ctipilot.ch

2026-05-23-852c21c8

One pipeline fire, in full · intel run of 2026-05-23 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-23/2026-05-23-852c21c8.md.

Run telemetry

2026-05-23-852c21c8 intel prompt v2.59
23m 27s duration 13 published 1 updates
Claude Opus 4.7 (claude-opus-4-7) main agent
S1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
6
Duration
19m 03s
Tool calls
11 WebFetch14 WebSearch9 bridge
Cited sources
5 of 27 in slice
S2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
5m 22s
Tool calls
8 WebFetch16 WebSearch10 bridge
Cited sources
3 of 43 in slice
S3 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
5
Duration
5m 30s
Tool calls
7 WebFetch5 WebSearch14 bridge
Cited sources
5 of 67 in slice
S4 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
3
Duration
9m 34s
Tool calls
22 WebFetch12 WebSearch8 bridge
Cited sources
4 of 25 in slice

Verification

#1 NEEDS_FIXES · Claude Opus 4.7 · t=9 e=4 a=2 #2 NEEDS_FIXES · Claude Sonnet 4.6 · t=3 e=1 a=1 #3 NEEDS_FIXES · Claude Opus 4.7 · t=5 e=2 a=3 #4 CLEAN · Claude Sonnet 4.6 · t=0 e=0 a=3

Deep dive

2026-05-23/cve-2026-46333-ssh-keysign-pwn-a-9-year-ptrace-race-in-the-l

Entries published (this run)

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

Source (uncovered)URL triedMethod chainStatus / classWhat the agent did instead
databreaches-nethttps://databreaches.net/bridge:urlbridge:wayback403 transport-403
upstream HTTP 403 (Cloudflare Managed Challenge)
BleepingComputer/TheRecord/SecurityAffairs cross-check covered the same incidents
inside-it-chhttps://www.inside-it.ch/bridge:urlbridge:wayback403 transport-403
Cloudflare Managed Challenge page; Wayback snapshot stale (>7 days)
WebSearch fallback found no in-window CH-specific items from this publisher
sophos-xopshttps://www.sophos.com/en-us/blog/feed?id=blt6f15f4f7deaf4242webfetch503 transport-5xx
HTTP 503 on canonical RSS — fifth consecutive failing run
none — quiet host this run; rotation-priority for next

Bridge invocations (this run)

6 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).

4 ok2 item not found
  • bridge:url ×3
  • bridge:cisa-kev ×1
  • bridge:ncsc-csh.recent ×1
  • bridge:sec-edgar.8k ×1

