8 verified findings from 1 run · the settled record for this UTC day, in the classic brief order.
Criticality
Kind
Topic
Region
TL;DR · the day in one read
01GTIG AI Threat Tracker (May 2026): First Confirmed AI-Generated Zero-Day Exploit ITW and the Behavioural Class of AI-Augmented Malware. Google Threat Intelligence Group confirms first AI-generated zero-day exploit observed in the wild. A criminal campaign used an LLM-generated Python exploit (semantic-logic 2FA bypass in an unnamed widely-deployed open-source sysadmin tool) before responsible disclosure cut it short (Google Cloud Threat Intelligence, 2026-05-11). Same report documents AI-augmented malware families (CANFAIL, LONGSTREAM, PROMPTFLUX, HONESTCUE) and state-actor Gemini abuse — full treatment in § 5 Deep Dive. →
02TeamPCP (UNC6780 / PCPJack ecosystem) backdoors the Checkmarx Jenkins AST plugin — third Checkmarx supply-chain compromise in three months, SANDCLOCK. TeamPCP (UNC6780) backdoors the Checkmarx Jenkins AST plugin — third Checkmarx supply-chain compromise in three months. Malicious plugin build 2026.5.09 published to the Jenkins Marketplace on 2026-05-09–10 deploys SANDCLOCK to exfiltrate every CI secret reachable from the runner (cloud keys, container-registry credentials, Checkmarx API tokens) (The Hacker News, 2026-05-11; Checkmarx — Ongoing Security Updates, last update 2026-05-09). Treat any pipeline that auto-updated in the window as a full secrets-compromise event. →
03Instructure (Canvas LMS) — ransom paid to ShinyHunters with "shred logs"; second intrusion confirmed; per-institution leak deadline reset to today.Instructure paid ShinyHunters; double Canvas intrusion confirmed; per-institution leak deadline is today (2026-05-12). Ransom acknowledged and "shred logs" received for the platform-wide dataset; a second intrusion on 2026-05-07 defaced ~330 institution portals via the same Free-for-Teacher flaw, and ShinyHunters has now set a fresh per-institution payment deadline (The Register, 2026-05-12). European universities reliant on Canvas should treat the platform-wide settlement as legally unverifiable destruction. →
04Palo Alto PAN-OS CVE-2026-0300 — first-wave fixed builds now scheduled for 2026-05-13; until then interim mitigation remains the only option. Palo Alto PAN-OS CVE-2026-0300 — first patch wave now scheduled for 2026-05-13 per the vendor advisory. The PSIRT page (last update 2026-05-07) lists first-wave fixed builds with ETA 05/13 and a second wave around 2026-05-28; until the 05/13 builds ship the interim Threat Prevention signature 510019 and captive-portal source-IP restriction remain the only mitigations against the unauthenticated root RCE that exploitation clusters have been actively abusing (Palo Alto Networks PSIRT — CVE-2026-0300). →
05BKA and ZIT dismantle relaunched Crimenetwork darknet marketplace; German operator arrested in Mallorca on European Arrest Warrant. BKA + ZIT dismantle relaunched Crimenetwork darknet marketplace; German operator arrested in Mallorca. Operator arrested on a European Arrest Warrant on 2026-05-08; the rebooted platform had reached ~22,000 users and 100+ vendors with ~€3.6 M cumulative commissions before being seized (BKA — Deutscher Betreiber von "Crimenetwork" auf Mallorca verhaftet, 2026-05-08). Second BKA/ZIT/Spanish-Police takedown of the same brand inside 18 months. →
06ICO fines South Staffordshire Water £963,900 — water-sector OES with partial SIEM coverage; Cl0p attribution and ZeroLogon kill-chain detail sourced to The. ICO fines South Staffordshire Water £963,900 for the 2020–2022 Cl0p intrusion. Regulator-side findings call out inadequate vulnerability management, unpatched critical systems, obsolete unsupported software (Windows Server 2003) and partial SIEM coverage; 633,887 individuals' data was published on the dark web from a total holding of about 1.85 million customer records (ICO notice, 2026-05-11). Reporting by The Record adds the ZeroLogon / two-DC kill-chain detail →
The German Bundeskriminalamt (BKA) and Frankfurt's Central Office for Combating Internet Crime (ZIT), with Spanish National Police support, arrested a 35-year-old German national at his residence in Mallorca on a European Arrest Warrant on 2026-05-08 and shut down the relaunched Crimenetwork (Bundeskriminalamt press release — Deutscher Betreiber von "Crimenetwork" auf Mallorca verhaftet, 2026-05-08; Help Net Security, 2026-05-11). Crimenetwork was the dominant German-language darknet marketplace; the platform was originally taken down in December 2024, and a new operator rebuilt the infrastructure under the same branding shortly afterwards. The rebooted platform reached ~22,000 users and 100+ vendors and brokered stolen data, narcotics, forged documents and illegal services in BTC / LTC / XMR for an estimated €3.6 million in commissions and vendor fees before being seized. Investigators recovered approximately €194,000 in assets and substantial user/transaction data, which the BKA states will drive a wave of follow-on prosecutions — the press release explicitly frames the seized infrastructure data as the operational value, not the headline arrest.
