2026-05-18-2eabc1cf
One pipeline fire, in full · intel run of 2026-05-18 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-18/2026-05-18-2eabc1cf.md.
Run telemetry
- Items returned
- 3
- Duration
- 5m 48s
- Tool calls
- 8 WebFetch18 WebSearch6 bridge
- Cited sources
- 4 of 9 in slice
- Items returned
- 6
- Duration
- 11m 17s
- Tool calls
- 22 WebFetch14 WebSearch12 bridge
- Cited sources
- 7 of 13 in slice
- Items returned
- 3
- Duration
- 9m 36s
- Tool calls
- 9 WebFetch8 WebSearch22 bridge
- Cited sources
- 3 of 10 in slice
- Items returned
- 2
- Duration
- 11m 19s
- Tool calls
- 14 WebFetch18 WebSearch12 bridge
- Cited sources
- 2 of 8 in slice
Verification
Deep dive
2026-05-18/tycoon2fa-after-the-march-2026-takedown-oauth-device-authori
Entries published (this run)
- THORChain GG20 Threshold Signature Scheme vault drain — ~$11M across nine chains; Switzerland-based protocol threat high
- CVE-2026-42897 Exchange OWA — EM Service auto-mitigation depends on outbound connectivity to officemitigations.microsoft.com vulnerability critical
- CVE-2026-42945 NGINX Rift — in-the-wild exploitation confirmed by VulnCheck honeypots vulnerability high
- CVE-2026-0300 PAN-OS Captive Portal — revised fix-release timelines for 10.2.13-h21 and 10.2.16-h7; wave-2 target remains 2026-05-28 vulnerability notable
- Tycoon2FA after the March 2026 takedown — OAuth Device Authorization Grant abuse on Microsoft 365 threat high
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| inside-it-ch | https://www.inside-it.ch/ | webfetch → bridge:url → websearch-fallback | 403 transport-403 WebFetch returned HTTP 403; documented known-403 host | bridge:url attempted via tools/fetch_source.py — host still 403; WebSearch fallback found no in-window CH public-sector incidents — source genuinely empty rathe |
| cert-eu | https://cert.europa.eu/publications/security-advisories | webfetch → bridge:url | 200 spa-empty-body Feed returned but most-recent entry is 2026-05-06 (PAN-OS) — outside 36h window | bridge:url confirmed via tools/fetch_source.py — RSS feed reachable but most-recent entry is 2026-05-06 (PAN-OS) — outside 36h window |
| databreaches-net | https://databreaches.net/ | webfetch → bridge:url → websearch-fallback | 403 transport-403 WebFetch returned HTTP 403 — host blocks routine UA | bridge:url attempted via tools/fetch_source.py — host still 403; WebSearch fallback returned no unique in-window breach material beyond what S4 sources covered |
| akamai-sirt | https://www.akamai.com/blog/security-research | webfetch → websearch-fallback | 403 transport-403 Both RSS feed and blog listing returned 403 | WebSearch found no in-window Akamai SIRT research — no content loss confirmed |
| trendmicro-research | https://www.trendmicro.com/en_us/research.html | webfetch → websearch-fallback | 500 Feed XML parse error during fetch | WebSearch returned only January 2026 TrendMicro research — no in-window content |
| sophos-xops | https://news.sophos.com/en-us/category/security-operations/ | webfetch | 503 transport-5xx HTTP 503 Service Unavailable | Transient transport failure — content loss for this run; will retry next run |
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #1 NEEDS_FIXES · 8 findings (truth=4, editorial=1, advisory=2) · Claude Opus 4.7 · 5m 25s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 broken-url | deep-dive | Tycoon2FA deep dive — Conditional Access doc URL | 404. Replaced with policy-block-authentication-flows canonical doc. | replaced URL with https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-authentication-flows fixed-clean |
