# CTI Daily Brief — 2026-06-26

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Opus 4.8 (1M context), model ID `claude-opus-4-8[1m]`) with parallel research and verification by sub-agents (Claude Sonnet 4.6, Claude Opus 4.8 (1M context)) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Claude Opus 4.8 (1M context) (`claude-opus-4-8[1m]`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: Claude Opus 4.8 (1M context) · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.64 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **Mandiant reconstructs a months-long zero-day compromise of Cisco Catalyst SD-WAN Manager (CVE-2026-20245)** — updating our 6 June coverage, GTIG details an authenticated `request tenant-upload` CLI command-injection path that planted a `troot` UID-0 account on the controller, reached after a peering-auth-bypass foothold and exploited at a service provider from late 2025 through March 2026, well before the patch ([Mandiant/GTIG, 2026-06-24](https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager)). Today's deep dive (§5). Patch to the fixed trains immediately and audit vManage hosts for OS-level account creation.
- **macOS.Gaslight — a DPRK-aligned Rust backdoor that aims its evasion at the analyst, not the sandbox** — SentinelLABS documents a 3.5 KB blob of 38 fabricated "system" messages embedded to derail LLM-assisted triage, alongside Telegram Bot-API C2 and a `com.apple.system.services.activity` LaunchAgent ([SentinelLABS, 2026-06-23](https://www.sentinelone.com/labs/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox/)).
- **ShinyHunters breached Madison Square Garden through a single vishing call into the company's identity platform** — 404 Media's review of the stolen data confirms a low-level employee was talked into letting the operators into MSG's systems, the same vishing → identity-platform (Entra/Okta) → MFA-enrollment kill chain that works equally well against EU public-sector tenants ([404 Media, 2026-06-24](https://www.404media.co/how-hackers-broke-into-madison-square-garden/)).
- **ESET's 2025 Gamaredon paper shows the FSB group's exfil and C2 moving entirely onto trusted cloud services** — S3-compatible object storage (Wasabi/Tebi/Intercolo) via `rclone` and Cloudflare-tunnel/Workers/DevTunnel C2 that blends with legitimate egress; targeting stayed exclusively Ukrainian, but the tradecraft is the transferable part ([ESET, 2026-06-25](https://www.welivesecurity.com/en/eset-research/gamaredon-2025-leveraging-tunnels-workers-dead-drops-new-alliances/)).

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### Ukrposhta digital services disrupted by an overnight attack; pro-Russian hacktivists claim a prior data theft

Ukraine's national postal operator Ukrposhta confirmed on 25 June that an overnight "hostile cyberattack" on its IT systems disrupted its mobile app and digital services, with engineers restoring functionality through the day ([The Record, 2026-06-25](https://therecord.media/ukraine-state-postal-operator-reports-disruption); [New Voice of Ukraine, 2026-06-25](https://english.nv.ua/business/cyberattack-disrupts-ukrposhta-app-and-digital-services-50619276.html)). A pro-Russian group styling itself the "IT Army of Russia" — distinct from Ukraine's civilian IT Army — separately claimed it had breached Ukrposhta infrastructure weeks earlier and exfiltrated a user database; Recorded Future News states it could not independently verify that claim, and Ukrposhta has not confirmed any data compromise. Treat the exfiltration as an unverified leak-site-style assertion until the operator says otherwise.

**Defender takeaway:** the pattern — public service disruption timed to a hacktivist data-theft claim — is the recurring playbook against European postal, logistics and other citizen-facing public operators. The hardening lesson is structural: keep internet-facing app/API tiers segmented from back-end customer databases so a front-end outage cannot be parlayed into (or conflated with) a data-store compromise.

— *Source: [The Record](https://therecord.media/ukraine-state-postal-operator-reports-disruption) · Additional source: [New Voice of Ukraine](https://english.nv.ua/business/cyberattack-disrupts-ukrposhta-app-and-digital-services-50619276.html) · Tags: hacktivism, data-breach, russia-nexus · Region: europe · Sector: transport, public-sector*

### ShinyHunters used a single vishing call into the company's identity platform to breach Madison Square Garden

404 Media's review of the stolen Madison Square Garden data and the attackers' own account confirm the intrusion began with a vishing call — the operators phoned a low-level employee and talked them into letting them into MSG's systems ([404 Media, 2026-06-24](https://www.404media.co/how-hackers-broke-into-madison-square-garden/)). Reporting attributes the breach to ShinyHunters; after MSG missed a 15 June ransom deadline, roughly 45 GB / 26M+ records were published ([The Next Web, 2026-06-16](https://thenextweb.com/news/shinyhunters-madison-square-garden-45gb-data-leak-facial-recognition)). The wider pattern this fits — and the one worth detecting — is the vishing → identity-platform (Entra/Okta) → MFA-enrollment → SSO-pivot chain that Abnormal Security documents generically: an IT-impersonation call manufacturing MFA-reset urgency, real-time credential and one-time-code capture on a tenant-branded phishing page, enrollment of an attacker-controlled MFA device, then a pivot into connected SaaS ([Abnormal Security, 2026-02-06](https://abnormal.ai/blog/shinyhunters-sso-social-engineering-mfa-identity-compromise)). Maps to `T1566.004` (vishing), `T1078.004` (cloud accounts), and `T1556.006` (MFA manipulation).

**Why it matters to us:** the victim is a US private entity, but the kill chain is identity-platform-agnostic and lands the same way against EU public-sector Entra/Okta tenants. Hunt Entra audit logs for new MFA-method registration events correlated with anomalous sign-in geo/user-agent and post-enrollment impossible-travel risk events; the durable control is phishing-resistant FIDO2/passkey MFA that cannot be relayed in real time, plus Conditional Access requiring a compliant device for MFA enrollment.
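The correlation described above, as an added worked example for this brief (not Microsoft code and not from the 404 Media or Abnormal Security reporting): it joins MFA-method registration events from an AuditLogs export with SignInLogs for the same user, builds a per-user geo/user-agent baseline that stops *before* the look-back window, and raises one alert per enrolment that is preceded by an out-of-baseline sign-in or followed by a risk-flagged sign-in. Field names approximate the Entra export schema and every event is constructed.

```python
"""Hunt the vishing -> Entra MFA-enrolment chain in exported logs.

Added example for this brief; it is not Microsoft code and not from the
404 Media or Abnormal Security reporting. Field names approximate the
Entra ID AuditLogs / SignInLogs export schema, and every event below is
constructed for the demonstration, not captured from a real tenant.
"""
from datetime import datetime, timedelta, timezone

MFA_REGISTRATION = {
    "User registered security info",
    "User registered all required security info",
}
WINDOW = timedelta(hours=2)   # look-back before and look-ahead after the enrolment
BASELINE_DAYS = 28            # how far back the "normal" geo/UA baseline reaches

# Constructed sample events (simplified Entra schema, assumed field names)
AUDIT_LOGS = [
    {"activityDateTime": "2026-06-24T09:12:00Z",
     "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "j.doe@example.gov"}}},
    {"activityDateTime": "2026-06-24T15:40:00Z",
     "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "a.smith@example.gov"}}},
]
SIGNIN_LOGS = [
    # j.doe's normal pattern: CH, Windows/Edge
    {"createdDateTime": "2026-06-23T08:00:00Z", "userPrincipalName": "j.doe@example.gov",
     "location": {"countryOrRegion": "CH"}, "userAgent": "Edge/125 Windows", "riskEventTypes": []},
    # sign-in ten minutes before the enrolment, new country and new user-agent
    {"createdDateTime": "2026-06-24T09:02:00Z", "userPrincipalName": "j.doe@example.gov",
     "location": {"countryOrRegion": "US"}, "userAgent": "Chrome/124 Linux", "riskEventTypes": []},
    # post-enrolment sign-in that Identity Protection tagged as impossible travel
    {"createdDateTime": "2026-06-24T10:30:00Z", "userPrincipalName": "j.doe@example.gov",
     "location": {"countryOrRegion": "CH"}, "userAgent": "Edge/125 Windows",
     "riskEventTypes": ["impossibleTravel"]},
    # a.smith enrols a new method from the usual place and device: benign
    {"createdDateTime": "2026-06-20T09:00:00Z", "userPrincipalName": "a.smith@example.gov",
     "location": {"countryOrRegion": "CH"}, "userAgent": "Edge/125 Windows", "riskEventTypes": []},
    {"createdDateTime": "2026-06-24T15:35:00Z", "userPrincipalName": "a.smith@example.gov",
     "location": {"countryOrRegion": "CH"}, "userAgent": "Edge/125 Windows", "riskEventTypes": []},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def baseline(signins, upn, before):
    """Countries and user-agents the user signed in with during BASELINE_DAYS before `before`."""
    cutoff = before - timedelta(days=BASELINE_DAYS)
    rows = [s for s in signins
            if s["userPrincipalName"] == upn and cutoff <= _ts(s["createdDateTime"]) < before]
    return ({r["location"]["countryOrRegion"] for r in rows},
            {r["userAgent"] for r in rows})


def hunt_mfa_enrolment(audit_logs, signin_logs):
    """One alert per MFA registration preceded by an out-of-baseline sign-in
    or followed by a risk-flagged sign-in, both within WINDOW."""
    alerts = []
    for ev in audit_logs:
        if ev["activityDisplayName"] not in MFA_REGISTRATION:
            continue
        upn = ev["initiatedBy"]["user"]["userPrincipalName"]
        t_enrol = _ts(ev["activityDateTime"])
        # The baseline ends where the look-back window starts, so the attacker's
        # own sign-in cannot teach the baseline that its geo/UA is "normal".
        countries, agents = baseline(signin_logs, upn, t_enrol - WINDOW)
        reasons = []
        for s in signin_logs:
            if s["userPrincipalName"] != upn:
                continue
            t = _ts(s["createdDateTime"])
            geo, ua = s["location"]["countryOrRegion"], s["userAgent"]
            if t_enrol - WINDOW <= t <= t_enrol:
                # An empty baseline (brand-new account) flags every sign-in on
                # purpose: attacker-created accounts have no history either.
                if geo not in countries:
                    reasons.append(f"pre-enrolment sign-in from new country {geo}")
                if ua not in agents:
                    reasons.append(f"pre-enrolment sign-in with new user-agent {ua!r}")
            elif t_enrol < t <= t_enrol + WINDOW and s["riskEventTypes"]:
                reasons.append("post-enrolment risk: " + ",".join(s["riskEventTypes"]))
        if reasons:
            alerts.append({"user": upn, "enrolled_at": ev["activityDateTime"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in hunt_mfa_enrolment(AUDIT_LOGS, SIGNIN_LOGS):
        print(alert)
```

On the constructed data only `j.doe` fires, with three reasons; `a.smith` enrols from a baseline-consistent country and device and stays quiet. The look-back window is the tunable that decides how much of the IT-impersonation call's timeline you catch; two hours covers the call-then-enrol sequence the Abnormal write-up describes.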

— *Source: [404 Media](https://www.404media.co/how-hackers-broke-into-madison-square-garden/) · Additional source: [The Next Web](https://thenextweb.com/news/shinyhunters-madison-square-garden-45gb-data-leak-facial-recognition) · Additional source: [Abnormal Security](https://abnormal.ai/blog/shinyhunters-sso-social-engineering-mfa-identity-compromise) · Tags: phishing, identity, data-breach, organized-crime · Region: us, global · Sector: media, technology*

## 2. Trending Vulnerabilities

*No newly-disclosed qualifying vulnerability in window — section intentionally left empty. The window's significant vulnerability development is a material update to previously-covered CVE-2026-20245 (Cisco SD-WAN Manager), handled as an update in §4 with the full forensic kill chain in §5. GitLab's 19.1.1 patch set and the Ubiquiti UniFi OS KEV deadline were assessed and did not clear an inclusion gate — see §7.*

## 3. Research & Investigative Reporting

### macOS.Gaslight — a DPRK-aligned Rust backdoor that targets the LLM-assisted analyst

SentinelLABS analysed macOS.Gaslight, a single-binary Rust implant it ties with high confidence to DPRK-aligned activity (Apple's XProtect detects it as `MACOS_BONZAI_COBUCH`, with a sibling sample caught by the AIRPIPE rule SentinelLABS also attributes to North Korea) ([SentinelLABS, 2026-06-23](https://www.sentinelone.com/labs/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox/)). Its novel evasion is aimed at the *analyst's tooling* rather than a sandbox: the binary carries a 3.5 KB Markdown-fenced blob of 38 fabricated "system" messages whose `{{DATA}}` tokens mimic an LLM triage harness's own prompt scaffold, designed to push an LLM agent into aborting, truncating, or refusing its analysis ([Infosecurity Magazine, 2026-06-24](https://www.infosecurity-magazine.com/news/macos-gaslight-rust-backdoor/)). Beyond that, it is a full stealer — staging a CPython interpreter at runtime to harvest Chrome/Brave/Firefox/Safari credentials, terminal history, `system_profiler` output, and a wholesale copy of `login.keychain-db`. C2 runs over the Telegram Bot-API `getUpdates` polling loop with AES-GCM payloads over certificate-pinned TLS; persistence is a LaunchAgent labelled `com.apple.system.services.activity` (`T1543.001`).

**Why it matters to us:** as LLM-assisted triage moves into SOC and MDR workflows, embedding adversarial prompt payloads in samples to corrupt that pipeline is a technique class to expect generalising — treat "benign" LLM verdicts on submitted macOS binaries as provisional pending human review, and flag any binary carrying large role/content message arrays for secondary analysis. Detection concepts: LaunchAgent plists masquerading under `com.apple.system.services.*` with non-Apple signers; processes spawning Python from non-standard parents; outbound TLS to `api.telegram.org` from non-user-initiated processes on managed Macs.
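The LaunchAgent masquerade check above, as an added example for this brief (not SentinelLABS code): it parses launch-agent plists and flags `com.apple.*` labels that live outside Apple's own agent directories, point at a non-Apple binary, or auto-start a program from a user-writable path. The plists are constructed; only the label `com.apple.system.services.activity` comes from the report, and the program path, the other two agents and the directory lists are assumptions. The signer check is left out so the script runs offline.

```python
"""Spot LaunchAgents masquerading under Apple-style labels.

Added example for this brief, not SentinelLABS code. Only the label
`com.apple.system.services.activity` is from the report; the program
path, the other two sample agents and the prefix lists are constructed
assumptions. Signer verification (codesign) is deliberately omitted so
the script runs offline; the path heuristics stand in for it.
"""
import plistlib

APPLE_AGENT_DIRS = ("/System/Library/LaunchAgents/", "/System/Library/LaunchDaemons/")
APPLE_BIN_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/Library/Apple/")
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")

# Constructed sample plists keyed by the path they would be found at
SAMPLES = {
    "/Users/alice/Library/LaunchAgents/com.apple.system.services.activity.plist": plistlib.dumps({
        "Label": "com.apple.system.services.activity",
        "ProgramArguments": ["/Users/alice/Library/Application Support/.activity/agent"],
        "RunAtLoad": True, "KeepAlive": True}),
    "/Users/alice/Library/LaunchAgents/com.example.sync.plist": plistlib.dumps({
        "Label": "com.example.sync",
        "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/sync-agent", "--background"],
        "RunAtLoad": True}),
    "/System/Library/LaunchAgents/com.apple.example.plist": plistlib.dumps({
        "Label": "com.apple.example",
        "Program": "/System/Library/CoreServices/example"}),
}


def program_path(plist):
    """launchd accepts either Program or ProgramArguments[0] as the executable."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""


def assess(path, data):
    """Return the list of findings for one plist (empty list = nothing suspicious)."""
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    prog = program_path(plist)
    apple_label = label.startswith("com.apple.")
    findings = []
    if apple_label and not path.startswith(APPLE_AGENT_DIRS):
        findings.append("com.apple.* label outside Apple's /System agent directories")
    if apple_label and prog and not prog.startswith(APPLE_BIN_PREFIXES):
        findings.append(f"com.apple.* label runs non-Apple binary {prog}")
    if plist.get("RunAtLoad") and prog.startswith(USER_WRITABLE_PREFIXES):
        findings.append("RunAtLoad agent whose binary sits in a user-writable path")
    return findings


def scan(samples):
    """path -> findings, only for plists with at least one finding."""
    return {path: f for path, data in samples.items() if (f := assess(path, data))}


if __name__ == "__main__":
    for path, findings in scan(SAMPLES).items():
        print(path)
        for f in findings:
            print("  -", f)
```

To run this on a live Mac, feed it the files under `~/Library/LaunchAgents` and `/Library/LaunchAgents` and add the signer check with `codesign -dv --verbose=4 <binary>`; any `com.apple.*` agent whose binary is not signed by Apple (TeamIdentifier absent or non-Apple) is a finding regardless of path.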

— *Source: [SentinelLABS](https://www.sentinelone.com/labs/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox/) · Additional source: [Infosecurity Magazine](https://www.infosecurity-magazine.com/news/macos-gaslight-rust-backdoor/) · Tags: nation-state, espionage, north-korea-nexus, infostealer, ai-abuse, identity · Region: global · Sector: technology, finance*

### ESET's 2025 Gamaredon paper: exfil and C2 moved wholesale onto trusted cloud services (ANNUAL REPORT)

ESET's annual Gamaredon paper documents the FSB-linked group's 2025 toolset — six new PowerShell tools (PteroDee, PteroCache, PteroDum, PteroOdd, PteroEffigy, PteroPaste) plus a resurrected PteroSetup VBScript weaponizer — and, more usefully for defenders elsewhere, a wholesale shift of infrastructure onto trusted services ([ESET, 2026-06-25](https://www.welivesecurity.com/en/eset-research/gamaredon-2025-leveraging-tunnels-workers-dead-drops-new-alliances/)). C2 now rides Cloudflare tunnels (`trycloudflare.com`), Cloudflare Workers (`workers.dev`), Microsoft DevTunnels (`devtunnels.ms`), Loophole, No-IP DDNS, Clever Cloud and Supabase; data is exfiltrated via `rclone` to S3-compatible object storage (Wasabi, Tebi, and Intercolo — which became the primary destination by December), and hostnames are brokered through dead-drop resolvers spread across Telegram, Telegra.ph, Dropbox, GoFile, Mastodon and a dozen paste services so no fixed IP or domain appears in the implant. ESET also confirms an early-2025 collaboration with Turla. Sekoia independently documented the same 2025 shift toward tunnel-service C2 and S3-compatible cloud-storage exfiltration in its parallel "FSB's Matryoshka" Gamaredon series ([Sekoia, 2026-06-04](https://www.sekoia.com/blog/fsbs-matryoshka-3-3-gamaredons-gifts-that-keeps-unpacking-gammasteel)). Targeting stayed **exclusively** Ukrainian government and military — the report names no EU targets — so the relevance here is the tradecraft, not the victimology.

**Why it matters to us:** the tunnel-and-cloud-storage model defeats domain/IP blocklists and blends with legitimate egress, and it is exactly the pattern any espionage operator can adopt. Detection concepts: alert on tunnel-service egress (`trycloudflare.com` / `workers.dev` / `devtunnels.ms`) initiated by Office or scripting processes; flag `rclone` or S3-API `PUT`/`POST` from hosts with no backup role; hunt PowerShell that reads paste-site domains and decodes base64 blobs.
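The two detection concepts above as one added example for this brief (not ESET or Sekoia code): a rule pass over a generic EDR/proxy join of process, parent, destination host and HTTP method. It shows the dot-bounded suffix match that keeps `workers.dev.example.net` from matching `workers.dev`, and why the tunnel rule needs the Office/scripting-parent condition (a developer's `node.exe` talking to `workers.dev` should not fire). The events, the object-storage endpoint suffixes and the backup-host allowlist are constructed assumptions to maintain per environment.

```python
"""Flag tunnel-service C2 and object-storage exfil in endpoint telemetry.

Added example for this brief, not code from ESET or Sekoia. The event
layout (process, parent, destination host, HTTP method) is a generic
EDR/proxy join, and every event below is constructed. The object-storage
suffixes and the backup-host allowlist are assumptions for this demo.
"""

TUNNEL_SUFFIXES = ("trycloudflare.com", "workers.dev", "devtunnels.ms")  # named in the ESET report
OBJECT_STORAGE_SUFFIXES = ("wasabisys.com", "tebi.io")                  # assumed S3 endpoint suffixes
OFFICE_OR_SCRIPT = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
EXFIL_TOOLS = {"rclone.exe", "rclone", "aws.exe", "s3cmd"}
BACKUP_ROLE_HOSTS = {"bkp-01"}   # hosts that legitimately push to object storage (assumed)


def host_matches(host, suffixes):
    """Exact or dot-bounded suffix match: 'x.workers.dev' yes, 'workers.dev.evil.net' no."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


# Constructed sample events
EVENTS = [
    {"host": "ws-117", "process": "powershell.exe", "parent": "WINWORD.EXE",
     "dest_host": "abc-def.trycloudflare.com", "method": "POST"},        # macro -> tunnel C2
    {"host": "ws-117", "process": "msedge.exe", "parent": "explorer.exe",
     "dest_host": "dash.cloudflare.com", "method": "GET"},               # ordinary browsing
    {"host": "ws-204", "process": "rclone.exe", "parent": "powershell.exe",
     "dest_host": "s3.wasabisys.com", "method": "PUT"},                  # rclone on a workstation
    {"host": "bkp-01", "process": "rclone.exe", "parent": "services.exe",
     "dest_host": "s3.wasabisys.com", "method": "PUT"},                  # backup host, allowed
    {"host": "ws-301", "process": "node.exe", "parent": "code.exe",
     "dest_host": "myapp.workers.dev", "method": "GET"},                 # developer traffic
    {"host": "ws-301", "process": "chrome.exe", "parent": "explorer.exe",
     "dest_host": "workers.dev.example.net", "method": "GET"},           # suffix look-alike
    {"host": "ws-205", "process": "curl.exe", "parent": "cmd.exe",
     "dest_host": "s3.tebi.io", "method": "PUT"},                        # raw S3 write, no rclone
]


def evaluate(ev):
    """Return (rule, severity) hits for one event; empty list means clean."""
    hits = []
    proc, parent = ev["process"].lower(), ev["parent"].lower()
    if host_matches(ev["dest_host"], TUNNEL_SUFFIXES) and (
            proc in OFFICE_OR_SCRIPT or parent in OFFICE_OR_SCRIPT):
        hits.append(("tunnel-egress-from-office-or-script", "high"))
    if ev["host"] not in BACKUP_ROLE_HOSTS:
        if proc in EXFIL_TOOLS:
            hits.append(("exfil-tool-on-non-backup-host", "high"))
        elif ev["method"] in ("PUT", "POST") and host_matches(ev["dest_host"], OBJECT_STORAGE_SUFFIXES):
            hits.append(("object-storage-write-from-non-backup-host", "medium"))
    return hits


def hunt(events):
    """Events with at least one rule hit, each annotated with its hits."""
    return [dict(ev, hits=h) for ev in events if (h := evaluate(ev))]


if __name__ == "__main__":
    for ev in hunt(EVENTS):
        print(ev["host"], ev["process"], "->", ev["dest_host"], ev["hits"])
```

The process/parent condition is the precision control: tunnel services are legitimate developer tooling, so the signal is the initiating process, not the destination alone. Extend `OBJECT_STORAGE_SUFFIXES` with whatever S3-compatible endpoints your proxy actually sees rather than trying to enumerate providers.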

— *Source: [ESET WeLiveSecurity](https://www.welivesecurity.com/en/eset-research/gamaredon-2025-leveraging-tunnels-workers-dead-drops-new-alliances/) · Additional source: [Sekoia](https://www.sekoia.com/blog/fsbs-matryoshka-3-3-gamaredons-gifts-that-keeps-unpacking-gammasteel) · Tags: nation-state, espionage, russia-nexus · Region: europe · Sector: public-sector, defense*

## 4. Updates to Prior Coverage

### UPDATE: Mandiant publishes the forensic reconstruction behind Cisco SD-WAN Manager CVE-2026-20245

> **UPDATE (originally covered 2026-06-06):** When we first noted CVE-2026-20245 it was a fresh Cisco advisory for a command-injection-to-root flaw in Catalyst SD-WAN Manager with confirmed exploitation but little public detail. Mandiant/GTIG has now published the forensic reconstruction, confirming the flaw was used as a **zero-day at a communications service provider from late 2025 through March 2026 — months before the patch** ([Mandiant/GTIG, 2026-06-24](https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager)).
>
> The new substance is the kill chain: a peering-authentication-bypass foothold (CVE-2026-20127 / CVE-2026-20182) into SSH as `vmanage-admin`, then a crafted tenant CSV through the `request tenant-upload` CLI handler injecting commands that planted a backdoor `troot` UID-0 account, with anti-forensic clean-up (admin-password change-then-revert, history/syslog deletion). Mandiant names no threat actor. Full mechanics, ATT&CK mapping and host-level detection are in §5.
>
> — *Source: [Mandiant/GTIG](https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager) · Additional source: [Cisco PSIRT](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx) · Tags: vulnerabilities, actively-exploited, priv-esc, rce, patch-available · Region: global · Sector: telco, public-sector · CVE: CVE-2026-20245 · CVSS: 7.8 · Vector: local · Auth: post-auth · Status: exploited, patch-available*

## 5. Deep Dive — Cisco Catalyst SD-WAN Manager CVE-2026-20245

Mandiant's Google Threat Intelligence Group published a forensic reconstruction of an intrusion in which Cisco Catalyst SD-WAN Manager (formerly vManage) was compromised through CVE-2026-20245 as a zero-day — exploited at a communications service provider from late 2025 through March 2026, months before Cisco's advisory ([Mandiant/GTIG, 2026-06-24](https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager)). Mandiant does not attribute the activity to a named actor. The reason this matters beyond one victim: SD-WAN Manager is the control plane for an entire WAN fabric — root on the controller is push-access to every managed edge device — so it warrants the same monitoring tier as a VPN concentrator or firewall, and it is now one of several Cisco SD-WAN flaws confirmed exploited during 2026.

**The vulnerability.** CVE-2026-20245 (CVSS 7.8, no workaround) is a command-injection weakness in the SD-WAN Manager CLI tenant-upload handler: the feature that ingests a tenant-list CSV fails to sanitise file content before it reaches a shell context, so an authenticated operator can embed OS commands inside a crafted CSV and have them execute as root on the underlying Linux host ([Cisco PSIRT, cisco-sa-sdwan-privesc-4uxFrdzx](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx)). The injected commands appended a new UID-0 account (`troot`) to the host's local account databases, giving the actor a persistent root login independent of the vManage application's own user model.

**Kill chain (as Mandiant documents it):**
- **Initial access** — the actor reached an authenticated position by abusing peering-authentication-bypass flaws CVE-2026-20127 / CVE-2026-20182 to enrol unauthorised peering and obtain SSH as the `vmanage-admin` account, or alternatively by using certificate material stolen in a previous compromise ([T1190](https://attack.mitre.org/techniques/T1190/), [T1078.004](https://attack.mitre.org/techniques/T1078/004/)).
- **Privilege escalation** — exploitation of CVE-2026-20245 via the crafted tenant CSV, executing as root ([T1068](https://attack.mitre.org/techniques/T1068/)).
- **Persistence** — creation of the `troot` UID-0 account in the host account databases, reachable via `su` ([T1136.001](https://attack.mitre.org/techniques/T1136/001/)).
- **Defense evasion / anti-forensics** — the actor changed the legitimate `admin` password and then reverted it to its original value to reduce detection probability, and deleted command history, syslog entries, and the uploaded files after use ([T1070.003](https://attack.mitre.org/techniques/T1070/003/)).

**Hunt and detection concepts.** The decisive gap is that vManage's own health dashboards do not surface OS-level account creation: detection has to happen on the underlying host. Baseline and monitor `/etc/passwd` (where the UID lives) and `/etc/shadow` (which shows whether an account has a usable password hash) for accounts added or modified since a known-good snapshot; any UID-0 account other than `root` is the high-fidelity signal. Review SD-WAN Manager audit logs for tenant-upload CLI/API invocations and correlate them with subsequent privileged shell activity; alert on child processes spawned by the tenant-upload service, and on shell-history truncation or gaps on the controller host. Because the actor reverted the admin password, an unexplained pair of password changes on a privileged account within a short window is itself worth investigating; a reset through the normal path re-salts the hash, so compare event timing and not only hash values, and treat a hash that returns to its exact previous value as a stronger sign that `/etc/shadow` was restored wholesale.
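The host-level checks above as one added worked example for this brief (not Cisco or Mandiant tooling): a `/etc/passwd` diff against a known-good snapshot that reports added, removed and modified accounts plus any non-`root` UID-0 entry, and a change-then-revert detector over an ordered history of a privileged account's password hash. The passwd snapshots and the hash histories are constructed; the only detail taken from the report is the `troot` account name, and the 24-hour pairing window is an assumption.

```python
"""Hunt OS-level persistence on an SD-WAN Manager host.

Added example for this brief, not Cisco or Mandiant tooling. The passwd
snapshots and the admin password-hash histories are constructed; only the
`troot` account name comes from the Mandiant report. Take the baseline
snapshot from a known-good build of the same software train.
"""
from datetime import datetime, timedelta, timezone

# Constructed snapshots (real vManage hosts carry many more entries)
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/bash
sshd:x:74:74::/var/empty/sshd:/sbin/nologin
"""
CURRENT_PASSWD = BASELINE_PASSWD + "troot:x:0:0::/root:/bin/bash\n"

# Constructed (timestamp, hash) observations of the admin account's password hash,
# e.g. from periodic /etc/shadow snapshots or password-change audit events.
ADMIN_HASH_HISTORY = [
    ("2026-02-01T00:00:00Z", "$6$salt1$H0"),
    ("2026-03-02T01:10:00Z", "$6$salt2$H1"),   # attacker changes admin password
    ("2026-03-02T01:42:00Z", "$6$salt1$H0"),   # original hash restored 32 minutes later
]
ROTATION_HISTORY = [                             # benign quarterly rotation
    ("2025-10-01T00:00:00Z", "$6$a$X"),
    ("2026-01-01T00:00:00Z", "$6$b$Y"),
    ("2026-04-01T00:00:00Z", "$6$c$Z"),
]


def parse_passwd(text):
    """name -> (uid, gid, shell); malformed lines are skipped, not trusted."""
    out = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[0] or not (parts[2].isdigit() and parts[3].isdigit()):
            continue
        out[parts[0]] = (int(parts[2]), int(parts[3]), parts[6])
    return out


def diff_accounts(baseline_text, current_text):
    """Accounts added/removed/changed since the baseline, plus every non-root UID-0 entry
    (reported even if it was already in the baseline, since the baseline may be tainted)."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "changed": sorted(n for n in set(cur) & set(base) if cur[n] != base[n]),
        "uid0_non_root": sorted(n for n, (uid, _, _) in cur.items() if uid == 0 and n != "root"),
    }


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def change_then_revert(history, window=timedelta(hours=24)):
    """Flag two password changes within `window`. Confidence is 'high' when the
    hash returns to its previous value (shadow entry restored byte-for-byte) and
    'medium' otherwise: a reset through the normal path re-salts, so setting the
    same password again yields a different hash and only the timing is visible."""
    findings = []
    for i in range(2, len(history)):
        (_, h0), (t1, h1), (t2, h2) = history[i - 2], history[i - 1], history[i]
        if h1 != h0 and h2 != h1 and _ts(t2) - _ts(t1) <= window:
            findings.append({"changed_at": t1, "changed_again_at": t2,
                             "confidence": "high" if h2 == h0 else "medium"})
    return findings


if __name__ == "__main__":
    print(diff_accounts(BASELINE_PASSWD, CURRENT_PASSWD))
    print(change_then_revert(ADMIN_HASH_HISTORY))
    print(change_then_revert(ROTATION_HISTORY))
```

Run the passwd diff from a read-only host inspection (a mounted disk image or a forensic shell), not from the vManage application itself, and pair it with `/etc/shadow`: a new UID-0 name whose shadow field is a real hash rather than `!` or `*` is a usable backdoor, not a placeholder.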

**Hardening.** Upgrade to a fixed train — 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, or 26.1.1.2 — as there is no workaround. Restrict which operators hold privileged CLI roles, place the management/northbound interfaces behind a source-IP ACL rather than exposing them broadly, enforce MFA on all administrator accounts, and rotate SD-WAN admin credentials (including the default `vmanage-admin`) on any controller that may have been exposed before patching. Cisco's Catalyst SD-WAN Hardening Guide carries the vendor's own configuration baseline.

— *Source: [Mandiant/GTIG](https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager) · Additional source: [Cisco PSIRT](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx) · Tags: vulnerabilities, actively-exploited, priv-esc, rce, patch-available · Region: global · Sector: telco, public-sector · CVE: CVE-2026-20245 · CVSS: 7.8 · Vector: local · Auth: post-auth · Status: exploited, patch-available*

## 6. Action Items

- **Patch Cisco Catalyst SD-WAN Manager now** to a fixed train (20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, or 26.1.1.2) — pre-disclosure root exploitation is confirmed and there is no workaround. On any controller potentially exposed before patching, baseline `/etc/passwd`/`/etc/shadow` for non-`root` UID-0 accounts, review tenant-upload audit logs, and rotate admin credentials including default `vmanage-admin`. See §4 and §5.
- **Hunt the vishing → Entra kill chain.** Alert on new MFA-method registration events in Entra audit logs correlated with anomalous sign-in geo/user-agent and post-enrollment impossible-travel risk events; move privileged and helpdesk-reachable identities to phishing-resistant FIDO2/passkey MFA and require a compliant device for MFA enrollment via Conditional Access. See §1.
- **Add detection for trusted-service abuse in exfil/C2.** Flag tunnel-service egress (`trycloudflare.com` / `workers.dev` / `devtunnels.ms`) from Office or scripting processes, and `rclone`/S3-API `PUT`/`POST` from hosts with no backup role — the Gamaredon model that any espionage operator can copy. See §3.
- **Treat LLM triage verdicts as provisional on submitted macOS samples.** Until human review, do not trust an automated "benign" verdict on a macOS binary, and hunt LaunchAgents under `com.apple.system.services.*` signed by non-Apple identities. See §3.

— *Source: [Mandiant/GTIG](https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager) · Additional source: [SentinelLABS](https://www.sentinelone.com/labs/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox/) · Tags: actively-exploited, priv-esc, identity, phishing, espionage · Region: global · Sector: telco, public-sector*

## 7. Verification Notes

**Items dropped:**
- **Ubiquiti UniFi OS CVE-2026-34908 / -34909 / -34910** (S1) — dropped as a PD-8 duplicate: this exact triple-flaw chain was the deep dive on 2026-06-24. It is also out-of-window (patched 2026-05-21 in UniFi OS Server 5.0.8) and S1's reported product/fixed-version detail ("UniFi OS 4.1.13") was inaccurate against the vendor record. The only fresh hook was today's CISA KEV federal remediation deadline, which is not operational signal for a CH/EU audience (PD-13).
- **GitLab 19.1.1 / 19.0.3 / 18.11.6** (S1, S2) — dropped from §2. Verified against GitLab's release notes (published 2026-06-24): the headline issues are stored XSS CVE-2026-10086 (CVSS 8.7) and CVE-2026-10712 (CVSS 8.0), with lower-severity authorization/SSRF issues (the SSRF, CVE-2026-12635, is only CVSS 3.1). No in-the-wild exploitation, not RCE, below the CVSS-9 threshold — clears no §2 inclusion gate. Self-hosted public-sector instances should still apply on their normal patch cycle. (A sub-agent over-stated this as "code injection / SSRF highest-impact"; corrected.)
- **PixelSmash / CVE-2026-8461** FFmpeg MagicYUV heap OOB (S3) — out-of-window: JFrog disclosure 2026-06-22, outside the 36 h window with no fresh in-window development. Noted for catch-up given Nextcloud/Jellyfin server-side-preview relevance to CH/EU public sector if it develops.
- **Microsoft DART parallel dual-actor SharePoint case study** (S3) — out-of-window (2026-06-22) and single-source.
- **Tata Electronics / World Leaks 630 GB leak** (S4) — out-of-window (2026-06-22/23).
- **River Financial Corp 8-K (Item 1.05)** (S4) — US community bank, no CH/EU nexus; SINGLE-SOURCE (SEC filing recovered via search). Watch for an 8-K/A around 1–2 July.
- **DraftKings credential-stuffing sentencing** (S4) — US law-enforcement follow-up; limited CH/EU public-sector relevance.
- **Black Kite Europe ransomware report** (S2) — periodic statistics report; declined under the no-vanity-metrics rule. Its one operational nugget (the Miljödata HR-SaaS supply-chain breach cascading to ~200 Swedish municipalities) references a 2025 incident, not in-window.

**Corrections resolved during verification (sub-agent conflicts cross-checked against primaries):**
- *Cisco SD-WAN CVE-2026-20245* — three sub-agents returned three different fixed-version lists and two different Cisco advisory IDs; resolved against the Mandiant primary and Cisco PSIRT to 20.9.9.2 / 20.12.7.2 / 20.15.4.5 / 20.15.5.3 / 20.18.3.1 / 26.1.1.2 and advisory `cisco-sa-sdwan-privesc-4uxFrdzx`. Mandiant asserts **no** actor attribution, so sub-agent "nation-state/espionage" framing was dropped. Primary publication date is 2026-06-24 (one sub-agent reported 06-25).
- *macOS.Gaslight* — two sub-agents conflicted on C2 (HTTPS vs Telegram), XProtect signature (BONZAI.D/E vs MACOS_BONZAI_COBUCH) and persistence path; resolved against the SentinelLABS primary (Telegram Bot-API C2; XProtect `MACOS_BONZAI_COBUCH`; LaunchAgent `com.apple.system.services.activity`). The fabricated SentinelLABS URL returned by one sub-agent was discarded in favour of the verified one.
- *Gamaredon* — ESET and Sekoia both published 2025 Gamaredon research on 2026-06-25; the ESET annual paper was fetched and verified. Sub-agent claims of "EU secondary targeting" were not supported by the report (exclusively Ukrainian targeting) and were dropped.

**Single-source / reduced confidence:** Ukrposhta data-exfiltration claim is a pro-Russian-hacktivist self-report, unverified by Recorded Future News; the service disruption itself is multi-source.

**Stalled sub-agents:** none — all four returned within the window.

**Coverage gaps:** databreaches-net (per-article 403 on the bridge; items recovered via corroborating publishers); cert-fr-avis, cert-fr-actu (feeds stale / nothing in window); ncsc-ch-focus (Week 26 review not yet published — HTTP 404 at run time); mandiant-gtig (Feedburner IncompleteRead — recovered via direct article fetch); bleepingcomputer (403 — recovered via alternates).

**Source-health probe:** the end-of-run `source_health.py` snapshot flagged five sources `needs-demote` — cisa-advisories, cisa-directives, cisa-news, sophos-xops, trellix. No demotion applied this run: the three CISA entries are documented routine-UA transport-blocking (exempt from demotion per the source-lifecycle rules; the `cisa-kev` bridge recipe itself returned 200 this run), and sophos-xops / trellix are single-probe failures below the 5×404 demotion threshold. Monitoring; will revisit if the failures persist across runs.
