ctipilot.ch

2026-05-22-5b90d5a1

One pipeline fire, in full · intel run of 2026-05-22 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-22/2026-05-22-5b90d5a1.md.

Run telemetry

2026-05-22-5b90d5a1 intel prompt v2.59
24m 24s duration 10 published 2 updates
Claude Sonnet 4.6 (claude-sonnet-4-6) main agent
S1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
5
Duration
6m 55s
Tool calls
12 WebFetch7 WebSearch14 bridge
Cited sources
3 of 14 in slice
S2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
7
Duration
6m 30s
Tool calls
12 WebFetch4 WebSearch14 bridge
Cited sources
3 of 19 in slice
S3 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
3
Duration
7m 27s
Tool calls
14 WebFetch10 WebSearch20 bridge
Cited sources
4 of 13 in slice
S4 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
7m 40s
Tool calls
11 WebFetch12 WebSearch7 bridge
Cited sources
4 of 11 in slice

Verification

#? NEEDS_FIXES · Claude Opus 4.7 · t=0 e=0 a=0 #? NEEDS_FIXES · Claude Sonnet 4.6 · t=0 e=0 a=0 #? CLEAN · Claude Opus 4.7 · t=0 e=0 a=0

Deep dive

2026-05-22/red-lamassu-calypso-bronze-medley-showboat-jfmbackdoor-telco

Entries published (this run)

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

Source (uncovered)URL triedMethod chainStatus / classWhat the agent did instead
sophos-xopshttps://www.sophos.com/en-us/blog/feedwebfetchbridge:feed503 transport-5xx
HTTP 503 on both direct and bridge attempts
none
inside-it-chhttps://www.inside-it.ch/webfetchbridge:url403 transport-403
HTTP 403; no Wayback snapshot available (5 consecutive failures)
none
databreaches-nethttps://www.databreaches.net/webfetchwebsearchbridge:fetch_source.py403 transport-403
HTTP 403; WebSearch fallback found no in-window items
websearch-fallback — no in-window items found

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-05-22-5b90d5a1 · Claude Sonnet 4.6 · 10 entries published

  • Coverage window: standard (gap to prior brief: 24 h, window: 36 h).
  • Items dropped — out-of-window primary source (all primary sources outside 36 h window):
    • ICO fine £963,900 vs. South Staffordshire Water (Cl0p, 20-month dwell) — ICO primary 2026-05-11, outside window. No in-window fresh development found.
    • Microsoft DART / HPE Operations Manager third-party intrusion case study (123-day dwell) — Microsoft Security Blog primary 2026-05-12, outside window. No in-window news coverage found.
    • Fortinet FortiAuthenticator CVE-2026-44277 (CVSS 9.8) + FortiSandbox CVE-2026-26083 (CVSS 9.1) — Fortinet PSIRT primary 2026-05-13, outside window. Not in CISA KEV; no confirmed exploitation in window.
    • SAP May 2026 Patch Day (CVE-2026-34260 SQL injection S/4HANA CVSS 9.6; CVE-2026-34263 unauthenticated RCE Commerce Cloud CVSS 9.6) — SAP Security Notes primary 2026-05-12, outside window.
  • Verizon 2026 DBIR (published 2026-05-19–20, S4 found, in-window): covered in weekly 2026-W21 as annual-report entry (PD-9 — no re-treatment in daily). Not re-summarised.
  • CVE-2026-45585 (YellowKey BitLocker bypass): previously covered as UPDATE on 2026-05-20; S2 sources (MSRC 2026-05-20, NCSC-NL 2026-05-20) are same-day as prior coverage — no material new delta; excluded.
  • Microsoft Entra ID / Azure cloud CVSS 10.0 cluster (CVE-2026-42901, CVE-2026-47280, CVE-2026-23652, CVE-2026-40411, CVE-2026-42823 — MSRC 2026-05-21): already mitigated server-side by Microsoft, no customer action required, no exploitation, ENISA EUVD status unverified. Excluded from § 2; operators monitoring Azure/Entra posture should review May 2026 MSRC release.
  • Single-source items: ICO POCA confiscation (Rizwan Manjra) — ICO is the primary disclosing party for its own enforcement action; no other source covered in window.
  • Coverage gaps: sophos-xops (HTTP 503, 4 consecutive failures, no bridge available); inside-it-ch (HTTP 403, 5 consecutive failures, no Wayback snapshot); databreaches-net (HTTP 403, bridge also 403, 4 consecutive failures, rotation-priority — WebSearch fallback found no in-window items); recordedfuture (RSS 404). Note: Lumen Black Lotus Labs blog previously recorded as redirect-to-homepage during research sub-agent phase; verification sub-agent (iter 1) confirmed the full blog URL resolves — Lumen and PwC Threat Intelligence are now promoted as primary sources for the Showboat/JFMBackdoor item in § 1 and § 5.
  • Verification iteration 1 (2026-05-22T06:40:29Z–06:46:02Z, Claude Opus 4.7): NEEDS_FIXES — 4 truth, 4 editorial, 1 advisory. All applied.
  • Verification iteration 2 (2026-05-22T06:54:52Z–07:00:28Z, Claude Sonnet 4.6): NEEDS_FIXES — 1 truth, 2 editorial. Findings: JPCERT advisory misplaced in Langflow footer (removed); HKCERT Evidence quote had no backing URL (HKCERT advisory URL added to § 0 callout footer); Defender AMEngineVersion check missing for LPE CVE (added). All applied.
  • Verification iteration 3 (2026-05-22T07:07:09Z–07:11:40Z, Claude Opus 4.7): CLEAN — 0 truth, 0 editorial, 0 advisory. All iter 1 and iter 2 remediations confirmed correct; all primary source facts independently verified.
  • CVE-2025-34291 (Langflow) source quality gap (iter 2 advisory F4): CISA KEV is the only non-NVD primary reachable in this run; the JPCERT advisory in url-liveness.tsv covers only Apex One. Trend Micro's Flodric botnet analysis was not reachable as a primary URL. Reduced confidence on Flodric attribution specifics — the core CORS/token-theft CVE details are from the CISA KEV description, which directly quotes the Langflow security bulletin.

Unmatched action items (migrated)

  • Hunt for kworker process anomalies on Linux telecom and infrastructure servers — Showboat (Calypso/Red Lamassu) masquerades as kworker; legitimate kernel workers are exclusively children of kthreadd (PID 2). Any kworker-named process with a user-space parent is high-confidence suspicious. Deploy auditd EXECVE rule checking ppid != 2 when comm = kworker, or Sysmon for Linux EID 1 with parent-pid filter. Flag egress DNS/HTTP to pastebin.com from daemon-context processes.
  • Rotate npm tokens and GitHub PATs if your pipeline ran npm publish during 2026-05-11 to 2026-05-12 — TeamPCP Mini Shai-Hulud stole tokens via gh auth token capture in CI runners; self-propagating worm backdoored packages across every account the stolen token could reach. Audit owned npm packages for unauthorised versions published in that window.

Migrated from briefs/2026-05-22.md (v2).

← Operations dashboard · day page 2026-05-22 · run-record contract: docs/pipeline.md