ctipilot.ch

2026-05-14-e05c6e6e

One pipeline fire, in full · intel run of 2026-05-14 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-14/2026-05-14-e05c6e6e.md.

Run telemetry

2026-05-14-e05c6e6e intel prompt v2.50
31m 17s duration 6 published 0 updates
Claude Opus 4.7 (claude-opus-4-7) main agent
S1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
3
Duration
7m 23s
Tool calls
14 WebFetch8 WebSearch11 bridge
Cited sources
3 of 27 in slice
S2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
7
Duration
6m 54s
Tool calls
13 WebFetch11 WebSearch7 bridge
Cited sources
3 of 30 in slice
S3 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
9
Duration
13m 17s
Tool calls
25 WebFetch18 WebSearch0 bridge
Cited sources
0 of 62 in slice
S4 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
16m 19s
Tool calls
24 WebFetch22 WebSearch3 bridge
Cited sources
3 of 23 in slice

Verification

#1 NEEDS_FIXES · Claude Opus 4.7 · t=6 e=2 a=3 #2 NEEDS_FIXES · Claude Sonnet 4.6 · t=3 e=0 a=0 #3 NEEDS_FIXES · Claude Opus 4.7 · t=7 e=0 a=0 #4 NEEDS_FIXES · Claude Sonnet 4.6 · t=1 e=0 a=0

Deep dive

2026-05-14/famoussparrow-three-wave-intrusion-of-an-azerbaijani-energy

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

Source (uncovered)URL triedMethod chainStatus / classWhat the agent did instead
databreaches-nethttps://databreaches.net/bridge:urlwebsearch403 transport-403
Cloudflare Managed Challenge — no UA bypass
WebSearch fallback
sec-disclosures-edgarhttps://efts.sec.gov/LATEST/search-index?q=%22Item+1.05%22&forms=8-K&dateRange=cwebfetch403 transport-403
HTTP 403 Forbidden on EDGAR full-text search
WebSearch fallback; no fresh 8-K Item 1.05 disclosures found in window
ico-ukhttps://ico.org.uk/action-weve-taken/enforcement/bridge:url200 spa-empty-body
JS-rendered enforcement listing; sitemap discovery returned top-level only
WebSearch confirmed no new ICO enforcement in window
inside-it-chhttps://www.inside-it.ch/bridge:urlwebsearch403 transport-403
Cloudflare Managed Challenge — bridge:url failed (no UA bypass); WebSearch fallback per spawn-message guidance
WebSearch fallback yielded no in-window items
bleepingcomputer
covered via alternate · should NOT be in this list
https://www.bleepingcomputer.com/news/security/bridge:urlwebfetch200
Listing returns article titles only; per-article SPA rendering
Recovered via THN/SecurityWeek/Bitdefender corroboration
trendmicro-researchhttps://www.trendmicro.com/en_us/research/26/e/quasar-linux-qlnx-a-silent-foothowebfetch403 transport-403
HTTP 403 Forbidden — Trend Micro not on bridge allowlist
Recovered via BleepingComputer + The Hacker News paraphrase; item dropped out-of-window regardless
cert-eu
covered via alternate · should NOT be in this list
https://cert.europa.eu/publications/security-advisoriesbridge:urlwebfetch200 spa-empty-body
Angular SPA listing requires JS rendering
Fetched per-advisory URL (2026-006) directly via WebFetch
bsi-de
covered via alternate · should NOT be in this list
https://wid.cert-bund.de/portal/wid/securityadvisorybridge:bsi-rss200
RSS feed fetched; per-advisory HTML is Angular SPA
Cross-checked relevant items against prior_coverage
helpnetsecurityhttps://www.helpnetsecurity.com/2026/05/04/critical-moveit-automation-auth-bypaswebfetch429 rate-limited
HTTP 429 Too Many Requests
MOVEit item out-of-window; recovered via THN