The UK Information Commissioner's Office on 2026-05-11 issued a £963,900 fine against South Staffordshire Plc and its water-supply subsidiary for the 2020–2022 intrusion. The ICO's published findings cite inadequate vulnerability management, unpatched critical systems, obsolete unsupported software (the estate still contained Windows Server 2003, EOL since July 2015), and incomplete SIEM coverage; the regulator does not name a CVE or threat actor in its public notice. The technical kill-chain detail — phishing initial access in September 2020 → CVE-2020-1472 (ZeroLogon, T1068) against two unpatched domain controllers → domain admin → ~20 months of unimpeded lateral movement → detection in July 2022 when IT performance degraded — comes from The Record's reporting, as does the Cl0p attribution. The ICO press release records that data on about 1.85 million customers (approximately 750,000 current and 1.1 million former) was held by the company, of which 633,887 individuals had data published on the dark web, and that the published dataset totalled over 4.1 TB including customer credentials, bank account/sort codes, Priority Services Register data (from which disability status can be inferred) and HR records (The Register, 2026-05-11). The fine was reduced 40% on the basis of early admission and cooperative engagement; South Staffordshire agreed not to appeal.
Why it matters to us: The ICO action is the first significant post-Cyber-Security-and-Resilience-Bill UK regulatory action against a water-sector OES, and the regulator's operational findings transfer verbatim to NIS2 Article 21 technical measures and the German KRITIS-DachG public-administration scope that came into force this spring. Concrete defender takeaway: (a) measure your actual SIEM/XDR coverage percentage by hostname inventory rather than by sensor-licence count — partial coverage on a high-value subset is materially worse than uniform sampling; (b) the ZeroLogon pivot reported by The Record is a long-tail patch-management hygiene point on domain controllers any SOC can audit against; (c) detection logic that survives this case maps to Sysmon-class auditing of DC authentication events — 4742 (account changes) and 4769 Kerberos service-ticket anomalies — after vendor disclosure of any DC-impacting CVE.
Škoda Auto Deutschland GmbH disclosed on 2026-05-11 that an unauthorised actor exploited a vulnerability in the standard shop-software platform underlying its German online-retail store, accessing customer names, postal addresses, email addresses, telephone numbers, order history, account data and password hashes (Škoda Auto Deutschland — Sicherheitsvorfall Škoda Shop; SecurityWeek, 2026-05-11). Credit-card data was not exposed — payment processing is delegated to external PSPs and never stored in the shop database. Škoda's own monitoring detected the intrusion; the shop was taken offline, the underlying vulnerability patched, and external forensics retained. The disclosure flags one notable operational shortfall in the company's own framing: insufficient logging coverage prevents investigators from determining definitively whether the accessed data was actually exfiltrated, so customers must be treated as if it was. Škoda Auto a.s. is a VW Group subsidiary headquartered in Mladá Boleslav (Czech Republic); the German operating company's notification reached the competent EU supervisory authority within the GDPR Article 33 72-hour window. No threat actor has been attributed.
West Pharmaceutical Services Inc. (NYSE: WST), a US-headquartered global manufacturer of drug-delivery and packaging components, filed a Form 8-K on 2026-05-11 disclosing a material cybersecurity incident under Item 1.05 (SEC EDGAR — WST 8-K, 2026-05-11). The filing states that detection occurred on May 4 2026, materiality was determined May 7, and that "certain data was exfiltrated by an unauthorized party and certain systems were encrypted" — terminology consistent with a T1486 Data Encrypted for Impact plus T1041 Exfiltration Over C2 Channel double-extortion ransomware pattern. The company took global systems offline, activated incident response, notified law enforcement and engaged external forensics; core enterprise systems are restored, shipping/receiving/manufacturing are partially restarted at some facilities, and full restoration timeline and material financial impact remain undetermined. No threat actor has claimed responsibility publicly at time of filing.
