Verification & coverage notes
Standard daily fire — gap ≈ 24 h from the previous run 2026-07-15T0409Z-intel (which published cleanly), window 26 h. No scheduler outage, so no research-blog backfill sweep. No closed-source intel drops (intel/ carried only its README) — no S5 spawned. Product/supplier watchlists are unconfigured in this deployment, so both sweeps are no-ops and no Watchlist: line is emitted.
Fifteen candidate items surfaced across S1–S4; 7 published (5 new + 2 updates), 8 dropped. All published entries cleared the relevance/actionability gate and the completeness sweep re-read every returned item (including the borderline-flagged ones) before finalising.
Published (new):
CVE-2026-46817 Oracle E-Business Suite / Payments pre-auth RCE — CISA KEV 2026-07-15 (in-window trigger), ITW since 2026-06-27; high. First dedicated per-CVE entry (the 2026-07-05 weekly mentioned it only in prose, cves: [] — no dedup collision).CVE-2023-4346 KNX building-automation account-lockout DoS — newly KEV-listed 2026-07-15, no software patch; notable. CVE new to the store.- IWB Basel third-party-provider breach — home-region CI/public-sector incident (S2 + S4 merged); notable.
- TELEPUZ modular Windows RAT/MaaS (Elastic) — ClickFix-Vidar delivery, indirect syscalls from patched trusted DLLs; notable.
- World Leaks / Kudankulam nuclear-contractor third-party-hosting breach — out-of-nexus, cleared the breach gate on (a) global CI significance + (d) transferable third-party-hosting lesson for energy-CI operators; notable.
Published (updates):
- AsyncAPI npm compromise —
update_of 2026-07-14: Microsoft's forensic timeline shows the trojanized versions carry valid npm/OIDC provenance attestations (provenance verifies which pipeline built an artifact, not that the triggering commit was authorized) and the payload triggers at import time; notable. - Nayax / The Syndicate —
update_of 2026-07-09: board refuses the extortion demand, narrows disclosed scope, confirms remediation; routine.
borderline-drop: Veeam appliance updater LPE (CVSS 8.4, no CVE) — local-to-root (AV:L, PR:H), no exploitation, no public PoC, auto-patching; routine patch-cycle item that does not clear the beyond-patch-cycle vulnerability bar despite backup-infra sensitivity.
borderline-drop: TuxBot v3 LLM IoT botnet (Unit 42) — single-source; generic IoT-botnet detection value; the AI-written-malware angle is already saturated in-store; no material detection improvement for the constituency.
borderline-drop: OkoBot crypto-theft framework (Kaspersky) — off-nexus (targets individual cryptocurrency holders, no CI/gov/CH-EU concentration); the reusable techniques are known classes.
borderline-drop: Lidl third-party breach (DE/BE/NL) — breach inclusion gate not cleared: retail/consumer sector (not profiled), no new/evolved TTP, no named actor targeting the constituency, no imminent shared threat.
borderline-drop: D1R vs Bosch/Synopsys — unconfirmed leak-site claim disputed by the named vendor (Synopsys found no evidence); posted "proof" is an already-public user manual; fails the fake-news guard for standalone publication.
borderline-drop: AiLock claims Ferrovial — single-source leak-site claim only (Ransomware.live / HudsonRock telemetry); no victim disclosure, no regulator filing, no A/B journalism; fails the breach/verification gate. S4 itself recommended against publication.
out-of-window: xAI Grok Build CLI repo/secrets over-upload — freshest primary (The Hacker News 2026-07-14) predates the previous run (2026-07-15T04:09Z), which already triaged it (it registered incident:xai-grok-build-cli-repo-exfiltration-2026-07 but did not publish); outside window_hours=26 and not a fresh in-window delta.
Single-source items: KNX (single-source-national-cert — CISA is the disclosing authority); TELEPUZ (single-source Elastic research lab, with public YARA + ATT&CK); Kudankulam (single Reuters wire relayed by The Week; Reliance confirmed the breach, and the leaked files' authenticity is not established in the cited reporting); Nayax (single-source-victim — Nayax's own press release).
Deep dive: none. No candidate cleared the Phase 3 bar — Oracle EBS is actively exploited but public technical detail is thin (no full kill chain / PoC); TELEPUZ is technically rich but single-source commodity MaaS, not ITW exploitation against the constituency. deep_dives_today was 0; depth was not manufactured to fill the slot.
CVE id provenance: CVE-2026-46817 and CVE-2023-4346 both confirmed against the CISA KEV alert and their owning advisories (Oracle May 2026 CPU; CISA ICSA-23-236-01) and cross-checked on NVD.
Coverage gaps: cert-eu (feed current per its own cadence, newest advisory 2026-06-10, no in-window item); ncsc-uk, truesec, withsecure-labs, enisa, govcert-at (cookie-consent/JS-shell listing pages surfaced no in-window content via reader — recipe review candidates); intel471, cloudflare-cf1, kela-cyber, group-ib, depthfirst (reachable, no in-window qualifying content); databreaches-net, inside-it-ch (article pages 403 — routed via RSS feed / search-snippet corroboration).