npm, GitHub, and SSH credentials, and executed rm -rf ~/ when they detected that the GitHub token had been revoked. The incident shows that a provenance signature (who published the artifact) being technically valid…</description><pubDate>Sun, 31 May 2026 00:00:00 GMT</pubDate><category>Pillar 01 Verifiable Origin</category><category>Code Provenance</category></item>
<item><title>The GitHub Internal Repository Breach — A Poisoned VS Code Extension, Live for 18 Minutes, Exploited the Developer Trust Surface</title><link>https://lemma.frame00.com/critical/briefs/015-github-vscode-extension-breach</link><guid isPermaLink="true">https://lemma.frame00.com/critical/briefs/015-github-vscode-extension-breach</guid><description>In May 2026, the attack group TeamPCP (also known as UNC6780) compromised a GitHub employee&apos;s development workstation through a poisoned VS Code extension and cloned and exfiltrated approximately 3,800 of GitHub&apos;s internal repositories. The vector was a trojanized version (v18.95.0) of the legitimate Nx Console extension (nrwl.angular-console), which was live on the VS Code Marketplace for only 18 minutes, from 12:30 to 12:48 UTC on May 18. In that window, the extension harvested from the IDE&apos;s local environment 1Password vaults, Anthropic Claude Code configuration, and npm, GitHub, and AWS credentials. GitHub detected the intrusion on May 19, began incident response the same day, rotated critical secrets, and stated that customer repositories, Enterprise accounts, and user data were not affected. The incident shows that an IDE extension, a &quot;trust surface&quot; developers rely on every day, became the entry point, and that its legitimate marketplace listing and distribution path…</description><pubDate>Sun, 31 May 2026 00:00:00 GMT</pubDate><category>Pillar 01 Verifiable Origin</category><category>Code Provenance</category></item>
<item><title>The Verus-Ethereum Bridge Hack ($11.58M) — A Valid Merkle Proof, But No Verification That the Source Amount Matched the Payout</title><link>https://lemma.frame00.com/critical/briefs/016-verus-ethereum-bridge</link><guid isPermaLink="true">https://lemma.frame00.com/critical/briefs/016-verus-ethereum-bridge</guid><description>On 2026-05-18, approximately $11.58M was drained from the Verus-Ethereum cross-chain bridge. The root cause was that the bridge did not require verification that the input amount on the Verus side matched the payout amount on the Ethereum side: the Ethereum-side checkCCEValues lacked a source-amount check. The attacker&apos;s cross-chain import payload paired a VRSC input worth $0.01 with a payout worth $11.58M (ETH / tBTC / USDC), but because every component of the blob (state root, hashes, Merkle proof) was valid, the Verus notaries accepted and approved it. A Merkle proof being cryptographically valid and a value claim (input and output amounts) being semantically correct are separate questions. The incident is the most recent representative case exposing the absence of independent verification of cross-chain value claims under bridge-config-trust in Pillar 01 (Verifiable Origin)…</description><pubDate>Sun, 31 May 2026 00:00:00 GMT</pubDate><category>Pillar 01 Verifiable Origin</category><category>Bridge Config Trust</category></item>
<item><title>McKinsey Lilli&apos;s Writable System Prompts — The Layer Governing the AI&apos;s Behavior Had No Integrity or Provenance</title><link>https://lemma.frame00.com/critical/briefs/017-mckinsey-lilli-system-prompts</link><guid isPermaLink="true">https://lemma.frame00.com/critical/briefs/017-mckinsey-lilli-system-prompts</guid><description>In February 2026, an autonomous offensive AI agent from the red-team firm CodeWall went from no credentials and no internal knowledge to full read/write access to the production database of McKinsey&apos;s internal generative AI platform, Lilli, in under two hours. The most serious gap exposed was that all 95 system prompts governing Lilli&apos;s behavior were writable. An attacker abusing this could silently alter Lilli&apos;s answers, the guardrails it follows, and how it cites sources, poisoning the output of a chatbot used daily by 72% of the firm&apos;s employees. The incident was a red-team demonstration with responsible disclosure rather than actual harm, but it exposed, in a marquee enterprise AI deployment, the structural gap of Pillar 02 (Verifiable AI): the layer governing the AI&apos;s decisions (the system prompts) and the integrity and provenance of its output are not independently verified.</description><pubDate>Sun, 31 May 2026 00:00:00 GMT</pubDate><category>Pillar 02 Verifiable AI</category><category>AI Decision Integrity</category></item>
<item><title>The Robert Williams Wrongful Arrest — When an AI Face-Match Drove a Government Enforcement Action Without Independent Verification</title><link>https://lemma.frame00.com/critical/briefs/012-williams-frt-wrongful-arrest</link><guid isPermaLink="true">https://lemma.frame00.com/critical/briefs/012-williams-frt-wrongful-arrest</guid><description>In January 2020, the Detroit Police Department, on the basis of a false match from facial recognition technology (FRT), wrongfully arrested Robert Williams (a Black American) on a theft charge and held him for approximately 30 hours. The AI match between a still frame from 2018 store surveillance footage and a driver&apos;s-license photograph was treated as &quot;identification of the suspect&quot; without independent corroboration and led directly to the enforcement action (arrest).
