Cryptographic Registry Provenance: Structural Defense Against Dependency Confusion in AI Package Ecosystems 事件

Cryptographic Registry Provenance: Structural Defense Against Dependency Confusion in AI Package Ecosystems arXiv:2605.03309v2 Announce Type: replace-cross Abstract: Dependency confusion attacks exploit a structural gap in software distribution: once a package is installed, there is no cryptographic proof of which registry distributed it. Every existing defense is configuration-based and fails silently when misconfigured. We present a cryptographic distribution provenance system comprising thre