# CTI Daily Brief — 2026-06-07

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Opus 4.8, model ID `claude-opus-4-8`) with parallel research and verification by sub-agents (Claude Sonnet 4.6, Claude Opus 4.8) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Claude Opus 4.8 (`claude-opus-4-8`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: Claude Opus 4.8, Claude Sonnet 4.6 · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.60 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **Keycloak 26.6.3 patches 16 CVEs in the EU public sector's reference IAM, led by a token-exchange privilege escalation.** `CVE-2026-9704` lets a low-privilege client silently omit the `subject_token` parameter in an OAuth 2.0 token exchange so Keycloak issues a token under the *requesting* client's identity, and `CVE-2026-4874` turns the OIDC token endpoint into an SSRF primitive. No known in-the-wild exploitation; patch-priority for any internet-reachable Keycloak underpinning e-government SSO ([Keycloak, 2026-06-04](https://www.keycloak.org/2026/06/keycloak-2663-released)). Full treatment in § 5.
- **Chrome 149 ships the largest single-release patch set in Chrome's history — 429 fixes — including a CVSS 9.6 sandbox escape in the ANGLE graphics engine (`CVE-2026-10881`).** Verify managed fleets have reached 149.0.7827.53+; no in-the-wild exploitation reported ([SecurityWeek, 2026-06-05](https://www.securityweek.com/chrome-149-patches-429-vulnerabilities/)). See § 2.
- **An autonomous AI agent found 21 zero-days in FFmpeg for roughly $1,000, nine already numbered (`CVE-2026-39210`–`39218`).** The bugs are heap/stack overflows in parsers and demuxers — one dating to 2003 — and FFmpeg is embedded across government media, surveillance and conferencing stacks. PoCs exist; no in-the-wild exploitation ([depthfirst, 2026-06-02](https://depthfirst.com/research/21-zero-days-in-ffmpeg)). See § 3.
- **The hijacked polyfill[.]io CDN domain reactivated and is throwing HTTP 401 prompts, surfacing native browser credential dialogs on sites that never stripped legacy script tags.** Toshiba and Muji issued public warnings; audit web properties for residual `polyfill[.]io` references ([BleepingComputer, 2026-06-05](https://www.bleepingcomputer.com/news/security/suspicious-polyfill-login-prompts-pop-up-on-toshiba-muji-websites/)). See § 1.
- **A Magecart variant hides its skimmer inside Stripe customer metadata and exfiltrates stolen cards back through `api.stripe.com` as fake customer records** — defeating CSP and WAF rules that universally allow-list Stripe. Detection must shift to server-side GTM-container integrity ([Sansec, 2026-06-04](https://sansec.io/research/stripe-api-skimmer-infrastructure)). See § 1.

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### Hijacked polyfill[.]io domain reactivates, surfacing native browser credential prompts on sites that never removed legacy script tags

The `polyfill[.]io` CDN domain — seized and weaponised in the June 2024 supply-chain attack that affected more than 100,000 sites — became active again in late May 2026 and began answering with HTTP 401 authentication challenges, which browsers render as native credential dialog boxes ([BleepingComputer, 2026-06-05](https://www.bleepingcomputer.com/news/security/suspicious-polyfill-login-prompts-pop-up-on-toshiba-muji-websites/)). Any site still loading a `<script src="…polyfill[.]io…">` tag — a failure documented across many organisations since 2024 — now prompts visitors for credentials in a dialog that appears to originate from the trusted site. Toshiba published a warning on 2026-06-02 telling users to click *Cancel* without entering anything ([Toshiba, 2026-06-02](https://www.global.toshiba/jp/top/info-20260602.html)); Muji issued a parallel notice stating it had not confirmed unauthorised access or data leakage ([BleepingComputer, 2026-06-05](https://www.bleepingcomputer.com/news/security/suspicious-polyfill-login-prompts-pop-up-on-toshiba-muji-websites/)). This is mechanically distinct from the 2024 redirect-to-malicious-JavaScript attack: the harm here is HTTP-401-induced credential phishing, not script injection, so neither party has confirmed exfiltration — but both advised affected users to change passwords. Maps to `T1195.002` (Compromise Software Supply Chain).
**Why it matters to us:** The exposure is entirely a function of stale third-party references, which most organisations underestimate. Grep all rendered HTML, CMS templates, and CDN-inclusion lists for `polyfill[.]io` with any subdomain or path; replace with the legitimate `polyfill.com` / `polyfill.top` mirrors or self-hosted polyfills, and enforce Subresource Integrity (SRI) on all third-party scripts. Web-proxy/SWG logs showing 401 responses from `polyfill[.]io` pinpoint pages that still load the script.

— *Source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/suspicious-polyfill-login-prompts-pop-up-on-toshiba-muji-websites/) · Additional source: [Toshiba — customer notice](https://www.global.toshiba/jp/top/info-20260602.html) · Tags: supply-chain, phishing, data-breach · Region: apac, global · Sector: technology, retail, manufacturing*
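
Added example (not code from BleepingComputer, Toshiba or any polyfill project): a stdlib-only Python audit that finds script tags still loading from polyfill[.]io and third-party scripts that lack an SRI `integrity` attribute. The sample HTML is constructed; host names other than polyfill.io are illustrative.

```python
"""Audit rendered HTML for residual polyfill[.]io script tags and for
third-party scripts without Subresource Integrity (SRI).

Added example for this brief, not code from any cited source. SAMPLE_HTML is
constructed; the first-party host and the example-cdn host are made up.
Stdlib only, so it runs offline against saved page captures."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Any host that is polyfill.io or a subdomain of it (cdn.polyfill.io, ...) is stale.
STALE_SUFFIXES = ("polyfill.io",)


class ScriptTagCollector(HTMLParser):
    """Collects the attribute map of every <script src=...> tag in a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attr_map = {k.lower(): (v or "") for k, v in attrs}
        if "src" in attr_map:
            self.scripts.append(attr_map)


def _host(src):
    # Protocol-relative URLs (//cdn.example/x.js) only parse once a scheme is prepended.
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def audit_scripts(html, first_party_host):
    """Return findings for one page as (severity, src, reason) tuples:
    'high' for any polyfill[.]io load, 'medium' for a third-party script
    with no integrity= attribute. Relative/first-party scripts are skipped."""
    collector = ScriptTagCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs["src"]
        host = _host(src)
        if any(host == s or host.endswith("." + s) for s in STALE_SUFFIXES):
            findings.append(("high", src, "loads from hijacked polyfill[.]io domain; remove or self-host"))
            continue
        if host and host != first_party_host.lower() and not attrs.get("integrity"):
            findings.append(("medium", src, "third-party script without integrity= (SRI) attribute"))
    return findings


# Constructed page: one stale polyfill tag, one third-party script without SRI,
# one with SRI, one first-party relative script and one inline script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//cdn.example-cdn.net/lib.js"></script>
<script src="https://cdn.example-cdn.net/lib2.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
<script>console.log("inline")</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for severity, src, reason in audit_scripts(SAMPLE_HTML, "www.example.gov"):
        print(f"[{severity}] {src}: {reason}")
```

Feed it the rendered HTML of each page (not just templates), since tag managers and CMS plugins inject script tags at render time.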

### Magecart family runs its skimmer out of Stripe — payload in customer metadata, stolen cards exfiltrated back through api.stripe.com

Sansec's forensics team documented a card-skimming family that routes both payload delivery and exfiltration entirely through Stripe's legitimate API ([Sansec, 2026-06-04](https://sansec.io/research/stripe-api-skimmer-infrastructure)). The actor creates a Stripe customer object and stores the skimmer JavaScript in that customer's metadata fields; at checkout the skimmer is fetched from `api.stripe.com`, captures full card number, CVV, expiry and billing address, then writes the stolen data *back* to Stripe by creating new fake customer records — so both inbound payload and outbound theft look like ordinary Stripe API traffic ([BleepingComputer, 2026-06-04](https://www.bleepingcomputer.com/news/security/credit-card-theft-campaign-abuses-stripe-to-host-stolen-payment-info/)). The entry point is a malicious Google Tag Manager (GTM) container injected into checkout pages of Magento / Adobe Commerce stores; the skimmer-hosting Stripe customer record was created 2025-12-24, indicating a campaign running since at least late 2025. Maps to `T1059.007` (JavaScript) and `T1071.001` (Application Layer Protocol: Web).
**Why it matters to us:** `api.stripe.com` is universally allow-listed in CSP `script-src`/`connect-src` and WAF egress rules on payment sites, so the standard "block unknown exfil endpoints" control is blind to this. Detection has to move server-side: inventory GTM container IDs against an approved list, alert on Stripe customer-creation events that don't map to real orders, inspect customer-metadata fields for encoded JavaScript, and run file-integrity monitoring on checkout-page tag configuration rather than relying on browser-side CSP.

— *Source: [Sansec](https://sansec.io/research/stripe-api-skimmer-infrastructure) · Additional source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/credit-card-theft-campaign-abuses-stripe-to-host-stolen-payment-info/) · Tags: organized-crime, supply-chain, data-breach · Region: global, europe · Sector: retail, finance*
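
Added example (not Sansec's or Stripe's code) of the server-side checks described above: flag Stripe customer objects whose metadata carries JavaScript or that map to no real order, and flag GTM container IDs on the checkout page that are not on an approved list. The customer objects, order mapping and GTM IDs are constructed.

```python
"""Server-side checks for the Stripe-hosted skimmer pattern: customer
metadata used to stage JavaScript, fake customer records used as the exfil
channel, and unapproved Google Tag Manager containers on the checkout page.

Added example for this brief, not Sansec's or Stripe's code. The customer
objects below are constructed in the shape Stripe's API returns (id,
created, metadata); order IDs and GTM container IDs are made up."""
import base64
import binascii
import re

JS_MARKERS = re.compile(r"function\s*\(|=>|document\.|window\.|eval\(|atob\(|XMLHttpRequest|fetch\(")
# A metadata value that is one long base64 token is decoded before being judged.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/=]{40,}$")
GTM_ID = re.compile(r"GTM-[A-Z0-9]{4,10}")


def _looks_like_javascript(value):
    """True if the string, or its base64 decoding, contains JavaScript markers."""
    if JS_MARKERS.search(value):
        return True
    if B64_TOKEN.match(value):
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            return False
        return bool(JS_MARKERS.search(decoded))
    return False


def review_customers(customers, known_order_customer_ids, min_created=0):
    """Return (customer_id, reason) findings for customers created at or after
    min_created that carry JavaScript in metadata or correspond to no order."""
    findings = []
    for cust in customers:
        if cust.get("created", 0) < min_created:
            continue
        meta = cust.get("metadata") or {}
        js_keys = [k for k, v in meta.items() if isinstance(v, str) and _looks_like_javascript(v)]
        if js_keys:
            findings.append((cust["id"], "javascript in metadata keys " + ",".join(sorted(js_keys))))
        if cust["id"] not in known_order_customer_ids:
            findings.append((cust["id"], "customer record maps to no order"))
    return findings


def unapproved_gtm_containers(checkout_html, approved_ids):
    """GTM container IDs referenced by the checkout page that are not approved."""
    return sorted(set(GTM_ID.findall(checkout_html)) - set(approved_ids))


# Constructed fixtures: one legitimate customer tied to an order, one staging
# base64-encoded skimmer code in metadata, one acting as an exfil record.
SAMPLE_CUSTOMERS = [
    {"id": "cus_legit01", "created": 1_700_000_000, "metadata": {"order": "100042"}},
    {"id": "cus_stage01", "created": 1_700_000_100,
     "metadata": {"s": base64.b64encode(b"document.querySelector('#card').value").decode()}},
    {"id": "cus_exfil01", "created": 1_700_000_200,
     "metadata": {"cc": "4242424242424242|12/29|123"}},
]
KNOWN_ORDER_CUSTOMERS = {"cus_legit01"}
SAMPLE_CHECKOUT_HTML = "<script>/* gtm */ GTM-ABCD123 </script><script> GTM-ZZZZ999 </script>"

if __name__ == "__main__":
    for cid, reason in review_customers(SAMPLE_CUSTOMERS, KNOWN_ORDER_CUSTOMERS):
        print(f"{cid}: {reason}")
    print("unapproved GTM:", unapproved_gtm_containers(SAMPLE_CHECKOUT_HTML, ["GTM-ABCD123"]))
```

Run the customer review against Stripe's `customer.created` webhook stream or a periodic list of customers, joined to your order table, so the check does not depend on the browser at all.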

## 2. Trending Vulnerabilities

### CVE-2026-10881 — Google Chrome (ANGLE graphics engine): out-of-bounds read/write enabling sandbox escape (CVSS 9.6)

Google shipped Chrome 149 (stable 149.0.7827.53/54) on 2026-06-02, patching 429 vulnerabilities — the largest single-release count in Chrome's history, with over 100 rated critical or high ([Google Chrome Releases, 2026-06-02](https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html); [SecurityWeek, 2026-06-05](https://www.securityweek.com/chrome-149-patches-429-vulnerabilities/)). The highest-severity externally-reported fix is `CVE-2026-10881` (CVSS 9.6), an out-of-bounds read and write in ANGLE — Chrome's graphics-translation layer that maps WebGL/GPU calls to the host graphics API — which SecurityWeek reports remote attackers could exploit to escape Chrome's sandbox via a crafted HTML page, with no interaction beyond visiting the page. The sandbox-escape class is the consequential one for enterprises: a renderer compromise chained through ANGLE yields code execution in the browser process, the launch point for subsequent host privilege-escalation chains. No in-the-wild exploitation has been reported. Chrome auto-updates, but managed and extended-stable fleets routinely lag; verify deployment has reached 149.0.7827.53+ via asset inventory or the ADMX update policy, and confirm no MDM version-pin is holding endpoints back. Maps to `T1203` (Exploitation for Client Execution).

— *Source: [SecurityWeek](https://www.securityweek.com/chrome-149-patches-429-vulnerabilities/) · Additional source: [Google Chrome Releases](https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html) · Tags: vulnerabilities, rce, patch-available · Region: global · Sector: public-sector, technology · CVE: CVE-2026-10881 · CVSS: 9.6 · Vector: user-interaction · Auth: pre-auth · Status: patch-available · Evidence: "Remote attackers could exploit the vulnerability to escape Chrome's sandbox via crafted HTML pages" (SecurityWeek); "Chrome 149 was released with patches for 429 vulnerabilities, including over 100 critical and high-severity bugs." (SecurityWeek)*

#### CVE Summary Table

The table consolidates the CVE-bearing items across this brief; only `CVE-2026-10881` is a § 2 trending-vulnerability entry — the Keycloak and FFmpeg rows are cross-references to § 5 and § 3 respectively.

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-10881 | Google Chrome ANGLE graphics engine | 9.6 | ~0.04 | No | No | Chrome 149.0.7827.53+ | [SecurityWeek](https://www.securityweek.com/chrome-149-patches-429-vulnerabilities/) |
| CVE-2026-9704 | Keycloak < 26.6.3 (token exchange) | n/a | n/a | No | No | Keycloak 26.6.3 | [Keycloak](https://www.keycloak.org/2026/06/keycloak-2663-released) |
| CVE-2026-4874 | Keycloak < 26.6.3 (OIDC token endpoint) | n/a | n/a | No | No | Keycloak 26.6.3 | [Keycloak](https://www.keycloak.org/2026/06/keycloak-2663-released) |
| CVE-2026-39210 | FFmpeg (TS demuxer; +8 numbered) | n/a | n/a | No | No (PoC public) | Upstream fix commits | [depthfirst](https://depthfirst.com/research/21-zero-days-in-ffmpeg) |

## 3. Research & Investigative Reporting

### An autonomous AI agent finds 21 zero-days in FFmpeg for ~$1,000 — nine numbered (CVE-2026-39210 to -39218), parser bugs up to 23 years old

Security startup depthfirst ran an autonomous AI analysis agent over FFmpeg's ~1.5 million lines of C and produced 21 confirmed, reproducible zero-days — each with a proof-of-concept input — for an estimated compute cost of about $1,000 ([depthfirst, 2026-06-02](https://depthfirst.com/research/21-zero-days-in-ffmpeg); [The Hacker News, 2026-06-06](https://thehackernews.com/2026/06/ai-agent-uncovers-21-zero-days-in.html)). Nine carry CVE identifiers (`CVE-2026-39210` through `CVE-2026-39218`); twelve more are fixed but unnumbered. The classes are predominantly heap and stack overflows in parsers and demuxers — the TS (transport-stream) demuxer, VP9 decoder, and the AV1 RTP depacketizer — and several had been latent for 15–20 years, with one service-description-table stack overflow dating to 2003. The AV1-over-RTP overflow is the most operationally pointed because it is network-reachable without special flags, which matters for any service that ingests untrusted RTSP/RTP media. All bugs are fixed upstream; downstream and embedded copies vary.
**Why it matters to us:** Two things for defenders. First, FFmpeg is embedded far beyond the obvious media players — browser stacks, Electron apps, conferencing clients (Teams/Zoom), surveillance/VMS transcoders, and Python wheels — and many ship their own non-auto-updating build, so SBOM/runtime inventory of bundled `libavcodec`/`libavformat` is the most reliable way to find exposure. Prioritise hosts that parse externally-sourced media or accept RTP/RTSP streams, and isolate media-processing services from internal networks. The open verification step for each environment is twofold: confirm whether your distribution has shipped the FFmpeg release carrying the upstream fixes (the fixes are upstream; distro packaging lag varies), and establish whether the network-reachable AV1-over-RTP path is actually exercised by any service you run (for example a WebRTC or RTP media pipeline) rather than assuming the parser is dormant. Second, the $1,000-for-21-bugs cost ratio is a signal that parser-class discovery against widely-embedded C libraries (libpng, zlib, libxml2) is now cheap enough to expect more of — treat embedded-parser memory safety as an accelerating attack surface. Maps to `T1203` (Exploitation for Client Execution).

— *Source: [depthfirst — 21 zero-days in FFmpeg](https://depthfirst.com/research/21-zero-days-in-ffmpeg) · Additional source: [The Hacker News](https://thehackernews.com/2026/06/ai-agent-uncovers-21-zero-days-in.html) · Tags: vulnerabilities, ai-abuse, poc-public, patch-available · Region: global · Sector: technology, public-sector · CVE: CVE-2026-39210, CVE-2026-39211, CVE-2026-39212, CVE-2026-39213, CVE-2026-39214, CVE-2026-39215, CVE-2026-39216, CVE-2026-39217, CVE-2026-39218 · CVSS: n/a · Vector: user-interaction · Auth: pre-auth · Status: poc-public, patch-available*

### SANS ISC: WeTransfer-delivered JavaScript stages a steganographic image loader ("Evil MSI background") on Cloudflare Workers and R2 `[SINGLE-SOURCE]`

SANS ISC handler Xavier Mertens documented a resurgence of an image-steganography delivery chain ([SANS ISC, 2026-06-05](https://isc.sans.edu/diary/rss/33054)). A >2 MB JavaScript file ("Remittance Advice.js"), distributed via a legitimate WeTransfer link and padded with do-nothing junk loops, hides functional code that: decodes a ROT13-obfuscated payload into an environment variable; fetches an MSI-installer background image (a JPEG) from a Cloudflare Workers (`*.workers.dev`) subdomain that carries the next stage via steganography (Base64 with `A`→`#` substitution to evade naive scanners, delimited by `IN-`/`-in1`); loads a decoded .NET DLL that is a trojanised fork of the open-source `Microsoft.Win32.TaskScheduler` library to establish Scheduled Task persistence at logon; then pulls a further payload from a Cloudflare R2 (`*.r2.dev`) bucket. The final payload was still under analysis at publication. The infrastructure choice — Cloudflare Workers + R2 — leans on Cloudflare's reputation to bypass category-based web filtering. This is a single-source SANS ISC diary `[SINGLE-SOURCE]`; the chain (not a specific actor) is the takeaway. Maps to `T1027.003` (Steganography), `T1059.007` (JavaScript), `T1059.001` (PowerShell) and `T1053.005` (Scheduled Task).
**Why it matters to us:** Detection concepts: alert on `wscript.exe`/`cscript.exe` spawning PowerShell with environment-variable-expanded or Base64 payloads (Sysmon EID 1); flag first-seen `*.workers.dev` and `*.r2.dev` connections immediately following a WeTransfer download in proxy logs; hunt for scheduled tasks created by `wscript`/`mshta` parents; and EDR-rule on `.NET` assembly loads from a TaskScheduler-derived DLL outside the genuine Windows Task Scheduler path.

— *Source: [SANS Internet Storm Center (Xavier Mertens)](https://isc.sans.edu/diary/rss/33054) · Tags: phishing, infostealer · Region: global · Sector: public-sector, technology*

## 4. Updates to Prior Coverage

*No updates this run — no in-window material development on stories covered in the last seven days. Section intentionally left without items.*

## 5. Deep Dive — Keycloak 26.6.3: privilege escalation via OAuth token-exchange and SSRF in the EU public sector's reference identity platform

**Why this is the deep dive.** Keycloak is the open-source IAM that underpins SSO, SAML and OIDC federation across a large share of EU public-sector and EU-institution deployments, and it is the upstream for the Red Hat build of Keycloak common in DACH government estates. On 2026-06-04 the project released 26.6.3, fixing 16 CVEs as documented in the release notes ([Keycloak, 2026-06-04](https://www.keycloak.org/2026/06/keycloak-2663-released)). There is no reported in-the-wild exploitation, so this is a patch-and-harden item rather than an active-incident one — but the failure modes sit precisely in the identity-protocol machinery (OAuth token exchange, OIDC token endpoint, WebAuthn registration, refresh-token rotation) that this audience builds detections around, and an internet-reachable Keycloak is by definition exposed.

**The token-exchange privilege escalation (`CVE-2026-9704`).** The release notes describe this lead issue as "Privilege escalation via silent subject_token removal in token exchange" ([Keycloak, 2026-06-04](https://www.keycloak.org/2026/06/keycloak-2663-released)). Keycloak's standard (RFC 8693) token-exchange grant takes a `subject_token` identifying the principal whose token is being exchanged; per the release-notes title, *silently removing* that parameter is not rejected as it should be but instead yields a privilege escalation — a low-privilege client obtains a token it should have had to supply and prove a subject for. The relevant prerequisite is that the token-exchange feature is enabled (it is not on by default in all profiles, but is widely turned on for service-to-service and impersonation flows). Maps to `T1550.001` (Use Alternate Authentication Material: Application Access Token) and `T1078.004` (Valid Accounts: Cloud Accounts).

**SSRF via the OIDC token endpoint (`CVE-2026-4874`).** An attacker able to reach the OIDC token endpoint can coerce Keycloak into issuing server-side HTTP requests to attacker-chosen targets, turning the identity server — which typically sits with network reachability into sensitive internal segments — into an SSRF pivot for internal-service reconnaissance. Because Keycloak is usually permitted to talk to internal directories, databases and admin endpoints, the blast radius of SSRF here is larger than on a typical edge web app.

**The rest of the cluster worth knowing.** `CVE-2026-8830` is a missing server-side validation of WebAuthn credential *registration* — a malicious authenticator can submit unvalidated attestation data, which can undercut the assurance of phishing-resistant MFA enrolment (`T1556.006`, Modify Authentication Process: Multi-Factor Authentication). `CVE-2026-9802` is a refresh-token replay window: a server restart resets `startupTime`, allowing reuse of rotated refresh tokens even when `revokeRefreshToken=true`, giving a post-restart replay opportunity (`T1550.001`). `CVE-2026-9792` is a Resource-Owner-Password-Credentials (ROPC) grant bypass of client-policy enforcement. `CVE-2026-37977` reflects `Access-Control-Allow-Origin` from an unverified JWT `azp` claim on the UMA endpoint when Authorization Services / UMA is enabled — a CORS-trust break.

**Detection concepts (no IOCs).** Token-exchange abuse is visible in Keycloak's own event log: alert on `token_exchange` events where the `subject_token` is absent yet a token is issued, and on exchanges that cross a privilege boundary (low-privilege client → high-privilege service-account audience). For the SSRF, watch for outbound connections originating from the Keycloak service account/host to non-allow-listed internal or external addresses correlated with token-endpoint requests. For the WebAuthn flaw, audit credential-registration events for attestation formats that do not match your enrolment policy. For the refresh-token window, correlate refresh-token-grant successes immediately following a Keycloak restart against the expected revocation state.
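
Added example (not Keycloak's code) implementing the two token-exchange signals above over sample event lines. The lines are constructed in a simplified `key="value"` shape modelled on Keycloak's logging event listener; the detail names `subject_token_id` and `audience` and the client tier map are assumptions to adapt to your event pipeline.

```python
"""Detection logic for two Keycloak token-exchange signals: a TOKEN_EXCHANGE
event that issued a token with no subject_token, and an exchange whose
requesting client sits in a lower privilege tier than the audience it
obtained a token for.

Added example for this brief, not Keycloak's own code. SAMPLE_EVENTS are
constructed; the detail names subject_token_id and audience, and the
CLIENT_TIER map, are assumptions about your event pipeline."""
import re

# key=value pairs, values optionally double-quoted, separated by commas.
PAIR = re.compile(r'(\w+)=("[^"]*"|[^,]*)')

# Assumed privilege tier per client; higher number = more privilege.
CLIENT_TIER = {
    "portal-frontend": 1,
    "reporting-batch": 2,
    "citizen-registry-api": 3,
    "admin-console-service": 3,
}


def parse_event(line):
    """Parse one event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in PAIR.findall(line)}


def check_token_exchange(event):
    """Return alert reasons for one parsed event (empty list if benign)."""
    if event.get("type") != "TOKEN_EXCHANGE":
        return []
    reasons = []
    # Signal 1: a token was issued although no subject token was supplied.
    if not event.get("subject_token_id"):
        reasons.append("token issued with no subject_token (CVE-2026-9704 pattern)")
    # Signal 2: requester obtained a token for a more privileged audience.
    requester = event.get("clientId", "")
    audience = event.get("audience", "")
    req_tier = CLIENT_TIER.get(requester, 0)
    aud_tier = CLIENT_TIER.get(audience, 0)
    if audience and aud_tier > req_tier:
        reasons.append(
            f"privilege boundary crossed: {requester} (tier {req_tier}) -> {audience} (tier {aud_tier})"
        )
    return reasons


def scan(lines):
    """Run both checks over raw lines; returns (clientId, reason) per alert."""
    return [(ev.get("clientId"), r) for ev in map(parse_event, lines) for r in check_token_exchange(ev)]


# Constructed events: a benign same-tier exchange, an exchange with no subject
# token crossing into a tier-3 audience, an unrelated login, and a tier-2
# client exchanging into a tier-3 audience with a subject token present.
SAMPLE_EVENTS = [
    'type="TOKEN_EXCHANGE", realmId="egov", clientId="reporting-batch", userId="u-17", '
    'ipAddress="10.0.4.8", subject_token_id="tok-a1", audience="reporting-batch"',
    'type="TOKEN_EXCHANGE", realmId="egov", clientId="portal-frontend", userId="", '
    'ipAddress="203.0.113.9", audience="citizen-registry-api"',
    'type="LOGIN", realmId="egov", clientId="portal-frontend", userId="u-42", '
    'ipAddress="203.0.113.9", auth_method="openid-connect"',
    'type="TOKEN_EXCHANGE", realmId="egov", clientId="reporting-batch", userId="u-17", '
    'ipAddress="10.0.4.8", subject_token_id="tok-b2", audience="admin-console-service"',
]

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT client={client}: {reason}")
```

The tier map is the part that carries the policy: it should be generated from your client and service-account configuration rather than maintained by hand.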

**Hardening / remediation.** Upgrade to 26.6.3 across all editions including the Red Hat build. If token exchange is not required, disable the feature flag — that removes the `CVE-2026-9704` path entirely. Place the OIDC/admin endpoints behind network restrictions and enforce strict egress filtering from the Keycloak host to blunt the SSRF. Re-validate that phishing-resistant MFA enrolment is gated by an attestation policy, and review `revokeRefreshToken` behaviour around maintenance restarts. CVSS scores for the individual CVEs were not yet published at the time of the release notes; treat exposure by reachability and feature-enablement, not by a score.

— *Source: [Keycloak — 26.6.3 release notes](https://www.keycloak.org/2026/06/keycloak-2663-released) · Tags: vulnerabilities, identity, auth-bypass, priv-esc, patch-available · Region: europe, global · Sector: public-sector, finance, healthcare, education · CVE: CVE-2026-9704, CVE-2026-4874, CVE-2026-8830, CVE-2026-9802, CVE-2026-9792, CVE-2026-37977 · CVSS: n/a · Vector: zero-click · Auth: post-auth · Status: patch-available · Evidence: "[CVE-2026-9704] Privilege escalation via silent subject_token removal in token exchange" (Keycloak); "[CVE-2026-4874] Server-Side Request Forgery via OIDC token endpoint manipulation" (Keycloak)*

## 6. Action Items

- **Patch Keycloak to 26.6.3** on any internet-reachable or e-government identity deployment (§ 5). If the token-exchange feature is not in use, disable its feature flag to remove the `CVE-2026-9704` path entirely; enforce egress filtering from the Keycloak host to blunt the `CVE-2026-4874` SSRF; re-validate WebAuthn enrolment attestation policy.
- **Hunt token-exchange abuse in Keycloak event logs** — alert on `token_exchange` events that issue a token while `subject_token` is absent, and on exchanges crossing a privilege boundary (see § 5 detection concepts).
- **Confirm managed Chrome fleets have reached 149.0.7827.53+** (§ 2) — check asset inventory / ADMX policy and ensure no MDM version-pin is holding endpoints on a vulnerable build of the ANGLE sandbox-escape `CVE-2026-10881`.
- **Inventory bundled FFmpeg (`libavcodec`/`libavformat`) via SBOM or runtime scan** and prioritise patching hosts that parse externally-sourced media or accept RTP/RTSP streams (§ 3); isolate media-processing services from internal networks.
- **Grep all web properties for residual `polyfill[.]io` references** and replace with legitimate mirrors or self-hosted polyfills; enforce Subresource Integrity on third-party scripts (§ 1). Web-proxy 401 responses from `polyfill[.]io` pinpoint pages still loading the script.
- **For Magento/Adobe Commerce + Stripe merchants:** audit Google Tag Manager container contents against an approved list and alert on Stripe customer-creation events that do not map to real orders (§ 1) — browser-side CSP will not catch the api.stripe.com skimmer.

— *Source: [Keycloak — 26.6.3 release notes](https://www.keycloak.org/2026/06/keycloak-2663-released) · Tags: vulnerabilities, identity, supply-chain, patch-available · Region: europe, global · Sector: public-sector*

## 7. Verification Notes

- **Items dropped — already covered (PD-8 dedup):**
  - *Luna Moth / Silent Ransom Group (UNC3753) law-firm campaign* — surfaced by S3 and S4 (Mandiant, 2026-06-05) but was the **full deep dive on 2026-06-06**; no new in-window development beyond what that deep dive already consolidated.
  - *HTTP/2 Bomb (`CVE-2026-49975`)* — surfaced by S2 (NCSC-CH advisory 12610, 2026-06-04); was the **deep dive on 2026-06-04** and was already explicitly excluded on 2026-06-06 as national-CERT pickup, not a material new development.
  - *`CVE-2022-0492` Linux cgroup v1 container escape* — surfaced by S1 (CISA KEV addition, 2026-06-02); was the **deep dive on 2026-06-03**. KEV-deadline status is not a fresh threat fact (PD-13).
  - *BigBlueButton `CVE-2026-46351` / `CVE-2026-46353`* — surfaced by S2 (BSI WID-SEC-2026-1804, 2026-06-04); these CVEs were first seen 2026-05-19 and the patch has been available since January 2026. The BSI advisory is national-CERT pickup with no material delta.
- **Items dropped — out of window / insufficient signal:**
  - *`CVE-2026-41096` Windows DNS Client heap overflow* (S1) — freshest source NCSC-NL advisory 2026-06-02 (outside the 36 h window); Microsoft rates exploitation "Unlikely", no public PoC, no in-the-wild activity — does not clear a § 2 inclusion gate.
  - *FIFA World Cup 2026 fraud ecosystem* (S4, FortiGuard 2026-06-04) — the Ghost Stadium phishing operation was covered on 2026-05-30 and a Unit 42 FIFA forecast was already dropped on 2026-05-31 as overlapping; the new FortiGuard report adds Android-trojan detail (Massiv/Perseus) but leans on loss-estimate metrics (PD-4) and overlaps prior coverage.
  - *Ultrahuman wellness-data breach* (S4, TechCrunch 2026-06-03) — freshest source outside the 36 h window; no Swiss/EU public-sector nexus. The 68-day GDPR notification-delay angle was noted but did not clear the relevance bar.
- **Single-source items:** *SANS ISC steganographic JPEG loader* (§ 3) — SANS ISC diary is the only source; included as a HIGH-reliability research handler diary describing a technique chain (not an actor attribution).
- **Recency latitude:** on a quiet 24 h cycle the standard 36 h window yielded few items; Keycloak (2026-06-04), the Magecart/Stripe skimmer (2026-06-04), the polyfill[.]io reactivation (2026-06-05) and the SANS ISC chain (2026-06-05) have freshest sources 40–64 h old — inside the 72 h developing-story window and all genuine first-coverage, not re-reports.
- **Corrections applied during verification (iteration 1):** the Chrome 149 CVSS 9.6 sandbox escape was initially research-reported with an incorrect identifier and a "USB use-after-free" component; a direct re-fetch of the SecurityWeek and Chrome Releases sources confirmed the correct identifier is `CVE-2026-10881`, an out-of-bounds read/write in the ANGLE graphics engine — corrected throughout the brief. The Keycloak deep dive's research-supplied GitHub Security Advisory reference resolved to an unrelated 2022 advisory, and the cited CERT-FR avis covered an earlier Keycloak branch (≤ 26.5.5), not 26.6.3; both were removed, and the deep dive is now sourced to Keycloak's own 26.6.3 release notes (the authoritative primary disclosing party, re-fetched to confirm the CVE list and the "silent subject_token removal" wording). An unverified SAML-denial-of-service identifier attributed to the prior 26.6.2 release was dropped. The Magecart Stripe-skimmer record-creation date was corrected from 2024-12-24 to 2025-12-24 per the Sansec source.
- **Contradictions:** none identified this run.
- **Stalled sub-agents:** none — all four research sub-agents (S1–S4) returned within budget.
- **Candidate source:** `depthfirst` (depthfirst.com) surfaced by S1 and S3 as the primary for the FFmpeg AI zero-day research; recorded as a candidate in `sources/sources.json` for promotion after three contributing runs.
- **Coverage gaps:** inside-it-ch (Cloudflare Managed Challenge, transport-403, 5-run gap); sophos-xops (HTTP 503, 5-run gap); databreaches-net (Cloudflare challenge, transport-403, 5-run gap); sec-disclosures-edgar (EDGAR full-text-search returned 0 8-K Item 1.05 filings in window); zdi (blog RSS 404, no in-window post); shadowserver (no in-window advisory); dragos (no in-window OT/ICS research); sans-ics (no in-window ICS-specific item); kaspersky-securelist (Argamal RAT article outside window); cert-eu (no advisory newer than 2026-05-06); enisa (no in-window news/EUVD items beyond already-covered); ncsc-ch-weekly (week-23 wochenrückblick 404, not yet published); csirt-acn-it (no in-window Italy items); cert-fr-actu-recent (actualité feed stale); edpb, cnil-fr, ico-uk (no in-window cyber-incident disclosures).
