Building in public. Here's what exists.
Prechained — free cryptographic archive of the entire software supply chain. Every package. Every version. Bitcoin anchored before attacks happen.
cbomcompliance — compliance-grade CBOM receipts. SHA-384, Merkle trees, RS256-signed JWS. Zero retention. CMMC, EU CRA, ISO 27001.
20022validator — cryptographic integrity receipts for ISO 20022 financial messages. Built for DORA and real-time settlement.
cuistandard — CUI scoping toolkit for federal contractors under CMMC Level 2 and NIST SP 800-171.
statutoryregistry — cryptographic receipts for legal instruments and regulatory filings. DORA, NIS2, SEC, EU CRA.
cbomdirectory — the definitive public resource explaining what a CBOM actually is and why an SBOM isn't enough.
stackrift — where builders who ship get found.
8 live. 17 more in deployment. Bitcoin anchored since block 937832. USPTO patent pending.
Trust is not declared. It is computed.
@AikidoSecurity @RedHat We just captured 50 versions of ai-sdk-ollama with SHA-384 fingerprints — receipt NGR-PC-MQ01WVR02ZTAIN. Not pre-incident, but the full version history is now archived and verifiable at https://t.co/PuunWe1xzM
https://t.co/EckhRwdNko just got a major upgrade.
For anyone who doesn't know what Prechained is:
It's a free, open-source cryptographic archive of the software supply chain. Every package version we capture gets SHA-384 fingerprinted and permanently archived to GitHub — before any attack is disclosed, before any takedown, before any security researcher publishes a finding.
The receipt already exists. That's the point.
What's new:
→ Real-time npm monitoring. New packages published to npm are monitored in real time. Not a curated list — the entire feed.
→ Live Threat Feed. Automatic detection of fingerprint mutations, new install hooks, publisher changes, and size spikes. Every finding links to verifiable before/after receipts.
→ Incident Registry. Community-submitted and auto-detected incidents in one place. Submit a package. Get a cryptographic receipt.
→ 8 ecosystems. npm, PyPI, Cargo, RubyGems, NuGet, Maven, Packagist, GitHub.
Free. No login. No account. AGPL-3.0.
https://t.co/uSzJhhvPxM
#SupplyChainSecurity #npm #CyberSecurity #infosec #SoftwareSupplyChain #OpenSource #SBOM #DevSecOps #PackageSecurity #CyberThreats #CMMC #OSS
cc @OpenSSF @socketdotdev @SwiftOnSecurity @Ransom_DB
The regulations are here. The deadlines are real.
DORA — in effect now. 160,000+ entities.
CMMC 2.0 — 300,000 defense contractors. November 2026.
EU Cyber Resilience Act — every digital product sold in the EU.
SEC cybersecurity rules — material incidents disclosed in 4 days.
Built five tools to help you prove compliance — not just claim it:
→ https://t.co/uSzJhhvPxM — cryptographic archive of the entire software supply chain. Every package. Every version. Before the attack happens. Free.
→ https://t.co/tu9PxdmpNY — turn your SBOM into independently verifiable evidence. A document is a claim. A signed receipt is proof.
→ https://t.co/33FAagYlRS — cryptographic notarization for regulatory filings, legal instruments, and compliance attestations. Zero retention. Independent verification.
→ https://t.co/hJBI7LH0B9 — CMMC Level 2 CUI scoping documentation in 20 minutes. Assessor-ready. $299.
→ https://t.co/12zRapuMNS — cryptographic receipts for ISO 20022 financial messages. Built for DORA.
All built on the same principle: trust is not declared. It is computed.
https://t.co/KtLrbDwyyo
#CMMC #CyberSecurity #SupplyChainSecurity #DORA #NIS2 #SBOM #CyberResilience #DefenseContracting #ISO20022 #InfoSec #ComplianceTech #CUI #CMMC2 #SoftwareSupplyChain #ZeroTrust
The 80% solution priced like a 200% solution. That gap is the whole problem. Half of what those platforms charge for is lock-in, not compliance. The pieces that actually matter for an assessor are smaller and more boring than the vendors want you to believe, and most of them don't need a six-figure suite to produce.
Most signing systems treat key rotation as "retire the old key, trust the new one."
For a system that issues proof of what was true at a point in time, that's backwards. Retiring a key can't invalidate the receipts it already signed. The whole value is that they stay verifiable forever.
So https://t.co/tu9PxdmpNY now runs this:
Every signing key has a validity window. Every receipt carries its kid. A verifier pulls the exact key that signed a receipt and checks the issuance time falls inside that key's window. Rotation runs automatically on a fixed cadence. Retired keys stay published. Old receipts verify forever.