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #1 NEEDS_FIXES · 11 findings (truth=6, editorial=2, advisory=3) · Claude Opus 4.7 · 2m 47s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F4
hallucinated-fact
updatesThe Gentlemen RaaS — ZeroPulse C2 internals
ZeroPulse Ethereum-smart-contract-via-1rpc.io C2
Not in Check Point Research or BankInfoSecurityremoved claim from TL;DR and § 4 UPDATE; detection guidance rewritten without 1rpc.io DNS-signal fixed-clean
F4
hallucinated-fact
updatesThe Gentlemen RaaS — infrastructure
4VPS-hosted infrastructure was compromised
Not in either cited primaryremoved 4VPS specification; kept generic "infrastructure compromised" fixed-clean
F4
hallucinated-fact
updatesThe Gentlemen RaaS — victim geography
32% of victims European in Q1
Figure not in either cited primaryremoved "32%" claim from TL;DR and § 4 UPDATE fixed-clean
F4
hallucinated-fact
updatesThe Gentlemen RaaS — operator timezone
Moscow business hours
Not in Check Point Research articleremoved Moscow business-hours claim fixed-clean
F3
claim-not-supported
updatesCVE-2026-0300 false corroboration
SecurityWeek article cited as corroborating wave-2 delay
SecurityWeek article covers only Fortinet+Ivanti, not Palo Altoremoved SecurityWeek citation; added [SINGLE-SOURCE] flag to heading fixed-degraded
F4
hallucinated-fact
tldr-and-deep-diveFamousSparrow — Southern Gas Corridor specifics
12 Bcm/year; Italy 9 Bcm/year, Greece, Bulgaria
Specific Bcm figures and recipient list not in Bitdefender or THNreplaced with Bitdefender wording ("13 European countries incl. Germany and Austria") fixed-clean
F6
strengthen-primary-source
updatesPAN-OS vendor-only sourcing
PSIRT + Unit 42 (both Palo Alto-affiliated)
After dropping SecurityWeek, both remaining sources are Palo Alto Networks divisionsadded [SINGLE-SOURCE] flag to heading and § 7 entry; PSIRT + Unit 42 retained as best available fixed-degraded
F12
single-source-flag-missing
updatesPAN-OS UPDATE [SINGLE-SOURCE] flag
item heading
After F5/F6 resolution, heading needed [SINGLE-SOURCE] flagadded [SINGLE-SOURCE] to H3 heading fixed-clean
F11
editorial-advisory
researchGemStuffer 219/224 detail
219 of 224 published versions delisted
Figures not in Socket primaryrewritten to match Socket's actual framing ("most versions delisted") fixed-clean
F11
editorial-advisory
researchGemStuffer ATT&CK mapping attribution
T1583.001/T1027/T1567.004/T1552.001 implicit attribution
Mappings correct but should be tagged analyst-derivedprefixed mapping with "Analyst-derived ATT&CK mapping... (not cited in Socket's write-up)" fixed-clean
F11
editorial-advisory
deep-diveSalt Typhoon attribution source
Salt Typhoon (Microsoft taxonomy)
Salt Typhoon overlap mentioned in THN but not Bitdefender primaryattribution routed to THN explicitly in both Background and Named-clusters paragraphs fixed-clean

Iteration #2 NEEDS_FIXES · 3 findings (truth=3, editorial=0, advisory=0) · Claude Sonnet 4.6 · 4m 40s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F4
hallucinated-fact
action-itemsGentlemen 1rpc.io detection sentence persisted in § 6
flag DNS/proxy queries to 1rpc.io ... Ethereum smart contracts
Iter1 removed from TL;DR + § 4 but missed § 6 instanceremoved entire 1rpc.io sentence from § 6 Gentlemen action item fixed-clean
F4
hallucinated-fact
action-itemsGentlemen Bedrock-Safeguard misattributed to Check Point
Check Point Research disclosure includes the leak of ... Bedrock-Safeguard/gentlemen-decryptor
Decryptor info in BankInfoSecurity, not Check Pointre-attributed § 6 action item to BankInfoSecurity primary; added that source to footer fixed-clean
F4
hallucinated-fact
tldr-and-active-threatsNMDL — Nova ransomware attribution
July 2025 Nova-ransomware breach / attributed to the Nova ransomware group
Nova not mentioned in IGJ primary or Computable secondaryremoved Nova attribution from § 0 TL;DR and § 1 body; added explicit note that cited primaries do not name the operator fixed-clean

