2026-05-19-2505c918
One pipeline fire, in full · intel run of 2026-05-19 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-19/2026-05-19-2505c918.md.
Run telemetry
- Items returned
- 6
- Duration
- 8m 24s
- Tool calls
- 8 WebFetch9 WebSearch9 bridge
- Cited sources
- 9 of 12 in slice
- Items returned
- 3
- Duration
- 8m 02s
- Tool calls
- 9 WebFetch18 WebSearch14 bridge
- Cited sources
- 9 of 13 in slice
- Items returned
- 4
- Duration
- 3m 39s
- Tool calls
- 12 WebFetch7 WebSearch9 bridge
- Cited sources
- 7 of 10 in slice
- Items returned
- 4
- Duration
- 9m 50s
- Tool calls
- 14 WebFetch11 WebSearch9 bridge
- Cited sources
- 8 of 12 in slice
Verification
Deep dive
2026-05-19/n8n-prototype-pollution-chain-cve-2026-42231-et-al-authentic
Entries published (this run)
- ARWINI (Lower Saxony statutory-prescription audit body) — investigators confirm data exfiltration after 4 May intrusion; Kairos ransomware group claims 2.87 TB; ~70,000 GDPR Art. 9 records in scope incident high
- BigBlueButton bbb-web < 3.0.21 / < 3.0.23 — three flaws in EU education and government virtual-classroom platform: weak session-token randomness, API checksum bypass, SSRF threat high
- CISA contractor (Nightwing) exposed AWS GovCloud admin keys and internal credentials in public GitHub repo for ~6 months incident high
- 7-Eleven confirms ShinyHunters breach of 600,000+ Salesforce franchise-application records — same campaign as Instructure, Vimeo, Wynn Resorts, Vercel, Medtronic incident high
- INTERPOL Operation Ramz — 13-country MENA cybercrime sweep: 201 arrests, 53 servers seized, Algerian PhaaS server takedown threat notable
- CVE-2026-42231 / -42232 / -44789 / -44790 / -44791 — n8n self-hosted automation: chained prototype-pollution and injection flaws enabling authenticated-to-RCE plus a Git-node arbitrary file read vulnerability high
- Symantec / Carbon Black document Fast16 hook engine targeting LS-DYNA/AUTODYN nuclear-simulation codes; Kim Zetter corrects "pre-Stuxnet" framing to contemporaneous-and-simulation-sabotage research notable
- TeamPCP / Shai-Hulud — first copycat wave (Phantom Bot + SSH/cloud stealers), Checkmarx Jenkins plugin trojanised again, PCPJack rival worm hits exposed cloud services threat high update
- Grafana Labs CoinbaseCartel breach — victim confirms source-code-only theft, no customer data, ransom rejected incident notable
- Chaotic Eclipse Windows zero-days — MiniPlasma is third PoC in series; cldflt.sys CfAbortHydration path, claimed re-exploitable CVE-2020-17103 regression vulnerability notable
- n8n prototype-pollution chain (CVE-2026-42231 et al.): authenticated-to-RCE on a workflow-automation platform that Swiss/EU agencies increasingly stand up as their integration bus vulnerability notable
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| inside-it-ch | https://www.inside-it.ch/ | webfetch → bridge:url → websearch-fallback | 403 transport-403 WebFetch returned HTTP 403; known-403 blocking host with no bridge subcommand and no Wayback snapshot | bridge:url returned same 403 — known-blocking host; WebSearch fallback surfaced no unique in-window CH-specific items |
| cert-eu | https://cert.europa.eu/publications/security-advisories | webfetch → bridge:cert-eu.recent | 200 Source reachable (200) but no in-window advisories — newest item is 2026-006 dated 2026-05-06, outside the 36 h window | Bridge confirmed empty — coverage gap not a transport failure |
| databreaches-net | https://databreaches.net/feed/ | bridge:databreaches → wayback | 403 transport-403 HTTP 403 on bridge fetch; Wayback fallback returned empty | No usable content retrieved; coverage relied on Krebs/Gizmodo/SecurityWeek/Security Affairs instead |
| sophos-xops | https://news.sophos.com/en-us/category/x-ops/feed/ | webfetch → websearch | 503 transport-5xx Sophos X-Ops blog feed empty / 503; no in-window content found via WebSearch corroboration | WebSearch surfaced only Feb 2026 / pre-window items |
