2026-05-13-c148b9a5
One pipeline fire, in full · intel run of 2026-05-13 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-13/2026-05-13-c148b9a5.md.
Run telemetry
- Items returned
- 5
- Duration
- 7m 02s
- Tool calls
- 16 WebFetch5 WebSearch6 bridge
- Cited sources
- 7 of 17 in slice
- Items returned
- 8
- Duration
- 5m 24s
- Tool calls
- 9 WebFetch8 WebSearch5 bridge
- Cited sources
- 4 of 20 in slice
- Items returned
- 7
- Duration
- 9m 03s
- Tool calls
- 18 WebFetch18 WebSearch2 bridge
- Cited sources
- 8 of 19 in slice
- Items returned
- 4
- Duration
- 8m 59s
- Tool calls
- 17 WebFetch21 WebSearch4 bridge
- Cited sources
- 2 of 16 in slice
Verification
1 entry dropped by verification this run (recorded in the verification & coverage notes).
Deep dive
2026-05-13/mini-shai-hulud-s-github-actions-pwn-request-oidc-token-thef
Entries published (this run)
- Foxconn confirms Nitrogen ransomware crippled North-American manufacturing sites; 8 TB / 11M files claimed incident high
- BWH Hotels (Best Western, WorldHotels, Sure Hotels) — 181-day unauthorised access to a guest-reservation web application, six EU brands in scope incident notable
- CVE-2026-44277 / CVE-2026-26083 — Fortinet FortiAuthenticator and FortiSandbox unauthenticated RCE vulnerability high
- CVE-2026-45185 — Exim "Dead.Letter" use-after-free in BDAT/CHUNKING on GnuTLS builds vulnerability high
- CVE-2026-41089 / CVE-2026-41096 / CVE-2026-41103 / CVE-2026-42898 — Microsoft May 2026 Patch Tuesday (120+ CVEs, no zero-days) vulnerability high
- CVE-2026-34263 / CVE-2026-34260 — SAP Commerce Cloud pre-auth RCE, S/4HANA Enterprise Search SQL injection vulnerability high
- CERTFR-2026-AVI-0564 — SPIP < 4.4.14: multiple RCEs (public and private area) vulnerability notable
- CERTFR-2026-AVI-0572 — Centreon Infra Monitoring: RCE / SQLi / XSS cluster (April 2026 bulletin) vulnerability notable
- Microsoft MDASH — multi-model agentic vulnerability-discovery harness finds 16 Windows CVEs in network-stack kernel components research notable
- TrickMo "TrickMo C" — Android banking trojan migrates C2 to The Open Network blockchain, adds SOCKS5 / SSH device-as-pivot research notable
- NCSC-UK — "10 questions to ask when using AI models to find vulnerabilities" research notable
- Mini Shai-Hulud — TeamPCP worm hits TanStack, UiPath, Mistral AI, OpenSearch (160+ package versions) threat high update
- Instructure Canvas — US House Homeland Security Committee opens formal investigation; Instructure paid ransom incident notable update
- PAN-OS CVE-2026-0300 — first-wave patched builds released on 2026-05-13 vulnerability notable update
- Mini Shai-Hulud's GitHub Actions Pwn-Request → OIDC Token Theft Chain threat notable
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| bleepingcomputer covered via alternate · should NOT be in this list | https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2026-patch-tuesday | webfetch → websearch | 403 transport-403 HTTP 403 Forbidden on default UA | WebSearch fallback + Tenable/ZDI/Rapid7 pivot for Patch Tuesday coverage |
| anssi-fr covered via alternate · should NOT be in this list | https://www.cert.ssi.gouv.fr/actualite/CERTFR-2026-ACT-021/ | bridge:url | 200 spa-empty-body HTML shell — bridge returned page structure only | CERT-FR RSS feed fetched; CERTFR-2026-AVI-0564 / 0572 advisory bodies via per-URL bridge:url |
| cert-eu | https://cert.europa.eu/publications/security-advisories/ | bridge:url | 200 spa-empty-body Listing returned navigation scaffold only | WebSearch fallback; no new in-window CERT-EU advisories beyond what national CERTs covered |
| cisa-kev covered via alternate · should NOT be in this list | https://www.cisa.gov/known-exploited-vulnerabilities-catalog | bridge:cisa-kev | 200 none bridge OK; catalog version 2026.05.08 — no new KEV additions in window | bridge:cisa-kev → 200 OK; no new entries |
