18,000 organizations installed a compromised update. The vendor was trusted. The signature was valid. But execution was never verified at the boundary.
18,000 organizations were compromised through a trusted software update. Not because trust was wrong — but because trust replaced verification at the execution boundary.
The vendor was legitimate. The signing certificate was valid. The update pipeline followed every standard procedure. But the system never asked: "What will this code actually do when it executes?"
Signature verification answers "who sent this?" — not "what will this execute?" The execution boundary asks both questions before granting the execution permit.
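The two questions above, written out as a single gate in Python. This is an added illustration, not code from the original post: the vendor key, the HMAC stand-in for the vendor's signature, the attested-digest manifest and the update contents are all constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the vendor's signing key. A real pipeline uses an
# asymmetric signature; HMAC keeps this example offline and dependency-free.
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"

# Constructed attestation manifest: digests of update contents approved by a
# separate build-attestation step. This answers "what will execute",
# independently of who signed the artifact.
ATTESTED_DIGESTS = {
    hashlib.sha256(b"update v2.1: fix parser bounds check").hexdigest(),
}


@dataclass(frozen=True)
class Update:
    payload: bytes
    signature: bytes  # vendor signature over payload


def vendor_sign(payload: bytes) -> bytes:
    """What the vendor's (possibly compromised) pipeline does to every release."""
    return hmac.new(VENDOR_SIGNING_KEY, payload, hashlib.sha256).digest()


def signer_is_trusted(update: Update) -> bool:
    """Question 1: who sent this? True when the vendor key produced the signature."""
    return hmac.compare_digest(vendor_sign(update.payload), update.signature)


def content_is_attested(update: Update) -> bool:
    """Question 2: what will this execute? True when the digest is in the manifest."""
    return hashlib.sha256(update.payload).hexdigest() in ATTESTED_DIGESTS


def execution_permit(update: Update) -> tuple[bool, str]:
    """Interlock at the execution boundary: both questions must pass before code runs."""
    if not signer_is_trusted(update):
        return False, "denied: signature invalid or untrusted signer"
    if not content_is_attested(update):
        return False, "denied: trusted signer, but content is not attested"
    return True, "permitted: trusted signer and attested content"


if __name__ == "__main__":
    clean = b"update v2.1: fix parser bounds check"
    # Constructed: the build pipeline was altered, so the real key signs the wrong bytes.
    tampered = clean + b" + implant"
    for payload in (clean, tampered):
        print(execution_permit(Update(payload, vendor_sign(payload))))
```

The tampered build carries a valid vendor signature and still fails, which is the gap the post describes: the signature check alone would have let it run.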
"The signature was valid. The vendor was trusted.
But trust is not attestation."
🚂 In railway systems, this is called an interlock — nothing moves until the state is verified at the point of actuation.
"Zero Trust secures access.
Execution Boundary secures action."