Skip to content

Trusted Intermediary Compromise

Prime #
1247
Origin domain
Computer Science & Software Engineering
Subdomain
supply chain security → Computer Science & Software Engineering

Core Idea

Trusted intermediary compromise is the structural pattern in which a downstream consumer's integrity depends on the integrity of an upstream producer through a channel that does not distinguish legitimate output from adversarial substitution. Trust is conferred on the producer or the channel rather than verified at each artefact, so an attacker who gains write access at the producer — or anywhere on the channel — lets the channel propagate a hostile payload past defences the consumer placed at its own perimeter. The attack succeeds because of the transitivity of trust across the dependency edge: the consumer's perimeter check is not broken but bypassed, gone around through the trusted relationship.

Five pieces are load-bearing. There is a dependency graph with a trust-bearing edge from consumer to producer. There is a delivery channel — build pipeline, package repository, distribution network, information channel — carrying the producer's output to the consumer. There is trust-conferral on the channel or producer rather than artefact-level verification at the consumer. There is attacker write access at some point on the producer-or-channel path. And there is an asymmetric attack economics: one successful write at the producer pays out across all consumers downstream of the trust edge.

The structural insight that lifts this above any single security finding is that the same configuration — dependency graph plus trusted channel plus non-discriminating delivery plus write access plus transitive trust — recurs across software, AI, pharmaceuticals, food, hardware, information ecosystems, and finance. Across all of them the attacker's leverage is identical: go upstream, write once, harm many. The substrate-specific labels — supply-chain attack, tampering, adulteration, espionage, rating shopping — name one instance each of a single structural pattern.

How would you explain it like I'm…

The Bad Lunch On The Trusted Truck

Imagine you lock your front door carefully, but you always trust your milk delivery and let it straight into the kitchen without checking. If a sneaky person swaps the milk for something bad, it walks right past your locked door because you trusted the delivery instead of checking the bottle. The danger got in through the helper you trusted, not through the door you guarded.

Trusted The Helper, Not The Item

Suppose you carefully lock your front door, but you always accept any package the delivery company drops off without opening it, because you trust them. If a bad guy slips a harmful package into the delivery truck, it sails straight past your locked door — your lock wasn't broken, it was gone AROUND. That's the heart of it: trust passes along a chain, so harming the supplier or the delivery route harms everyone who trusts it. And the math is lopsided for the attacker: tamper ONCE up at the source, and it pays off across every single customer downstream.

Go Upstream, Harm Many

Trusted Intermediary Compromise is the pattern where a downstream consumer's integrity depends on an upstream producer through a channel that does not tell legitimate output apart from a malicious substitution. Trust is granted to the producer or the channel rather than verified for each item, so an attacker who gains write access at the producer — or anywhere along the channel — lets the channel carry a hostile payload right past the defenses the consumer set up at its own perimeter. The attack works through the transitivity of trust across the dependency link: the consumer's check is not broken, it is bypassed, gone around via the trusted relationship. Five pieces are load-bearing: a dependency graph with a trust-bearing edge, a delivery channel carrying the producer's output, trust placed on the channel or producer instead of artefact-level verification, attacker write access somewhere on that path, and asymmetric economics where one successful write upstream pays out across all downstream consumers — go upstream, write once, harm many.

 

Trusted Intermediary Compromise is the structural pattern in which a downstream consumer's integrity depends on the integrity of an upstream producer through a channel that does not distinguish legitimate output from adversarial substitution. Trust is conferred on the producer or the channel rather than verified at each artefact, so an attacker who gains write access at the producer — or anywhere on the channel — lets the channel propagate a hostile payload past defenses the consumer placed at its own perimeter. The attack succeeds because of the transitivity of trust across the dependency edge: the consumer's perimeter check is not broken but bypassed, gone around through the trusted relationship. Five pieces are load-bearing: a dependency graph with a trust-bearing edge from consumer to producer; a delivery channel — build pipeline, package repository, distribution network, information channel — carrying the producer's output to the consumer; trust-conferral on the channel or producer rather than artefact-level verification at the consumer; attacker write access at some point on the producer-or-channel path; and an asymmetric attack economics in which one successful write at the producer pays out across all consumers downstream of the trust edge. The structural insight that lifts this above any single security finding is that the same configuration recurs across software, AI, pharmaceuticals, food, hardware, information ecosystems, and finance — the attacker's leverage identical everywhere: go upstream, write once, harm many. The substrate-specific labels — supply-chain attack, tampering, adulteration, espionage, rating shopping — name one instance each of a single structural pattern.

