ctipilot.ch

2026-05-19-2505c918

One pipeline fire, in full · intel run of 2026-05-19 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-19/2026-05-19-2505c918.md.

Run telemetry

2026-05-19-2505c918 intel prompt v2.59
25m 14s duration 11 published 1 updates
Claude Opus 4.7 (claude-opus-4-7) main agent
S1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
6
Duration
8m 24s
Tool calls
8 WebFetch9 WebSearch9 bridge
Cited sources
9 of 12 in slice
S2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
3
Duration
8m 02s
Tool calls
9 WebFetch18 WebSearch14 bridge
Cited sources
9 of 13 in slice
S3 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
3m 39s
Tool calls
12 WebFetch7 WebSearch9 bridge
Cited sources
7 of 10 in slice
S4 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
9m 50s
Tool calls
14 WebFetch11 WebSearch9 bridge
Cited sources
8 of 12 in slice

Verification

#1 NEEDS_FIXES · Claude Opus 4.7 (1M context) · t=4 e=1 a=3 #2 NEEDS_FIXES · Claude Sonnet 4.6 · t=0 e=2 a=0 #3 NEEDS_FIXES · Claude Opus 4.7 (1M context) · t=4 e=0 a=1 #4 NEEDS_FIXES · Claude Sonnet 4.6 · t=2 e=0 a=0 #5 NEEDS_FIXES · Claude Opus 4.7 · t=1 e=1 a=0

Deep dive

2026-05-19/n8n-prototype-pollution-chain-cve-2026-42231-et-al-authentic

Entries published (this run)

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

Source (uncovered)URL triedMethod chainStatus / classWhat the agent did instead
inside-it-chhttps://www.inside-it.ch/webfetchbridge:urlwebsearch-fallback403 transport-403
WebFetch returned HTTP 403; known-403 blocking host with no bridge subcommand and no Wayback snapshot
bridge:url returned same 403 — known-blocking host; WebSearch fallback surfaced no unique in-window CH-specific items
cert-euhttps://cert.europa.eu/publications/security-advisorieswebfetchbridge:cert-eu.recent200
Source reachable (200) but no in-window advisories — newest item is 2026-006 dated 2026-05-06, outside the 36 h window
Bridge confirmed empty — coverage gap not a transport failure
databreaches-nethttps://databreaches.net/feed/bridge:databreacheswayback403 transport-403
HTTP 403 on bridge fetch; Wayback fallback returned empty
No usable content retrieved; coverage relied on Krebs/Gizmodo/SecurityWeek/Security Affairs instead
sophos-xopshttps://news.sophos.com/en-us/category/x-ops/feed/webfetchwebsearch503 transport-5xx
Sophos X-Ops blog feed empty / 503; no in-window content found via WebSearch corroboration
WebSearch surfaced only Feb 2026 / pre-window items
trendmicro-researchhttps://www.trendmicro.com/en_us/research.htmlwebfetchwebsearch500 spa-empty-body
JavaScript-heavy SPA shell; no RSS feed found; WebSearch returned no in-window primary research
Rotation-priority retry exhausted; coverage gap stands
bright-talk-dbir
covered via alternate · should NOT be in this list
https://www.brighttalk.com/webcast/15099/665415webfetch403 transport-403
BrightTalk webinar page 403; DBIR findings obtained via Verizon landing page + WebSearch summaries
Verizon landing page WebFetch + DBIR findings via search-aggregator summaries