| F3 claim-not-supported | updates | CVE-2026-42945 Security Affairs corroboration Security Affairs date and ITW claim | Security Affairs byline is 2026-05-14 not 17; article does not claim ITW exploitation. Fix date; demote to corroborating flaw+patch source. | corrected date to 2026-05-14; kept as Additional source for flaw/patch background only fixed-clean |
| F3 claim-not-supported | active-threats | THORChain Chainalysis five-part five-part on-chain analysis | CryptoTimes describes single X-thread disclosure; five-part unsupported. | replaced with on-chain analysis thread on 2026-05-16 fixed-clean |
| F4 hallucinated-fact | updates | CVE-2026-42945 patches list — 37.0.0 NGINX Plus 37.0.0 | No source supports NGINX Plus 37.0.0 patch. | dropped 37.0.0 from TL;DR and § 4 UPDATE fixed-clean |
| F4 hallucinated-fact | updates | CVE-2026-42945 first-release date 2008-06 2008-06 | NGINX 0.6.27 released 2008-03-12; sub-agent did not state month. | changed 2008-06 to 2008 (no month) fixed-clean |
| F6 strengthen-primary-source | updates | CVE-2026-42945 primary source chain Source order | Better primary is depthfirst (researcher) and F5 K000161019 (vendor). | depthfirst remains candidate (per PD-3.6 one-per-run cap with cryptotimes); F5 advisory referenced via NCSC-CH detection anchor. THN retained as Source for May- deferred |
| F11 editorial-advisory | active-threats | THORChain Switzerland-incorporated framing Switzerland-incorporated | Source says Switzerland-based; incorporated implies legal entity. | softened to Switzerland-based throughout brief + covered_items.json fixed-clean |
| F11 editorial-advisory | active-threats | THORChain GG20-TSS hypothesis attribution chain GG20 TSS hypothesis | Hypothesis carried via CryptoTimes (candidate); attribute via Chainalysis/PeckShield/Cyvers framing. | reworded to attribute hypothesis to Chainalysis / PeckShield / Cyvers via CryptoTimes fixed-clean |
Iteration #2 NEEDS_FIXES · 5 findings (truth=4, editorial=1, advisory=0) · Claude Sonnet 4.6 · 1m 57s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F4 hallucinated-fact | action-items | NGINX action item still contains 37.0.0 NGINX Plus → R32 P6 / R36 P4 / 37.0.0 | iter 1 fix missed § 6. | dropped /37.0.0 from § 6 action item fixed-clean |
| F4 hallucinated-fact | tldr/deep-dive | Tycoon2FA BunnyCDN claim Infrastructure migrated from Cloudflare Workers to BunnyCDN | Neither BleepingComputer nor eSentire TRU mention BunnyCDN. | fetched eSentire article in fix-iteration (META invariant #16 carve-out); eSentire records ASN rotation to AS45102 Alibaba Cloud, not BunnyCDN. Replaced BunnyCD fixed-clean |
| F4 hallucinated-fact | active-threats | THORChain 12,847 affected wallets 12,847 user wallets reported affected swap positions | Not in The Record, TRM Labs, or CryptoTimes. | removed quantifier; replaced with The Record citation that user balances were not directly drained fixed-clean |
| F4 hallucinated-fact | active-threats | THORChain recovery portal claims-deadline recovery portal on 2026-05-16 (claims deadline 2026-06-04) | Not in The Record, TRM Labs, or CryptoTimes. | removed recovery portal date claim entirely from § 1 body and TL;DR fixed-clean |
| F10 missed-angle | deep-dive | Abnormal Security Tycoon2FA rebuild post | Linked from BleepingComputer; possible primary source. | fetched eSentire URL instead (was already the primary cited source for the campaign) and confirmed the original details. Abnormal Security URL not fetched this deferred |
Iteration #3 NEEDS_FIXES · 5 findings (truth=3, editorial=1, advisory=1) · Claude Opus 4.7 · 8m 07s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | updates | CVE-2026-42945 NGINX detection anchors attributed to NCSC-CH post #12575 SIGSEGV/SIGABRT detection anchors | NCSC-CH post #12575 contains no SIGSEGV/SIGABRT/syslog/journald anchors. | reworded attribution to omit NCSC-CH source claim and frame the anchors as defender-derived from the flaw class; added F5 PSIRT K000161019 as Additional source fixed-clean |