Structural Signature

the dependency graph with a trust-bearing edgethe delivery channel carrying producer output to consumerthe channel-or-producer trust conferral (not artefact-level verification)the attacker write-access on the producer-or-channel paththe asymmetric write-once-harm-many economicsthe trust-transitivity invariant that bypasses the consumer's perimeter

The pattern holds whenever these components co-occur:

  • The trust edge (role). A dependency edge from consumer to producer on which the consumer's integrity depends.
  • The delivery channel (role). A build pipeline, package repository, distribution network, or information channel carrying the producer's output to the consumer.
  • The channel-level trust (relation). Trust is conferred on the producer or the channel rather than verified at each artefact — the consumer's perimeter check applies to its own walls, not to incoming goods.
  • The write access (role). An attacker who gains the ability to substitute output at the producer or anywhere on the channel.
  • The asymmetric economics (invariant). One successful upstream write costs the same as any write but pays out across all consumers downstream of the trust edge — go upstream, write once, harm many.
  • The trust-transitivity invariant. Trust is intended to be non-transitive but propagates operationally: the consumer's perimeter is not broken but bypassed, gone around through the trusted relationship, so a hostile payload arrives past defences the perimeter never had a chance to check.

The components compose into the signature: a non-discriminating channel plus channel-level trust plus upstream write access lets transitive trust carry an adversarial substitution past the consumer's perimeter — with symptoms surfacing downstream, far from the upstream compromise.

What It Is Not

  • Not trust. Trust is the bare relation of relying on another party; this prime is the exploitation of trust's transitivity by an adversary who writes once upstream to harm many downstream. Trust is the substrate the attack rides, not the attack.
  • Not data_integrity failure in general. Data-integrity loss can be accidental corruption; this prime is adversarial substitution carried past a perimeter through a trusted channel, with asymmetric write-once-harm-many economics.
  • Not signaling. Signaling is a sender conveying type through a costly signal; here the adversary forges the legitimate producer's output so the consumer's verification confirms provenance while the payload is hostile.
  • Not a perimeter breach. The consumer's perimeter is not broken but bypassed — the payload arrives through a trusted edge the perimeter never inspects. Hardening the perimeter does nothing against this vector.
  • Not formal_vs_informal_structures. That prime contrasts official and unofficial organisation; trusted-intermediary compromise is a property of a dependency graph plus delivery channel, independent of whether the trust relationship is formal or informal.
  • Not liquidity. Liquidity concerns the ease of converting or moving an asset; the surface resemblance (things flowing through a channel) is coincidental — this prime is about adversarial integrity across a trust edge, not about market depth or convertibility.
  • Common misclassification. Responding to a supply-chain compromise by reinforcing perimeter controls (firewalls, input validation) that the trusted channel goes around by design. If the threat entered through a trusted relationship the boundary never inspects, perimeter hardening is structurally irrelevant.