| trendmicro-research | https://www.trendmicro.com/en_us/research.html | webfetch → websearch | 500 spa-empty-body JavaScript-heavy SPA shell; no RSS feed found; WebSearch returned no in-window primary research | Rotation-priority retry exhausted; coverage gap stands |
| bright-talk-dbir covered via alternate · should NOT be in this list | https://www.brighttalk.com/webcast/15099/665415 | webfetch | 403 transport-403 BrightTalk webinar page 403; DBIR findings obtained via Verizon landing page + WebSearch summaries | Verizon landing page WebFetch + DBIR findings via search-aggregator summaries |
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #1 NEEDS_FIXES · 10 findings (truth=4, editorial=1, advisory=3) · Claude Opus 4.7 · 4m 25s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 claim-not-supported | research-investigative | Symantec / Carbon Black confirm Fast16 is contemporaneous with Stuxnet | Brief attributed 'contemporaneous with Stuxnet' framing to Broadcom Symantec; sources show that correction is from Kim Zetter (ZERO DAY) only. | Reframed §3 H3 title and body to attribute the contemporaneous correction to Kim Zetter alone; Broadcom credited only with the LS-DYNA/AUTODYN technical analysi fixed-clean |
| F2 claim-not-supported | active-threats | ARWINI — LKA Niedersachsen attribution | Cited Ärzteblatt + Heise sources name Polizeidirektion Hannover as investigating authority, not LKA Niedersachsen. | Changed §1 lead paragraph attribution from 'LKA Niedersachsen' to 'Polizeidirektion Hannover'; removed LKA-advised-not-to-pay sentence (not in cited sources). fixed-clean |
| F3 claim-not-supported | active-threats | ARWINI — 'No actor named publicly' contradicted by Heise | Heise (cited additional source) names 'Kairos' ransomware group with 2.87 TB leak-site claim from 2026-05-11; brief said no actor named. | Added Kairos attribution and 2.87 TB leak-site claim to §1 H3 title, lead paragraph, TL;DR bullet; added Kairos line to Evidence field. fixed-clean |
| F4 analytical-link-as-fact | active-threats | 7-Eleven — CoinbaseCartel framing not in 7-Eleven sources | SecurityWeek + Security Affairs articles on 7-Eleven do not mention CoinbaseCartel; the link only appears in separate Grafana coverage. | Removed CoinbaseCartel from 7-Eleven TL;DR bullet and §1 H3 + Why-it-matters paragraph; kept ShinyHunters attribution which the sources do support. fixed-clean |
| F5 missing-citation | trending-vulnerabilities | n8n — CCB Belgium advisory asserted without inline URL TL;DR / §2 / §5 | Three assertions of CCB Belgium emergency advisory; sub-agent confirmed via WebSearch only — no advisory URL retrieved. | Removed CCB Belgium emergency-advisory phrasing from TL;DR / §2 / §5 / §6; reframed as 'expect downstream national-CERT advisories' without specific attribution fixed-degraded |
| F6 analytical-link-as-fact | tldr-and-updates | TeamPCP — 'Datadog's forecast validated within 48h' framing TL;DR bullet 6 + §4 UPDATE lead | Datadog 2026-05-15 was analysis of leaked worm architecture, not forecast of copycats; '48h' quantifier off (5/15 → 5/17 = ~4 days). | Removed 'forecast validated within 48h' phrasing from TL;DR and §4 UPDATE lead paragraph; reframed as factual chronology (Datadog analysed 5/15 → OX surfaced cl fixed-clean |
| F8 editorial-advisory | active-threats | BBB Why-it-matters — T1090 misuse §1 BBB Why-it-matters paragraph | T1090 is C2 proxying, not SSRF; the SSRF technique class belongs under T1190 chained with internal-reach. | Replaced 'T1090 (Proxy / SSRF for internal access)' with 'the SSRF maps to T1190 (Exploit Public-Facing Application) chained with internal-network reach'. fixed-clean |
| F10 editorial-advisory | deep-dive | n8n deep-dive — child_process.spawn function-name specificity §5 Vulnerability class and component paragraph | GHSA confirms 'Git node's SSH operations' lead to RCE but doesn't name child_process.spawn. | Softened to 'the Git node's SSH invocation path consumes attacker-controlled values and achieves RCE' — drops the function-name specificity. fixed-clean |