UPDATE (TeamPCP / mini-shai-hulud first covered 2026-05-07; PCPJack worm covered 2026-05-10; this is a distinct new artefact in the same actor ecosystem): On 2026-05-09–10 (UTC) TeamPCP (UNC6780) published a backdoored build of the Checkmarx Jenkins AST plugin (version 2026.5.09, marketed under the actor's signature naming "Checkmarx-Fully-Hacked-by-TeamPCP") to the Jenkins Marketplace. Any Jenkins instance configured to auto-update the AST plugin during that window pulled the malicious build and executed the SANDCLOCK credential stealer in the runner context (Checkmarx — Ongoing Security Updates, last updated 2026-05-09; The Hacker News, 2026-05-11; SecurityWeek, 2026-05-11).
SANDCLOCK targets every secret reachable from a typical CI/CD pipeline environment: GitHub Personal Access Tokens, AWS / Azure / GCP credentials, Kubernetes service-account tokens, Docker / OCI registry credentials, SSH keys, and Checkmarx One API tokens. Affected pipelines should be treated as full secrets-compromise events: every credential the runner could read must be rotated and any artefact built or deployed in the window audited. Checkmarx's ongoing-security-updates page specifies plugin version 2.0.13-829.vc72453fa_1c16 (published December 2025) as the safe pinned version; a CVE has been issued as CVE-2026-33634 per the Checkmarx advisory. This is the third Checkmarx-product supply-chain compromise by this actor in three months, after the March 2026 KICS Docker image and the April 2026 VS Code extension defacement — the cadence and the actor's naming convention indicate persistent targeting of the Checkmarx product line specifically, not opportunistic distribution-channel abuse.
Mapped to T1195.002 Compromise Software Supply Chain and T1552.001 Credentials In Files. The GTIG AI Threat Tracker ( attributes SANDCLOCK specifically to TeamPCP and flags the stealer as explicitly designed to harvest LLM API keys in addition to traditional cloud credentials — consistent with the actor's pivot to monetising stolen LLM access. Defender pivot: inventory every Jenkins plugin auto-update enabled across CI/CD estates; constrain runners to short-lived OIDC-federated credentials (no long-lived PATs in runner env) where the platform supports it; audit Checkmarx One API logs for unexpected source IPs since 2026-05-09.
UPDATE (TeamPCP / mini-shai-hulud first covered 2026-05-07; PCPJack worm covered 2026-05-10; this is a distinct new artefact in the same actor ecosystem): On 2026-05-09–10 (UTC) TeamPCP (UNC6780) published a backdoored build of the Checkmarx Jenkins AST plugin (version 2026.5.09, marketed under the …
UPDATE (originally covered as the 2026-05-07 deep dive; updates 2026-05-08 → 2026-05-10): Palo Alto Networks' PSIRT page for CVE-2026-0300 (last updated 2026-05-07 at time of run) now lists first-wave fixed builds with an ETA of 2026-05-13 for several mainline branches and a second wave around 2026-05-28 for the remaining branches; no patched build is yet shipped against the unauthenticated root RCE in the User-ID Authentication Portal / Captive Portal service. The CL-STA-1132 cluster attribution and the ~2026-04-09 first-observed-exploitation date come from Unit 42's separate Captive Portal Zero-Day threat bulletin, not from the PSIRT advisory itself.
Operationally: until the 05/13 first-wave builds ship, the interim Threat Prevention signature 510019 plus source-IP restriction of the captive-portal interface to trusted internal ranges remain the only defender controls for branches that do not yet have a fixed build. PA-Series and VM-Series operators with User-ID Authentication Portal or Captive Portal exposed should treat tomorrow as a pre-staged deployment window — confirm a tested rollback path, validate the interim signature is enforced (Threat Prevention licence required), and verify the captive-portal listener is reachable only from authorised source ranges. Prisma Access, Cloud NGFW and Panorama are not affected. The CISA KEV deadline (2026-05-09) has already expired for FCEB agencies and per PD-13 does not drive Swiss/EU action framing on its own — the operational driver is the actively-exploited ITW status and the imminent first-wave patch ship date.