| F4 hallucinated-fact | deep-dive | Tycoon2FA Evidence fabricated quote continuation eSentire quote second half | Only first half verbatim; post-em-dash continuation fabricated. | replaced fabricated continuation with the article's actual sentence: "There is no proxy, no credential capture, no fake Microsoft page." fixed-clean |
| F4 hallucinated-fact | active-threats | THORChain TSSHOCK CVE-2023-33242 vs -33241 CVE-2023-33242 cited for GG20 keygen mechanism | CVE-2023-33242 is Lindell17 TSS abort-handling; the mechanism described is CVE-2023-33241 (Fireblocks GG18/GG20 Paillier). | replaced CVE-2023-33242 with CVE-2023-33241 in brief body, NVD URL, and state/cves_seen.json fixed-clean |
| F6 strengthen-primary-source | updates | CVE-2026-42945 NGINX missing F5 PSIRT F5 K000161019 | F5 PSIRT advisory is canonical vendor primary cited by NCSC-CH + Security Affairs. | added F5 PSIRT K000161019 to § 4 UPDATE Source chain (as Additional source) and § 6 action item Source (as first link); referenced in § 4 body as Affected attri fixed-clean |
| F11 editorial-advisory | deep-dive | trustifi.com marketing-homepage link | Vendor marketing homepage; not a Source. | dropped the inline link entirely; Trustifi name retained as plain text fixed-clean |
Iteration #4 CLEAN · 1 finding (truth=0, editorial=0, advisory=1) · Claude Sonnet 4.6 · 5m 17s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F11 editorial-advisory | active-threats | THORChain Evidence footer composite paraphrase of The Record One of THORChain six vaults... | Quoted phrasing is a composite paraphrase of The Record, not verbatim; underlying claim factually supported and body prose correctly paraphrases. | Accepted on CLEAN verdict per verifier (no remediation required for publication). To address in a follow-up edit if a future iteration surfaces it as truth-clas residual-at-cap |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-05-18-2eabc1cf · Claude Opus 4.7 · 5 entries published
- Coverage window: standard daily (gap to prior brief 2026-05-17 ≈ 24 h;
window_hours = 36). Quiet Sunday-into-Monday — § 2 and § 3 are intentionally empty per PD-11. - Items dropped (sub-agent returned but failed Phase 2 / dedup / recency):
- SEPPmail CVE-2026-44125 / 44126 / 44127 / 44128 / 44129 / 7864 cluster (NCSC-CH post #12551, 2026-05-08) — already covered in the 2026-05-09 deep dive and the CVEs are all in
cves_seen.json; the NCSC-CH advisory date (2026-05-08) is 10 days outsidewindow_hours = 36; dropped, no in-window delta. - Windows YellowKey / GreenPlasma zero-days (NCSC-CH post #12574, 2026-05-14) — already covered in the 2026-05-15 § 1; no fresh in-window development.
- DHTMLX CVE-2026-41553 / 41552 / 7182 — already covered as a TL;DR item in 2026-05-17; CERT-PL advisory date 2026-05-15 sits at the edge of window but the coverage is already current.
- NCSC-CH weekly review Week 19 (advance-fee scam, double-phishing awareness items) — primary-source date 2026-05-12 is outside
window_hours; awareness-class content with no fresh defender action.
- SEPPmail CVE-2026-44125 / 44126 / 44127 / 44128 / 44129 / 7864 cluster (NCSC-CH post #12551, 2026-05-08) — already covered in the 2026-05-09 deep dive and the CVEs are all in
- Single-source items: [SINGLE-SOURCE] CVE-2026-0300 PAN-OS § 4 UPDATE — sole primary source is the Palo Alto Networks PSIRT advisory (vendor-authoritative; national-CERT carve-out does not apply but vendor-PSIRT is itself the primary disclosing party).