Broad Use

  • Software supply chain. A compromised build server ships signed updates carrying a trojan to thousands of customers; a subverted maintainer commits a backdoor into a widely used library that propagates into every downstream distribution.
  • AI supply chain. Poisoned training data ingested through scraped corpora, trojaned model checkpoints used without artefact-level verification, and benchmark contamination that produces falsely trustworthy numbers.
  • Pharmaceuticals and food. Tampering written into the distribution channel of a trusted brand, and upstream supplier substitution of a cheaper adulterant that passes identity tests designed for accidental contamination, propagating through trusted retail channels.
  • Hardware. Counterfeit components entering a trusted procurement channel and reaching consumers who trusted the supplier rather than testing each lot.
  • Information and finance. Rumour laundering, where a planted story is escalated through outlets of rising credibility until consumers inherit the falsification from a trusted source; and the rating channel, where investors relied on agency ratings rather than re-examining underlying loans.
  • Intelligence and academia. Trusted-insider compromise, where the channel propagating "trusted" information is itself the attack surface; and citation laundering, where a flawed finding is inherited through a chain of re-citation without re-verification.

Clarity

Naming the pattern reveals that the defensive perimeter at the consumer is structurally irrelevant to this attack class: no matter how strong the consumer's perimeter, the attack arrived through a trusted channel that bypasses it. The framing forces a distinction usually muddled in practice — between perimeter integrity (one's own walls) and supply integrity (incoming goods) — and exposes that many defensive architectures invest heavily in the former and structurally cannot defend against the latter. Once named, the diagnostic question becomes precise: which incoming edges in the trust graph have artefact-level verification, and which rely on channel-or-producer trust?

The framing also names the attacker's economics, which predicts where attacks concentrate. One successful write at a heavily shared upstream producer pays out across thousands of consumers; one successful write at a narrowly shared consumer pays out once. This write-once-harm-many asymmetry tells both the attacker where to concentrate effort and the defender where to concentrate scarce verification resources — at the high-leverage upstream nodes that bear the most consequence-weight, rather than spread evenly across a perimeter that the attack will not even touch.

Manages Complexity

The pattern compresses a wide family of high-impact incidents across software, pharmaceuticals, food, finance, intelligence, and academia into one diagnostic procedure: map the trust graph (which producers does each consumer trust?), identify the channels (how does output reach the consumer?), characterise the verification at the consumer end (channel-trust versus artefact-trust), locate the high-leverage upstream nodes, and install artefact-level verification at the trust edges that bear the most consequence-weight. The procedure is the same regardless of whether the artefacts are software packages, model weights, drugs, food products, or credit ratings.

The intervention catalogue is portable. Artefact-level verification — cryptographic signing, provenance attestation, third-party audit, lot-level testing, multi-source cross-reference. Producer-side hardening — build-server isolation, maintainer-access auditing, supplier qualification, source vetting. Channel verification — immutable distribution channels, signed transport, end-to-end integrity proofs. Diversity of sourcing — multiple independent producers for the same input, reducing single-producer leverage. Consumer-side sandboxing — treat all incoming artefacts as adversarial until proven otherwise rather than trusted by channel. Continuous monitoring of trust-edge behaviour to detect substitution after the fact. Every move shifts trust from the channel level to the artefact level, which is the single structural correction the pattern prescribes.

Abstract Reasoning

Several abstractions sharpen the pattern. Trust transitivity: trust does not compose safely — if A trusts B and B trusts C, A does not thereby trust C in the structural sense, yet A's defences may behave as if it did, and the mismatch between intentional trust composition and operational trust propagation is the gap the attacker exploits. Upstream-leverage reasoning: in a trust graph the consequence-weight per attack scales with downstream consumer count, so attackers concentrate at the highest-leverage nodes — popular packages, dominant suppliers, prestige outlets, anchor citations — and defenders should mirror that concentration. Channel-versus-artefact: every trust edge can be characterised by whether verification is channel-level (trust the source) or artefact-level (verify each instance), and the shift from the former to the latter is the substrate-general intervention.

Two further abstractions extend the analysis. Asymmetric attack economics: writing once at the producer costs the same as writing once anywhere, but the payout multiplies by consumer count, and that ratio is the structural reason these attacks are persistently attractive. Diagnostic-lag reasoning: symptoms appear at the consumer, far from the producer-side compromise, so attribution requires forensics across the trust edge, and the lag favours the attacker. Together these explain why the pattern is both attractive to attack and hard to defend: the leverage is upstream, the symptoms are downstream, and the trust that connects them is exactly what the perimeter was built to extend rather than to check.

