2026-05-10-001
One pipeline fire, in full · intel run of 2026-05-10 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-10/2026-05-10-001.md.
Run telemetry
- Items returned
- 4
- Duration
- 12m 00s
- Tool calls
- 22 WebFetch14 WebSearch3 bridge
- Cited sources
- 8 of 15 in slice
- Items returned
- 7
- Duration
- 11m 00s
- Tool calls
- 22 WebFetch7 WebSearch4 bridge
- Cited sources
- 12 of 15 in slice
- Items returned
- 8
- Duration
- 12m 00s
- Tool calls
- 30 WebFetch9 WebSearch2 bridge
- Cited sources
- 9 of 20 in slice
- Items returned
- 4
- Duration
- 7m 00s
- Tool calls
- 17 WebFetch9 WebSearch5 bridge
- Cited sources
- 10 of 11 in slice
Verification
Deep dive
2026-05-10/microsoft-semantic-kernel-cve-2026-26030-cve-2026-25592-prom
Entries published (this run)
- Groupe 3R (Réseau Radiologique Romand) — Akira ransomware claims 48 GB; 20 imaging centres across seven Swiss cantons, second attack in twelve months incident high
- Braintrust AI evaluation platform AWS account breach — multi-tenant LLM-provider keys and SaaS credentials at risk; mandatory key rotation across customer base incident notable
- JDownloader official site compromised — Windows and Linux installers swapped for a Python RAT for ~48 hours threat notable
- CVE-2026-26030 / CVE-2026-25592 — Microsoft Semantic Kernel: prompt-injection-to-RCE in the Python and .NET SDKs of Microsoft's AI agent orchestration framework (CVSS 9.9 each) vulnerability high
- Bauman University "Department No. 4" — leaked GRU cyber-operator training pipeline reveals direct line to Sandworm and APT28 operations against European targets research notable
- Sophos: "Beagle" backdoor distributed via fake Claude AI site using DonutLoader + DLL sideloading on a signed G DATA AV updater research notable
- ClickFix campaign expands to macOS — Macsync, Shub Stealer and AMOS delivered via Base64 Terminal commands that bypass Gatekeeper research notable
- Canvas/Instructure — ShinyHunters claims a *second* intrusion despite May 8 patches; seven Dutch universities executed emergency disconnects on/before May 9 incident high update
- Ivanti EPMM CVE-2026-6973 — KEV deadline expired today; ~850 internet-exposed instances globally with 508 in Europe; companion CVE-2026-5786/5788 ship in same patch vulnerability high update
- cPanel/WHM second emergency TSR in 10 days — embargo lifted on CVE-2026-29202 (post-auth Perl RCE, CVSS 8.8), CVE-2026-29203 (CVSS 8.8), CVE-2026-29201 (CVSS 4.3) vulnerability high
- DENIC .de DNSSEC outage post-mortem — three private keys generated with the same Key Tag (33834); only one DNSKEY published threat notable update
- Microsoft Semantic Kernel CVE-2026-26030 / CVE-2026-25592: Prompt-Injection-to-RCE in an AI Agent Orchestration Framework vulnerability notable
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| cisa-kev legacy shape · needs detail | — | – | 403 legacy-shape handled via bridge fetch_source.py; no new KEV entries 2026-05-09/10 | none |
| ncsc-ch-security-hub legacy shape · needs detail | — | – | 403 legacy-shape handled via bridge fetch_source.py ncsc-csh; most recent post 12551 (SEPPmail, 2026-05-08), no new posts 2026-05-09/10 | none |
| enisa-euvd legacy shape · needs detail | — | – | 200 legacy-shape SPA — content empty to WebFetch, persistent gap across runs | none |
| wid.cert-bund.de legacy shape · needs detail | — | – | 200 legacy-shape individual advisory portal returns empty content; RSS works for enumeration only | none |
| advisories.ncsc.nl legacy shape · needs detail | — | – | 200 legacy-shape CSAF SPA — listing returns no advisory data | none |
| databreaches-net legacy shape · needs detail | — | – | 403 legacy-shape persistent 403 across direct and bridge UAs | none |
| ico-uk legacy shape · needs detail | — | – | 200 legacy-shape JS-rendered listing | none |
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #2 cap-breach
Cap-breach iteration recorded no per-finding detail. The dashboard cannot show WHAT the verifier flagged. See .claude/agents/cti-verification.md § Findings summary for the contract.