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #1 NEEDS_FIXES · 15 findings (truth=9, editorial=4, advisory=2) · Claude Opus 4.7 · 4m 43s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
broken-url
researchCheck Point AI Threat Landscape March-April 2026 Digest — Gambit Security primarHTTP 404 on direct fetch. The Check Point Research summary post still resolves and carries the same nine-Mexican-agency content; drop the dead Gambit URL or replace if Gambit moved the post.applied per remediation log in commit message fixed-clean
F3
claim-not-supported
active-threatsKimwolf / Dort arrest — arrest date and DOJ unsealing date
Ontario Provincial Police arrested Jacob Butler ... on 2026-05-19 on a U.S. extradition warrant; the U.S. Department of
Krebs and The Record both say 'Wednesday' (= 2026-05-20); The Hacker News says DOJ announcement 'on Thursday' (= 2026-05-21). The 2026-05-19 arrest date and 2026-05-22 unsealing date in the brief are applied per remediation log in commit message fixed-clean
F3
claim-not-supported
researchScreening Serpens — MiniUpdate variant count
MiniUpdate in three variants used in March–April 2026
Unit 42 says four variants of MiniUpdate, not three (March 26-April 17, 2026).applied per remediation log in commit message fixed-clean
F3
claim-not-supported
researchScreening Serpens — MiniJunk V2 target characterisation
MiniJunk V2 in three variants used in February–March 2026 against a single Middle Eastern IT professional that the opera
Unit 42 says February 17-March 27, 2026 against Middle Eastern and US targets (plural). The 'single IT professional tracked since late 2025 via job-hunting' specific does not appear in the Unit 42 pagapplied per remediation log in commit message fixed-clean
F3
claim-not-supported
researchROADtools — T1556.006 mapping
T1556.006 (Multi-Factor Authentication bypass via device PRT binding)
Unit 42 maps T1098.005, T1550, T1087 only. T1556.006 is not in the Unit 42 article per direct WebFetch entity extraction.applied per remediation log in commit message fixed-clean
F3
claim-not-supported
active-threatsSPIP CERTFR-2026-AVI-0635 — vulnerability class characterisation
security-policy bypass ... typically covers authentication / authorisation or ACL circumvention that does not require ch
SPIP project blog (cited Additional source) says the underlying fix is 'Open Redirect security vulnerability in the cookie action'. CERT-FR uses the standard French 'contournement de la politique de sapplied per remediation log in commit message fixed-clean
F3
claim-not-supported
active-threatsKali365 — IC3 advisory explicitly naming government / critical infrastructure
The IC3 advisory explicitly names government and critical-infrastructure organisations among April 2026 victims
IC3 PSA260521 returned 403 to the routine (per § 7); none of the four corroborating outlets (Register, Help Net Security, Record, CyberScoop) quote FBI text naming government / critical-infrastructureapplied per remediation log in commit message fixed-clean
F4
hallucinated-fact
active-threatsFIOD arrest — suspect names and residences
Youssef Z. (57, Enschede), director of WorkTitans B.V., and Andrey N. (39, Almere), founder of MIRhosting
Suspect names 'Youssef Z.' and 'Andrey N.' do not appear in FIOD release, BleepingComputer, or DutchNews. Cities Enschede/Almere are search/raid locations; FIOD says suspects are from Amsterdam (57) aapplied per remediation log in commit message fixed-clean
F4
hallucinated-fact
active-threatsMegalodon — hardcoded timestamp and payload line count
throwaway accounts with forged committer identities (`build-bot`, `auto-ci`, `ci-bot`, `pipeline-bot`) and a hardcoded t
SafeDep WebFetch entity-extraction did not surface the 2001-09-17 timestamp or 111-line count. Action Item 5 also references the 2001-09-17 timestamp. Refetch SafeDep with a targeted prompt to confirmapplied per remediation log in commit message fixed-clean
F5
missing-citation
tldrDrupal CVE-2026-9082 Immediate Action — Imperva 15,000+ attempts figure
Imperva measured 15,000+ attempts against ~6,000 sites ... 15,000+ exploitation attempts against approximately 6,000 sit
Cited in § 0 TL;DR, § 0 Immediate Action and § 4 UPDATE. No inline source. Canonical primary: https://www.imperva.com/blog/imperva-customers-protected-against-cve-2026-9082-in-drupal-core/ (confirmed applied per remediation log in commit message fixed-clean
F6
strengthen-primary-source
active-threatsKimwolf / Dort arrest — primary source on the indictment
Source: KrebsOnSecurity · Additional source: The Record · Additional source: The Hacker News
All three Source lines are news aggregators. DOJ release (https://www.justice.gov/usao-ak/pr/canadian-man-arrested-international-authorities-charged-administrating-kimwolf-ddos) is the canonical primaapplied per remediation log in commit message fixed-clean
F9
surface-contradiction
active-threatsKimwolf peak DDoS throughput
peaked at roughly 30–31.4 Tbps
Krebs, DOJ, and The Record say 'nearly 30 Tbps'; only The Hacker News carries '31.4 Tbps'. Brief silently splits. Surface as 'nearly 30 Tbps per DOJ/Krebs; 31.4 Tbps per The Hacker News' or anchor 31.applied per remediation log in commit message fixed-clean
F10
missed-angle
tldrCISA KEV listing for CVE-2026-9082 — direct citation
CISA added the CVE to its Known Exploited Vulnerabilities catalog the same day
KEV-add asserted three times in the brief (§ 0 TL;DR, Immediate Action, § 4 UPDATE) but no CISA URL cited inline. BleepingComputer per direct WebFetch does NOT mention the 2026-05-22 KEV add. Verify tapplied per remediation log in commit message fixed-clean
F11
editorial-advisory
deep-diveCanonical / Ubuntu blog publication date
Canonical / Ubuntu, 2026-05-15
Canonical blog post published 2026-05-19 per direct WebFetch; 2026-05-15 was the upstream kernel-fix landing date. Minor citation-date discrepancy.applied per remediation log in commit message fixed-clean
F11
editorial-advisory
action-itemsASN blocklist freshness caveat
AS44477 (legacy Stark) and AS209847 (THE.Hosting / WorkTitans)
ASNs from Insikt Group 2025 background; verify current routing-table state before pushing blocklist updates. Add a freshness caveat to the action item.applied per remediation log in commit message fixed-clean