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #1 NEEDS_FIXES · 10 findings (truth=4, editorial=1, advisory=3) · Claude Opus 4.7 · 4m 25s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
claim-not-supported
research-investigativeSymantec / Carbon Black confirm Fast16 is contemporaneous with StuxnetBrief attributed 'contemporaneous with Stuxnet' framing to Broadcom Symantec; sources show that correction is from Kim Zetter (ZERO DAY) only.Reframed §3 H3 title and body to attribute the contemporaneous correction to Kim Zetter alone; Broadcom credited only with the LS-DYNA/AUTODYN technical analysi fixed-clean
F2
claim-not-supported
active-threatsARWINI — LKA Niedersachsen attributionCited Ärzteblatt + Heise sources name Polizeidirektion Hannover as investigating authority, not LKA Niedersachsen.Changed §1 lead paragraph attribution from 'LKA Niedersachsen' to 'Polizeidirektion Hannover'; removed LKA-advised-not-to-pay sentence (not in cited sources). fixed-clean
F3
claim-not-supported
active-threatsARWINI — 'No actor named publicly' contradicted by HeiseHeise (cited additional source) names 'Kairos' ransomware group with 2.87 TB leak-site claim from 2026-05-11; brief said no actor named.Added Kairos attribution and 2.87 TB leak-site claim to §1 H3 title, lead paragraph, TL;DR bullet; added Kairos line to Evidence field. fixed-clean
F4
analytical-link-as-fact
active-threats7-Eleven — CoinbaseCartel framing not in 7-Eleven sourcesSecurityWeek + Security Affairs articles on 7-Eleven do not mention CoinbaseCartel; the link only appears in separate Grafana coverage.Removed CoinbaseCartel from 7-Eleven TL;DR bullet and §1 H3 + Why-it-matters paragraph; kept ShinyHunters attribution which the sources do support. fixed-clean
F5
missing-citation
trending-vulnerabilitiesn8n — CCB Belgium advisory asserted without inline URL
TL;DR / §2 / §5
Three assertions of CCB Belgium emergency advisory; sub-agent confirmed via WebSearch only — no advisory URL retrieved.Removed CCB Belgium emergency-advisory phrasing from TL;DR / §2 / §5 / §6; reframed as 'expect downstream national-CERT advisories' without specific attribution fixed-degraded
F6
analytical-link-as-fact
tldr-and-updatesTeamPCP — 'Datadog's forecast validated within 48h' framing
TL;DR bullet 6 + §4 UPDATE lead
Datadog 2026-05-15 was analysis of leaked worm architecture, not forecast of copycats; '48h' quantifier off (5/15 → 5/17 = ~4 days).Removed 'forecast validated within 48h' phrasing from TL;DR and §4 UPDATE lead paragraph; reframed as factual chronology (Datadog analysed 5/15 → OX surfaced cl fixed-clean
F8
editorial-advisory
active-threatsBBB Why-it-matters — T1090 misuse
§1 BBB Why-it-matters paragraph
T1090 is C2 proxying, not SSRF; the SSRF technique class belongs under T1190 chained with internal-reach.Replaced 'T1090 (Proxy / SSRF for internal access)' with 'the SSRF maps to T1190 (Exploit Public-Facing Application) chained with internal-network reach'. fixed-clean
F10
editorial-advisory
deep-diven8n deep-dive — child_process.spawn function-name specificity
§5 Vulnerability class and component paragraph
GHSA confirms 'Git node's SSH operations' lead to RCE but doesn't name child_process.spawn.Softened to 'the Git node's SSH invocation path consumes attacker-controlled values and achieves RCE' — drops the function-name specificity. fixed-clean
F11
editorial-advisory
active-threatsBBB CVE-2026-46404 — meeting-organiser inference
§1 BBB lead paragraph
GHSA states generic 'Privileges Required: High'; 'meeting-organiser-level' was an interpretive specificity.Replaced 'meeting-organiser-level attacker' with 'high-privilege authenticated attacker' (matches GHSA wording). fixed-clean
F12
quantifier-without-source
research-investigativeFast16 — 'first publicly-documented use' quantifier
§3 Fast16 paragraph end
'first publicly-documented use of a filesystem-driver-level instruction-rewriting hook engine' is brief's own analytical novelty claim, not in sources.Hedged to 'Broadcom appears to describe the first publicly-documented use' — explicit attribution to the cited source's framing without asserting it as fact. fixed-degraded

Iteration #2 NEEDS_FIXES · 2 findings (truth=0, editorial=2, advisory=0) · Claude Sonnet 4.6 · 2m 04s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
analytical-link-as-fact
action-items§6 Salesforce audit — 'ShinyHunters / CoinbaseCartel pattern hitting 7-Eleven'Iter-1 F4 remediation missed §6 — CoinbaseCartel still appeared in the Salesforce audit action item sentence sourced to SecurityWeek.Rewrote action-item sentence to 'ShinyHunters Salesforce-targeting pattern' — CoinbaseCartel removed from §6. fixed-clean
F2
editorial-advisory
verification-notes§7 reduced-confidence note still named 'LKA Niedersachsen'
§7 Verification Notes reduced-confidence bullet
Iter-1 F2 remediation updated §1 lead + TL;DR but left §7 reduced-confidence note inconsistent (still LKA).Changed §7 reduced-confidence bullet to 'investigating-authority statement (Polizeidirektion Hannover)' — internal consistency restored. fixed-clean

