Why no tool can currently prove your code was reviewed and why that gap is now a crisis
In March 2025, a GitHub account compromise triggered one of the most damaging software supply chain attacks of the year. In September, the Shai-Hulud worm tore through 800 npm packages via self-propagation — the first known self-replicating open source malware. In October, F5 Networks' development environment was breached by a China-linked group who stole BIG-IP source code containing encryption keys and configuration files. In November, trojanized versions of packages from PostHog, Zapier and Postman were pushed to npm via compromised maintainer accounts.

And in almost every post-incident analysis, the same question surfaced: when exactly did the clean version become the compromised version, and how would anyone know?

That question doesn't have a good answer today. This article explains why, and what answering it properly actually requires.

The scale of the problem

Software supply chain attacks more than doubled globally in 2025. Over 70% of organisations reported experiencing at least
Continue reading on Dev.to Webdev