Iteration #2 NEEDS_FIXES · 5 findings (truth=3, editorial=1, advisory=1) · Claude Sonnet 4.6 · 5m 37s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
active-threatsKimwolf / 'Dort' DDoS-for-hire operator arrested
the U.S. Department of Justice unsealed the criminal complaint in the District of Alaska on Wednesday 2026-05-20
KrebsOnSecurity (fetched) says arrest and unsealing both May 21; The Record (fetched) says unsealing was Thursday. Calendar confirms May 20 = Wednesday, May 21 = Thursday. Iter-1 remediation introduceapplied per remediation log in commit message fixed-clean
F3
claim-not-supported
research-investigativeUnit 42 — Iran's Screening Serpens: MiniJunk V2 variant count
MiniJunk V2 in three variants used between 2026-02-17 and 2026-03-27 / seven new RAT variants (four MiniUpdate, three Mi
Unit 42 (fetched https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/) documents exactly 2 MiniJunk V2 variants (February Middle Eastern, March U.S.). Correct total is 4+2=6 (matchapplied per remediation log in commit message fixed-clean
F14
quantifier-without-source
research-investigativeRapid7 Q1 2026 Threat Landscape Report
the first time it has overtaken social engineering (24%) in Rapid7's dataset
Neither the Rapid7 blog (fetched https://www.rapid7.com/blog/post/tr-q1-2026-threat-landscape-report-geopolitics-ransomware/) nor the GlobeNewswire press release (fetched) use 'first time' language. Gapplied per remediation log in commit message fixed-clean
F5
missing-citation
verification-notes§ 7 Aggregator-only sourcing note — Kimwolf / Dort
the original justice.gov URL was not directly verified live in this run and is therefore not cited as a Source
The DOJ URL https://www.justice.gov/usao-ak/pr/canadian-man-arrested-international-authorities-charged-administrating-kimwolf-ddos IS cited as the first Source in the Kimwolf footer (line 40) — the itapplied per remediation log in commit message fixed-clean
F11
editorial-advisory
deep-diveCVE-2026-46333 ssh-keysign-pwn — exploit availability wording
Qualys built four working public exploits demonstrating the surface
Qualys advisory (fetched https://cdn2.qualys.com/advisory/2026/05/20/cve-2026-46333-ptrace.txt) says 'We developed four different exploits' but exploit code was withheld during coordinated disclosure;applied per remediation log in commit message fixed-clean