Iteration #3 NEEDS_FIXES · 7 findings (truth=4, editorial=0, advisory=1) · Claude Opus 4.7 · 8m 56s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
claim-not-supported
trending-vulnerabilitiesn8n CVE Summary Table + §5 — patched versions for CVE-2026-44789/-44790/-44791
Patched in n8n 1.123.32, 2.17.4, and 2.18.1.
Verifier confirmed three of five CVEs are patched in 1.123.43 / 2.20.7 / 2.22.1, not the initial 1.123.32 / 2.17.4 / 2.18.1 train. High-impact patch-action defect.Split the patch advice into two trains: -42231/-42232 in 1.123.32 / 2.17.4 / 2.18.1; -44789/-44790/-44791 in 1.123.43 / 2.20.7 / 2.22.1. Updated CVE Summary Tab fixed-clean
F2
claim-not-supported
trending-vulnerabilitiesn8n GHSA-to-CVE mapping and per-CVE descriptions
CVE-2026-44790, GHSA-wrwr-h859-xh2r
Verifier confirmed: -44789=GHSA-c8xv-5998-g76h=HTTP Request Node Pagination; -44790=GHSA-57g9-58c2-xjg3=Arbitrary File Read via Git Node (file-read, not SSH RCE); -44791=GHSA-wrwr-h859-xh2r=XML Node PRe-mapped GHSAs to correct CVEs in §2 lead, CVE Summary Table, and §5 deep dive. Corrected each per-CVE description. §5 deep dive 'Vulnerability class and compo fixed-clean
F3
hallucinated-fact
tldr-and-updatesDatadog analysis date
Datadog Security Labs analysed on 2026-05-15
Datadog published 2026-05-13 per the 2026-05-15 daily's citation; brief misstated date in TL;DR + §4 UPDATE (three occurrences).Replaced all occurrences with '2026-05-13'. fixed-clean
F4
hallucinated-fact
updateschalk-tempalte key descriptor — public vs private
a modified C2 server and a new attacker public key
Both cited sources (OX Security, THN) say 'private key'; brief flipped to 'public key'.Changed §4 UPDATE to 'new attacker private key'. fixed-clean
F13
analytical-link-as-fact
tldr-and-active-threatsINTERPOL — 'first-of-its-kind PhaaS server takedown in the region'
described as a first-of-its-kind PhaaS server takedown in the region
'first-of-its-kind' applies to the overall operation, not specifically to the Algerian PhaaS takedown.§0 TL;DR: 'first Algerian PhaaS takedown' → 'Algerian PhaaS server takedown'. §1 H3: same. §1 paragraph: removed the 'first-of-its-kind PhaaS server takedown' g fixed-clean
F14
quantifier-without-source
active-threatsARWINI 11 million GKV patients
approximately 11 million statutory-health-insurance (GKV) patients
11M figure not in cited sources; Niedersachsen population ~8M total.Replaced 'approximately 11 million statutory-health-insurance (GKV) patients' with 'statutory-health-insurance (GKV) patients in Lower Saxony' — drops the unsou fixed-clean
F11
editorial-advisory
updatesGrafana UPDATE — technical-mechanism details framed as new
The material new disclosures: ... The root-cause confirmation is precise
Technical-mechanism details (pull_request_target, forked-PR curl, write-scoped GITHUB_TOKEN, canary detection) were in the 2026-W21 weekly summary citing THN, not in the 2026-05-18 confirmations.Reframed §4 UPDATE: '(a)(b)(c)' kept as genuinely new 2026-05-18 disclosures (source-only access, no customer data, ransom refused); technical-mechanism block n fixed-clean