- Included with reduced confidence (no in-window primary): none in this brief — the three out-of-window S3 items were dropped rather than promoted.
- Out-of-window research deferred to weekly summary (or next-week daily if material develops):
- The DFIR Report, 2026-05-11 — EtherRAT blockchain-C2 + TukTuk SaaS-C2 chain ending in Gentleman ransomware; novel detection-engineering content (EtherHiding / Arweave dead-drop / multi-SaaS C2 fingerprints) but source is 7 days outside
window_hours. - Microsoft Security Blog, 2026-05-12 — 123-day MSP-mediated intrusion via HPE Operations Manager with malicious Windows Network Provider DLL and LSA password-filter persistence; high relevance to public-sector outsourced IT but 6 days outside
window_hours. - Unit 42, 2026-05-11 — Active Directory Certificate Services ESC1 + shadow-credential exploitation attributed to Fighting Ursa (APT28); 7 days outside
window_hours.
- The DFIR Report, 2026-05-11 — EtherRAT blockchain-C2 + TukTuk SaaS-C2 chain ending in Gentleman ransomware; novel detection-engineering content (EtherHiding / Arweave dead-drop / multi-SaaS C2 fingerprints) but source is 7 days outside
- Contradictions surfaced: CVSS scoring for CVE-2026-42945 NGINX Rift differs across primaries — NCSC-CH lists
CVSS 4.0: 9.2 Criticalwhile NVD currently has no published score; The Hacker News and Security Affairs cite the F5 advisory's CVSS 4.0 base of 9.2 used in this brief. CVSS 3.1 score reported by NCSC-NL feed is 8.1. Brief uses the CVSS 4.0 score most widely cited by national-CERT sources. - Sub-agents that didn't return on time: none — S1 (348 s), S2 (677 s), S3 (576 s), S4 (679 s) all returned inside the 30-min hard cap.
- Candidate sources surfaced this run (one new candidate maximum per PD-3.6):
depthfirst(depthfirst.com) — AI-assisted vulnerability research, primary disclosure source for CVE-2026-42945 NGINX Rift cited by NCSC-CH; recorded asstatus: candidateinsources/sources.json. A second candidate (cryptotimes) was surfaced by S4 for THORChain technical post-mortems and is held for a future run per the one-candidate-per-run cap. - Coverage gaps: cisa-kev (bridge subcommand returned no in-window adds beyond CVE-2026-20182 / CVE-2026-42897 already covered); apple-security (no in-window emergency update); chrome-releases (no in-window emergency update); akamai-sirt (RSS 403 — no in-window content corroborated via search); trendmicro-research (feed parse error — no in-window content corroborated via search); sophos-xops (HTTP 503 — no in-window content corroborated via search); inside-it-ch (host 403 — no in-window CH-specific incidents); cert-eu (most recent advisory 2026-05-06; feed empty in window); ncsc-ch weekly-review-kw20 (Week 20 review not yet published as of 2026-05-18T04:50Z); cert-fr actu (feed appears stale, items dated Sep–Oct 2025); sec-disclosures-edgar (Item 1.05 search returned zero filings for 2026-05-15 → 2026-05-18 — US weekend); ico-uk (no new enforcement actions in window); cnil-fr (no new enforcement decisions in window); databreaches-net (host 403 — WebSearch fallback used per documented mitigation).
Unmatched action items (migrated)
- Block OAuth Device Code flow tenant-wide in Entra ID Conditional Access where it is not operationally required. Path: Conditional Access → New policy → Conditions → Authentication flows → Device code flow → Block. Scope to all user accounts and exempt only the named service principals (smart-TV, IoT, CLI) that demonstrably need it. Where a wholesale block is infeasible, restrict the device-code flow to compliant devices and named-location IPs. Monitor Entra ID sign-in logs for
AuthenticationProtocol = "deviceCode"from unfamiliar IPs against high-privilege users — see § 5 deep dive.
Migrated from briefs/2026-05-18.md (v2).
← Operations dashboard · day page 2026-05-18 · run-record contract: docs/pipeline.md