2026-05-22-5b90d5a1
One pipeline fire, in full · intel run of 2026-05-22 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-22/2026-05-22-5b90d5a1.md.
Run telemetry
- Items returned
- 5
- Duration
- 6m 55s
- Tool calls
- 12 WebFetch7 WebSearch14 bridge
- Cited sources
- 3 of 14 in slice
- Items returned
- 7
- Duration
- 6m 30s
- Tool calls
- 12 WebFetch4 WebSearch14 bridge
- Cited sources
- 3 of 19 in slice
- Items returned
- 3
- Duration
- 7m 27s
- Tool calls
- 14 WebFetch10 WebSearch20 bridge
- Cited sources
- 4 of 13 in slice
- Items returned
- 4
- Duration
- 7m 40s
- Tool calls
- 11 WebFetch12 WebSearch7 bridge
- Cited sources
- 4 of 11 in slice
Verification
Deep dive
2026-05-22/red-lamassu-calypso-bronze-medley-showboat-jfmbackdoor-telco
Entries published (this run)
- Operation Saffron dismantles First VPN — 33+ servers seized, user database captured, Switzerland named JIT participant; Phobos RaaS infrastructure link confirmed threat high
- Calypso/Red Lamassu (Bronze Medley) deploys Showboat (Linux) and JFMBackdoor (Windows) against telecoms — new implant pair disclosed by Lumen Black Lotus Labs and PwC Threat Intelligence threat high
- ICO secures £355,880 POCA confiscation against former Markerstudy Insurance employee for off-hours bulk record access and sale incident notable
- CVE-2026-34926 — Trend Micro Apex One On-Premise: post-auth directory traversal by admin-credential holder injects code deployed fleet-wide to all managed agents (CISA KEV, ITW) vulnerability critical
- CVE-2025-34291 — Langflow AI Workflow Platform: CORS misconfiguration + SameSite=None refresh token enables cross-origin token theft (CISA KEV, ITW, Flodric botnet) vulnerability high
- CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin privileges across all tenants, no workaround vulnerability high
- TeamPCP Mini Shai-Hulud — Unit 42 and StepSecurity confirm SLSA Build Level 3 attestation invalidated as integrity gate threat notable update
- Microsoft Defender CVE-2026-41091 + CVE-2026-45498 — both CVEs confirmed exploited, out-of-band engine update 4.18.26040.7 confirmed as fix vulnerability notable update
- West Pharmaceutical Services — 8-K/A confirms full operational restoration, data investigation ongoing incident notable
- Red Lamassu (Calypso/Bronze Medley): Showboat + JFMBackdoor telco espionage implant pair threat notable
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| sophos-xops | https://www.sophos.com/en-us/blog/feed | webfetch → bridge:feed | 503 transport-5xx HTTP 503 on both direct and bridge attempts | none |
| inside-it-ch | https://www.inside-it.ch/ | webfetch → bridge:url | 403 transport-403 HTTP 403; no Wayback snapshot available (5 consecutive failures) | none |
| databreaches-net | https://www.databreaches.net/ | webfetch → websearch → bridge:fetch_source.py | 403 transport-403 HTTP 403; WebSearch fallback found no in-window items | websearch-fallback — no in-window items found |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-05-22-5b90d5a1 · Claude Sonnet 4.6 · 10 entries published
- Coverage window: standard (gap to prior brief: 24 h, window: 36 h).
- Items dropped — out-of-window primary source (all primary sources outside 36 h window):
- ICO fine £963,900 vs. South Staffordshire Water (Cl0p, 20-month dwell) — ICO primary 2026-05-11, outside window. No in-window fresh development found.
- Microsoft DART / HPE Operations Manager third-party intrusion case study (123-day dwell) — Microsoft Security Blog primary 2026-05-12, outside window. No in-window news coverage found.
- Fortinet FortiAuthenticator CVE-2026-44277 (CVSS 9.8) + FortiSandbox CVE-2026-26083 (CVSS 9.1) — Fortinet PSIRT primary 2026-05-13, outside window. Not in CISA KEV; no confirmed exploitation in window.