Iteration #4 NEEDS_FIXES · 2 findings (truth=2, editorial=0, advisory=0) · Claude Sonnet 4.6 · 3m 01s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
hallucinated-fact
updates§4 TeamPCP UPDATE body — Datadog analysis date
Datadog Security Labs' 2026-05-15 analysis
Iter-3 F3 fix on Datadog date applied to TL;DR but missed §4 body 'Datadog Security Labs' 2026-05-15 analysis' phrasing.Replaced §4 body '2026-05-15 analysis' with '2026-05-13 analysis'. fixed-clean
F9
surface-contradiction
updateschalk-tempalte attacker-key descriptor — public vs private
a new attacker private key
OX Security says 'public key embedded inside the code'; THN says 'private key'. Iter-3 F4 fix adopted THN wording without surfacing the contradiction.§4 body rephrased to 'new attacker-controlled key embedded in the code — the two primary sources disagree on whether this is a public or private key (see § 7)'. fixed-clean

Iteration #5 NEEDS_FIXES cap-breach · 2 findings (truth=1, editorial=1, advisory=0) · Claude Opus 4.7 · 4m 01s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
claim-not-supported
trending-vulnerabilities-and-deep-diveCVE-2026-42232 component misattributed as HTTP Request Node injection in three pCited GHSA title is 'XML Node Prototype Pollution to RCE'; affected component is the XML Node. Brief had HTTP Request Node in three places (§2 body, §2 table, §5 deep dive).Applied post-cap: replaced 'HTTP-Request-Node injection flaw amplifying the same primitive' with 'XML-Node prototype-pollution flaw exercising the same primitiv fixed-clean
F2
generic-url
trending-vulnerabilitiesFour CVE Summary Table rows link to advisories listing index instead of per-GHSAPer-GHSA permalinks exist and resolve for GHSA-hqr4-h3xv-9m3r, GHSA-c8xv-5998-g76h, GHSA-57g9-58c2-xjg3, GHSA-wrwr-h859-xh2r.Applied post-cap: updated all four CVE Summary Table rows to link to the per-GHSA permalinks. fixed-clean

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-05-19-2505c918 · Claude Opus 4.7 · 11 entries published

  • Items dropped — CVE-2026-41702 (VMware Fusion 25H2 macOS, TOCTOU SETUID race condition, CVSS 7.8, Broadcom VMSA-2026-0003 dated 2026-05-14): dropped from § 2 — did not clear § 2 inclusion gates (no in-the-wild exploitation, not CISA KEV, not ENISA EUVD exploited=true, CVSS < 9.0, local-only attack vector on developer-workstation product, not pre-auth-RCE-on-edge-software).
  • Single-source items — none in this run.
  • Reduced-confidence items — ARWINI (S2) MULTI-SOURCE but no direct ARWINI press release retrieved; investigating-authority statement (Polizeidirektion Hannover) reported via Deutsches Ärzteblatt and Heise Security; ARWINI's own quote on Art. 9 data scope is via Borns IT Blog citing the ARWINI statement, not the statement page itself.
  • Contradictionschalk-tempalte attacker-key descriptor: OX Security (blog post) describes the embedded key as a "public key"; The Hacker News (article), reporting on the same OX research, describes it as a "private key". Brief reports the attacker-controlled-key fact without taking a side on the key-type modifier; defenders cross-checking the brief should expect both descriptors in coverage.
  • Stalled sub-agents — none. All four Phase-1 sub-agents returned within wall-clock budget (S1 504s · S2 482s · S3 219s · S4 590s).
  • Verification — five iterations ran with model rotation (Opus / Sonnet / Opus / Sonnet / Opus); each iteration's findings were applied as remediations before the next spawn. Iteration 5 (final, Opus) returned NEEDS_FIXES with two residual findings (truth=1, editorial=1): F1 (CVE-2026-42232 component attribution) — applied post-cap, the brief now describes it as "XML Node Prototype Pollution to RCE" matching the cited GHSA title; F2 (per-GHSA permalink specificity) — applied post-cap, CVE Summary Table rows now link to each specific GHSA permalink instead of the advisories listing index. Per v2.50 cap-breach policy the brief publishes after the cap regardless; verification_residual_count = 2 reflects the iteration-5 verdict, not the post-cap state of the brief.
  • Models reported — main agent Claude Opus 4.7 (claude-opus-4-7); all four research sub-agents Claude Sonnet 4.6 (claude-sonnet-4-6).
  • Coverage gaps: bright-talk-dbir (403 on Verizon DBIR 2026 webinar URL); verizon-dbir-2026 (full PDF not yet available at run time — landing-page summary only); anssi-fr (no in-window advisories — newest 2026-05-13); bsi-de (only updates to already-covered advisories in window); cert-eu (RSS empty for in-window — newest item 2026-05-06); inside-it-ch (known 403, no bridge subcommand); heise-sec (TollBit-gated per-article URLs — used RSS summary + WebSearch corroboration); sophos-xops (rotation-priority empty — no in-window content); trendmicro-research (rotation-priority SPA shell with no RSS); databreaches-net (rotation-priority 403, Wayback empty); dark-reading (article 403 on Iran ATG fuel-tank campaign expansion — corroborated via WebSearch summaries but freshest CNN/Security-Magazine primary is dated outside the 36 h window so the item was dropped); sec-disclosures-edgar (no Item 1.05 8-K filings in window); ico-uk (no enforcement actions in window — newest action 2026-05-11 outside window).