UPDATE (originally covered as the 2026-05-07 deep dive; updates 2026-05-08 → 2026-05-10): Palo Alto Networks' PSIRT page for CVE-2026-0300 (last updated 2026-05-07 at time of run) now lists first-wave fixed builds with an ETA of 2026-05-13 for several mainline branches and a second wave around …
Instructure on 2026-05-11 disclosed that it "reached an agreement with the unauthorized actor" and received "digital confirmation of data destruction (shred logs)" — a ransom payment in everything but name, undisclosed amount, covering the platform-wide ~3.65 TB dataset that ShinyHunters claimed to have lifted from Canvas's Free-for-Teacher tier on 2026-04-29 (Inside Higher Ed, 2026-05-11; Infosecurity Magazine, 2026-05-11).
Two material developments accompany the settlement: (a) Instructure confirmed a second intrusion on 2026-05-07 in which ShinyHunters defaced approximately 330 individual institution login portals via the same Free-for-Teacher vulnerability — the first ITW evidence that the underlying flaw remained exploitable post-patch; (b) ShinyHunters has now reset a per-institution payment deadline to end-of-day 2026-05-12 (today), positioning the central settlement as covering only the bulk dataset while leaving individual institutions exposed to targeted publication (The Register, 2026-05-12). CEO Steve Daly publicly acknowledged delayed external communication ("we got the balance wrong" on disclosure timing). CrowdStrike remains engaged for the IR work.
Operational reality for any European university running Canvas: the "data was destroyed" claim is not technically verifiable — by ransomware-actor practice, the artefact provided is typically a hash list or a video, not a forensically meaningful proof of deletion. The dataset must continue to be treated as compromised in perpetuity for GDPR / Swiss DSG purposes, downstream phishing risk planning, and student-identity exposure communications. Institutions that received the per-institution deadline note should validate that any locally-stored Canvas-derived data (course rosters, communications, gradebooks) is included in the breach-notification scope, regardless of the platform-wide settlement.
ANNUAL REPORT — this is the dedicated treatment of the periodic Google Threat Intelligence Group AI Threat Tracker per PD-9: cherry-picked findings high-relevance to a Swiss / EU public-sector SOC; not a re-summary of the underlying daily-coverage items the GTIG report itself revisits.
Background. GTIG (Google's threat-intelligence merger of Mandiant and the historical Google TAG) has been publishing recurring AI-threat-landscape briefings since the original Adversarial Misuse of Generative AI report (January 2025); CERT-FR's CERTFR-2026-ACT-016 agentic-AI advisory (covered in this brief's 2026-05-10 daily) and the NCSC-CH BACS assessment on AI in vulnerability management (covered same day) lay the European policy floor for the same threat surface. Where the predecessors documented LLM abuse as augmentation of existing tradecraft (phishing-content generation, recon, social-engineering scripts), the May 2026 AI Threat Tracker is the first report to publicly attribute an AI-generated functional zero-day exploit observed in active criminal use (Google Cloud Threat Intelligence — AI vulnerability exploitation initial access, 2026-05-11).
The first AI-generated zero-day exploit observed in the wild
GTIG describes a criminal campaign that used an LLM-generated Python exploit script targeting an unnamed widely-deployed open-source web-based systems-administration tool. The underlying flaw is a 2FA-bypass arising from a semantic logic error: developers hardcoded a trust assumption in one code path that contradicts the authentication-enforcement logic in another. GTIG's editorial point is that this bug class is exactly where LLMs outperform classical static analysis and fuzzers — semantic intent mismatch is undetectable to a fuzzer because the program does not crash, and undetectable to a typical SAST rule because both code paths individually are syntactically defensible.
GTIG attributes the script to LLM generation with high confidence based on structural artefacts atypical of human exploit authors: abundant "educational" docstrings explaining each function's purpose to a hypothetical reader; a hallucinated CVSS score embedded in comments; ANSI-colour helper imports and a --help menu scaffold characteristic of LLM training-data formatting; consistent variable-naming patterns that read like a tutorial rather than an exploit. Mapped to T1190 Exploit Public-Facing Application at runtime, and notable as the first publicly attributed instance of an LLM operating as the exploit author rather than as a phishing-content generator. Responsible-disclosure coordination patched the underlying tool before mass exploitation took hold; GTIG explicitly believes the disclosure disrupted the campaign.