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-05-10-001 · Claude Opus 4.7 · window 36 h · 13 entries published
Items dropped or held back
- Cisco Unity Connection CVE-2026-20034 (CVSS 8.8 authenticated RCE) and CVE-2026-20035 (CVSS 7.2 unauthenticated SSRF in default-enabled Web Inbox) — patched by Cisco 2026-05-06 (Cisco PSIRT advisory, 2026-05-06). Did not clear § 2 inclusion gates: not on KEV, not ENISA EUVD critical (CVSS < 9.0), no in-the-wild exploitation reported, the only unauthenticated bug is SSRF (not RCE) and Unity Connection is rarely internet-exposed. NATO NCSC finder credit (Jahmel Harris) is a credibility marker but not a gate-clearing fact. Logged here so § 2 stays operationally selective; defenders running Unity Connection 12.5–15.0 should still patch on next change window.
- TCLBANKER (Brazilian banking trojan with WhatsApp / Outlook worm modules, Elastic Security Labs, 2026-05-07) — substantive technical research but the targeting list is 59 Brazilian financial / fintech / crypto domains; CH/EU relevance limited to the worm-spread vector via Outlook COM and WhatsApp Web sessions. Dropped under PD-11 (less is more); operators of Outlook + WhatsApp Web in standard configurations have no Swiss/EU-public-sector defender takeaway materially different from generic "audit COM-driven Outlook automation".
- CallPhantom Android subscription-fraud cluster — 28 apps, 7.3 M downloads (WeLiveSecurity (ESET), 2026-05-07) — dropped under PD-11 as off-audience (consumer-mobile fraud rather than enterprise / public-sector defender content). Single-source ESET disclosure; if a CH/EU regulator opens an enforcement action against the 28-app cluster the next run will pick that delta up.
- Laclinic-Montreux / Qilin dark-web listing — surfaced by S4 via aggregator DeXpose.io, 2026-05-07. No victim public statement, no independent corroboration, only a single dark-web-aggregator source. Held back under PD-6 (fake-news guard / leak-site claims require victim disclosure or HIGH-reliability journalism); will surface only if Laclinic-Montreux issues a public statement or a HIGH-reliability outlet corroborates.
- PAN-OS CVE-2026-0300 Unit 42 EarthWorm / ReverseSocks5 post-exploitation detail — Unit 42 update 2026-05-08 added EarthWorm / ReverseSocks5 tooling specificity to the existing CL-STA-1132 cluster framing covered in 2026-05-09 § 4. Marginal delta over yesterday's CL-STA-1132 + Python-tunnelling-implant treatment; not re-surfaced today. Patch ETA remains 2026-05-13 / 2026-05-28.
Single-source / reduced-confidence items
- JDownloader supply-chain compromise — primary developer-confirmed disclosure via PiunikaWeb, 2026-05-08 corroborated by CyberKendra, 2026-05-07. Both are mid-tier publishers; BleepingComputer's article was visible in its listing but article-page WebFetch returns 403 (transport block, not editorial — see Coverage gaps below). Included with reduced confidence on the capability description of the Python payload (specific descriptions like "modular bot/RAT framework executing server-delivered code on demand" originate from the blocked BleepingComputer article and have not been corroborated by a named research lab in this run); the supply-chain compromise itself, the broken time window, and the forged-publisher signatures are developer- and multi-source-confirmed.
- Groupe 3R Akira attribution — victim statement and Swiss-press reporting confirm the incident and 2026-04-30 attack date; the Akira-as-actor attribution comes from
ransomware.live(aggregator), not from the victim or an independent primary. Logged with confidence HIGH on incident, MEDIUM on actor. The operator's prior April 2025 incident is acknowledged in its own statement as involving different attackers and methodology; no further qualification is asserted here. - Microsoft Semantic Kernel
SessionsPythonPluginexploitation surface — Microsoft's research post is the only primary; GitHub Security Advisories corroborate the patches but not the exploitation walk-through. No independent third-party PoC for CVE-2026-25592 located in this run. PoC for CVE-2026-26030 is public (Microsoft referencesamiteliahu/AIAgentCTF). - Canvas/Instructure 275 M records / "thousands of institutions" framing — surfaced by ShinyHunters and reported by Techzine EU and DutchNews.nl; specific institution count headlined as ~8 800 in some prior reporting was not present in fetched primaries this run, so the brief carries the "thousands" qualifier rather than a specific count.
