Supply Chain Attacks Bypassed Every Trust Signal We Built (opens in new tab)

When the May 2026 TanStack compromise produced validly-attested malicious packages, it exposed a gap between what provenance proves and…