Iteration #3 NEEDS_FIXES · 7 findings (truth=7, editorial=0, advisory=0) · Claude Opus 4.7 · 3m 17s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
claim-not-supported
active-threatsNMDL — iter2 disclaimer was itself unsupported (Computable does name Nova)
Neither IGJ nor Computable attributes the breach to a named ransomware operator in the cited primaries
Computable in fact names Nova; iter2 remediation introduced a false assertionrestored Nova attribution citing Computable; dropped the disclaimer sentence fixed-clean
F2
claim-not-supported
deep-diveFamousSparrow wave attribution inverted
Wave 3 loader gates payload behind LogMeIn Hamachi export call graph
Bitdefender places Hamachi sideloading in Wave 1 (Deed RAT), USOShared in Wave 2 (TernDoor), Modified Deed RAT + updated C2 in Wave 3re-mapped W1/W2/W3 attributions in TL;DR + § 5 background + § 5 exploitation-chain bullets fixed-clean
F3
claim-not-supported
deep-diveWave-3 technique characterisation overstated
inspects the runtime export call graph of the legitimate Hamachi host binary
Bitdefender describes Init + ComMain export override + StartServiceCtrlDispatcherW patch; THN says overrides two specific exported functionsrewrote technique paragraph to specify Init/ComMain export override + StartServiceCtrlDispatcherW patch; reframed as Wave 1 fixed-clean
F4
claim-not-supported
deep-diveWave 2 description wrong
Wave 2: TernDoor + modified Deed RAT
Bitdefender W2 = TernDoor via USOShared only; modified Deed RAT is W3rewrote W2 bullet to TernDoor-via-USOShared; W3 bullet now correctly cites Modified Deed RAT + updated C2 fixed-clean
F5
claim-not-supported
updatesGentlemen 1,570 attribution wrong source
affiliate s exposed C2 server revealed 1,570+ victim entries
Check Point attributes 1,570 to a SystemBC C&C server; 332 is public victims in first 5 months 2026; full comparison adds 412 total DLS listingsrewrote § 4 paragraph + § 0 TL;DR to attribute 1,570 to SystemBC C&C; 332 clarified as first 5 months 2026 fixed-clean
F6
hallucinated-fact
researchGemStuffer 2026-05-12 suspension date
preceded RubyGems 2026-05-12 temporary signup suspension
Neither Socket nor THN gives 2026-05-12 specificallyremoved specific date; reframed to Socket s own phrasing about new-account registration suspension fixed-clean
F7
hallucinated-fact
researchGemStuffer version-rotation / hash-IOC claim
version-rotation pattern, most published versions later delisted, defeating hash-based IOCs
Not in Socket or THNremoved entire version-rotation sentence from § 3 fixed-clean

Iteration #4 NEEDS_FIXES cap-breach · 1 finding (truth=1, editorial=0, advisory=0) · Claude Sonnet 4.6 · 3m 17s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
deep-diveFamousSparrow Wave 2 sideloading host misidentified
Wave 2: TernDoor deployed via DLL sideloading against `USOShared`
Bitdefender names host as deskband_injector64.exe renamed USOShared.exe in C:\ProgramData\USOShared\; brief implied USOShared was a Microsoft-signed binaryrewrote § 5 W2 exploitation bullet + detection paragraph to specify deskband_injector64.exe and C:\ProgramData\USOShared\winmm.dll fixed-clean

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-05-14-e05c6e6e · Claude Opus 4.7 · 6 entries published

Recency window. window_hours = 36 (gap 24 h since briefs/2026-05-13.md + 12 h safety overlap); developing_window_hours = 72. Items whose primary source is older than 36 h are dropped from main sections unless they carry a fresh in-window development (UPDATE rule) or appear as deep-dive Background.

Items dropped — already covered last 7 days (PD-8): S2's findings on Mini Shai-Hulud / TanStack npm worm (last_covered 2026-05-13 deep dive — campaign:mini-shai-hulud); SEPPmail CVE-2026-44128 cluster (incident covered 2026-05-09 deep dive + § 2); Fortinet FortiAuthenticator / FortiSandbox (CVE-2026-44277 / CVE-2026-26083 in yesterday's § 2); SAP May 2026 Patch Day (CVE-2026-34260 / CVE-2026-34263 in yesterday's § 2); Microsoft May 2026 Patch Tuesday (CVE-2026-41089 / CVE-2026-41096 / CVE-2026-41103 / CVE-2026-42898 in yesterday's § 2); Europol IOCTA 2026 (annual-report covered 2026-05-10). Each lacks an in-window material delta sufficient to open § 4 UPDATE.