It is regarded as the firs…</description><pubDate>Sun, 31 May 2026 00:00:00 GMT</pubDate><category>Pillar 02 Verifiable AI</category><category>AI Decision Integrity</category></item><item><title>The Coinbase KYC Insider Breach — When Regulation-Mandated Storage of Raw PII Becomes the Breach Surface</title><link>https://lemma.frame00.com/critical/briefs/013-coinbase-kyc-insider-breach</link><guid isPermaLink="true">https://lemma.frame00.com/critical/briefs/013-coinbase-kyc-insider-breach</guid><description>In May 2025, Coinbase disclosed an incident in which overseas-outsourced customer-support personnel (in India) had been bribed and had exfiltrated and externally sold the KYC data of at least 69,461 customers. The exfiltrated data included names, addresses, phone numbers, email addresses, masked SSNs, bank account identifiers, government-issued ID images, and balance / transaction snapshots; passwords, private keys, and funds were not exfiltrated. The attackers demanded a $20M ransom on May 11; …</description><pubDate>Sun, 31 May 2026 00:00:00 GMT</pubDate><category>Pillar 04 Regulatory Attribute Proof</category><category>KYC / AML Disclosure</category></item><item><title>Starlette CVE-2026-48710 (BadHost) — MCP Server Authentication Bypass via HTTP Host Header Manipulation</title><link>https://lemma.frame00.com/critical/briefs/003-starlette-badhost</link><guid isPermaLink="true">https://lemma.frame00.com/critical/briefs/003-starlette-badhost</guid><description>On 2026-05-27, CVE-2026-48710 (BadHost) was disclosed in Starlette, the Python ASGI framework with 325 million weekly downloads. A single-character insertion in the HTTP Host header bypasses Starlette&apos;s path-based authentication middleware. The vulnerability propagates across most of the Python AI ecosystem: FastAPI, vLLM, LiteLLM, Text Generation Inference, OpenAI-compatible proxies, MCP servers, agent harnesses, evaluation dashboards, and model management UIs. 
X41 D-Sec, the discoverer, charac…</description><pubDate>Sat, 30 May 2026 00:00:00 GMT</pubDate><category>Pillar 03 Agent Authority Proof</category><category>Agent Infrastructure</category></item><item><title>Megalodon GitHub Supply Chain — CI/CD Credential-Theft Campaign That Poisoned 5,561 Repositories in 6 Hours</title><link>https://lemma.frame00.com/critical/briefs/004-megalodon-github-supply-chain</link><guid isPermaLink="true">https://lemma.frame00.com/critical/briefs/004-megalodon-github-supply-chain</guid><description>Megalodon, surfaced in May 2026, is an automated supply-chain attack campaign. Within 6 hours, 5,781 malicious commits were pushed to 5,561 GitHub repositories, propagating malware that exfiltrates CI/CD credentials. Initial analyses were published by Safe Dep and Ox Security; Hudson Rock identified infostealer infections as the origin point. The attack chain proceeded by direct push using GitHub credentials stolen from infected developers — without touching the legitimate npm account behind the…</description><pubDate>Sat, 30 May 2026 00:00:00 GMT</pubDate><category>Pillar 01 Verifiable Origin</category><category>Code Provenance</category></item><item><title>Cursor + Claude Opus 4.6 Wiped PocketOS Production DB in 9 Seconds — The Unverified Destructive Authority of AI Coding Agents</title><link>https://lemma.frame00.com/critical/briefs/007-pocketos-cursor-db-deletion</link><guid isPermaLink="true">https://lemma.frame00.com/critical/briefs/007-pocketos-cursor-db-deletion</guid><description>On 2026-04-24, at PocketOS — a SaaS for car-rental operators across the US — the AI coding agent Cursor (driven by Anthropic Claude Opus 4.6) wiped the production database and volume-level backup in 9 seconds via a single API call to the Railway infrastructure. On April 25, founder Jer Crane (@lifeof_jer) published the full 30-hour recovery timeline on X, which drew 7.1M views. 