Iteration #3 NEEDS_FIXES · 10 findings (truth=5, editorial=2, advisory=3) · Claude Opus 4.7 · 6m 01s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
claim-not-supported
updatesGhostwriter UPDATE — CERT-UA#10340 bulletin ID
CERT-UA disclosed (CERT-UA#10340, surfaced 2026-05-22) a spring-2026 phishing campaign by Ghostwriter
The Hacker News (the brief's primary source for this UPDATE, fetched this iteration) references the CERT-UA report as article '6315762', not CERT-UA#10340. SC World corroborator returned 403 this iterapplied per remediation log in commit message fixed-clean
F2
claim-not-supported
updatesGhostwriter UPDATE — Storm-0257 and Umbral Bison aliases
Ghostwriter (a.k.a. UAC-0057, UNC1151, FrostyNeighbor, Storm-0257, Umbral Bison)
The Hacker News (fetched this iteration) only confirms UAC-0057 and UNC1151. Storm-0257 (Microsoft) and Umbral Bison (CrowdStrike) are real public aliases but not in either cited source. Either cite aapplied per remediation log in commit message fixed-clean
F3
analytical-link-as-fact
active-threatsFIOD arrests — suspect-to-company role attributions
a 57-year-old man from Amsterdam, identified as the director of WorkTitans B.V., and a 39-year-old man from The Hague, i
FIOD release does not name WorkTitans or MIRhosting at all. BleepingComputer names both companies but does not explicitly connect them to specific suspects by role. DutchNews.nl names WorkTitans BV buapplied per remediation log in commit message fixed-clean
F4
quantifier-without-source
active-threatsFIOD arrests — 'five locations' raid count
raiding five locations including data centres in Dronten and Schiphol-Rijk
BleepingComputer (fetched this iteration) explicitly lists four raid locations: Dronten, Schiphol-Rijk, Enschede, Almere. FIOD release names the same four. DutchNews enumerates the same four (the Amstapplied per remediation log in commit message fixed-clean
F5
claim-not-supported
updatesGhostwriter UPDATE — MITRE technique parenthetical mappings
OYSTERFRESH (T1027 Obfuscated Files/Information) ... writing an obfuscated, RC4-encrypted OYSTERBLUES payload to the Win
THN (fetched this iteration) does not carry any MITRE technique IDs. The mapping is the brief's own analytical layer. Either explicitly call out 'MITRE mapping is the brief's analysis' once in the iteapplied per remediation log in commit message fixed-clean
F6
missing-citation
active-threatsSPIP 4.4.14 prior release / CERTFR-2026-AVI-0564 claim
SPIP 4.4.14 had already addressed several RCE flaws on 2026-05-12 (CERTFR-2026-AVI-0564) — this is the immediate follow-
Neither the SPIP project blog (fetched this iteration) nor CERT-FR CERTFR-2026-AVI-0635 (fetched this iteration) carries 'CERTFR-2026-AVI-0564' or '2026-05-12' or 'RCE flaws' wording. Either drop the applied per remediation log in commit message fixed-clean
F7
quantifier-without-source
active-threatsFIOD arrests — 'first criminal enforcement of EU CFSP cyber sanctions' quantifie
This is the first criminal enforcement of EU CFSP cyber sanctions against a bulletproof hoster acting as a proxy for a d
FIOD release does not use 'first' framing. BleepingComputer (fetched this iteration) explicitly does NOT carry the 'first criminal enforcement' phrasing (per WebFetch response: 'No, this phrase does napplied per remediation log in commit message fixed-clean
F8
editorial-advisory
tldrImperva citation date — 2026-05-22 vs Imperva-published 2026-05-21
Imperva, 2026-05-22
Imperva blog post (fetched this iteration) reports publication date May 21, 2026. Brief consistently cites '2026-05-22' across § 0 TL;DR (line 9), Immediate Action (line 16), and § 4 UPDATE (line 137)applied per remediation log in commit message fixed-clean
F11
editorial-advisory
deep-diveQualys TRU citation date — 2026-05-20 vs Qualys blog metadata 2026-05-22
Qualys TRU disclosed CVE-2026-46333 ... on 2026-05-20
URL path encodes /2026/05/20/ (consistent with brief) but Qualys blog WebFetch returns 'Date: May 22, 2026' in the rendered metadata. The Hacker News story on 2026-05-21 anchors original disclosure toapplied per remediation log in commit message fixed-clean
F11
editorial-advisory
active-threatsRhysida Stuttgart listing date 2026-05-19 not in cited Heise source
listed Landeshauptstadt Stuttgart on its dark-web leak site on 2026-05-19
Heise (fetched this iteration) is dated 2026-05-21 and references a 'seven-day countdown' but does NOT carry '2026-05-19' as the posting date. DeXpose Additional source uses '2026-05-20' in the inlineapplied per remediation log in commit message fixed-clean

Iteration #4 CLEAN · 3 findings (truth=0, editorial=0, advisory=3) · Claude Sonnet 4.6 · 5m 48s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F11
editorial-advisory
§ 1 MegalodonMegalodon mass-poisons 5,561 GitHub repos
[SafeDep, 2026-05-22](https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/)
SafeDep article date per WebFetch summary is May 21 2026; brief citation label says 2026-05-22. OX Security correctly cited 2026-05-21. Minor label inconsistency; article content confirmed correct.applied per remediation log in commit message applied
F11
editorial-advisory
§ 1 KimwolfKimwolf / Dort DDoS-for-hire operator arrested
[U.S. Department of Justice, 2026-05-20](https://www.justice.gov/usao-ak/pr/canadian-man-arrested-international-authorit
Brief body says complaint unsealed Thursday 2026-05-21; citation label says 2026-05-20. DOJ URL returned 403 so date cannot be confirmed from the PR directly; KrebsOnSecurity (published May 21) confirapplied per remediation log in commit message applied
F11
editorial-advisory
§ 1 FIODNetherlands FIOD arrests two over EU sanctions evasion
Danish authorities and infrastructure providers have publicly linked WorkTitans to NoName057(16) DDoS campaigns
BleepingComputer (fetched) hedges this claim via De Volkskrant ('The same outlet alleges that Danish authorities and infrastructure providers linked WorkTitans to attacks'). Brief presents as establisapplied per remediation log in commit message applied