The same GTIG release documents four malware families that integrate LLM calls into runtime behaviour rather than into development:
CANFAIL and LONGSTREAM (Russia-nexus) insert LLM-generated inert decoy code blocks and daylight-saving-time API calls at runtime to inflate benign-looking telemetry, polluting downstream behavioural-sequence detectors. Mapped to T1553 Subvert Trust Controls (as an EDR-evasion variant) and T1027 Obfuscated Files or Information (LLM-generated junk code as obfuscation).
PROMPTFLUX uses the Gemini API at runtime to generate just-in-time self-modifying code for EDR evasion — a logical extension of the polymorphism / packer class, but with the unique property that no two execution-instance signatures need ever match because the LLM is the polymorphism engine.
HONESTCUE requests VBScript-obfuscation stubs from Gemini at runtime, weaponising the cloud-API surface as the obfuscator's compiler.
GTIG documents state-affiliated actor usage of Gemini for: ORB-fleet management (operating relay-network proxies), recursive-prompting validation of CVE / PoC quality at scale, and persona-driven jailbreaking attempts against embedded-device firmware analysis (TP-Link, the OFTP industrial protocol). UNC5673 (TEMP.Hex) is specifically called out for operating Claude-Relay-Service and CLI-Proxy-API tooling to pool illicit LLM access across Southeast Asian government-targeting operations — meaning the operational unit of compromise has shifted to include stolen LLM API keys as a primary objective, not a side-channel. This is the structural reason TeamPCP's SANDCLOCK stealer (§ 4 UPDATE) now explicitly enumerates LLM API keys alongside cloud credentials: there is a developed criminal market for stolen LLM access keys, driven by both volume billing arbitrage and access to higher-rate-limit / less-monitored model tiers.
Defender takeaway for Swiss / EU public-sector estates running AI workloads: treat LLM API keys as Tier-1 secrets equivalent to cloud-administrator credentials. Specifically: rotate at the same cadence; store in the same KMS / HSM-backed secret manager; enable usage-anomaly alerting at the LLM provider (rate-limit baselines per service principal, geographic / ASN anomalies, prompt-content categories outside business profile); audit any embedded-key check-ins to source control with the same gates as cloud-credential leak detection (T1552.001 Credentials In Files). The GTIG attribution that UNC5673 specifically targets government organisations means the threat profile applies directly to government developers and government-procured AI tooling.
Hardening / detection summary
Concrete posture changes a Swiss federal / cantonal / EU public-sector SOC can implement based on this report alone, in priority order:
Egress allowlisting for LLM-API endpoints: only workloads where LLM access is justified should be permitted outbound to *.googleapis.com/v1beta/, api.openai.com/v1/, api.anthropic.com/, etc. — enforce at SWG and at host firewall on production servers. Catches PROMPTFLUX / HONESTCUE / CANFAIL-class runtime LLM calls from workloads that should not be making them.
LLM-API-key secrets management: treat as Tier-1; rotate quarterly minimum; enable provider-side usage alerting on per-key baselines.
Exploit-artefact LLM-output heuristics added to triage pipelines for PoC scripts pulled from public sources — docstring-density / hallucinated-metadata / ANSI-bootstrap pattern, used as a triage prior, not a verdict.
CI/CD secrets hygiene at the runner level — directly applicable both to the AI-key theft trend and to the SANDCLOCK / TeamPCP Jenkins compromise carried as the § 4 UPDATE. OIDC-federated short-lived credentials where the platform supports it; no long-lived PATs in runner environment.
Behavioural-sequence detector cross-validation: where ML-based EDR is in use, validate against API-call-sequence pollution by sampling current detection thresholds against synthetic LLM-generated benign sequences.
2026-05-12-cd1ab844· Claude Opus 4.7 · 8 entries published
Items dropped or held back
Ivanti EPMM May 2026 chain (CVE-2026-6973 et al.) — § 4 UPDATE candidate, dropped after verifier check. S2 surfaced CERTFR-2026-ACT-021, 2026-05-11 framed around named Dutch public-sector victims (Autoriteit Persoonsgegevens, Raad voor de Rechtspraak) as the in-window delta justifying re-coverage. The Phase 5.7 verifier's re-fetch of CERT-FR ACT-021 (and NCSC-NL — Casus kwetsbaarheden Ivanti EPMM-systemen) confirms neither source names those organisations; CERT-FR's affected-systems table reads "Non spécifié par l'éditeur". Without the named-victims claim, the bulletin's only operational delta is a recommendation to rotate EPMM admin credentials as carry-over from the January 2026 chain — already covered in the 2026-05-09 daily. Per PD-8 + PD-13, no fresh material delta in window; dropped. The hallucinated named-victims claim is an example of research-sub-agent drift that the cold-reader verification caught at iteration 1.