Knowledge Transfer

Because the pattern is a configuration of a trust graph and a delivery channel rather than anything substrate-specific, both its analysis and its defences transfer across fields that share no content. The digital-signature pattern transferred from secure communication into package signing and supply-chain attestation frameworks, carrying the artefact-level-verification recipe intact. The lot-level testing, provenance documentation, and chain-of-custody recordkeeping of pharmaceutical quality assurance transferred into food-supply assurance. The recognition of citation chains as trust channels shaped fact-checking, and the preregistration and replication norms of science are the same artefact-level-verification recipe applied to academic publication. The insider-threat model from espionage ported into zero-trust corporate architectures that explicitly assume trusted-channel compromise is always possible.

The deepest transfer is the recipe itself — artefact-level verification, producer hardening, channel verification, source diversity, consumer sandboxing, continuous monitoring — recognisable across every substrate instance because each is a way of shifting trust from the channel to the artefact. A practitioner who has installed package signing in software can recognise, in pharmaceuticals or finance, that the consumer is trusting a channel rather than verifying an artefact, and that the repair is lot-level testing or loan-level re-evaluation — the same move in a different medium. The load-bearing claim that makes the transfer clean is the trust-transitivity insight: trust is intended to be non-transitive but propagates operationally, and once that gap is named, the diagnostic-and-intervention recipe becomes a substrate-general practice of installing artefact-level verification at trust edges, regardless of what the trusted producer happens to deliver.

Examples

Formal/abstract

A software build-and-distribution supply-chain attack is the canonical worked instance, and it makes the trust-transitivity invariant concrete. The dependency graph has a trust-bearing edge from thousands of customer organisations to a network-management software vendor whose product they install with high privilege. The delivery channel is the vendor's build pipeline and signed-update mechanism. Channel-level trust holds because each customer verifies the vendor's code-signing signature rather than inspecting the artefact's behaviour — the perimeter check applies to "is this really from the vendor?", not to "is this payload benign?". The attacker write access is gained at the build server: the adversary inserts a backdoor into the source before it is compiled and signed, so the malicious build is signed by the legitimate key and is indistinguishable, to every downstream check, from a clean release. The asymmetric economics are the structural payoff — one successful write at the shared upstream vendor pays out across every customer who pulls the update: go upstream, write once, harm many. The trust- transitivity invariant is exactly what the case displays: each customer's perimeter is not broken but bypassed, gone around through the trusted update relationship, so the hostile payload arrives past defences that never had a chance to inspect it. The single structural correction the pattern prescribes — shift trust from the channel to the artefact — instantiates as reproducible builds, provenance attestation (proving the binary was built from the published source), and behavioral sandboxing of updates before deployment. Mapped back: the customer-to-vendor dependency is the trust edge, the signed-update pipeline is the delivery channel, the build-server intrusion is the upstream write access, the signed trojan reaching all customers is the write-once-harm-many economics, and the bypassed (not broken) perimeter is the trust-transitivity invariant.

