ctipilot.ch
Wed · 06 May 2026
All daily briefs ↗
Daily brief · UTC day

Wednesday, 6 May 2026

0 verified findings from 1 run · the settled record for this UTC day, in the classic brief order.

Criticality
Verification & coverage notes1 run

2026-05-06-migrated · unknown · 0 entries published

Items verified multi-source: CVE-2026-31431 (CERT-EU, Microsoft, Unit 42, Ubuntu, BSI, THN); CVE-2026-4670/5174 (Help Net Security, THN, CERT-FR, NVD); CVE-2026-41940 (watchTowr, Rapid7, CyberScoop, Help Net Security, Shadowserver telemetry); CVE-2026-23918 (THN, CERT-FR); CVE-2026-32305 (NVD, CERT-FR); ScarCruft/BirdCall (ESET, THN, BleepingComputer); UAT-8302 (Cisco Talos, THN); TeamPCP SAP npm worm (SANS ISC, Sophos X-Ops, Check Point); DigiCert support portal (Help Net Security, SecurityWeek); Instructure (BleepingComputer, TechCrunch, SecurityWeek); Trellix (BleepingComputer, THN); ADT (ADT newsroom, SEC 8-K); Mediaworks Hungary (The Record, Security Boulevard, company statement); Germany .de DNSSEC outage (IP.network, SecurityWeek, heise Security).

Items marked [SINGLE-SOURCE-NATIONAL-CERT]:

  • NCSC Switzerland "Double Phishing" advisory (§ 2) — single source: NCSC Switzerland Im Fokus, 2026-05-05.
  • CERT-FR batch advisories (§ 2) — single source per advisory: ANSSI/CERT-FR cert.ssi.gouv.fr; CVE identifiers for PaperCut, Thunderbird, QNAP, VMware Tanzu, and Android advisories were not retrieved in this run — administrators must consult the CERT-FR advisories directly for full CVE listings.
  • Europol IOCTA 2026 (§ 4) — single source: Europol / EC Migration & Home Affairs, 2026-04-28.

Items marked [SINGLE-SOURCE-OTHER]:

  • Microsoft AiTM "Code of Conduct" phishing campaign (§ 4) — single source: Microsoft Threat Intelligence blog, 2026-05-04. No independent corroboration retrieved.
  • Microsoft Edge cleartext passwords (§ 4) — single source: SANS ISC Diary, 2026-05-04. No independent corroboration retrieved.

Items dropped:

  • Fiserv / Everest group: Everest ransomware group listed Fiserv on its leak site approximately 2026-05-03. Fiserv has issued no public statement. Dropped per Prime Directive 6 (ransomware leak-site claim without victim confirmation or HIGH-reliability journalism corroboration).
  • Medtronic / ShinyHunters: ShinyHunters claimed a Medtronic breach (alleged 9 million records) on 2026-05-04. Medtronic has issued no public statement. Dropped pending victim confirmation.

Unconfirmed vector noted: ADT breach vector (vishing attack on Okta SSO account, followed by Salesforce exfiltration) was claimed by the ShinyHunters threat actor. ADT's official disclosures do not confirm this vector. Reported in § 3 with clear attribution to the attacker's claim.

Recency window notes:

  • Europol IOCTA 2026 (§ 4) was published 2026-04-28 — eight days before this brief, outside the standard 72-hour recency window (and outside an extended 72-hour window for actively developing items). Included as first coverage for this brief series given its high relevance to the EU public-sector audience; will not be re-summarised in subsequent briefs per Prime Directive 9.
  • France ANTS breach: primary breach event (detected 2026-04-13, citizen notification 2026-04-22) falls outside the 72-hour window. Included because the suspect detention (2026-04-25) was widely reported as a material new development during this reporting window (coverage 2026-05-04), and this is a high-relevance ongoing story at a peer EU government identity registry.
  • CVE-2026-31431 CERT-EU advisory was published 2026-04-30 (outside 72h); the BSI Germany advisory update on 2026-05-04 and the CISA KEV listing with a 2026-05-15 deadline confirm this as an actively developing item within the window.

Source failures (consecutive_failures incremented in sources.json):

  • CISA.gov (cisa-kev, cisa-advisories, cisa-news, cisa-directives): HTTP 403 on direct fetches. KEV and advisory data obtained via corroborating secondary sources.
  • inside-it.ch: HTTP 403.
  • CSIRT Italia / csirt-acn-it: HTTP 403.
  • PRODAFT / prodaft: HTTP 403.
  • UK ICO / ico-uk: HTTP 403. UK ICO breach notifications not covered in this run.
  • Cisco Talos / talos: HTTP 403 on direct fetch; UAT-8302 content obtained via The Hacker News corroboration.

Sources with no qualifying items in the reporting window (fetched, no failures): NCSC UK, CERT Polska, Tenable Research, Rapid7 (no new in-window posts beyond cPanel ETR), watchTowr Labs (no new in-window posts beyond cPanel), ZDI, VulnCheck, GreyNoise, Shadowserver (telemetry used via secondary reporting), Volexity, The DFIR Report, Krebs on Security, Sekoia.io, Citizen Lab, CNIL France, EDPB.

Coverage gaps: CCN-CERT Spain (not fetched, sub-agent budget limit); GovCERT.ch advisory archive (navigation page only); CERT.at and GovCERT Austria (navigation pages only, no dated advisory content returned); NCC Group Research, WithSecure Labs, Dragos, SANS ICS, Cloudflare Cloudforce One, Akamai SIRT, Elastic Security Labs, Group-IB, Secureworks CTU, Red Canary, Huntress, Sygnia — not fetched in this run.

Migrated from briefs/2026-05-06.md (v2).