| enisa-euvd covered via alternate · should NOT be in this list | https://euvd.enisa.europa.eu/ | bridge:enisa-euvd.recent | 200 spa-empty-body Direct page is SPA shell; bridge endpoint returned full data | bridge:enisa-euvd.recent → 200 OK (criticals, exploited); EUVD-2026-29824 Exim and EUVD-2026-29872 Thymeleaf surfaced |
| bsi-de covered via alternate · should NOT be in this list | https://wid.cert-bund.de/portal/wid/securityadvisory | bridge:bsi-rss | 200 spa-empty-body Angular SPA portal returns navigation only; bridge RSS returned feed | bridge:bsi-rss → 200 OK; no new in-window KRITISCH items |
| advisories-ncsc-nl | https://advisories.ncsc.nl/csaf/v2/2026/ncsc-2026-0380.json | bridge:ncsc-nl.csaf | 404 transport-404 speculative advisory-id 404 — no enumeration index available | none — coverage gap for NCSC-NL this run |
| databreaches-net | https://databreaches.net/ | webfetch → bridge:url → websearch | 403 robots-blocked Cloudflare Managed Challenge on every UA | bridge:url also blocked by Cloudflare Managed Challenge (documented for databreaches-net); WebSearch fallback — no unique in-window items |
| inside-it-ch | https://www.inside-it.ch/ | webfetch → bridge:url → websearch | 403 robots-blocked Cloudflare Managed Challenge on every UA | bridge:url also blocked by Cloudflare Managed Challenge (documented for inside-it-ch); WebSearch fallback — no unique in-window items |
| ico-uk | https://ico.org.uk/sitemap.xml | bridge:url | 200 Sitemap returned; no in-window enforcement actions identifiable from lastmod | WebSearch fallback confirmed South Staffordshire (2026-05-12, prior brief) as freshest |
| sec-disclosures-edgar | https://www.sec.gov/cgi-bin/browse-edgar | webfetch | 503 transport-5xx HTTP 503 Service Unavailable | WebSearch fallback; Itron (Apr 2026, out-of-window) and West Pharma (2026-05-12, prior brief) confirmed as most-recent relevant 8-K Item 1.05; no new in-window |
| nltimes | https://nltimes.nl/2026/05/12/odido-rules-compensation-massive-cyberattack-affec | webfetch → bridge:url | 403 robots-blocked Cloudflare Managed Challenge; bridge fetcher does not allow-list nltimes.nl | Search-engine confirmed publication date and headline; primary unreadable; Odido item dropped from § 1 to § 7 as coverage gap |
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #1 NEEDS_FIXES · 10 findings (truth=8, editorial=0, advisory=2) · Claude Opus 4.7 · 4m 22s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F4 hallucinated-fact | active-threats | Foxconn — Nitrogen ransomware (TTP chain unsourced) malvertising → trojanised installer → Cobalt Strike → AD reconnaissance within 72 h | TTP chain not in any cited source | Removed unsourced TTP chain; replaced with generic hypervisor-recovery detection concepts tied to the Coveware decryptor-bug analysis fixed-clean |
| F4 hallucinated-fact | trending-vulnerabilities | CVE-2026-45185 Exim — EUVD-2026-29824 critical claim ENISA EUVD-2026-29824 lists the vulnerability as Critical | EUVD entry not confirmable from cited sources; verification SSL-failure on bridge re-fetch | Removed EUVD claim and enisa-critical Tags/Status; kept CVSS 9.8 per vendor disclosure fixed-degraded |
| F4 hallucinated-fact | trending-vulnerabilities | CVE-2026-41901 Thymeleaf — EUVD claim ENISA EUVD-2026-29872 | EUVD entry not confirmable; CSO Online cited is wrong CVE; GHSA dated 2026-04-29 (out of window) | Dropped entire Thymeleaf item from § 2, action items, CVE table, cves_seen.json, covered_items.json; documented in § 7 dropped-item |
| F3 claim-not-supported | trending-vulnerabilities | CVE-2026-41901 Thymeleaf — CSO Online citation CSO Online 2026-05-12 | CSO Online cite is April 17 and covers a different CVE | Subsumed into Thymeleaf drop dropped-item |
| F4 hallucinated-fact | trending-vulnerabilities | CVE-2026-41901 Thymeleaf — GHSA date 2026-05-12 GitHub Security Advisory GHSA-c9ph-gxww-7744, 2026-05-12 | Actual GHSA publication 2026-04-29 | Subsumed into Thymeleaf drop dropped-item |