Items dropped — out-of-window (PD-7). S3 returned a structured "developing-window" set whose primary sources are all older than 36 h. Drop list with primary-source dates: QLNX / Quasar Linux RAT (Trend Micro 2026-05-05, BleepingComputer 2026-05-05); TCLBANKER / REF3076 (Elastic Security Labs 2026-05-07); UAT-8302 (Cisco Talos 2026-05-05); Cline CVE-2026-44211 (Oasis Security 2026-05-07); AiTM "code of conduct" phishing campaign (Microsoft Security Blog 2026-05-04); Progress MOVEit Automation CVE-2026-4670 / CVE-2026-5174 (Progress / Airbus SecLab 2026-04-30 / The Hacker News 2026-05-04). Reason in every case: out-of-window: primary source <date>, window_hours=36. None carry a fresh in-window development that would qualify under PD-7 carve-outs (a/b/c).

Items dropped — § 2 inclusion gate not cleared. HPE ArubaOS May 2026 multi-CVE batch (HPE Aruba HPESBNW05048 / HPESBNW05049, CERT-FR CERTFR-2026-AVI-0573, 2026-05-13) — highest issue CVE-2026-23819 is CVSS 8.8 stored-XSS post-auth, with several CVSS 7.2 authenticated command-injection findings and CVSS 7.5 unauthenticated DoS on the PAPI port. No ITW exploitation, no public PoC, no pre-auth RCE on widely-deployed internet-exposed software — neither CISA-KEV nor ENISA-EUVD critical band nor § 2 catch-all gate (a–e) is cleared. Notable for CH / EU public-sector wireless infrastructure (cantonal government, education, healthcare) but operationally a routine patch cycle. Coverage gap consequence: zero.

Items dropped — single-source dark-web only. Anubis ransomware listing for A.R.Ge.Co (France) (Malware.news, 2026-05-13) — leak-site claim only, no victim confirmation, no HIGH-reliability journalism corroboration, per PD-6 fake-news guard on leak-site claims.

Single-source items (PD-5 carve-out applied). One § 4 item: the PAN-OS CVE-2026-0300 UPDATE on the wave-2 patch delay relies on Palo Alto-affiliated primaries only (Palo Alto Networks PSIRT advisory + Unit 42 research blog) after Phase 5.7 iteration 1 flagged a false-corroboration SecurityWeek citation that did not in fact mention Palo Alto. Independent corroboration for the wave-2 build list (ETA 2026-05-28) was not located in HIGH-reliability third-party coverage within the 36-h window; item is flagged [SINGLE-SOURCE] in its heading and the wave-2 build list should be re-verified against the live PSIRT entry. Active-exploitation status itself remains multi-source (Unit 42 + CISA KEV listing + prior briefs' coverage).

Phase 5.7 verifier remediations applied (four iterations, model-rotated). Iteration 1 (Opus): NEEDS_FIXES truth=6 editorial=2 advisory=3 — § 4 Gentlemen UPDATE attributed four claims to Check Point Research the article does not support (ZeroPulse-via-Ethereum-smart-contracts-via-1rpc.io for C2 resolution; 4VPS as hosting provider; "32% of victims were European in Q1"; Moscow business-hours timestamp clustering) — all four removed and detection guidance rewritten. § 4 PAN-OS UPDATE's SecurityWeek 2026-05-13 corroboration was false (the article covers only Fortinet + Ivanti) — citation removed, item flagged [SINGLE-SOURCE]. § 5 deep dive's specific "Bcm/year" figures and Italy/Greece/Bulgaria recipient list replaced with Bitdefender's actual framing ("13 European countries, including new deliveries to Germany and Austria"). Advisories (F11): GemStuffer's "219 of 224 versions" detail rewritten to match Socket; ATT&CK mapping tagged as analyst-derived; Salt Typhoon attribution routed to THN explicitly.

