2026-05-23-852c21c8
One pipeline fire, in full · intel run of 2026-05-23 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-23/2026-05-23-852c21c8.md.
Run telemetry
- Items returned
- 6
- Duration
- 19m 03s
- Tool calls
- 11 WebFetch14 WebSearch9 bridge
- Cited sources
- 5 of 27 in slice
- Items returned
- 4
- Duration
- 5m 22s
- Tool calls
- 8 WebFetch16 WebSearch10 bridge
- Cited sources
- 3 of 43 in slice
- Items returned
- 5
- Duration
- 5m 30s
- Tool calls
- 7 WebFetch5 WebSearch14 bridge
- Cited sources
- 5 of 67 in slice
- Items returned
- 3
- Duration
- 9m 34s
- Tool calls
- 22 WebFetch12 WebSearch8 bridge
- Cited sources
- 4 of 25 in slice
Verification
Deep dive
2026-05-23/cve-2026-46333-ssh-keysign-pwn-a-9-year-ptrace-race-in-the-l
Entries published (this run)
- Netherlands FIOD arrests two over EU sanctions evasion for Stark Industries front; 800 servers seized; NoName057(16) DDoS plumbing dismantled threat high
- Kimwolf / "Dort" DDoS-for-hire operator arrested — 30+ Tbps IoT botnet, U.S. DoD-range targeting, AISURU variant threat high
- Megalodon mass-poisons 5,561 GitHub repos in a 6-hour window; SysDiag + Optimize-Build workflows exfiltrate cloud credentials and OIDC tokens threat high
- FBI PSA260521 — Kali365 OAuth device-code PhaaS bypasses M365 MFA without credential capture threat high
- Rhysida claims Stuttgart municipal-data theft for 5 BTC; city denies a confirmed incident incident notable
- ANSSI / CERT-FR publishes CERTFR-2026-AVI-0635 on SPIP < 4.4.15 — security-policy bypass in the dominant French public-administration CMS threat notable
- Unit 42 — Iran's Screening Serpens (UNC1549 / Smoke Sandstorm / Nimbus Manticore): AppDomainManager hijacking silently disables ETW + strong-name checks in six new RATs research high
- Unit 42 — ROADtools operationalised by Midnight Blizzard, Curious Serpens and UTA0355 for Entra ID device registration, token theft and tenant enumeration research notable
- Rapid7 Q1 2026 Threat Landscape Report: vulnerability exploitation now top initial-access vector at 38 %; KEV median time to listing collapses to 5 days annual-report notable
- Check Point Research March-April 2026 AI Threat Landscape Digest: a single operator runs two AI platforms in parallel to breach nine Mexican government agencies annual-report notable
- Drupal CVE-2026-9082 — CISA KEV addition + active exploitation confirmed; NCSC.ch flips post 12584 to "Actively exploited" vulnerability critical update
- Ghostwriter / UAC-0057 / FrostyNeighbor — CERT-UA documents new OYSTERFRESH → OYSTERBLUES → OYSTERSHUCK implant chain via Prometheus learning-platform lures threat notable
- CVE-2026-46333 ssh-keysign-pwn: a 9-year ptrace race in the Linux kernel reaching root and SSH host keys vulnerability notable
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| databreaches-net | https://databreaches.net/ | bridge:url → bridge:wayback | 403 transport-403 upstream HTTP 403 (Cloudflare Managed Challenge) | BleepingComputer/TheRecord/SecurityAffairs cross-check covered the same incidents |
| inside-it-ch | https://www.inside-it.ch/ | bridge:url → bridge:wayback | 403 transport-403 Cloudflare Managed Challenge page; Wayback snapshot stale (>7 days) | WebSearch fallback found no in-window CH-specific items from this publisher |
| sophos-xops | https://www.sophos.com/en-us/blog/feed?id=blt6f15f4f7deaf4242 | webfetch | 503 transport-5xx HTTP 503 on canonical RSS — fifth consecutive failing run | none — quiet host this run; rotation-priority for next |
Bridge invocations (this run)
6 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).