Revocation closes a key's window at a timestamp. Receipts issued before it stay valid. Anything after is rejected. Revocation without rewriting the past.
The published keyset hash is anchored via OpenTimestamps so the key history itself can't be backdated. Public keys only, private keys never leave the store.
Live keyset: https://t.co/RpCObDCqfX
Thanks @JundoYaps for the question that pushed this.
Trust is not declared. It is computed.
@JundoYaps Appreciate it. And it's not just the model, it shipped. Live now, keyset with windows, kid-resolved verification, auto-rotation, anchored history. You can poke at the whole keyset here: https://t.co/0kL2nxM6IZ
An SBOM tells you what's in your software. It doesn't prove it.
A Cryptographic Bill of Materials does. https://t.co/tu9PxdmpNY takes your CycloneDX or SPDX manifest and issues a signed cryptographic receipt. SHA-384 field hashing, Merkle root, RS256 signed, independently verifiable against a published public key.
The SBOM is the inventory. The CBOM is the proof.
https://t.co/tu9PxdmpNY
@tonylturner @tywilson21 @adnanthekhan @JundoYaps @KuptoKosmos @maruchan_MM @ResilientCyber
#SBOM #CBOM #SupplyChainSecurity #CMMC #CyberResilienceAct
@JundoYaps
Your question actually pushed me on the revocation piece. The cleanest model I keep coming back to: each key carries a validity window, and the keyset document itself gets anchored via OpenTimestamps so the window can't be backdated. Revocation then just closes a key's window at a timestamp, receipts before it stay valid, anything after is rejected. Anchoring the public keyset, never the private keys, so it's integrity not secrecy. Building it out now. Appreciate the nudge.
Two layers to that. The signing key: today it's a single RS256 key with the kid in every JWS header, public key on a stable endpoint, so a verifier always knows which key signed. Rotation isn't built yet. The direction is a published JWKS keyset so retired keys still verify old receipts while new ones sign with the current key, with key status published separately rather than invalidating past signatures, since a receipt's whole value is that it stays verifiable forever.
The customer access codes are separate and do have a lifecycle today: status, usage limits, and linked replacement codes when one is rotated out.
Prechained captured the complete version history of @redhat-cloud-services/tsc-transform-imports before this was public. 69 versions, cryptographic fingerprint of every manifest, timestamped Jun 1 at 07:36 AM PDT. If the manifest changes post-disclosure, we will show it. https://t.co/xzx4DnbCNZ NGR-PC-MPVBBU0J95WZZU
Open source packages change silently. By the time an incident is disclosed, the evidence is already gone.
Prechained captures cryptographic fingerprints of package manifests before incidents break publicly. We had tsc-transform-imports fingerprinted three hours before Miasma was disclosed. Your browser re-hashes the archived manifest from GitHub and checks it against the stored fingerprint. No trust required.
Verify it yourself. NGR-PC-MPVBBU0J95WZZU at https://t.co/xzx4DnbCNZ
@lukOlejnik @feross @Cyber_O51NT @S1r1u5_
#SupplyChainSecurity #opensource #Miasma #threatintelligence
Supply chain incidents are only useful as evidence if you can prove when you knew.
Prechained captured @redhat-cloud-services/tsc-transform-imports before the Miasma campaign was public. The receipt is independently verifiable — your browser re-hashes the archived manifest from GitHub and checks it against the stored fingerprint. No trust required.
Verify it yourself:
NGR-PC-MPVBBU0J95WZZU
https://t.co/xzx4DnbCNZ
#SupplyChainSecurity #SBOM #Miasma #opensource
ISO 20022 migration also creates a message integrity problem — pain, camt, pacs messages passing through legacy middleware with no verifiable record of their state at transmission. https://t.co/12zRapuMNS is building cryptographic receipts for exactly this. Same SHA-384 + Merkle + signed receipt stack.
@SourceCodeContr @CriticalHitNet Good framing. The 'beyond checkbox' piece usually comes down to whether your SBOM evidence is independently verifiable or just self-reported. That gap is where most programmes are still thin.
@FiniteStateInc
The Sept 11 gap is what most miss. A timestamped cryptographic receipt of your SBOM state at triage is one way to prove operational readiness — not just that you had a scanner. https://t.co/TuoGZo5QK5 generates them.
@ActiveState A cryptographic receipt is exactly that provenance chain — SHA-384 Merkle-committed, RS256-signed, independently verifiable without contacting us. https://t.co/TuoGZo5QK5 if that's what you're building toward.