| F4 hallucinated-fact | research | NCSC-UK 10 Questions date 2026-05-12 | Actual publication 2026-05-11 (Ruth C, head of Vulnerability Management Group) | Corrected date in heading, prose and footer to 2026-05-11 fixed-clean |
| F4 hallucinated-fact | active-threats | Foxconn H3 — five sites Foxconn confirms Nitrogen ransomware crippled five North-American manufacturing sites | H3 says 'five' but body lists six locations | Removed numeric count from H3; reads "crippled North-American manufacturing sites" fixed-clean |
| F4 hallucinated-fact | updates | Canvas — Garbarino letter on extortion deadline On the 2026-05-12 ShinyHunters extortion deadline, … Garbarino sent a formal letter | Letter sent late on 2026-05-11; deadline was 2026-05-12; ransom paid before the deadline | Rewrote UPDATE para 1 with corrected timeline (letter 05-11, deadline 05-12) and corrected institution count (8,800 per The Register, ~9,000 per The Record surf fixed-clean |
| F11 editorial-advisory | updates | Canvas institution-count discrepancy ~275 million records across ~9,000 institutions | Source contradiction | Surfaced both figures inline (~8,800 per Register, ~9,000 per Record); added to § 7 contradictions list fixed-clean |
| F11 editorial-advisory | tldr | TL;DR Foxconn bullet Coveware programming bug insight | Paired with F4 #1 — flagged source quality only | Coveware insight retained; TTP-chain claim removed in body fix fixed-clean |
Iteration #2 NEEDS_FIXES · 5 findings (truth=1, editorial=3, advisory=1) · Claude Sonnet 4.6 · 3m 50s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 broken-url | trending-vulnerabilities | CVE-2026-44277 Fortinet FortiAuthenticator | Verifier WebFetch returned 403 (transient UA filter) | Fresh re-fetch returned 200 with full advisory; UA-filter transient; no source-list change; § 7 documents the verification re-fetch and notes vendor-canonical C fixed-clean |
| F3 claim-not-supported | trending-vulnerabilities | CERTFR-2026-AVI-0572 Centreon reflected / stored XSS findings; "RCE" | Bulletin lists "command injection" (MBI) and XSS only on Centreon Map; brief overstated | Replaced "RCE" with "command injection (effectively RCE in Centreon MBI)"; replaced "reflected / stored XSS" with "XSS (Centreon Map, CVSS 6.8)" fixed-clean |
| F5 missing-citation | active-threats | BWH Hotels Swiss claim Switzerland, Germany, France, Italy and other EEA jurisdictions | Switzerland not in cited sources | Removed Switzerland from country list fixed-clean |
| F10 missed-angle | trending-vulnerabilities | Centreon affected branches 24.10.x and 25.10.x branches | 24.04.x (MBI only) also patched by April 2026 bulletin | Added "24.04.x (MBI only), 24.10.x and 25.10.x" to affected versions fixed-clean |
| F11 editorial-advisory | deep-dive | Mini Shai-Hulud step 8 ATT&CK mapping T1647 Plist File Modification | T1647 is macOS persistence — wrong analogy for SLSA provenance forgery | Replaced with T1553.002 Subvert Trust Controls: Code Signing and explicit note that no current ATT&CK sub-technique precisely maps fixed-clean |
Iteration #3 NEEDS_FIXES cap-breach · 4 findings (truth=1, editorial=1, advisory=2) · Claude Opus 4.7 · 6m 14s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | trending-vulnerabilities | CVE-2026-44277 / CVE-2026-26083 CVSS vendor lists CVSS 9.8 | Fortinet PSIRT pages publish CVSS 9.1 for both; brief carried 9.8 in body, TL;DR, CVE table, and § 6 action item | Converged on 9.1 throughout § 0 / § 2 / § 6; updated CVE Summary Table footnote fixed-clean |
| F11 editorial-advisory | action-items | Exim action item Tags/Status Tags: vulnerabilities, pre-auth, rce, enisa-critical, patch-available · Status: enisa-critical, patch-available | iter-1 F4 fix removed enisa-critical from § 2 but the § 6 action item still carried it | Removed enisa-critical from § 6 Exim action item Tags + Status fixed-clean |