- bridge:url ×3
- bridge:cisa-kev ×1
- bridge:ncsc-csh.recent ×1
- bridge:sec-edgar.8k ×1
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #1 NEEDS_FIXES · 15 findings (truth=9, editorial=4, advisory=2) · Claude Opus 4.7 · 4m 43s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 broken-url | research | Check Point AI Threat Landscape March-April 2026 Digest — Gambit Security primar | HTTP 404 on direct fetch. The Check Point Research summary post still resolves and carries the same nine-Mexican-agency content; drop the dead Gambit URL or replace if Gambit moved the post. | applied per remediation log in commit message fixed-clean |
| F3 claim-not-supported | active-threats | Kimwolf / Dort arrest — arrest date and DOJ unsealing date Ontario Provincial Police arrested Jacob Butler ... on 2026-05-19 on a U.S. extradition warrant; the U.S. Department of | Krebs and The Record both say 'Wednesday' (= 2026-05-20); The Hacker News says DOJ announcement 'on Thursday' (= 2026-05-21). The 2026-05-19 arrest date and 2026-05-22 unsealing date in the brief are | applied per remediation log in commit message fixed-clean |
| F3 claim-not-supported | research | Screening Serpens — MiniUpdate variant count MiniUpdate in three variants used in March–April 2026 | Unit 42 says four variants of MiniUpdate, not three (March 26-April 17, 2026). | applied per remediation log in commit message fixed-clean |
| F3 claim-not-supported | research | Screening Serpens — MiniJunk V2 target characterisation MiniJunk V2 in three variants used in February–March 2026 against a single Middle Eastern IT professional that the opera | Unit 42 says February 17-March 27, 2026 against Middle Eastern and US targets (plural). The 'single IT professional tracked since late 2025 via job-hunting' specific does not appear in the Unit 42 pag | applied per remediation log in commit message fixed-clean |
| F3 claim-not-supported | research | ROADtools — T1556.006 mapping T1556.006 (Multi-Factor Authentication bypass via device PRT binding) | Unit 42 maps T1098.005, T1550, T1087 only. T1556.006 is not in the Unit 42 article per direct WebFetch entity extraction. | applied per remediation log in commit message fixed-clean |
| F3 claim-not-supported | active-threats | SPIP CERTFR-2026-AVI-0635 — vulnerability class characterisation security-policy bypass ... typically covers authentication / authorisation or ACL circumvention that does not require ch | SPIP project blog (cited Additional source) says the underlying fix is 'Open Redirect security vulnerability in the cookie action'. CERT-FR uses the standard French 'contournement de la politique de s | applied per remediation log in commit message fixed-clean |
| F3 claim-not-supported | active-threats | Kali365 — IC3 advisory explicitly naming government / critical infrastructure The IC3 advisory explicitly names government and critical-infrastructure organisations among April 2026 victims | IC3 PSA260521 returned 403 to the routine (per § 7); none of the four corroborating outlets (Register, Help Net Security, Record, CyberScoop) quote FBI text naming government / critical-infrastructure | applied per remediation log in commit message fixed-clean |
| F4 hallucinated-fact | active-threats | FIOD arrest — suspect names and residences Youssef Z. (57, Enschede), director of WorkTitans B.V., and Andrey N. (39, Almere), founder of MIRhosting | Suspect names 'Youssef Z.' and 'Andrey N.' do not appear in FIOD release, BleepingComputer, or DutchNews. Cities Enschede/Almere are search/raid locations; FIOD says suspects are from Amsterdam (57) a | applied per remediation log in commit message fixed-clean |
| F4 hallucinated-fact | active-threats | Megalodon — hardcoded timestamp and payload line count throwaway accounts with forged committer identities (`build-bot`, `auto-ci`, `ci-bot`, `pipeline-bot`) and a hardcoded t | SafeDep WebFetch entity-extraction did not surface the 2001-09-17 timestamp or 111-line count. Action Item 5 also references the 2001-09-17 timestamp. Refetch SafeDep with a targeted prompt to confirm | applied per remediation log in commit message fixed-clean |
