When attackers steal your code, they have it. That's done. You can't undo it.
Most organizations understand this. What most organizations don't understand is that the theft itself is only the first problem. The second problem — often larger than the first — is what comes after.
Regulators will ask what was in your repositories. Insurers will ask whether your stack was compliant at the time of the breach. Lawyers will ask whether the stolen code contained vulnerabilities the attacker could exploit. Customers will ask whether their data was exposed. A federal court may ask all of the above, under oath, with documentary evidence required.
And the question underneath all of those questions is the same:
What did your software stack look like before the access window opened — and can you prove it?
Not after. Before. Not approximately. Exactly. Not claimed. Proven.
Most organizations cannot answer this question. Not because they were negligent, but because the tools the industry has given them — SBOMs, logs, internal documentation — were never designed to produce legally defensible, independently verifiable proof of a pre-incident software state.
The Questions That Follow Every Breach
Consider what happened when GitHub's internal repositories were exfiltrated in May 2026. The breach vector was a poisoned VS Code extension. The attacker gained access to approximately 4,000 internal repositories. The data was listed for sale publicly at $95,000.
GitHub's immediate response was textbook incident response: isolate the endpoint, rotate credentials, begin forensic analysis. But the harder questions — the ones that will follow for months and years — are not about what they did after the breach. They are about what they can prove about before it.
Were the exfiltrated repositories free of known vulnerabilities at the time of theft? Without a pre-incident cryptographic snapshot — cannot be proven.
Was the organization in compliance with EO 14028, CMMC, or the EU Cyber Resilience Act at the moment of the breach? Without a cryptographically signed receipt predating the incident — cannot be proven.
What was the exact composition of the software stack before the access window opened? Without pre-incident provenance infrastructure — cannot be proven.
These are not hypothetical questions. They are the questions that insurance adjusters, compliance auditors, plaintiff attorneys, and federal investigators actually ask.
Why Logs and SBOMs Are Not Enough
The instinct is to reach for logs. Logs are not enough. Logs are mutable, they can be tampered with, and they are controlled by the same infrastructure that was compromised.
The instinct is also to reach for SBOMs. SBOMs are not enough either. A Software Bill of Materials is a document. Its accuracy depends entirely on the integrity of the producing party. There is no cryptographic mechanism in the SBOM standard itself that allows an independent third party to verify that the SBOM matches the actual software state at a specific point in time.
An SBOM asserts. A cryptographic receipt proves. A description tells you what something is claimed to be. A proof gives you the means to independently verify that claim — without trusting the claiming party, without access to the original systems, without any cooperation from the organization that issued it.
The Attack Surface Has Changed
This year alone: Axios compromised via maintainer account takeover, attributed to North Korean threat actors. Trivy — the vulnerability scanner itself — compromised. Checkmarx, an application security platform, compromised. DAEMON Tools official installers trojanized with a valid digital certificate, active for nearly a month before detection.
The pattern is identical every time. Attackers did not break through perimeter defenses. They compromised the tools, packages, extensions, and pipelines that developers trust implicitly — and rode that trust directly into production environments.
What Cryptographic Proof Actually Does
A cryptographic receipt does not stop attackers from stealing your code. What it does is answer the questions that come after the theft — with mathematical precision, in a form that holds up in any jurisdiction, to any auditor, in any proceeding.
Each component in a software manifest is hashed individually using SHA-384. Those hashes become the leaves of a Merkle tree. The tree is processed recursively until a single root hash is produced — a cryptographic commitment to the entire software state at that moment. That root is signed with an RS256 private key and anchored to the Bitcoin blockchain — a globally verifiable, decentralized timestamp that cannot be altered retroactively.
A change to any single component — one version number, one dependency name, one extension — changes that component's hash, propagates through the Merkle tree, and produces a different root, invalidating the receipt. The binding is enforced by mathematics, not procedure.
When a regulator asks what your software stack looked like before the breach, you present the receipt. When an insurer asks whether you were compliant at the time of the incident, you present the receipt. That is the safe harbor defense. That is the litigation shield.
The Regulatory Convergence
EO 14028, the EU Cyber Resilience Act, CMMC. All converging on the same requirement: prove what was in your software.
These frameworks are not asking organizations to prove they were never breached. They are asking organizations to prove they exercised appropriate diligence — that they knew what was in their software, assessed it for known risks, and can document that assessment with independent evidence.
The breach happened. The data is gone. The only question left is what you can prove about what you had before it.
If the answer is nothing — that cannot be fixed retroactively. Provenance infrastructure must exist before the incident. A receipt generated after a breach proves nothing about the state that existed before it.
The time to build this infrastructure is now.
NextGenRails™ built the cryptographic receipt infrastructure for software provenance. cbomcompliance.com
Top comments (0)