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-05-23-852c21c8 · Claude Opus 4.7 · 13 entries published

  • Items dropped (off-audience / less-is-more): Oncology Institute Inc. SEC Item 1.05 8-K (US-only oncology practice, no Swiss/EU nexus, single-source MEDIUM via Globe and Mail relay since the EDGAR filing index returned HTTP 403 to the bridge fetcher — relevance bar not met); Cloud Atlas / Kaspersky Securelist 2026 PowerCloud + ReverseSocks coverage (substantive but indirect EU nexus — Cloud Atlas targets Russian and Belarusian government primarily; EU diplomatic exposure is collateral). Both available for re-surfacing if a CH/EU victim or operationally relevant detail emerges.
  • Items dropped (out of window): Germany Cyber-Dome / Cyber-Security Strengthening Act announcement (Interior Minister Dobrindt, 2026-05-12) — outside the 36 h recency window with no in-window legislative delta (cabinet vote outcome, final text). Carry forward; surface in next brief if a cabinet decision or NIS2 cross-impact lands in-window.
  • CVEs dropped from § 2 with reason: CVE-2026-46333 — does not clear any § 2 inclusion gate (local LPE not pre-auth RCE; four working Qualys exploits detailed in the public advisory but no in-the-wild exploitation reported by Qualys or downstream researchers as of this run). Covered instead as § 5 Deep Dive given operational depth.
  • Items included with reduced confidence: Rhysida ransomware claim against Landeshauptstadt Stuttgart — [MEDIUM] confidence; corroboration is press coverage of the leak-site listing and a DeXpose write-up, not a victim statement (city denies confirmed incident). Treat as hunt-trigger not confirmed-victim. FBI PSA260521 details on Kali365 — the IC3 advisory itself (ic3.gov/PSA/2026/PSA260521) returned HTTP 403 to the bridge fetcher; primary advisory text was reconstructed from four independent corroborating outlets (The Register, Help Net Security, The Record, CyberScoop) all quoting the FBI text verbatim. Confidence HIGH on the technical content; primary URL not directly fetched in this run. SEC EDGAR direct-filing access also returned 403 (TOI 8-K), but TOI was dropped on relevance grounds rather than carried with degraded sourcing. Check Point Research March-April 2026 AI Threat Landscape Digest is [SINGLE-SOURCE] — only the CPR blog post was directly fetched in this run; the Gambit Security primary report URL referenced in earlier drafts returned a 404 and was dropped per the verifier iter-1 F1 finding.
  • Kimwolf primary-source upgrade applied in iteration 1: following the verifier's F6 finding, the DOJ press release on the indictment (justice.gov/usao-ak/pr/canadian-man-arrested-international-authorities-charged-administrating-kimwolf-ddos) was promoted to the first Source link in the § 1 Kimwolf footer, with KrebsOnSecurity demoted to second Source and The Hacker News + The Record kept as Additional sources. Confidence on the factual outline (defendant, charges, peak throughput, takedown sequence) is HIGH due to corroboration density anchored on the DOJ primary.
  • Contradictions: Drupal SA-CORE-2026-004 carries vendor severity 23/25 ("Highly Critical") while NIST's published CVSS v3.1 is 6.5 — the gap reflects Drupal's CMS-wide-impact risk framing versus NVD's strict base-score calculation. Brief reports both; the operational truth is "actively exploited pre-auth SQL injection on PostgreSQL backends" regardless of which score scheme is referenced.
  • Sub-agents that didn't return on time: none — S1 / S2 / S3 / S4 all returned within the 30 min wall-clock cap. S2 (Sonnet 4.6): 4 items, 322 s; S3 (Sonnet 4.6): 5 items, 330 s + later updates; S1 (Sonnet 4.6): 6 items, 557 s; S4 (Sonnet 4.6): 3 items, 574 s. Sub-agent self-reported telemetry: webfetch 8/7/11/22, websearch 16/5/14/12, bridge fetches 10/14/9/8 for S2/S3/S1/S4 respectively.