| F11 editorial-advisory | active-threats | BBB CVE-2026-46404 — meeting-organiser inference §1 BBB lead paragraph | GHSA states generic 'Privileges Required: High'; 'meeting-organiser-level' was an interpretive specificity. | Replaced 'meeting-organiser-level attacker' with 'high-privilege authenticated attacker' (matches GHSA wording). fixed-clean |
| F12 quantifier-without-source | research-investigative | Fast16 — 'first publicly-documented use' quantifier §3 Fast16 paragraph end | 'first publicly-documented use of a filesystem-driver-level instruction-rewriting hook engine' is brief's own analytical novelty claim, not in sources. | Hedged to 'Broadcom appears to describe the first publicly-documented use' — explicit attribution to the cited source's framing without asserting it as fact. fixed-degraded |
Iteration #2 NEEDS_FIXES · 2 findings (truth=0, editorial=2, advisory=0) · Claude Sonnet 4.6 · 2m 04s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 analytical-link-as-fact | action-items | §6 Salesforce audit — 'ShinyHunters / CoinbaseCartel pattern hitting 7-Eleven' | Iter-1 F4 remediation missed §6 — CoinbaseCartel still appeared in the Salesforce audit action item sentence sourced to SecurityWeek. | Rewrote action-item sentence to 'ShinyHunters Salesforce-targeting pattern' — CoinbaseCartel removed from §6. fixed-clean |
| F2 editorial-advisory | verification-notes | §7 reduced-confidence note still named 'LKA Niedersachsen' §7 Verification Notes reduced-confidence bullet | Iter-1 F2 remediation updated §1 lead + TL;DR but left §7 reduced-confidence note inconsistent (still LKA). | Changed §7 reduced-confidence bullet to 'investigating-authority statement (Polizeidirektion Hannover)' — internal consistency restored. fixed-clean |
Iteration #3 NEEDS_FIXES · 7 findings (truth=4, editorial=0, advisory=1) · Claude Opus 4.7 · 8m 56s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 claim-not-supported | trending-vulnerabilities | n8n CVE Summary Table + §5 — patched versions for CVE-2026-44789/-44790/-44791 Patched in n8n 1.123.32, 2.17.4, and 2.18.1. | Verifier confirmed three of five CVEs are patched in 1.123.43 / 2.20.7 / 2.22.1, not the initial 1.123.32 / 2.17.4 / 2.18.1 train. High-impact patch-action defect. | Split the patch advice into two trains: -42231/-42232 in 1.123.32 / 2.17.4 / 2.18.1; -44789/-44790/-44791 in 1.123.43 / 2.20.7 / 2.22.1. Updated CVE Summary Tab fixed-clean |
| F2 claim-not-supported | trending-vulnerabilities | n8n GHSA-to-CVE mapping and per-CVE descriptions CVE-2026-44790, GHSA-wrwr-h859-xh2r | Verifier confirmed: -44789=GHSA-c8xv-5998-g76h=HTTP Request Node Pagination; -44790=GHSA-57g9-58c2-xjg3=Arbitrary File Read via Git Node (file-read, not SSH RCE); -44791=GHSA-wrwr-h859-xh2r=XML Node P | Re-mapped GHSAs to correct CVEs in §2 lead, CVE Summary Table, and §5 deep dive. Corrected each per-CVE description. §5 deep dive 'Vulnerability class and compo fixed-clean |
| F3 hallucinated-fact | tldr-and-updates | Datadog analysis date Datadog Security Labs analysed on 2026-05-15 | Datadog published 2026-05-13 per the 2026-05-15 daily's citation; brief misstated date in TL;DR + §4 UPDATE (three occurrences). | Replaced all occurrences with '2026-05-13'. fixed-clean |
| F4 hallucinated-fact | updates | chalk-tempalte key descriptor — public vs private a modified C2 server and a new attacker public key | Both cited sources (OX Security, THN) say 'private key'; brief flipped to 'public key'. | Changed §4 UPDATE to 'new attacker private key'. fixed-clean |
| F13 analytical-link-as-fact | tldr-and-active-threats | INTERPOL — 'first-of-its-kind PhaaS server takedown in the region' described as a first-of-its-kind PhaaS server takedown in the region | 'first-of-its-kind' applies to the overall operation, not specifically to the Algerian PhaaS takedown. | §0 TL;DR: 'first Algerian PhaaS takedown' → 'Algerian PhaaS server takedown'. §1 H3: same. §1 paragraph: removed the 'first-of-its-kind PhaaS server takedown' g fixed-clean |
| F14 quantifier-without-source | active-threats | ARWINI 11 million GKV patients approximately 11 million statutory-health-insurance (GKV) patients | 11M figure not in cited sources; Niedersachsen population ~8M total. | Replaced 'approximately 11 million statutory-health-insurance (GKV) patients' with 'statutory-health-insurance (GKV) patients in Lower Saxony' — drops the unsou fixed-clean |