| F5 missing-citation | tldr | Drupal CVE-2026-9082 Immediate Action — Imperva 15,000+ attempts figure Imperva measured 15,000+ attempts against ~6,000 sites ... 15,000+ exploitation attempts against approximately 6,000 sit | Cited in § 0 TL;DR, § 0 Immediate Action and § 4 UPDATE. No inline source. Canonical primary: https://www.imperva.com/blog/imperva-customers-protected-against-cve-2026-9082-in-drupal-core/ (confirmed | applied per remediation log in commit message fixed-clean |
| F6 strengthen-primary-source | active-threats | Kimwolf / Dort arrest — primary source on the indictment Source: KrebsOnSecurity · Additional source: The Record · Additional source: The Hacker News | All three Source lines are news aggregators. DOJ release (https://www.justice.gov/usao-ak/pr/canadian-man-arrested-international-authorities-charged-administrating-kimwolf-ddos) is the canonical prima | applied per remediation log in commit message fixed-clean |
| F9 surface-contradiction | active-threats | Kimwolf peak DDoS throughput peaked at roughly 30–31.4 Tbps | Krebs, DOJ, and The Record say 'nearly 30 Tbps'; only The Hacker News carries '31.4 Tbps'. Brief silently splits. Surface as 'nearly 30 Tbps per DOJ/Krebs; 31.4 Tbps per The Hacker News' or anchor 31. | applied per remediation log in commit message fixed-clean |
| F10 missed-angle | tldr | CISA KEV listing for CVE-2026-9082 — direct citation CISA added the CVE to its Known Exploited Vulnerabilities catalog the same day | KEV-add asserted three times in the brief (§ 0 TL;DR, Immediate Action, § 4 UPDATE) but no CISA URL cited inline. BleepingComputer per direct WebFetch does NOT mention the 2026-05-22 KEV add. Verify t | applied per remediation log in commit message fixed-clean |
| F11 editorial-advisory | deep-dive | Canonical / Ubuntu blog publication date Canonical / Ubuntu, 2026-05-15 | Canonical blog post published 2026-05-19 per direct WebFetch; 2026-05-15 was the upstream kernel-fix landing date. Minor citation-date discrepancy. | applied per remediation log in commit message fixed-clean |
| F11 editorial-advisory | action-items | ASN blocklist freshness caveat AS44477 (legacy Stark) and AS209847 (THE.Hosting / WorkTitans) | ASNs from Insikt Group 2025 background; verify current routing-table state before pushing blocklist updates. Add a freshness caveat to the action item. | applied per remediation log in commit message fixed-clean |
Iteration #2 NEEDS_FIXES · 5 findings (truth=3, editorial=1, advisory=1) · Claude Sonnet 4.6 · 5m 37s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | active-threats | Kimwolf / 'Dort' DDoS-for-hire operator arrested the U.S. Department of Justice unsealed the criminal complaint in the District of Alaska on Wednesday 2026-05-20 | KrebsOnSecurity (fetched) says arrest and unsealing both May 21; The Record (fetched) says unsealing was Thursday. Calendar confirms May 20 = Wednesday, May 21 = Thursday. Iter-1 remediation introduce | applied per remediation log in commit message fixed-clean |
| F3 claim-not-supported | research-investigative | Unit 42 — Iran's Screening Serpens: MiniJunk V2 variant count MiniJunk V2 in three variants used between 2026-02-17 and 2026-03-27 / seven new RAT variants (four MiniUpdate, three Mi | Unit 42 (fetched https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/) documents exactly 2 MiniJunk V2 variants (February Middle Eastern, March U.S.). Correct total is 4+2=6 (match | applied per remediation log in commit message fixed-clean |
| F14 quantifier-without-source | research-investigative | Rapid7 Q1 2026 Threat Landscape Report the first time it has overtaken social engineering (24%) in Rapid7's dataset | Neither the Rapid7 blog (fetched https://www.rapid7.com/blog/post/tr-q1-2026-threat-landscape-report-geopolitics-ransomware/) nor the GlobeNewswire press release (fetched) use 'first time' language. G | applied per remediation log in commit message fixed-clean |