Iteration 2 (Sonnet): NEEDS_FIXES truth=3 — leftover instances of iter-1 issues that hadn't been remediated in non-TL;DR locations. § 6 Gentlemen action item still carried the 1rpc.io detection sentence (removed); § 6 misattributed Bedrock-Safeguard/gentlemen-decryptor to Check Point Research instead of BankInfoSecurity (re-attributed); "Nova ransomware" attribution to NMDL breach removed from § 0 + § 1.

Iteration 3 (Opus): NEEDS_FIXES truth=7 — iter-2's "Neither IGJ nor Computable attributes the breach to a named ransomware operator" was itself an unsupported assertion (Computable does name Nova) — Nova attribution restored citing Computable. FamousSparrow wave attribution inverted in deep dive — Bitdefender's actual wave map is W1 = Deed RAT via Hamachi sideloading with Init/ComMain export override + StartServiceCtrlDispatcherW patch, W2 = TernDoor via separate sideloading host, W3 = Modified Deed RAT + updated C2; brief had Hamachi as W3. § 0 TL;DR, § 5 heading, § 5 background paragraph, § 5 exploitation-chain bullets, and § 5 detection paragraph all rewritten. "Runtime export call graph inspection" framing overstated the technique — tightened to "two specific exported functions overridden". Gentlemen 1,570 figure was attributed to "an affiliate's exposed C2 server" but Check Point in fact attributes it to a SystemBC C&C server; 332 = first five months of 2026 (CP's full comparison cites 412 cumulative DLS listings) — § 0 TL;DR + § 4 paragraph rewritten. GemStuffer "2026-05-12 signup suspension" date not in cited primaries — removed; version-rotation / hash-IOC paragraph not in Socket — removed.

Iteration 4 (Sonnet): NEEDS_FIXES truth=1 editorial=0 advisory=0 — single F3 finding: § 5 Wave 2 sideloading host was described as USOShared (implying a legitimate Microsoft-signed binary). Bitdefender actually names the host as deskband_injector64.exe renamed to USOShared.exe and placed in C:\ProgramData\USOShared\; the malicious loader is winmm.dll in the same directory. The directory name reuses "USOShared" for camouflage; no legitimate Microsoft USOShared signed binary is involved. § 5 exploitation-chain bullet + detection paragraph rewritten to specify deskband_injector64.exe and the C:\ProgramData\USOShared\ path. Early-exit on low-defect convergence (v2.50): with truth + editorial = 1 and no F1 / F4 findings, iteration 4 qualifies as the early-exit point per prompt § Phase 5.7 — remediation applied, residual logged, brief published without spawning iteration 5. verification_residual_count = 1.

Model rotation across the verification loop: iter 1 / iter 3 = Claude Opus 4.7 (cti-verification), iter 2 / iter 4 = Claude Sonnet 4.6 (cti-verification-alt). Both verifier definitions carry the identical operational system prompt; the rotation surfaces model-specific blind spots — Sonnet caught the Nova-attribution false disclaimer in iter 2 that Opus had introduced in iter 1's remediation; Opus caught the wave-attribution inversion in iter 3 that Sonnet's iter 2 had not flagged.

Sub-agent stalls. None. All four sub-agents returned within the 30-min wall-clock cap: S1 (443 s, Claude Sonnet 4.6), S2 (414 s, Claude Sonnet 4.6), S3 (797 s, Claude Sonnet 4.6), S4 (979 s, Claude Sonnet 4.6).

Fetch failures (consolidated across sub-agents). databreaches-net 403 (Cloudflare Managed Challenge — bridge + WebSearch fallback documented per source spec); sec-disclosures-edgar 403 on EDGAR full-text search (S4) — no fresh 8-K Item 1.05 disclosures recovered for the May 12-14 window; ico-uk SPA-empty body even via bridge; inside-it-ch Cloudflare-blocked across all attempts (no in-window stories surfaced via WebSearch fallback); bleepingcomputer SPA-rendering on article level (recovered via THN/SecurityWeek corroboration); trendmicro-research 403 on direct WebFetch (recovered via BleepingComputer / The Hacker News paraphrase — Trend Micro is HIGH-reliability primary attribution); cert-eu SPA-empty on listing, recovered via per-advisory URL; helpnetsecurity 429 (recovered via THN); community.progress.com (SPA empty body); bsi-de per-advisory SPA (RSS feed cross-checked); forums.ivanti.com Salesforce SPA (recovered via Ivanti vendor blog).