| F5 missing-citation | active-threats | BWH country list Germany, France, Italy and other EEA jurisdictions | Neither cited source enumerates per-country exposure | Replaced with "multiple EEA jurisdictions"; noted absence of per-country enumeration fixed-clean |
| F11 editorial-advisory | updates | Canvas via support-ticket access via support-ticket access | Specifier not surfaced in either cited source | Removed the "via support-ticket access" specifier from the Canvas UPDATE fixed-clean |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-05-13-c148b9a5 · Claude Opus 4.7 · 15 entries published
- Dropped items / coverage gaps:
- CVE-2026-41901 — Thymeleaf SSTI sandbox bypass. Initially surfaced by S2 (research returning ENISA EUVD-2026-29872 hit and CSO Online corroborating link) and composed into § 2. Phase 5.7 verifier flagged the source dates: the GitHub Security Advisory GHSA-c9ph-gxww-7744 is dated 2026-04-29 (not 2026-05-12), placing the disclosure 14 days outside the 36-hour recency window; the CSO Online article cited as corroborating is dated 2026-04-17 and concerns a different Thymeleaf CVE (CVE-2026-40478). Per PD-7 the item is dropped from § 2; the ENISA EUVD claim could not be independently re-verified in this iteration (EUVD direct fetch is SPA-only and the bridge fetcher hit an SSL cert-validity error during the verification pass). Operators with Spring Boot Java applications should patch Thymeleaf to 3.1.5.RELEASE in line with the April GHSA. — Source: GitHub Security Advisory GHSA-c9ph-gxww-7744, 2026-04-29 · Tags: vulnerabilities, rce, patch-available · Region: global · CVE: CVE-2026-41901 · CVSS: 9.0 · Vector: user-interaction · Auth: pre-auth · Status: patch-available
- Odido (Netherlands) compensation refusal, Dutch DPA / criminal investigation, CUIC class action (NL Times, 2026-05-12). Surfaced by S4 but the primary URL
https://nltimes.nl/2026/05/12/odido-rules-compensation-massive-cyberattack-affecting-62-million-accountsis behind Cloudflare's Managed Challenge and could not be fetched in-run by either the routine UA or the bridge fetcher (nltimes.nlis not in the bridge allow-list). Search-engine snippets confirmed the publication date, headline and key facts (CEO Søren Abildgaard, ShinyHunters vishing of Salesforce, 6.2M accounts, 350k registered for CUIC class action, Dutch Public Prosecution Service criminal investigation, AP / ILT investigations), but PD-2 requires that every cited URL be one the agent actually fetched. Dropped from § 1 rather than carry an unverifiable primary; will re-attempt next run via WebSearch fallback content or alternative outlet — Source: Techzine, 2026-02-16 · The Register, 2026-02-27 · Tags: data-breach, identity · Region: europe · Sector: telco - Kaspersky State of Ransomware 2026 (Securelist, 2026-05-12). PD-9 annual report. Surfaced by S3 with novel headline (PE32 ransomware using ML-KEM/Kyber1024 post-quantum KEM; encryptionless extortion now dominant; Qilin displaces RansomHub; RDWeb portal targeting overtakes phishing). Not promoted to § 3 / § 5 in this brief — yesterday's brief (2026-05-12) already absorbed the annual-report deep-dive slot (GTIG AI Threat Tracker) and PD-3 demotes the same category one rank when in the last-7-day window. Will pick up the PE32 / post-quantum element as a § 3 research item in a later brief if it gains corroborating independent analysis — Source: Securelist (Kaspersky), 2026-05-12 · Tags: ransomware, supply-chain · Region: global · Sector: public-sector
- CVEs from Microsoft May Patch Tuesday not surfaced in § 2. ~30 Critical CVEs landed in this cycle; § 2 cherry-picked the four most operationally significant (Netlogon, DNS Client, SSO Plugin, Dynamics 365) plus the four Word Preview Pane RCEs. The remaining MDASH-discovered network-stack CVEs are referenced indirectly in § 3 (MDASH article). Operators should review the full Tenable / ZDI breakdowns for their environment.