Applied/industry

Pharmaceutical supplier adulteration is the applied worked case, exercising a physical-goods domain and confirming the pattern is not specific to software. The dependency graph runs from a drug manufacturer (and ultimately patients) to an upstream raw-ingredient supplier. The delivery channel is the global ingredient supply chain and trusted retail distribution. Channel-level trust holds because the manufacturer's incoming-quality tests are identity tests designed to catch accidental contamination, and it trusts the qualified supplier rather than re-assaying every lot against an adversary. The attacker write access is the supplier substituting a cheaper adulterant engineered to pass those identity tests — a deliberate spoof of the verification the consumer relies on. The asymmetric economics are identical to the software case: one substitution at a shared upstream supplier propagates through every finished batch and out across trusted retail channels to many patients. The trust-transitivity invariant holds because the manufacturer's perimeter (its own quality lab) is bypassed via the trusted supplier relationship — the hostile payload arrives past a perimeter built to extend trust, not to check incoming goods. The repair is the same channel-to-artefact shift, realised as lot-level testing against adversarial substitution, supplier diversification to cut single-producer leverage, and provenance documentation. Two further genuine domains exhibit the same configuration: in finance, investors relied on agencies' credit ratings (a trusted channel) rather than re-examining the underlying loans, so a compromise of the rating channel propagated to all holders; and in scholarship, citation laundering inherits a flawed finding through a chain of re-citation without re-verification, the academic instance of channel-trust over artefact-trust. Mapped back: the supplier dependency is the trust edge, the ingredient supply chain is the delivery channel, the test-passing substitution is the upstream write, the propagation to all patients is the asymmetric economics, and the bypassed quality lab is the trust- transitivity invariant — repaired by lot-level artefact verification.

Structural Tensions

T1 — Channel-Level Trust versus Artefact-Level Verification (scopal). The compromise lives in trusting the producer or channel rather than verifying each artefact; the repair is to push verification to the artefact (signatures, lot testing, reproducible builds). But artefact verification is costly and does not scale to every dependency. The failure mode is trusting the channel for convenience and being bypassed, or demanding artefact-level checks everywhere and grinding the supply chain to a halt. Diagnostic: ask whether trust is conferred on the relationship or established per-artefact, and whether the verification cost is concentrated where the blast radius justifies it.

T2 — Perimeter Defense versus Transitive Bypass (sign/direction). The consumer's perimeter is not broken but bypassed — the hostile payload arrives through the trusted edge, past defenses that only face outward. Hardening the perimeter does nothing against this vector. The failure mode is responding to a supply-chain compromise by reinforcing perimeter controls (firewalls, input validation) that the trusted channel goes around by design. Diagnostic: ask whether the threat enters through a defended boundary or through a trusted relationship that the boundary never inspects.

T3 — Write-Once-Harm-Many Economics versus Defender's Per-Edge Cost (scalar). The attacker's leverage is asymmetric: one upstream write pays out across all downstream consumers, while the defender must secure every edge. The economics structurally favor the attacker at scale. The failure mode is the defender spreading security budget evenly across dependencies, when the attacker concentrates on the single highest-fan-out node. Diagnostic: rank trust edges by downstream blast radius and ask whether defensive investment is concentrated on the high-fan-out producers, not uniformly distributed.

T4 — Trust as Vulnerability versus Trust as Necessary Efficiency (coupling). Transitive trust is the exploit, but it is also what makes supply chains, package ecosystems, and division of labor work — verifying everything from scratch defeats the purpose of an intermediary. The competing prime is that trust is load-bearing efficiency, not mere laziness. The failure mode is prescribing zero-trust everywhere and destroying the productivity the intermediary existed to provide. Diagnostic: ask whether the trust edge can be removed or must be retained, and if retained, how to make compromise detectable rather than impossible.

T5 — Upstream Compromise versus Downstream Symptom (temporal/scopal). The cause is an upstream write; the symptom surfaces downstream, far from the compromise in space, time, and accountability — often long after the malicious artefact was distributed. This separation is the prime's diagnostic difficulty. The failure mode is investigating the breach at the victim consumer, where nothing local explains it, never reaching the upstream producer. Diagnostic: when many independent consumers fail in correlated ways, trace the shared upstream dependency rather than each consumer's perimeter.

T6 — Detecting Substitution versus Authorized-but-Malicious Producer (measurement). The model assumes an attacker gains illegitimate write access, repairable by integrity verification (the artefact matches the legitimate producer's output). But the producer itself may be the adversary, or coerced — then signatures verify a genuinely-produced malicious artefact. Integrity checks confirm provenance, not benignity. The failure mode is trusting a valid signature as evidence of safety when the legitimate producer is the threat (the xz/insider case). Diagnostic: ask whether the defense verifies that the artefact came from the producer, or that the producer itself is trustworthy — these are different guarantees.