| F5 missing-citation | verification-notes | § 7 Aggregator-only sourcing note — Kimwolf / Dort the original justice.gov URL was not directly verified live in this run and is therefore not cited as a Source | The DOJ URL https://www.justice.gov/usao-ak/pr/canadian-man-arrested-international-authorities-charged-administrating-kimwolf-ddos IS cited as the first Source in the Kimwolf footer (line 40) — the it | applied per remediation log in commit message fixed-clean |
| F11 editorial-advisory | deep-dive | CVE-2026-46333 ssh-keysign-pwn — exploit availability wording Qualys built four working public exploits demonstrating the surface | Qualys advisory (fetched https://cdn2.qualys.com/advisory/2026/05/20/cve-2026-46333-ptrace.txt) says 'We developed four different exploits' but exploit code was withheld during coordinated disclosure; | applied per remediation log in commit message fixed-clean |
Iteration #3 NEEDS_FIXES · 10 findings (truth=5, editorial=2, advisory=3) · Claude Opus 4.7 · 6m 01s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 claim-not-supported | updates | Ghostwriter UPDATE — CERT-UA#10340 bulletin ID CERT-UA disclosed (CERT-UA#10340, surfaced 2026-05-22) a spring-2026 phishing campaign by Ghostwriter | The Hacker News (the brief's primary source for this UPDATE, fetched this iteration) references the CERT-UA report as article '6315762', not CERT-UA#10340. SC World corroborator returned 403 this iter | applied per remediation log in commit message fixed-clean |
| F2 claim-not-supported | updates | Ghostwriter UPDATE — Storm-0257 and Umbral Bison aliases Ghostwriter (a.k.a. UAC-0057, UNC1151, FrostyNeighbor, Storm-0257, Umbral Bison) | The Hacker News (fetched this iteration) only confirms UAC-0057 and UNC1151. Storm-0257 (Microsoft) and Umbral Bison (CrowdStrike) are real public aliases but not in either cited source. Either cite a | applied per remediation log in commit message fixed-clean |
| F3 analytical-link-as-fact | active-threats | FIOD arrests — suspect-to-company role attributions a 57-year-old man from Amsterdam, identified as the director of WorkTitans B.V., and a 39-year-old man from The Hague, i | FIOD release does not name WorkTitans or MIRhosting at all. BleepingComputer names both companies but does not explicitly connect them to specific suspects by role. DutchNews.nl names WorkTitans BV bu | applied per remediation log in commit message fixed-clean |
| F4 quantifier-without-source | active-threats | FIOD arrests — 'five locations' raid count raiding five locations including data centres in Dronten and Schiphol-Rijk | BleepingComputer (fetched this iteration) explicitly lists four raid locations: Dronten, Schiphol-Rijk, Enschede, Almere. FIOD release names the same four. DutchNews enumerates the same four (the Amst | applied per remediation log in commit message fixed-clean |
| F5 claim-not-supported | updates | Ghostwriter UPDATE — MITRE technique parenthetical mappings OYSTERFRESH (T1027 Obfuscated Files/Information) ... writing an obfuscated, RC4-encrypted OYSTERBLUES payload to the Win | THN (fetched this iteration) does not carry any MITRE technique IDs. The mapping is the brief's own analytical layer. Either explicitly call out 'MITRE mapping is the brief's analysis' once in the ite | applied per remediation log in commit message fixed-clean |
| F6 missing-citation | active-threats | SPIP 4.4.14 prior release / CERTFR-2026-AVI-0564 claim SPIP 4.4.14 had already addressed several RCE flaws on 2026-05-12 (CERTFR-2026-AVI-0564) — this is the immediate follow- | Neither the SPIP project blog (fetched this iteration) nor CERT-FR CERTFR-2026-AVI-0635 (fetched this iteration) carries 'CERTFR-2026-AVI-0564' or '2026-05-12' or 'RCE flaws' wording. Either drop the | applied per remediation log in commit message fixed-clean |
| F7 quantifier-without-source | active-threats | FIOD arrests — 'first criminal enforcement of EU CFSP cyber sanctions' quantifie This is the first criminal enforcement of EU CFSP cyber sanctions against a bulletproof hoster acting as a proxy for a d | FIOD release does not use 'first' framing. BleepingComputer (fetched this iteration) explicitly does NOT carry the 'first criminal enforcement' phrasing (per WebFetch response: 'No, this phrase does n | applied per remediation log in commit message fixed-clean |
