Pillar 01 Verifiable Origin
The layer that independently verifies the origin of messages, data, and code.
When One Laptop Meets the Multisig Threshold
Distributed Approval Collapses to a Single Custody Point (Humanity Protocol)
IronWorm
When Stolen Credentials Become Publishing Authority (npm Self-Propagating Implant)
12.8 Billion Training Images Contained Passports, Résumés, and Faces
The Provenance and Consent of Training Data Were Never Verified at Collection
Stripe's Trusted API Infrastructure Repurposed to Deliver Card-Skimming Code and Store Stolen Data
Allowlists Trust the Domain's Identity, Not the Provenance of What It Carries
The Alephium TokenBridge Exploit ($815K)
Guardian Keys Intact, But No Verification of the Provenance of the Events They Signed
The npm Dependency-Confusion Recon Campaign
33 Packages Impersonating Internal Scopes Exploit the Build Environment's Provenance Assumptions
Claude Code Source-Leak Lures
Weaponizing Trust Signals and GitHub Releases as a Provenance-Spoofed Delivery Channel
SynthID Watermark Reverse-Engineering
How a Statistical Attack Strips the Provenance Mark from AI-Generated Content
The GitHub Internal Repository Breach
A Poisoned VS Code Extension, Live for 18 Minutes, Exploited the Developer Trust Surface
The Verus-Ethereum Bridge Hack ($11.58M)
A Valid Merkle Proof, But No Verification That the Source Amount Matched the Payout
The TanStack npm Compromise
Malicious Packages Signed Under a Legitimate OIDC Trusted Publisher, Where a Valid Provenance Signature Did Not Mean a Trustworthy Artifact
Megalodon GitHub Supply Chain
CI/CD Credential-Theft Campaign That Poisoned 5,561 Repositories in 6 Hours
Discord 2.05 Billion Message Scraping via Public API
How Public Channel Data Gets Redistributed as AI Training Datasets
KelpDAO / rsETH Unauthorized Unlock
RPC Manipulation Attack on the DVN Observation Layer
Stake DAO vsdCRV Unauthorized Mint
LayerZero v2 Trust Source Rewriting via Deployer Key