Items dropped (with reason):
- PAN-OS GlobalProtect CVE-2026-0257 (proposed § 4 UPDATE — S1, S2): topic was the 2026-05-30 deep dive; proposed delta (Rapid7 ETR 2026-05-29; NCSC-NL advisory NCSC-2026-0172, 2026-05-30T10:52Z forecasting increased exploitation; an unverified GreyNoise webshell-via-secondary-zero-day claim) adds no material new development under PD-8 — no new actor, victim, CVE-in-chain, fresh patch, or law-enforcement action. Primary sources are out of the 36 h window. KEV-deadline framing excluded per PD-13 (US FCEB compliance date, not a threat fact).
- Oracle May 2026 Critical Patch Update — E-Business Suite (CVE-2026-46817, -46818, -46819, -46820, -46821) (S1): out-of-window (Oracle CPU 2026-05-20; NCSC-NL advisory NCSC-2026-0170, 2026-05-29) and clears no § 2 inclusion gate — not CISA KEV, no ENISA-EUVD
exploited=true, no public PoC, no observed in-the-wild exploitation at publication. Noted for operator awareness: three of the 12 EBS patches are unauthenticated/network-vector and Oracle Public Sector Financials International (12.2.3–12.2.15) is an affected product — CH/EU public-sector finance operators should apply the May 2026 CPU regardless of its absence from § 2. - Zimbra Collaboration Suite — BSI WID-SEC-2026-1735 (S1): single-source, out-of-window (2026-05-29), low-severity classes (XSS / information disclosure / security bypass), no exploitation; CVE identifiers could not be confirmed (BSI CSAF carried no numeric CVE fields and WebSearch surfaced unverified numbers) — excluded rather than cite unverified CVEs.
- Tycoon 2FA AiTM — Elastic Security Labs (S3): out-of-window (2026-05-26) and the topic was already the 2026-05-27 deep dive (identity-infra).
- Red Canary Intelligence Insights May 2026 (S3): out-of-window monthly retrospective (2026-05-26); the ACR Stealer fake-Claude-Code lure component was already covered 2026-05-26.
Single-source items: SmartApeSG → NetSupport (§ 3) — SANS ISC handler diary (HIGH-reliability source, single-day forensic observation, no independent in-window corroboration of the identical chain); flagged inline.
Recency / reduced-confidence posture: The Italy commercial-spyware deep dive (§ 5) is retained under the PD-7 deep-dive analysis exception. Its in-window news hook (heise.de, 2026-05-31) was TollBit-gated (HTTP 402, body unavailable) and is therefore not cited; the deep dive rests on the EDRi investigation (2026-05-28) and Osservatorio Nessuno technical analyses (April 2026), all fetched this run. The npm campaigns (Microsoft, 2026-05-30) and the PostHog incident (2026-05-30) sit at the window edge and are retained as fresh, distinct developments.
Contradictions: none surfaced this run.
Sub-agents: all four returned within the 30 min cap (S1 511 s, S2 690 s, S3 472 s, S4 489 s); all ran Claude Sonnet 4.6.
Note on databreaches-net: rotation-priority source failed for a 5th consecutive run (HTTP 403, no usable Wayback snapshot). Per the source-lifecycle rule sustained 403 is transport blocking and does not demote; left active, carried forward below. Candidate for an alternate-URL strategy or replacement next run.
Coverage gaps: inside-it-ch (HTTP 403, no Wayback — 3rd consecutive failure); heise-sec (TollBit HTTP 402, article bodies gated); databreaches-net (HTTP 403, no Wayback — 5th consecutive failure); sophos-xops (feed silent / prior 503, rotation-priority unrecovered); dragos (SPA, no RSS / no in-window OT-ICS items); recordedfuture-insikt (feed returned no output); volexity (feed returned no output); sekoia (reached, last post 2026-04-23, no in-window items); cert-fr-actu, anssi-fr (feeds stale, no in-window advisories); cert-eu (no new advisory since 2026-006, 2026-05-06); sec-edgar (reached, 0 Item 1.05 cyber filings in window); ico-uk, cnil-fr, edpb (reached, no in-window enforcement actions).
Unmatched action items (migrated)
- Scope-lock
.npmrc and disable install scripts in CI/CD to close the dependency-confusion vector in § 1: route every internal @scope to the private registry explicitly, run npm install --ignore-scripts in pipelines, and grep lockfiles for implausible inflated versions (100.100.100, 99.99.99) on internal package names. Rotate any secrets exposed in the environment of a developer host or build agent that may have installed from the flagged aliases. - Review the IAM scope granted to PostHog's hosted infrastructure if you use its EU/US Cloud (§ 1): audit cross-account trust relationships to PostHog's AWS account and watch CloudTrail for unexpected key usage; self-hosters should confirm the ingestion endpoint is not unauthenticated-internet-reachable. The vector is undisclosed, so treat the integration boundary as your control point.
- Add Accessibility/overlay/ADB governance to Android MDM (§ 5): alert on Accessibility-Service grants and
SYSTEM_ALERT_WINDOW overlays from non-approved APKs, treat MTD-agent termination shortly after an APK install as high-confidence, disable ADB-over-network, and enforce Android Enterprise Fully Managed mode where the fleet handles sensitive material. - Hunt the browser→script ClickFix pattern (§ 3): alert on browser processes spawning
wscript.exe/mshta.exe/cmd.exe, short-lived .vbs/.bat creates in C:\ProgramData\, and NetSupport persistence pointing at non-standard install paths. - Otherwise, monitor. No item in this run met the emergency-action bar; the actions above are change-window hardening, not page-the-on-call work.
Migrated from briefs/2026-06-01.md (v2).