The TanStack Supply Chain Attack Exposed a Gap Nobody's Talking About.

DEV Community·NextGenRails·21 days ago

Today, 84 TanStack npm packages were compromised in the Mini Shai-Hulud supply chain attack. Credential-stealing malware. 42 affected packages. The advisory told users to "pin to a prior known-good version." That advice assumes something most teams don't have: a verifiable record of what known-good actually looked like before 19:20 UTC today.

The SBOM problem

A Software Bill of Materials tells you what was listed in your dependency manifest. It cannot prove whether the artifact you're running matches what was published before the compromise window opened. If your SBOM was generated after the attack, it reflects the compromised state. If it was generated before, you have a document — but not cryptographic proof that your running environment matches that document. There's a difference between a list and a proof.

What cryptographic attestation actually gives you

A cryptographic receipt issued against your manifest before the attack window gives you a fixed anchor. SHA-384 Merkle-committed, RS256 signed.…