Structural–Framed Character

Trusted intermediary compromise sits on the structural side of the middle of the structural–framed spectrum — a mixed-structural prime with an aggregate of 0.4. Its core is a graph-theoretic configuration: a dependency graph with a trust-bearing edge, a non-discriminating delivery channel, channel-level (not artefact-level) verification, upstream write access, and write-once-harm-many economics, with trust transitivity as the invariant that carries a hostile payload past a perimeter it bypasses rather than breaks. That skeleton is genuinely abstract and substrate-spanning — the entry instantiates it identically in software builds, pharmaceutical adulteration, credit-rating channels, and citation laundering — so one diagnostic reads fully structural: institutional_origin is 0. The trust-graph-plus-channel configuration is a formal property of any intermediated dependency, not an artifact of a particular human institution.

Two diagnostics read mid, and one carries a real charge, which together land the 0.4. The pattern is partly human-practice-bound (0.5) and, more pointedly, requires adversarial agents: there is no compromise without an attacker who gains write access and deliberately substitutes. Unlike a purely physical pattern that runs in any substrate indifferently, this one needs producers, consumers, and an adversary — agentic roles — even though those roles span digital, physical, and informational media. Evaluative weight is 0.5: the prime carries a security/safety load. "Compromise," "hostile payload," "attack," "harm many" frame it as an adversarial pathology, not a value-neutral structure — though the underlying graph configuration is itself neutral, which is why the criterion is half rather than full. Vocabulary travels at 0.5 ("trust edge," "delivery channel," "artefact-level verification," "write-once-harm-many" are portable across every substrate the entry visits), and invoking the prime imports the supply-chain-security frame rather than merely recognizing a wired-in pattern (import_vs_recognize 0.5). The honest reading is a crisp structural configuration that only manifests as a compromise under adversarial agency and carries security stakes — mixed-structural, just structural-of-center.

Substrate Independence

Trusted intermediary compromise is a strongly substrate-independent prime — composite 4 / 5 on the substrate-independence scale. Its domain breadth is wide: the trust-transitivity-exploited-across-a-channel pattern recurs across the software supply chain (SolarWinds, the xz backdoor), the AI supply chain (poisoned training data, trojaned checkpoints), pharmaceuticals and food (the Tylenol tampering, melamine adulteration passing identity tests), hardware procurement (counterfeit components), information and finance (rumour laundering, reliance on agency ratings), and intelligence and academia (trusted-insider compromise, citation laundering) — genuinely distinct domains where the same exploited-trust-edge does the work. Its structural abstraction is high: the signature is a relational pattern over a dependency graph — a consumer inherits trust transitively from an intermediary, and an adversary subverts the intermediary to push a hostile payload past a perimeter that would have caught it directly — statable without any one field's vocabulary. Transfer evidence is the strongest component: named, well-documented instances exist in each substrate (SolarWinds, xz, Tylenol, melamine, rating-channel failure), and the defensive logic (verify artefacts rather than channels, reduce transitive trust) transfers verbatim between software, pharma, and hardware. What holds the composite at 4 rather than 5 is that the pattern requires an adversarial agent and a trust relation, so there is no purely physical or non-agentic substrate, and it carries a mild security/safety evaluative load — but within that band the structure is clean and the cross-domain transfer is heavily documented.

  • Composite substrate independence — 4 / 5
  • Domain breadth — 4 / 5
  • Structural abstraction — 4 / 5
  • Transfer evidence — 5 / 5

Relationships to Other Primes

One-hop neighborhood: parents above, mutual partners to the right, children below.Trusted IntermediaryCompromisecomposition: TrustTrust

Parents (1) — more general patterns this builds on

  • Trusted Intermediary Compromise presupposes Trust

    The file: substrate-to-exploit — trust is the bare relation the attack RIDES; this prime is the adversarial exploitation of trust's TRANSITIVITY (write once upstream, harm many downstream past a bypassed perimeter). Presupposes trust as the substrate. The 0.959 nearest is trust — the substrate, NOT identity and NOT a reparent.