| F8 editorial-advisory | tldr | Imperva citation date — 2026-05-22 vs Imperva-published 2026-05-21 Imperva, 2026-05-22 | Imperva blog post (fetched this iteration) reports publication date May 21, 2026. Brief consistently cites '2026-05-22' across § 0 TL;DR (line 9), Immediate Action (line 16), and § 4 UPDATE (line 137) | applied per remediation log in commit message fixed-clean |
| F11 editorial-advisory | deep-dive | Qualys TRU citation date — 2026-05-20 vs Qualys blog metadata 2026-05-22 Qualys TRU disclosed CVE-2026-46333 ... on 2026-05-20 | URL path encodes /2026/05/20/ (consistent with brief) but Qualys blog WebFetch returns 'Date: May 22, 2026' in the rendered metadata. The Hacker News story on 2026-05-21 anchors original disclosure to | applied per remediation log in commit message fixed-clean |
| F11 editorial-advisory | active-threats | Rhysida Stuttgart listing date 2026-05-19 not in cited Heise source listed Landeshauptstadt Stuttgart on its dark-web leak site on 2026-05-19 | Heise (fetched this iteration) is dated 2026-05-21 and references a 'seven-day countdown' but does NOT carry '2026-05-19' as the posting date. DeXpose Additional source uses '2026-05-20' in the inline | applied per remediation log in commit message fixed-clean |
Iteration #4 CLEAN · 3 findings (truth=0, editorial=0, advisory=3) · Claude Sonnet 4.6 · 5m 48s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F11 editorial-advisory | § 1 Megalodon | Megalodon mass-poisons 5,561 GitHub repos [SafeDep, 2026-05-22](https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/) | SafeDep article date per WebFetch summary is May 21 2026; brief citation label says 2026-05-22. OX Security correctly cited 2026-05-21. Minor label inconsistency; article content confirmed correct. | applied per remediation log in commit message applied |
| F11 editorial-advisory | § 1 Kimwolf | Kimwolf / Dort DDoS-for-hire operator arrested [U.S. Department of Justice, 2026-05-20](https://www.justice.gov/usao-ak/pr/canadian-man-arrested-international-authorit | Brief body says complaint unsealed Thursday 2026-05-21; citation label says 2026-05-20. DOJ URL returned 403 so date cannot be confirmed from the PR directly; KrebsOnSecurity (published May 21) confir | applied per remediation log in commit message applied |
| F11 editorial-advisory | § 1 FIOD | Netherlands FIOD arrests two over EU sanctions evasion Danish authorities and infrastructure providers have publicly linked WorkTitans to NoName057(16) DDoS campaigns | BleepingComputer (fetched) hedges this claim via De Volkskrant ('The same outlet alleges that Danish authorities and infrastructure providers linked WorkTitans to attacks'). Brief presents as establis | applied per remediation log in commit message applied |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-05-23-852c21c8 · Claude Opus 4.7 · 13 entries published
- Items dropped (off-audience / less-is-more): Oncology Institute Inc. SEC Item 1.05 8-K (US-only oncology practice, no Swiss/EU nexus, single-source MEDIUM via Globe and Mail relay since the EDGAR filing index returned HTTP 403 to the bridge fetcher — relevance bar not met); Cloud Atlas / Kaspersky Securelist 2026 PowerCloud + ReverseSocks coverage (substantive but indirect EU nexus — Cloud Atlas targets Russian and Belarusian government primarily; EU diplomatic exposure is collateral). Both available for re-surfacing if a CH/EU victim or operationally relevant detail emerges.
- Items dropped (out of window): Germany Cyber-Dome / Cyber-Security Strengthening Act announcement (Interior Minister Dobrindt, 2026-05-12) — outside the 36 h recency window with no in-window legislative delta (cabinet vote outcome, final text). Carry forward; surface in next brief if a cabinet decision or NIS2 cross-impact lands in-window.