CVE-2024-1708 / CVE-2024-1709 — ConnectWise ScreenConnect path-traversal + auth-bypass chain (KEV deadline 2026-05-12). S1 surfaced again with Kimsuky (DPRK) / Storm-1175 (China-linked) / Medusa attribution. Both the underlying KEV addition (2026-04-28) and the actor-attribution article (The Hacker News, 2026-04-28) sit outside the 36 h recency window and were already considered and dropped in yesterday's brief on the same basis. Per PD-13, a KEV deadline arriving today is not in itself material new development. No fresh in-window ITW evidence, no fresh in-window research delta. Dropped.
CVE-2026-0073 — Android adbd wireless-ADB authentication-bypass (PoC public ~2026-05-11; vendor patch 2026-05-01). S1 surfaced with Penligent/Barghest research (in-window PoC disclosure) and the Android Security Bulletin May 2026. Strict § 2 gate not cleared: vector is AV:A adjacent-network (over wireless ADB on TCP/5555), not internet-exposed; CVSS 8.8 below the ENISA EUVD CVSS-9 threshold; no ITW; not on the KEV catalogue at time of run. Dropped from § 2; logged here for the next brief if exploitation evidence emerges. The mitigation guidance is straightforward and not novel — MDM policies should disable wireless ADB globally on enrolled devices regardless of this CVE.
GLPI cluster (CVE-2026-32312 / 40108 / 42317 / 42318 / 42320 / 42321 / 5385). Already fully treated as § 2 entries in the 2026-05-10 daily; the CERT-FR ACT-021 weekly recap on 2026-05-11 does not add a material delta — instance counts, sectoral framing, and patch paths are unchanged. No re-coverage.
SEPPmail Secure Email Gateway cluster (CVE-2026-44128 / 44125 / 44126 / 44127 / 44129 / 7864). Already the 2026-05-09 deep dive; S2 acknowledged the NCSC-CH security-hub post 12551 is ~44 h old and outside the strict 36 h window. No re-coverage.
CB Financial Services (CBFV) SEC Form 8-K Item 1.05 (filing 2026-05-11 per S4 SEC EDGAR search). S4 could not retrieve the filing body (URL guess fell to 404); no corroborating press coverage was located. Community bank in Carmichaels, PA — limited systemic EU / Swiss relevance, and the filing-detail gap means we cannot quote the disclosure. Held back for tomorrow's brief once the filing body is reachable.
Akamai SIRT "Shadow AI" LLM-malware post. Surfaced by S3 via search but the article's publication date is undetermined; www.akamai.com is not on the bridge allow-list and WebFetch returned 403. Cannot establish in-window status; dropped.
Single-source / reduced-confidence items
West Pharmaceutical Services SEC 8-K is [SINGLE-SOURCE-OTHER] for press corroboration: the SEC filing itself is HIGH-reliability primary, but no tier-1 security press coverage was retrieved before the brief was composed (S4 found only FrenchBreaches.com, an aggregator). Confidence on the disclosure itself: HIGH. Confidence on attribution class (ransomware vs. other actor): MEDIUM — the SEC filing's wording strongly implies double-extortion ransomware but the company does not use the word. Included on the strength of the primary regulator filing.
Škoda Auto online shop breach is corroborated by SecurityWeek + Škoda's own vendor statement; no independent security-research source (Heise, Inside-IT, Le Monde, BKA / BfDI / Czech UOOU enforcement notice) was found before composition. Confidence on the disclosure itself: HIGH. Confidence on the data-exfiltration scope: MEDIUM by Škoda's own admission (logging gap).
ConnectWise ScreenConnect note (above) also relies on cybernews.com and the vendor PSIRT URL, both of which failed to fetch in this run; we are not including the item, but we note that the trust-cert issue on the ConnectWise PSIRT URL is a transport-side recurring problem that we have not yet logged for the bridge fetcher allow-list expansion.
Contradictions / ambiguities
Instructure Canvas "data destruction" claim from ShinyHunters. Instructure's own communication frames receipt of "shred logs" as digital confirmation of deletion; security-research community framing in The Register and Infosecurity Magazine is that ransomware-actor "shred log" artefacts are unverifiable. We follow the security-research framing in the brief because (a) it matches established practice for breach-notification scope decisions under GDPR / Swiss DSG, and (b) the second intrusion on 2026-05-07 and the per-institution deadline reset for today demonstrate that the actor's word is not a forensic primitive.
