diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 81e079d..33fcf61 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -29,7 +29,8 @@ jobs: node-version: 22 cache: npm - run: npm ci - - run: npm run sbom + - name: Generate SBOM + run: npx --yes @cyclonedx/cyclonedx-npm@^4 --omit dev --output-file sbom.cdx.json - name: Attach SBOM to release env: GH_TOKEN: ${{ github.token }} diff --git a/CHANGELOG.md b/CHANGELOG.md index 119f56d..c99c567 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), ## [Unreleased] +### Fixed +- The `SBOM` workflow now invokes `@cyclonedx/cyclonedx-npm` via `npx` (pinned to `^4`) instead of `npm run sbom`. This decouples the release-time SBOM generation from the local script, so the workflow can backfill SBOMs against historical tags that pre-date the script. + ## [2.3.0] - 2026-05-10 ### Added
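Review bot: In the `sbom.yml` hunk, `npx --yes @cyclonedx/cyclonedx-npm@^4` is a floating range, not a pin: `--yes` will silently install whatever 4.x version the registry serves at release time, so the tool that produces the release artifact is resolved on every run rather than from the lockfile, and a new or tampered 4.x publish would be picked up unreviewed. Pin an exact version (e.g. `@cyclonedx/cyclonedx-npm@4.x.y` with the version you validated) or install it as a lockfile-tracked devDependency so `npm ci` provides it. Also confirm that the `Attach SBOM to release` step that follows references `sbom.cdx.json`; the output name the old `npm run sbom` script produced is not visible in this hunk, so a mismatch would only surface as a failed or empty release attachment.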
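Review bot: The CHANGELOG entry says the tool is "pinned to `^4`", but `^4` is a caret range that allows any 4.x release, which is the opposite of a pin; reword to "constrained to the 4.x range" or, better, update the workflow to an exact version and state that version here so the entry stays accurate. Since the entry also describes a change in how release SBOMs are produced rather than a bug fix, it may belong under a `### Changed` heading per the Keep a Changelog format the file cites.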