Pillar 01 Verifiable Origin
The layer that independently verifies the origin of messages, data, and code.
Stripe's Trusted API Infrastructure Repurposed to Deliver Card-Skimming Code and Store Stolen Data
Allowlists Trust the Domain's Identity, Not the Provenance of What It Carries
The Alephium TokenBridge Exploit ($815K)
Guardian Keys Intact, But No Verification of the Provenance of the Events They Signed
The npm Dependency-Confusion Recon Campaign
33 Packages Impersonating Internal Scopes Exploit the Build Environment's Provenance Assumptions
Claude Code Source-Leak Lures
Weaponizing Trust Signals and GitHub Releases as a Provenance-Spoofed Delivery Channel
SynthID Watermark Reverse-Engineering
How a Statistical Attack Strips the Provenance Mark from AI-Generated Content
The TanStack npm Compromise
Malicious Packages Signed Under a Legitimate OIDC Trusted Publisher, Where a Valid Provenance Signature Did Not Mean a Trustworthy Artifact
The Verus-Ethereum Bridge Hack ($11.58M)
A Valid Merkle Proof, But No Verification That the Source Amount Matched the Payout
The GitHub Internal Repository Breach
A Poisoned VS Code Extension, Live for 18 Minutes, Exploited the Developer Trust Surface
Megalodon GitHub Supply Chain
CI/CD Credential-Theft Campaign That Poisoned 5,561 Repositories in 6 Hours
Discord 2.05 Billion Message Scraping via Public API
How Public Channel Data Gets Redistributed as AI Training Datasets
KelpDAO / rsETH Unauthorized Unlock
RPC Manipulation Attack on the DVN Observation Layer
Stake DAO vsdCRV Unauthorized Mint
LayerZero v2 Trust Source Rewriting via Deployer Key