ctipilot.ch

2026-05-06-migrated

One pipeline fire, in full · intel run of 2026-05-06 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-06/2026-05-06-migrated.md.

Run telemetry

2026-05-06-migrated intel prompt v2.19
duration 0 published 0 updates
unknown (unknown) main agent
S1 absent

No record for this sub-agent.

S2 absent

No record for this sub-agent.

S3 absent

No record for this sub-agent.

S4 absent

No record for this sub-agent.

Verification

0 iterations · 0 residuals (legacy scalar · per-iteration breakdown not recorded)

Deep dive

Entries published (this run)

Empty run · no new verified signal; only the run record was published (a healthy outcome).

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

No coverage gaps in this run · every source the brief needed returned usable content via its documented recipe.

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-05-06-migrated · unknown · 0 entries published

Items verified multi-source: CVE-2026-31431 (CERT-EU, Microsoft, Unit 42, Ubuntu, BSI, THN); CVE-2026-4670/5174 (Help Net Security, THN, CERT-FR, NVD); CVE-2026-41940 (watchTowr, Rapid7, CyberScoop, Help Net Security, Shadowserver telemetry); CVE-2026-23918 (THN, CERT-FR); CVE-2026-32305 (NVD, CERT-FR); ScarCruft/BirdCall (ESET, THN, BleepingComputer); UAT-8302 (Cisco Talos, THN); TeamPCP SAP npm worm (SANS ISC, Sophos X-Ops, Check Point); DigiCert support portal (Help Net Security, SecurityWeek); Instructure (BleepingComputer, TechCrunch, SecurityWeek); Trellix (BleepingComputer, THN); ADT (ADT newsroom, SEC 8-K); Mediaworks Hungary (The Record, Security Boulevard, company statement); Germany .de DNSSEC outage (IP.network, SecurityWeek, heise Security).

Items marked [SINGLE-SOURCE-NATIONAL-CERT]:

  • NCSC Switzerland "Double Phishing" advisory (§ 2) — single source: NCSC Switzerland Im Fokus, 2026-05-05.
  • CERT-FR batch advisories (§ 2) — single source per advisory: ANSSI/CERT-FR cert.ssi.gouv.fr; CVE identifiers for PaperCut, Thunderbird, QNAP, VMware Tanzu, and Android advisories were not retrieved in this run — administrators must consult the CERT-FR advisories directly for full CVE listings.
  • Europol IOCTA 2026 (§ 4) — single source: Europol / EC Migration & Home Affairs, 2026-04-28.

Items marked [SINGLE-SOURCE-OTHER]:

  • Microsoft AiTM "Code of Conduct" phishing campaign (§ 4) — single source: Microsoft Threat Intelligence blog, 2026-05-04. No independent corroboration retrieved.
  • Microsoft Edge cleartext passwords (§ 4) — single source: SANS ISC Diary, 2026-05-04. No independent corroboration retrieved.

Items dropped:

  • Fiserv / Everest group: Everest ransomware group listed Fiserv on its leak site approximately 2026-05-03. Fiserv has issued no public statement. Dropped per Prime Directive 6 (ransomware leak-site claim without victim confirmation or HIGH-reliability journalism corroboration).
  • Medtronic / ShinyHunters: ShinyHunters claimed a Medtronic breach (alleged 9 million records) on 2026-05-04. Medtronic has issued no public statement. Dropped pending victim confirmation.

Unconfirmed vector noted: ADT breach vector (vishing attack on Okta SSO account, followed by Salesforce exfiltration) was claimed by the ShinyHunters threat actor. ADT's official disclosures do not confirm this vector. Reported in § 3 with clear attribution to the attacker's claim.

Recency window notes:

  • Europol IOCTA 2026 (§ 4) was published 2026-04-28 — eight days before this brief, outside the standard 72-hour recency window (and outside an extended 72-hour window for actively developing items). Included as first coverage for this brief series given its high relevance to the EU public-sector audience; will not be re-summarised in subsequent briefs per Prime Directive 9.
  • France ANTS breach: primary breach event (detected 2026-04-13, citizen notification 2026-04-22) falls outside the 72-hour window. Included because the suspect detention (2026-04-25) was widely reported as a material new development during this reporting window (coverage 2026-05-04), and this is a high-relevance ongoing story at a peer EU government identity registry.
  • CVE-2026-31431 CERT-EU advisory was published 2026-04-30 (outside 72h); the BSI Germany advisory update on 2026-05-04 and the CISA KEV listing with a 2026-05-15 deadline confirm this as an actively developing item within the window.

Source failures (consecutive_failures incremented in sources.json):

  • CISA.gov (cisa-kev, cisa-advisories, cisa-news, cisa-directives): HTTP 403 on direct fetches. KEV and advisory data obtained via corroborating secondary sources.
  • inside-it.ch: HTTP 403.
  • CSIRT Italia / csirt-acn-it: HTTP 403.
  • PRODAFT / prodaft: HTTP 403.
  • UK ICO / ico-uk: HTTP 403. UK ICO breach notifications not covered in this run.
  • Cisco Talos / talos: HTTP 403 on direct fetch; UAT-8302 content obtained via The Hacker News corroboration.

Sources with no qualifying items in the reporting window (fetched, no failures): NCSC UK, CERT Polska, Tenable Research, Rapid7 (no new in-window posts beyond cPanel ETR), watchTowr Labs (no new in-window posts beyond cPanel), ZDI, VulnCheck, GreyNoise, Shadowserver (telemetry used via secondary reporting), Volexity, The DFIR Report, Krebs on Security, Sekoia.io, Citizen Lab, CNIL France, EDPB.

Coverage gaps: CCN-CERT Spain (not fetched, sub-agent budget limit); GovCERT.ch advisory archive (navigation page only); CERT.at and GovCERT Austria (navigation pages only, no dated advisory content returned); NCC Group Research, WithSecure Labs, Dragos, SANS ICS, Cloudflare Cloudforce One, Akamai SIRT, Elastic Security Labs, Group-IB, Secureworks CTU, Red Canary, Huntress, Sygnia — not fetched in this run.

Migrated from briefs/2026-05-06.md (v2).

← Operations dashboard · day page 2026-05-06 · run-record contract: docs/pipeline.md