- CVEs dropped from § 2 with reason: CVE-2026-46333 — does not clear any § 2 inclusion gate (local LPE not pre-auth RCE; four working Qualys exploits detailed in the public advisory but no in-the-wild exploitation reported by Qualys or downstream researchers as of this run). Covered instead as § 5 Deep Dive given operational depth.
- Items included with reduced confidence: Rhysida ransomware claim against Landeshauptstadt Stuttgart —
[MEDIUM]confidence; corroboration is press coverage of the leak-site listing and a DeXpose write-up, not a victim statement (city denies confirmed incident). Treat as hunt-trigger not confirmed-victim. FBI PSA260521 details on Kali365 — the IC3 advisory itself (ic3.gov/PSA/2026/PSA260521) returned HTTP 403 to the bridge fetcher; primary advisory text was reconstructed from four independent corroborating outlets (The Register, Help Net Security, The Record, CyberScoop) all quoting the FBI text verbatim. Confidence HIGH on the technical content; primary URL not directly fetched in this run. SEC EDGAR direct-filing access also returned 403 (TOI 8-K), but TOI was dropped on relevance grounds rather than carried with degraded sourcing. Check Point Research March-April 2026 AI Threat Landscape Digest is[SINGLE-SOURCE]— only the CPR blog post was directly fetched in this run; the Gambit Security primary report URL referenced in earlier drafts returned a 404 and was dropped per the verifier iter-1 F1 finding. - Kimwolf primary-source upgrade applied in iteration 1: following the verifier's F6 finding, the DOJ press release on the indictment (
justice.gov/usao-ak/pr/canadian-man-arrested-international-authorities-charged-administrating-kimwolf-ddos) was promoted to the first Source link in the § 1 Kimwolf footer, with KrebsOnSecurity demoted to second Source and The Hacker News + The Record kept as Additional sources. Confidence on the factual outline (defendant, charges, peak throughput, takedown sequence) is HIGH due to corroboration density anchored on the DOJ primary. - Contradictions: Drupal SA-CORE-2026-004 carries vendor severity 23/25 ("Highly Critical") while NIST's published CVSS v3.1 is 6.5 — the gap reflects Drupal's CMS-wide-impact risk framing versus NVD's strict base-score calculation. Brief reports both; the operational truth is "actively exploited pre-auth SQL injection on PostgreSQL backends" regardless of which score scheme is referenced.
- Sub-agents that didn't return on time: none — S1 / S2 / S3 / S4 all returned within the 30 min wall-clock cap. S2 (Sonnet 4.6): 4 items, 322 s; S3 (Sonnet 4.6): 5 items, 330 s + later updates; S1 (Sonnet 4.6): 6 items, 557 s; S4 (Sonnet 4.6): 3 items, 574 s. Sub-agent self-reported telemetry: webfetch 8/7/11/22, websearch 16/5/14/12, bridge fetches 10/14/9/8 for S2/S3/S1/S4 respectively.
- Verification loop (Phase 5.7): four iterations, model-rotated per v2.47 — iter 1 (Opus) NEEDS_FIXES truth=9 editorial=4 advisory=2, iter 2 (Sonnet) NEEDS_FIXES truth=3 editorial=1 advisory=1, iter 3 (Opus, cold) NEEDS_FIXES truth=5 editorial=2 advisory=3, iter 4 (Sonnet + iter-3 deltas) CLEAN truth=0 editorial=0 advisory=3. Brief published under iteration 4's CLEAN verdict. Three iter-4 F11 advisory items applied as cheap edits before publish: SafeDep citation label corrected to 2026-05-21; DOJ citation label corrected to 2026-05-21 to match the body's Thursday-2026-05-21 unsealing-date reading; Danish-authorities NoName057(16) claim softened to "per De Volkskrant reporting carried by BleepingComputer, Danish authorities have alleged that WorkTitans infrastructure supported NoName057(16) DDoS campaigns".