S2 (Claude Sonnet 4.6, 572 s): returned 3 items. 1 item kept as § 4 UPDATE (Ivanti EPMM CERT-FR ACT-021 + named EU public-sector victims); 2 items already-covered (GLPI 2026-05-10; SEPPmail 2026-05-09 deep dive). Bridge-mandatory hosts NCSC-CH security-hub (12548 + 12551) and ENISA EUVD fetched cleanly via the bridge subcommands. Telemetry: webfetch=14, websearch=18, bridge=8.
S3 (Claude Sonnet 4.6, 642 s): returned 5 items. 2 items kept (GTIG AI Threat Tracker as § 5 Deep Dive per PD-9 annual-report rule; TeamPCP Checkmarx Jenkins as § 4 UPDATE). 2 items duplicated with S4 (Canvas/Instructure ransom-paid; Škoda online-shop breach — merged with S4 framing). 1 item duplicated with S1 (Trellix source-code coverage — already covered 2026-05-10). Telemetry: webfetch=18, websearch=18, bridge=4.
S4 (Claude Sonnet 4.6, 556 s): returned 4 items. 3 items kept (ICO South Staffordshire fine; West Pharma SEC 8-K; Škoda online shop). 1 item duplicated with S3 (Canvas/Instructure UPDATE — merged). Telemetry: webfetch=22, websearch=21, bridge=3.
Tool / source issues observed
hub.ivanti.com, downloads.seppmail.com, ccb.belgium.be are not on the tools/fetch_source.py bridge allow-list — bridge attempts on these hosts return refused: host '...' is not in the allow-list. Direct WebFetch returns 403 on hub.ivanti.com. Coverage is recovered via NCSC-CH security-hub, CERT-FR, and CIRCL vulnerability.circl.lu, but adding these three hosts to the bridge allow-list would remove a recurring single-point coverage risk on Ivanti, SEPPmail, and Belgian-CCB advisories.
bleepingcomputer article-level URLs continue to 403 on direct WebFetch; bridge url returns 200 with SPA-empty body. Listing-level URLs work. No change since 2026-05-11.
advisories-ncsc-nl CSAF bridge — S2 recorded 404 on several recent advisory IDs (NCSC-2026-0384, 0399, 0400, 0401); NCSC-2026-0135 (Ivanti EPMM) fetched cleanly. The NameError that broke yesterday's bridge call is gone; the new mode is upstream 404 on advisory IDs that are presumably embargoed or never published. Worth tracking.
research.nccgroup.com is not on the bridge allow-list (S3 attempted via bridge url; refused).
darkreading article-level URLs continue to 403 on direct WebFetch (S3, S4 both hit this).
databreaches-net Cloudflare Managed Challenge confirmed again; WebSearch fallback used per allow-list, no in-window items surfaced.
Coverage gaps: cisa-kev (bridge OK; no new KEV additions in window 2026-05-11 / 2026-05-12); enisa-euvd (bridge OK; recent lastvulnerabilities returned only low-severity XSS, criticals and exploited only items already covered); ncsc-ch-security-hub (bridge OK; latest posts 12548 + 12551 are 2026-05-08 and already absorbed into S2 returns; no new posts in window); bsi-de (RSS OK; in-window items routine — Linux kernel, libxml2, NGINX, IBM); cert-pl, cert-at, csirt-acn-it (not fetched in this run — rotation candidates for tomorrow); cert-eu (no advisory 2026-007 yet — 2026-006 was the last published); ccn-cert-es (demoted source, not fetched); cnil-fr, edpb, aepd, garante (no in-window enforcement / breach decisions found); ico-uk (sitemap bridge fetched; the South Staffordshire action was the only new enforcement in window); inside-it-ch (Cloudflare-blocked — WebSearch fallback used, no S2 items surfaced); databreaches-net (Cloudflare-blocked — WebSearch fallback, no items); sec-edgar (CB Financial CBFV 8-K Item 1.05 filed 2026-05-11 but filing body not retrievable from EDGAR URL guess — see drops above); hub.ivanti.com, downloads.seppmail.com, ccb.belgium.be, research.nccgroup.com, akamai-sirt — bridge allow-list expansion candidates.