Path to root: Trusted Intermediary CompromiseTrust

Neighborhood in Abstraction Space

Trusted Intermediary Compromise sits among the more crowded primes in the catalog (35th percentile for distinctiveness): several abstractions describe nearly the same structure, so a description that fits it will tend to fit its neighbors too — transporting it usually means disambiguating within this family rather than landing on it exactly.

Family — Information Channels & Intermediaries (15 primes)

Nearest neighbors

Computed from structural-signature embeddings · 2026-06-14

Not to Be Confused With

The embedding-nearest neighbour is trust, and the relationship is substrate-to-exploit. trust is the bare relation of relying on another party's output, intention, or competence — a structural primitive that makes division of labour, supply chains, and intermediated systems possible at all. Trusted-intermediary compromise is not trust but the adversarial exploitation of trust's transitivity: the gap between trust as intended (non-transitive — A trusting B does not mean A trusts whoever compromised B) and trust as it propagates operationally (the consumer's defences behave as if the trust composed, so a hostile payload written upstream rides the trusted edge straight through). The prime depends on trust the way an exploit depends on a vulnerable feature, but it adds a dependency graph, a delivery channel, write access, and write-once-harm-many economics — none of which belong to trust itself. The distinction is load-bearing precisely because the repair is not "stop trusting" (T4: transitive trust is the load-bearing efficiency the intermediary exists to provide) but "shift verification from the channel to the artefact," which presupposes that trust must be retained and made compromise-detectable rather than eliminated. A practitioner who reads the prime as "trust is bad" destroys the productivity the intermediary existed for; the prime's actual content is that channel-level trust must be supplemented with artefact-level verification at high-blast-radius edges.

The second genuine confusion is with data_integrity. Both concern an artefact arriving in a state other than its legitimate one, and integrity verification is in fact one of the prime's repairs. But generic data_integrity covers any corruption — bit rot, transmission error, accidental overwrite — and is satisfied by checks that confirm an artefact matches its expected value. Trusted-intermediary compromise is specifically adversarial and specifically transitive: an attacker with upstream write access substitutes a malicious-but-validly-signed artefact, so ordinary integrity checks pass (the binary is signed by the legitimate key) while the payload is hostile. The sharpest divergence is T6: integrity checks confirm provenance (this came from the producer), not benignity (this is safe), and when the legitimate producer is itself the adversary or is coerced, data-integrity verification gives a green light to a genuinely- produced malicious artefact. Conflating the two leads to trusting a valid signature as evidence of safety — the exact failure the insider/xz case embodies — when the guarantee the situation needs (producer trustworthiness) is one that integrity verification structurally cannot provide.

A third worth distinguishing is signaling. A signaling relationship has a sender deliberately producing a costly signal so a receiver can infer the sender's type; the warrant flows from the cost structure. Trusted- intermediary compromise inverts the trust the signal was meant to carry: the adversary forges the producer's legitimate output (a signed update, a test-passing ingredient lot) so that the consumer's verification of the "signal" confirms authenticity while the substance is hostile. Where signaling supplies a warranted inference from cue to type, this prime is an attacker counterfeiting that very cue. The distinction tells the practitioner that the defence is not "read the signal more carefully" but "verify the artefact against adversarial substitution," because the cue itself has been captured.

For a practitioner the distinctions route the response: a trust framing asks whether the relationship can be removed (usually not); a data_integrity framing asks whether the artefact matches its expected value (necessary but not sufficient, since it confirms provenance not benignity); a signaling framing asks whether the cue is warranted (but the cue may be forged); and the trusted-intermediary-compromise framing asks the operative question — which incoming trust edges rely on channel-level trust rather than artefact-level verification, and which of those bear enough downstream blast radius to justify concentrating scarce verification there.

Solution Archetypes

No catalogued solution archetypes reference this prime yet.