- Candidate-source overflow: S3 surfaced two new candidate sources (
searchlight-cyber— high-quality same-day technical analysis of CVE-2026-9082;gambit-security— primary research on the Mexico AI-orchestrated nine-agency breach). Per the one-candidate-per-run cap,searchlight-cyberwas added asstatus: candidateinsources/sources.json;gambit-securityis carried forward for next run. - Coverage gaps: databreaches-net (transport-403, Cloudflare challenge — fifth consecutive failing run, content cross-checked via BleepingComputer/TheRecord/SecurityAffairs); inside-it-ch (Cloudflare challenge + stale Wayback — fifth consecutive failing run, no Swiss-specific in-window items recovered via WebSearch fallback); sophos-xops (HTTP 503 on canonical RSS — fifth consecutive failing run); dragos-ot (HTTP 404 on resource library RSS — feed appears stale); trendmicro-research (rotation-priority but not retried this run); cisa.gov direct fetches consistently 403 (mitigation:
python3 tools/fetch_source.pybridge — used for CISA KEV catalog ingest); ic3.gov direct fetches 403 (Kali365 PSA reconstructed from four corroborators); sec.gov EDGAR direct 403; heise.de Security articles TollBit-gated (HTTP 307 → tollbit.heise.de — feed summaries only); cert-eu (3 of 7 recent runs returned no new advisory — quiet, no advisory dated within this 36 h window — most recent is 2026-006 from 2026-05-06 on PAN-OS); anssi-fr (in-window CERTFR-2026-AVI-0611 on Azure surfaced but not operationally significant for this brief; AVI-0635 SPIP fetched and included); jpcert (no in-window lead surfaced; bridge not used in this run); prodaft (not attempted — no in-window publication surfaced via WebSearch); euronews (Cloudflare challenge on direct + Wayback miss — Germany Cyber-Dome AFP wire content recovered via The Star republication, but item ultimately dropped as out-of-window). edpb, cnil-fr returned 200 / no in-window enforcement actions — that is a quiet day, not a coverage gap.
Unmatched action items (migrated)
- Patch SPIP to 4.4.15 across every Francophone public-administration deployment — ANSSI CERTFR-2026-AVI-0635 is the operational driver; the underlying issue is an open-redirect on the cookie action (per the SPIP project blog), commonly chained into account-impersonation. SPIP is the predominant CMS in Romandie cantonal / communal portals, French ministries and Belgian Francophone government sites. No CVE attached, so the patch is easy to overlook on CVE-driven tooling.
- Block user-interactive OAuth device-code flow via Entra ID Conditional Access to defeat Kali365 PhaaS; enforce FIDO2 phishing-resistant MFA for privileged accounts and audit existing OAuth app consents. After a suspected device-code compromise the only persistent-token clearing path is
Revoke-MgUserSignInSession— refresh tokens survive password resets. - Audit
.github/workflows/*.ymlacross every internal fork and rotate CI cloud credentials issued during the Megalodon window on 2026-05-18. SafeDep and OX Security published the SysDiag and Optimize-Build payload markers and committer-identity tells; look for the forgedbuild-bot/auto-ci/ci-bot/pipeline-botauthor strings on commits dated to that day. Move CI to OIDC-based trusted publishing where long-lived cloud credentials still exist. - Hunt for Entra ID
Add deviceevents androadtxuser-agent strings following the Unit 42 ROADtools write-up; restrict device registration to compliant / hybrid-joined devices and enforce Conditional Access token-protection on admin sessions. Midnight Blizzard / APT29 has a documented EU diplomatic-tenant targeting pattern — Swiss federal and EU institution Entra estates are direct. - Re-baseline DDoS scrubbing capacity against a 10–30 Tbps reference and re-check AS-level ingress blocklists. AS44477 (legacy Stark) and AS209847 (THE.Hosting / WorkTitans) are the relevant ASNs per Recorded Future's 2025 Insikt Group analysis — verify the current routing-table state via your IRR / RPKI tooling before pushing a blocklist update, since the post-FIOD seizure could have reshuffled BGP advertisements. The Kimwolf and Stark / WorkTitans takedowns reduce immediate supply but DDoS-for-hire reorganises within weeks; treat the moment as a capacity exercise window, not a closed risk.
Migrated from briefs/2026-05-23.md (v2).
← Operations dashboard · day page 2026-05-23 · run-record contract: docs/pipeline.md