- Single-source items:
- NCSC-UK "10 questions to ask when using AI models to find vulnerabilities" — flagged
[SINGLE-SOURCE]in § 3; national-CERT carve-out applies (NCSC-UK is primary disclosing party for its own guidance).
- NCSC-UK "10 questions to ask when using AI models to find vulnerabilities" — flagged
- Contradictions:
- CVE-2026-26083 (FortiSandbox) CVSS — NCSC-CH cites 9.1 per Fortinet's own PSIRT, NVD's initial assignment is 9.8. Both indicate Critical; brief lists both ("9.1 (NCSC-CH per the vendor advisory) and 9.8 (NVD's initial assignment)"). Operators should treat as critical pending convergence; per-CVE breakdown carried in § 2 footer.
- Microsoft May Patch Tuesday CVE count — Tenable reports 118, BleepingComputer reports 120, ZDI / The Register reports up to 138 depending on whether developer-tools and Azure-only items are included. Brief uses "120+" as a conservative summary.
- Canvas affected-institution count — The Register cites ~8,800 colleges, universities and K-12 schools; The Record cites ~9,000. Brief uses 8,800 (per The Register, the primary cited) with The Record's figure surfaced inline.
- Reduced-confidence items: None this run beyond the dropped Odido entry above.
- Verification iteration 1 disposition (Opus): Eight F3/F4 truth findings applied as remediations — corrected NCSC-UK date (2026-05-12 → 2026-05-11), corrected Canvas narrative (Garbarino letter 2026-05-11 ahead of 2026-05-12 deadline), corrected Foxconn site-count phrasing, removed unsourced Nitrogen initial-access TTP chain, removed unverifiable ENISA EUVD claims on Exim and Thymeleaf, dropped Thymeleaf as out-of-window. Two F11 advisory findings (Foxconn TTP-chain advisory paired with the F4 fix; Canvas-institution-count) addressed.
- Verification iteration 2 disposition (Sonnet rotation): Five findings (1 truth, 3 editorial, 1 advisory) — (a) F1 broken-URL flag on
https://fortiguard.fortinet.com/psirt/FG-IR-26-128: fresh re-fetch in this iteration returned 200 with the full advisory body (CVE-2026-44277, CVSS 9.1 per vendor, fixed in 6.5.7 / 6.6.9 / 8.0.3+, internal-audit discovery) — the verifier's 403 was a transient UA-filter on the host; no source-list change required. (b) F3 Centreon wording corrected: "command injection (effectively RCE in Centreon MBI)" instead of "RCE"; "XSS (Centreon Map, CVSS 6.8)" instead of "reflected / stored XSS". (c) F5 BWH Switzerland claim removed (sources do not call out Swiss properties specifically). (d) F10 Centreon 24.04.x branch added to affected versions (MBI only per the vendor bulletin). (e) F11 advisory ATT&CK mapping in § 5 step 8 corrected fromT1647 Plist File ModificationtoT1553.002 Subvert Trust Controls: Code Signing, with an explicit note that no current sub-technique precisely maps to SLSA-L3 provenance forgery via OIDC abuse. - Verification iteration 3 disposition (Opus rotation): Four findings (1 truth, 1 editorial, 2 advisory) at
truth + editorial = 2and no F1/F4 — early-exit threshold reached per v2.50. Remediations applied before publish: (a) F3 CVE-2026-44277 / CVE-2026-26083 CVSS converged on vendor PSIRT canonical value 9.1 throughout § 0 / § 2 / § 6 (iter-2 had left 9.8 in the body even after § 7 noted the discrepancy); CVSS table footnote re-worded; (b) F11a Exim § 6 Action Item Tags / Statusenisa-criticalflag removed (iter-1 F4 fix propagated to § 6); (c) F5 BWH country list (Germany, France, Italy) replaced with "multiple EEA jurisdictions" — neither cited source enumerates per-country exposure; (d) F11b advisory: Canvas UPDATE removed the "via support-ticket access" specifier — neither re-fetched source confirms that detail. Final iteration verdict: NEEDS_FIXES (truth=1 + editorial=1 = 2 ≤ early-exit threshold). Three iterations, model-rotated (Opus / Sonnet / Opus). Brief publishes with the four iter-3 remediations applied; no residual findings carried beyond what § 7 already documents. - Sub-agents: S1, S2, S3, S4 all returned within budget. No stalled sub-agents.