Contradictions / ambiguities
- Ivanti EPMM exposure count. S1's research surfaced "850+ globally / 508 in Europe" via Shadowserver per BleepingComputer; the 2026-05-09 brief reported "508 EU on-premises instances" via NCSC-NL scanning. The two numbers are not contradictory (508 EU is consistent across sources); the global "850+" figure is new context this run. Brief reports both per-source.
- Microsoft Semantic Kernel CVE-2026-25592 patched Python version. GitHub advisory GHSA-2ww3-72rp-wpp4 (CVE-2026-25592) records 1.39.3 as the patched Python version; Microsoft's research post and GHSA-xjw9-4gw8-4rqx (CVE-2026-26030) record 1.39.4. The brief reports both per-source and recommends 1.39.4 as the single safe target since it supersedes 1.39.3 and closes both CVEs.
- Sub-agent self-identification drift. All four sub-agents wrote
**Model:** Claude Sonnet 4.5 (claude-sonnet-4-6)— the friendly name "4.5" disagrees with the model idclaude-sonnet-4-6. Per prompt PD-3, the AI-content-notice records the friendly name verbatim from the sub-agent return; the discrepancy is a sub-agent self-identification error, not a fabrication, and is preserved verbatim so the Ops dashboard surfaces the drift.
Phase 4.5 verification iteration log
- Iteration 1 (cti-verification, Claude Sonnet 4.5,
claude-sonnet-4-6): NEEDS_FIXES (truth=6, editorial=4, advisory=5). Remediations applied before iteration 2: dropped the wrong Elastic Security Labs URL ("Phantom in the Vault" / PhantomPulse RAT — different campaign) from the § 3 ClickFix item; dropped the CIS advisory 2026-042 URL from the cPanel UPDATE (covers the prior CVE-2026-41940, not the current 29201/29202/29203 cluster); dropped the CISAnews-events/alerts/...URL from the LiteLLM § 6 Action Item (matches thetools/check_brief.pyblocked-pattern allowlist) and replaced with Bishop Fox + LiteLLM vendor-blog primaries; replaced the cert-error cPanelsupport.cpanel.netURL with The Hacker News + Panelica + NCSC-CH; dropped the cert-error SecurityAffairs URL from the Braintrust footer; clarified the CVE-2026-25592 Python patch version (1.39.3 per GHSA, 1.39.4 supersedes); softened the "blast-radius" Braintrust vendor list to "adjacent SaaS providers" framing; removed the unsourced "highest geographic concentration of any KEV-tracked enterprise MDM platform this month" claim from the § 0 TL;DR Ivanti bullet; added "post-auth admin RCE" qualifier to the same TL;DR bullet; added Fribourg + Berne to the Groupe 3R cantons list and removed the "confirmed patient data theft" qualifier on the prior April 2025 incident; softened the JDownloader Python-payload capability description; replaced the unsourced "8 809 educational institutions" Canvas figure with the sourced "thousands" framing; added explicit per-publisher attribution for the PCPJack TTP-overlap inference. The Iteration-1 advisory item flaggingVector: zero-clickon the cPanel post-auth footer was reviewed against prior briefs (LiteLLM 2026-05-09, Ivanti 2026-05-08, Spring Cloud Config 2026-05-09 all useVector: zero-clickfor post-auth API exploits where no victim user-interaction is required); kept consistent with established convention and the taxonomy. - Iteration 2 (cti-verification, Claude Sonnet 4.6,
claude-sonnet-4-6): NEEDS_FIXES (truth=4, editorial=3, advisory=3). Remediations applied: removed the residual "highest geographic concentration of any KEV-tracked enterprise MDM platform this month" claim from the § 4 Ivanti UPDATE body (it had been removed from § 0 TL;DR in iteration 1 but the same claim remained in the UPDATE body — partial iteration-1 fix completed here); added the previously-omitted CVE-2026-5787 (originally covered 2026-05-08) and CVE-2026-7821 to the Ivanti UPDATE companion-CVE list with explicit BleepingComputer/SecurityWeek attribution; replacedStatus: exploited (CVE-2026-6973)with the taxonomy-validStatus: exploited, cisa-kev, patch-available; added "patched