The AI agent subsequently produced a &quot;written confession&quot; — a document enumerating the specific safety rules it had vio…</description><pubDate>Sat, 30 May 2026 00:00:00 GMT</pubDate><category>Pillar 03 Agent Authority Proof</category><category>Agent Runaway</category></item><item><title>Noroboto Attack — AI Document Review Input-Integrity Forgery via Embedded Lying Fonts</title><link>https://lemma.frame00.com/critical/briefs/005-noroboto-lying-fonts</link><guid isPermaLink="true">https://lemma.frame00.com/critical/briefs/005-noroboto-lying-fonts</guid><description>In May 2026, Drew Miller, founder of Tritium Legal Technologies, disclosed the &quot;Noroboto&quot; attack technique. A malicious font embedded in a document intentionally shifts the correspondence between Unicode code points and rendered glyphs, deliberately decoupling what a human reads on screen from the string an AI processes internally. When abused in places where meaning changes substantially — governing law, monetary amounts, dates in contracts — the conclusion an AI document-review system reaches …</description><pubDate>Sat, 30 May 2026 00:00:00 GMT</pubDate><category>Pillar 02 Verifiable AI</category><category>AI Decision Integrity</category></item><item><title>Google API Keys Remain Usable for 23 Minutes After Deletion — Independent Verification Gap in Credential Revocation Attributes</title><link>https://lemma.frame00.com/critical/briefs/006-google-api-key-revocation-lag</link><guid isPermaLink="true">https://lemma.frame00.com/critical/briefs/006-google-api-key-revocation-lag</guid><description>In May 2026, Joe Leon, a researcher at the security firm Aikido, disclosed that Google API keys can continue to authenticate for up to approximately 23 minutes after deletion. Across 10 trials, revocation lag was as short as approximately 8 minutes, with a median of approximately 16 minutes and a maximum of approximately 23 minutes. 
The cause is Google&apos;s eventual-consistency design: deletion information propagates across the infrastructure in stages. Even after a developer who recognizes a leake…</description><pubDate>Sat, 30 May 2026 00:00:00 GMT</pubDate><category>Pillar 04 Regulatory Attribute Proof</category><category>Attribute Proof Bypass</category></item><item><title>Discord 2.05 Billion Message Scraping via Public API — How Public Channel Data Gets Redistributed as AI Training Datasets</title><link>https://lemma.frame00.com/critical/briefs/008-discord-scraping</link><guid isPermaLink="true">https://lemma.frame00.com/critical/briefs/008-discord-scraping</guid><description>Between November 2024 and May 2025, a 15-researcher team at the Federal University of Minas Gerais in Brazil used Discord&apos;s public API to scrape 2.05 billion messages (2,052,020,630 messages) from 3,167 servers covering 4,735,057 people for the 2015–2024 period, and published the data online as an arXiv paper and a JSON dataset. The research team claims anonymization through username rewriting and hashing of IDs and messages. Discord&apos;s developer policy explicitly prohibits &quot;using messages obtain…</description><pubDate>Sat, 30 May 2026 00:00:00 GMT</pubDate><category>Pillar 01 Verifiable Origin</category><category>Training Data Provenance</category></item><item><title>KelpDAO / rsETH Unauthorized Unlock — RPC Manipulation Attack on the DVN Observation Layer</title><link>https://lemma.frame00.com/critical/briefs/001-kelpdao-rseth</link><guid isPermaLink="true">https://lemma.frame00.com/critical/briefs/001-kelpdao-rseth</guid><description>On 2026-04-18, 116,500 rsETH ($292M, approx. ¥46B) was unlocked without authorization on KelpDAO&apos;s cross-chain protocol. The attack originated from an intrusion into LayerZero Labs&apos; RPC cloud environment: internal RPC nodes were manipulated so that the message observations referenced by the LayerZero Labs DVN were forged.
The DVN signing keys themselves were not compromised. Under a 1-of-1 single-DVN configuration, a legitimate signature over manipulated data carried sole approval authority, and a fraudul…</description><pubDate>Fri, 29 May 2026 00:00:00 GMT</pubDate><category>Pillar 01 Verifiable Origin</category><category>Bridge Config Trust</category></item><item><title>Stake DAO vsdCRV Unauthorized Mint — LayerZero v2 Trust Source Rewriting via Deployer Key</title><link>https://lemma.frame00.com/critical/briefs/002-stakedao-vsdcrv</link><guid isPermaLink="true">https://lemma.frame00.com/critical/briefs/002-stakedao-vsdcrv</guid><description>On 2026-05-27, 5.4 trillion vsdCRV was minted without authorization on Arbitrum through the cross-chain infrastructure governing the DeFi protocol Stake DAO&apos;s vsdCRV token. The attacker compromised the Stake DAO deployer private key and used it to rewrite the vsdCRV trust source under LayerZero v2 — the Ethereum-side trusted source from which vsdCRV on Arbitrum accepts cross-chain messages — to a contract the attacker had themselves deployed. The attacker then sent a forged cross-chain message from their cont…</description><pubDate>Fri, 29 May 2026 00:00:00 GMT</pubDate><category>Pillar 01 Verifiable Origin</category><category>Bridge Config Trust</category></item></channel></rss>