- Fetch failures / bridges used:
tools/fetch_source.pybridge used by S1, S2, S3, S4 forncsc-csh recent / post(NCSC-CH SPA),cisa-kev,enisa-euvd recent,bsi-rss, andurlfor CERT-FR / BleepingComputer / Centreon.databreaches-net,inside-it-chand parts ofbleepingcomputerreturned 403 (Cloudflare Managed Challenge) on every UA per the documented host behaviour — WebSearch fallback used.advisories-ncsc-nlreturned 404 on the speculative ID (NCSC-NL CSAF advisory ID guessing not viable without a fresh index); coverage gap for that source this run.ico-uksitemap fetched but no in-window enforcement actions found; freshest enforcement (South Staffordshire) already covered 2026-05-12. ENISA EUVD direct fetch hit SSL cert-validity error in the verification iteration — bridge worked for the sub-agents but not at verifier time. - Coverage gaps: databreaches-net (Cloudflare-blocked, WebSearch fallback only); inside-it-ch (Cloudflare-blocked, WebSearch fallback only); advisories-ncsc-nl (CSAF advisory-ID enumeration failed, no in-window items surfaced); ico-uk (no in-window enforcement); nltimes.nl (Cloudflare-blocked, dropped Odido item logged above).
Unmatched action items (migrated)
- Patch Fortinet FortiAuthenticator and FortiSandbox now. Pre-auth RCEs in two appliance classes that anchor public-sector identity and SOC pipelines. Update FortiAuthenticator to 6.5.7 / 6.6.9 / 8.0.3; update FortiSandbox to 4.4.9 / 5.0.2 / Cloud 5.0.6. Cloud 23 and 24 require migration, not in-place patching. Even after patching, restrict the management interface to admin / SOC source IPs at the perimeter — Fortinet's PSIRT explicitly notes this as the residual hardening. See § 2
- Audit npm / pnpm lockfiles for Mini Shai-Hulud impact. Search every CI/CD pipeline and developer workstation for malicious versions across
@tanstack/*,@uipath/*,@mistralai/*,@opensearch-project/opensearch,@squawk/*,@draftlab/*,@tallyui/*per the StepSecurity / Wiz manifests. UiPath impact is the highest-priority public-sector signal. Before revoking any GitHub PAT or npm token, sanitise the developer machine first — the worm'sgh-token-monitortriggersrm -rf ~/on revocation. Pin allpull_request_targetworkflows to SHA-locked action versions; gate fork-reachable workflows away fromactions/cachewrites. See § 4 / § 5 - Patch Exim on every Debian / Ubuntu mail relay. Run
exim -bV | grep GnuTLSon each MTA — if present, upgrade to Exim 4.99.3. Interim workaround if patching is delayed: setCHUNKING_ADVERTISE_HOSTS =(empty) inexim4.confto suppress BDAT. Expect public exploit-tooling within days; XBOW's disclosure includes full chain traces. See § 2 - Upgrade SPIP to 4.4.14 and apply the Centreon April 2026 monthly bulletin. SPIP RCE affects French and francophone Swiss-canton CMS deployments — gate
ecrire/to a known admin source set at the reverse proxy. Centreon update queue: any NOC running 24.10.x / 25.10.x Infra Monitoring with Anomaly Detection / Auto Discovery / AWIE / BAM / DSM / License Manager / MAP / MBI / Open Tickets. See § 2 - Hunt for Foxconn-Nitrogen-style precursor patterns on Windows servers and ESXi. Detection concepts in § 1: unsigned installers spawning
cmd.exe/powershell.exe -encfrom%TEMP%/%APPDATA%on Windows servers;vmkfstools/esxcliinvocations from non-administrator sessions on ESXi/var/log/shell.log. Treat the Nitrogen ESXi decryptor bug as a strategic backup-integrity test — hypervisor-layer recovery from Nitrogen is mathematically impossible regardless of ransom posture. See § 1
Migrated from briefs/2026-05-13.md (v2).
← Operations dashboard · day page 2026-05-13 · run-record contract: docs/pipeline.md