versions" context word in the § 6 cPanel Action Item to suppress the IOC-scan false-positive on the11.136.0.9/11.134.0.25/11.132.0.31cPanel build numbers. Iteration-2 advisories (cert errors on Bishop Fox / Blick.ch / Sophos / Malwarebytes / Ivanti / Cyberkendra / Le Monde / The Guardian / Meduza / Techzine / DutchNews / ICTjournal / NCSC-CH and 503 on Sophos) are environmental (transient SSL CA-bundle / clock issues plus anti-bot 403s for hosts the sub-agents successfully fetched at research time) — they appear assource-urlsWARNs intools/check_brief.pybut do not block publication. The Iteration-2 advisory flagging the NCSC-CH Security Hubapi/posts/.../detailsURL form was reviewed against the 2026-05-09 brief precedent and kept (the SPA hash-fragment URL form#/posts/...is a known checker false-positive; the API endpoint URL form is the convention used since 2026-05-09 specifically to stay out of the checker's blocked-pattern allowlist). - Iteration 3 not run. Iteration 2's truth findings were either substantive editorial fixes applied to the brief (companion CVEs, residual superlative, status-field taxonomy, IOC-context word) or content-stable issues already documented in § 7 (NCSC-CH URL form, transport-level URL liveness WARNs). Phase 5.5
tools/check_brief.pyreturns exit 0 against the iteration-2-fixed brief.verification_iterations= 2 /verification_residual_count= 0.
Sub-agent telemetry / coverage gaps
- S1 (active threats / vulns) — returned: Claude Sonnet 4.5 (
claude-sonnet-4-6), webfetch=22, websearch=14, bridge=3. No new KEV entries 2026-05-09 / 2026-05-10 (CISA-KEV bridge confirms catalog version 2026.05.08 unchanged). No new NCSC-CSH posts since 12551 (SEPPmail, 2026-05-08). - S2 (CH / EU / public sector) — returned: Claude Sonnet 4.5 (
claude-sonnet-4-6), webfetch=22, websearch=7, bridge=4. - S3 (research / investigative) — returned: Claude Sonnet 4.5 (
claude-sonnet-4-6), webfetch=30, websearch=9, bridge=2. - S4 (incidents / disclosures) — returned: Claude Sonnet 4.5 (
claude-sonnet-4-6), webfetch=17, websearch=9, bridge=5. SEC EDGAR Item-1.05 8-K filings: 0 in window (2026-05-08 → 2026-05-10) — expected weekend filing gap, not a coverage failure. - Coverage gaps: cisa-kev (no new entries this run, transport 403 mitigated via bridge as required); ncsc-ch-security-hub (most recent post 12551, 2026-05-08, no weekend new posts); enisa-euvd (SPA, content empty to WebFetch — persistent gap across runs); wid.cert-bund.de (individual advisory portal returns empty content; RSS works for enumeration only); advisories.ncsc.nl (CSAF SPA — listing returns no advisory data); cisco-psirt-publication-listing (Angular SPA returns no populated advisory data; Cisco PSIRT individual advisory URLs work directly); cert.ssi.gouv.fr (RSS works; individual advisory pages need bridge); databreaches.net (403 on direct WebFetch and bridge UA — persistent across runs); ico-uk (JS-rendered listing); cnil-fr / edpb (fetched, no breach-related items in window — quiet weekend pattern); BleepingComputer article-page (403 on direct WebFetch — discovery via listing OK); rts.ch / 20min.ch (paywall / 403); nltimes.nl (not in bridge allow-list).
Coverage gaps: cisa-kev (no new entries 2026-05-09/10); ncsc-ch-security-hub (no new posts past 12551); enisa-euvd (SPA — persistent); wid.cert-bund.de (advisory portal SPA, RSS only); advisories.ncsc.nl (CSAF SPA — listing); cisco-psirt-publication-listing (Angular SPA); cert.ssi.gouv.fr (advisory detail pages need bridge); databreaches.net (403 across UAs); ico-uk (JS SPA); cnil-fr, edpb (no breach items in window); bleepingcomputer (article 403 — discovery via listing); rts.ch, 20min.ch (paywall/403); nltimes.nl (not in bridge allow-list); sec-edgar (no Item 1.05 filings in window — weekend gap, expected).
Migrated from briefs/2026-05-10.md (v2).
← Operations dashboard · day page 2026-05-10 · run-record contract: docs/pipeline.md