| F11 editorial-advisory | updates | Grafana UPDATE — technical-mechanism details framed as new The material new disclosures: ... The root-cause confirmation is precise | Technical-mechanism details (pull_request_target, forked-PR curl, write-scoped GITHUB_TOKEN, canary detection) were in the 2026-W21 weekly summary citing THN, not in the 2026-05-18 confirmations. | Reframed §4 UPDATE: '(a)(b)(c)' kept as genuinely new 2026-05-18 disclosures (source-only access, no customer data, ransom refused); technical-mechanism block n fixed-clean |
Iteration #4 NEEDS_FIXES · 2 findings (truth=2, editorial=0, advisory=0) · Claude Sonnet 4.6 · 3m 01s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 hallucinated-fact | updates | §4 TeamPCP UPDATE body — Datadog analysis date Datadog Security Labs' 2026-05-15 analysis | Iter-3 F3 fix on Datadog date applied to TL;DR but missed §4 body 'Datadog Security Labs' 2026-05-15 analysis' phrasing. | Replaced §4 body '2026-05-15 analysis' with '2026-05-13 analysis'. fixed-clean |
| F9 surface-contradiction | updates | chalk-tempalte attacker-key descriptor — public vs private a new attacker private key | OX Security says 'public key embedded inside the code'; THN says 'private key'. Iter-3 F4 fix adopted THN wording without surfacing the contradiction. | §4 body rephrased to 'new attacker-controlled key embedded in the code — the two primary sources disagree on whether this is a public or private key (see § 7)'. fixed-clean |
Iteration #5 NEEDS_FIXES cap-breach · 2 findings (truth=1, editorial=1, advisory=0) · Claude Opus 4.7 · 4m 01s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 claim-not-supported | trending-vulnerabilities-and-deep-dive | CVE-2026-42232 component misattributed as HTTP Request Node injection in three p | Cited GHSA title is 'XML Node Prototype Pollution to RCE'; affected component is the XML Node. Brief had HTTP Request Node in three places (§2 body, §2 table, §5 deep dive). | Applied post-cap: replaced 'HTTP-Request-Node injection flaw amplifying the same primitive' with 'XML-Node prototype-pollution flaw exercising the same primitiv fixed-clean |
| F2 generic-url | trending-vulnerabilities | Four CVE Summary Table rows link to advisories listing index instead of per-GHSA | Per-GHSA permalinks exist and resolve for GHSA-hqr4-h3xv-9m3r, GHSA-c8xv-5998-g76h, GHSA-57g9-58c2-xjg3, GHSA-wrwr-h859-xh2r. | Applied post-cap: updated all four CVE Summary Table rows to link to the per-GHSA permalinks. fixed-clean |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-05-19-2505c918 · Claude Opus 4.7 · 11 entries published
- Items dropped — CVE-2026-41702 (VMware Fusion 25H2 macOS, TOCTOU SETUID race condition, CVSS 7.8, Broadcom VMSA-2026-0003 dated 2026-05-14): dropped from § 2 — did not clear § 2 inclusion gates (no in-the-wild exploitation, not CISA KEV, not ENISA EUVD
exploited=true, CVSS < 9.0, local-only attack vector on developer-workstation product, not pre-auth-RCE-on-edge-software). - Single-source items — none in this run.
- Reduced-confidence items — ARWINI (S2) MULTI-SOURCE but no direct ARWINI press release retrieved; investigating-authority statement (Polizeidirektion Hannover) reported via Deutsches Ärzteblatt and Heise Security; ARWINI's own quote on Art. 9 data scope is via Borns IT Blog citing the ARWINI statement, not the statement page itself.
- Contradictions — chalk-tempalte attacker-key descriptor: OX Security (blog post) describes the embedded key as a "public key"; The Hacker News (article), reporting on the same OX research, describes it as a "private key". Brief reports the attacker-controlled-key fact without taking a side on the key-type modifier; defenders cross-checking the brief should expect both descriptors in coverage.
- Stalled sub-agents — none. All four Phase-1 sub-agents returned within wall-clock budget (S1 504s · S2 482s · S3 219s · S4 590s).
