NextGenRails

The TanStack Supply Chain Attack Exposed a Gap Nobody's Talking About.

Today, 84 TanStack npm packages were compromised in the Mini Shai-Hulud supply chain attack. Credential-stealing malware. 42 affected packages. The advisory told users to "pin to a prior known-good version."

That advice assumes something most teams don't have: a verifiable record of what known-good actually looked like before 19:20 UTC today.

The SBOM problem

A Software Bill of Materials tells you what was listed in your dependency manifest. It cannot prove whether the artifact you're running matches what was published before the compromise window opened.

If your SBOM was generated after the attack, it reflects the compromised state. If it was generated before, you have a document — but not cryptographic proof that your running environment matches that document.

There's a difference between a list and a proof.

What cryptographic attestation actually gives you

A cryptographic receipt issued against your manifest before the attack window gives you a fixed anchor: the manifest is committed to a SHA-384 Merkle root, the receipt is RS256-signed, anyone can verify it independently, and zero retention means the issuer keeps nothing of your manifest.

A manifest that changed after that window won't verify against the pre-attack receipt. You know exactly what changed and when — not because someone told you, but because the math says so.

This is the difference between detection and proof.

Why it matters beyond today

The TanStack attack will be resolved. Packages will be unpublished, pipelines secured, advisories updated. But the next attack will have a different window, different packages, different timing.

The teams that will respond fastest aren't the ones with the best incident response playbooks. They're the ones who can prove their pre-attack state in seconds rather than hours.

The question to ask your team today

Can you prove what your manifest state was before 19:20 UTC on May 11, 2026?

If the answer involves spreadsheets, Slack messages, or "I think we were on version X" — that's the gap.

cbomcompliance.com exists to close it.

NextGenRails™ builds cryptographic compliance infrastructure. Trust is not declared. It is computed.