Unmatched action items (migrated)

  • Patch self-hosted n8n now — apply the later train 1.123.43 / 2.20.7 / 2.22.1 which covers all five CVSS 9.4 CVEs in the cluster. The earlier patch (1.123.32 / 2.17.4 / 2.18.1) addresses only -42231 / -42232 and leaves the follow-on cluster (-44789 pagination prototype pollution, -44790 Git-node arbitrary file read, -44791 XML-node patch bypass) exposed. See § 2 entry and § 5 deep dive in this brief. Additional: enforce SSO+MFA on the editor role, restrict workflow create/modify to a small admin group, disable Git node if not required.
  • Audit every pull_request_target GitHub Actions workflow on agency / OSS-component repositories for write-scoped tokens reachable from external forked-PR code. Set permissions: read-all at workflow level; separate privileged steps into a second workflow_run-gated workflow that runs only on merged code; require CODEOWNERS approval before CI on external PRs. Grafana Labs (§ 4 UPDATE in this brief) is the second high-profile Pwn-Request loss this week.
  • Audit Checkmarx Jenkins AST plugin installations across CI/CD estate for any version installed during 2026-05-09 01:25 UTC → 2026-05-10 08:47 UTC; flag version 2026.5.09. Inventory checkmarx/ast-github-action and checkmarx/kics-github-action consumers; remediated builds are 2.0.13-848 / 2.0.13-847. CxSAST on-premise is unaffected; the trojanised surfaces are the Marketplace plugins and GitHub Actions. See § 4 TeamPCP/Shai-Hulud UPDATE in this brief.
  • Scan internal npm caches and lockfiles for packages by deadcode09284814 (chalk-tempalte, @deadcode09284814/axios-util, axois-utils, color-style-utils); inspect .vscode/tasks.json and ~/.claude/settings.json on developer endpoints for injected persistence hooks. Block egress from CI runners and developer workstations to *.lhr.life and other suspicious tunnel-provider domains used as commodity C2 channels.
  • Audit Salesforce Connected App OAuth grants and Event Monitoring across public-sector Salesforce tenants — particularly third-party AI / RPA SaaS integrations. Alert on bulk Report Export events and high-volume SOQL API calls; enforce IP-range / Trusted-IP session policies; consider Salesforce Shield field-level encryption for partner/supplier PII. The ShinyHunters Salesforce-targeting pattern hitting 7-Eleven, Instructure, Vimeo, Wynn Resorts, Vercel, Medtronic is identity-side, not Salesforce-product-side.
  • Hunt for MiniPlasma / Chaotic Eclipse Windows LPE PoC use via Sysmon EID 13 (RegistryEvent / SetValue) on the .DEFAULT user hive from non-SYSTEM processes; pivot on registry keys under \Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps* and \Registry\User\.DEFAULT\Volatile Environment* (ThreatLocker hunt guidance). No vendor patch yet; mitigations are limited.
  • Inventory GKV / cantonal health-insurance and prescription-audit data-processor relationships as in-scope NIS2 / KRITIS critical suppliers; rehearse the 72-hour GDPR Art. 33 breach-notification clock starting from a third-party's detection event, not your own. ARWINI (§ 1 in this brief) follows the NMDL/IGJ Netherlands pattern from 2026-05-14.

Migrated from briefs/2026-05-19.md (v2).

← Operations dashboard · day page 2026-05-19 · run-record contract: docs/pipeline.md