Contradictions / reduced-confidence flags. None this run. Two distinct sub-agents (S1 + S2) independently arrived at the CVE-2026-0300 second-patch-wave delta from different discovery paths (CISA KEV listing notes vs. NCSC-CH Patch Tuesday compilation); both led to the same primary Palo Alto PSIRT advisory.

Coverage gaps: databreaches-net (Cloudflare Managed Challenge, no UA bypass — WebSearch fallback only); sec-disclosures-edgar (EDGAR full-text feed 403 on routine UA — no fresh 8-K Item 1.05 disclosures recovered in window); ico-uk (SPA + sitemap discovery insufficient to surface in-window enforcement actions); inside-it-ch (Cloudflare Managed Challenge); trendmicro-research (403 — recommend bridge allow-list addition for desktop-Chrome UA, would have unlocked direct fetch on two QLNX / InstallFix items even if those were out-of-window today).

Self-evolution candidate (source list). No new candidate added this run; the active list is already at 94 sources and recent rotation-priority gaps are transport-blocking rather than coverage-gap caused. Recommend tracking trendmicro-research as a bridge allow-list addition in a future tooling commit (separate from this brief commit).

Unmatched action items (migrated)

  • Continue PAN-OS Captive Portal interim mitigation on the eight "ETA 05/28" build streams until 28 May. Disable User-ID Authentication Portal on untrusted-zone interfaces or restrict it to trusted zones only; for Threat Prevention subscribers, ensure Threat ID 510019 is enabled (PAN-OS 11.1+). CL-STA-1132 in-the-wild exploitation is ongoing; the FCEB KEV deadline has no jurisdictional weight in CH / EU but the active exploitation does. See § 4.
  • For active Gentlemen ransomware incidents — attempt decryption before negotiation. BankInfoSecurity's 2026-05-11 reporting identifies the Bedrock-Safeguard/gentlemen-decryptor GitHub release as the recovery path; Check Point Research's 2026-05-13 backend-leak analysis additionally maps the EDR-suppression toolchain (EDRStartupHinder, gfreeze, glinker — custom binaries, not commodity) and the CertiHound AD CS abuse utility. Hunt those tool names on hosts in scope; monitor for AD Certificate Services reconnaissance (certutil enumeration of CA servers / templates) consistent with CertiHound. See § 4.
  • Verify Exchange ProxyNotShell remediation completeness with HealthChecker.ps1, not CU-level alone. FamousSparrow re-exploited the same CVE-2022-41040 / CVE-2022-41082 chain across three intrusion waves at one victim despite remediation attempts — patch-rollback or surviving persistence is the structural cause. Run Microsoft's HealthChecker.ps1 on every on-premise Exchange server; audit FrontEnd\HttpProxy\owa\auth\ and FrontEnd\HttpProxy\ecp\auth\ for files modified post-patch. See § 5.
  • Hunt outbound gem push (and npm publish / pip upload) from build agents and dev workstations that lack a publisher role. GemStuffer's structural innovation is exploiting the inbound-monitoring-only blind spot of most CI/CD security tooling. Flag new RubyGems publisher accounts with >10 versions/day on freshly created packages; inspect outbound POSTs to rubygems.org from non-publisher contexts. The same monitoring asymmetry exists across npm and PyPI. See § 3.
  • For Swiss healthcare entities — schedule the EPDG-equivalent NEN 7510 audit; do not wait for the regulator. The IGJ ruling on Clinical Diagnostics / NMDL specifically cites absence of third-party security audit and absence of periodic risk assessment as the structural failures behind a 941,000-record breach. Swiss cantonal supervisors track the same hygiene baselines via the EPDG profile; equivalent compliance gaps in Swiss healthcare carry equivalent regulatory exposure under FINMA and cantonal data-protection authorities. See § 1.

Migrated from briefs/2026-05-14.md (v2).

← Operations dashboard · day page 2026-05-14 · run-record contract: docs/pipeline.md