- Verification — five iterations ran with model rotation (Opus / Sonnet / Opus / Sonnet / Opus); each iteration's findings were applied as remediations before the next spawn. Iteration 5 (final, Opus) returned NEEDS_FIXES with two residual findings (truth=1, editorial=1): F1 (CVE-2026-42232 component attribution) — applied post-cap, the brief now describes it as "XML Node Prototype Pollution to RCE" matching the cited GHSA title; F2 (per-GHSA permalink specificity) — applied post-cap, CVE Summary Table rows now link to each specific GHSA permalink instead of the advisories listing index. Per v2.50 cap-breach policy the brief publishes after the cap regardless;
verification_residual_count = 2reflects the iteration-5 verdict, not the post-cap state of the brief. - Models reported — main agent Claude Opus 4.7 (
claude-opus-4-7); all four research sub-agents Claude Sonnet 4.6 (claude-sonnet-4-6). - Coverage gaps: bright-talk-dbir (403 on Verizon DBIR 2026 webinar URL); verizon-dbir-2026 (full PDF not yet available at run time — landing-page summary only); anssi-fr (no in-window advisories — newest 2026-05-13); bsi-de (only updates to already-covered advisories in window); cert-eu (RSS empty for in-window — newest item 2026-05-06); inside-it-ch (known 403, no bridge subcommand); heise-sec (TollBit-gated per-article URLs — used RSS summary + WebSearch corroboration); sophos-xops (rotation-priority empty — no in-window content); trendmicro-research (rotation-priority SPA shell with no RSS); databreaches-net (rotation-priority 403, Wayback empty); dark-reading (article 403 on Iran ATG fuel-tank campaign expansion — corroborated via WebSearch summaries but freshest CNN/Security-Magazine primary is dated outside the 36 h window so the item was dropped); sec-disclosures-edgar (no Item 1.05 8-K filings in window); ico-uk (no enforcement actions in window — newest action 2026-05-11 outside window).
Unmatched action items (migrated)
- Patch self-hosted n8n now — apply the later train
1.123.43/2.20.7/2.22.1which covers all five CVSS 9.4 CVEs in the cluster. The earlier patch (1.123.32/2.17.4/2.18.1) addresses only-42231/-42232and leaves the follow-on cluster (-44789pagination prototype pollution,-44790Git-node arbitrary file read,-44791XML-node patch bypass) exposed. See § 2 entry and § 5 deep dive in this brief. Additional: enforce SSO+MFA on the editor role, restrict workflow create/modify to a small admin group, disable Git node if not required. - Audit every
pull_request_targetGitHub Actions workflow on agency / OSS-component repositories for write-scoped tokens reachable from external forked-PR code. Setpermissions: read-allat workflow level; separate privileged steps into a secondworkflow_run-gated workflow that runs only on merged code; requireCODEOWNERSapproval before CI on external PRs. Grafana Labs (§ 4 UPDATE in this brief) is the second high-profile Pwn-Request loss this week. - Audit Checkmarx Jenkins AST plugin installations across CI/CD estate for any version installed during 2026-05-09 01:25 UTC → 2026-05-10 08:47 UTC; flag version
2026.5.09. Inventorycheckmarx/ast-github-actionandcheckmarx/kics-github-actionconsumers; remediated builds are2.0.13-848/2.0.13-847. CxSAST on-premise is unaffected; the trojanised surfaces are the Marketplace plugins and GitHub Actions. See § 4 TeamPCP/Shai-Hulud UPDATE in this brief. - Scan internal npm caches and lockfiles for packages by
deadcode09284814(chalk-tempalte,@deadcode09284814/axios-util,axois-utils,color-style-utils); inspect.vscode/tasks.jsonand~/.claude/settings.jsonon developer endpoints for injected persistence hooks. Block egress from CI runners and developer workstations to*.lhr.lifeand other suspicious tunnel-provider domains used as commodity C2 channels. - Audit Salesforce Connected App OAuth grants and Event Monitoring across public-sector Salesforce tenants — particularly third-party AI / RPA SaaS integrations. Alert on bulk
Report Exportevents and high-volume SOQL API calls; enforce IP-range / Trusted-IP session policies; consider Salesforce Shield field-level encryption for partner/supplier PII. The ShinyHunters Salesforce-targeting pattern hitting 7-Eleven, Instructure, Vimeo, Wynn Resorts, Vercel, Medtronic is identity-side, not Salesforce-product-side. - Hunt for MiniPlasma / Chaotic Eclipse Windows LPE PoC use via Sysmon EID 13 (RegistryEvent / SetValue) on the
.DEFAULTuser hive from non-SYSTEMprocesses; pivot on registry keys under\Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps*and\Registry\User\.DEFAULT\Volatile Environment*(ThreatLocker hunt guidance). No vendor patch yet; mitigations are limited. - Inventory GKV / cantonal health-insurance and prescription-audit data-processor relationships as in-scope NIS2 / KRITIS critical suppliers; rehearse the 72-hour GDPR Art. 33 breach-notification clock starting from a third-party's detection event, not your own. ARWINI (§ 1 in this brief) follows the NMDL/IGJ Netherlands pattern from 2026-05-14.
Migrated from briefs/2026-05-19.md (v2).
← Operations dashboard · day page 2026-05-19 · run-record contract: docs/pipeline.md