- SAP May 2026 Patch Day (CVE-2026-34260 SQL injection S/4HANA CVSS 9.6; CVE-2026-34263 unauthenticated RCE Commerce Cloud CVSS 9.6) — SAP Security Notes primary 2026-05-12, outside window.
- Verizon 2026 DBIR (published 2026-05-19–20, S4 found, in-window): covered in weekly 2026-W21 as annual-report entry (PD-9 — no re-treatment in daily). Not re-summarised.
- CVE-2026-45585 (YellowKey BitLocker bypass): previously covered as UPDATE on 2026-05-20; S2 sources (MSRC 2026-05-20, NCSC-NL 2026-05-20) are same-day as prior coverage — no material new delta; excluded.
- Microsoft Entra ID / Azure cloud CVSS 10.0 cluster (CVE-2026-42901, CVE-2026-47280, CVE-2026-23652, CVE-2026-40411, CVE-2026-42823 — MSRC 2026-05-21): already mitigated server-side by Microsoft, no customer action required, no exploitation, ENISA EUVD status unverified. Excluded from § 2; operators monitoring Azure/Entra posture should review May 2026 MSRC release.
- Single-source items: ICO POCA confiscation (Rizwan Manjra) — ICO is the primary disclosing party for its own enforcement action; no other source covered in window.
- Coverage gaps:
sophos-xops(HTTP 503, 4 consecutive failures, no bridge available);inside-it-ch(HTTP 403, 5 consecutive failures, no Wayback snapshot);databreaches-net(HTTP 403, bridge also 403, 4 consecutive failures, rotation-priority — WebSearch fallback found no in-window items);recordedfuture(RSS 404). Note: Lumen Black Lotus Labs blog previously recorded as redirect-to-homepage during research sub-agent phase; verification sub-agent (iter 1) confirmed the full blog URL resolves — Lumen and PwC Threat Intelligence are now promoted as primary sources for the Showboat/JFMBackdoor item in § 1 and § 5. - Verification iteration 1 (2026-05-22T06:40:29Z–06:46:02Z, Claude Opus 4.7): NEEDS_FIXES — 4 truth, 4 editorial, 1 advisory. All applied.
- Verification iteration 2 (2026-05-22T06:54:52Z–07:00:28Z, Claude Sonnet 4.6): NEEDS_FIXES — 1 truth, 2 editorial. Findings: JPCERT advisory misplaced in Langflow footer (removed); HKCERT Evidence quote had no backing URL (HKCERT advisory URL added to § 0 callout footer); Defender AMEngineVersion check missing for LPE CVE (added). All applied.
- Verification iteration 3 (2026-05-22T07:07:09Z–07:11:40Z, Claude Opus 4.7): CLEAN — 0 truth, 0 editorial, 0 advisory. All iter 1 and iter 2 remediations confirmed correct; all primary source facts independently verified.
- CVE-2025-34291 (Langflow) source quality gap (iter 2 advisory F4): CISA KEV is the only non-NVD primary reachable in this run; the JPCERT advisory in url-liveness.tsv covers only Apex One. Trend Micro's Flodric botnet analysis was not reachable as a primary URL. Reduced confidence on Flodric attribution specifics — the core CORS/token-theft CVE details are from the CISA KEV description, which directly quotes the Langflow security bulletin.
Unmatched action items (migrated)
- Hunt for kworker process anomalies on Linux telecom and infrastructure servers — Showboat (Calypso/Red Lamassu) masquerades as
kworker; legitimate kernel workers are exclusively children ofkthreadd(PID 2). Anykworker-named process with a user-space parent is high-confidence suspicious. Deploy auditd EXECVE rule checkingppid != 2whencomm = kworker, or Sysmon for Linux EID 1 with parent-pid filter. Flag egress DNS/HTTP to pastebin.com from daemon-context processes. - Rotate npm tokens and GitHub PATs if your pipeline ran npm publish during 2026-05-11 to 2026-05-12 — TeamPCP Mini Shai-Hulud stole tokens via
gh auth tokencapture in CI runners; self-propagating worm backdoored packages across every account the stolen token could reach. Audit owned npm packages for unauthorised versions published in that window.
Migrated from briefs/2026-05-22.md (v2).
← Operations dashboard · day page 2026-05-22 · run-record contract: docs/pipeline.md