  • Verification loop (Phase 5.7): four iterations, model-rotated per v2.47 — iter 1 (Opus) NEEDS_FIXES truth=9 editorial=4 advisory=2, iter 2 (Sonnet) NEEDS_FIXES truth=3 editorial=1 advisory=1, iter 3 (Opus, cold) NEEDS_FIXES truth=5 editorial=2 advisory=3, iter 4 (Sonnet + iter-3 deltas) CLEAN truth=0 editorial=0 advisory=3. Brief published under iteration 4's CLEAN verdict. Three iter-4 F11 advisory items applied as cheap edits before publish: SafeDep citation label corrected to 2026-05-21; DOJ citation label corrected to 2026-05-21 to match the body's Thursday-2026-05-21 unsealing-date reading; Danish-authorities NoName057(16) claim softened to "per De Volkskrant reporting carried by BleepingComputer, Danish authorities have alleged that WorkTitans infrastructure supported NoName057(16) DDoS campaigns".
  • Candidate-source overflow: S3 surfaced two new candidate sources (searchlight-cyber — high-quality same-day technical analysis of CVE-2026-9082; gambit-security — primary research on the Mexico AI-orchestrated nine-agency breach). Per the one-candidate-per-run cap, searchlight-cyber was added as status: candidate in sources/sources.json; gambit-security is carried forward for next run.
  • Coverage gaps: databreaches-net (transport-403, Cloudflare challenge — fifth consecutive failing run, content cross-checked via BleepingComputer/TheRecord/SecurityAffairs); inside-it-ch (Cloudflare challenge + stale Wayback — fifth consecutive failing run, no Swiss-specific in-window items recovered via WebSearch fallback); sophos-xops (HTTP 503 on canonical RSS — fifth consecutive failing run); dragos-ot (HTTP 404 on resource library RSS — feed appears stale); trendmicro-research (rotation-priority but not retried this run); cisa.gov direct fetches consistently 403 (mitigation: python3 tools/fetch_source.py bridge — used for CISA KEV catalog ingest); ic3.gov direct fetches 403 (Kali365 PSA reconstructed from four corroborators); sec.gov EDGAR direct 403; heise.de Security articles TollBit-gated (HTTP 307 → tollbit.heise.de — feed summaries only); cert-eu (3 of 7 recent runs returned no new advisory — quiet, no advisory dated within this 36 h window — most recent is 2026-006 from 2026-05-06 on PAN-OS); anssi-fr (in-window CERTFR-2026-AVI-0611 on Azure surfaced but not operationally significant for this brief; AVI-0635 SPIP fetched and included); jpcert (no in-window lead surfaced; bridge not used in this run); prodaft (not attempted — no in-window publication surfaced via WebSearch); euronews (Cloudflare challenge on direct + Wayback miss — Germany Cyber-Dome AFP wire content recovered via The Star republication, but item ultimately dropped as out-of-window). edpb, cnil-fr returned 200 / no in-window enforcement actions — that is a quiet day, not a coverage gap.

Unmatched action items (migrated)

  • Patch SPIP to 4.4.15 across every Francophone public-administration deployment — ANSSI CERTFR-2026-AVI-0635 is the operational driver; the underlying issue is an open-redirect on the cookie action (per the SPIP project blog), commonly chained into account-impersonation. SPIP is the predominant CMS in Romandie cantonal / communal portals, French ministries and Belgian Francophone government sites. No CVE attached, so the patch is easy to overlook on CVE-driven tooling.
  • Block user-interactive OAuth device-code flow via Entra ID Conditional Access to defeat Kali365 PhaaS; enforce FIDO2 phishing-resistant MFA for privileged accounts and audit existing OAuth app consents. After a suspected device-code compromise the only persistent-token clearing path is Revoke-MgUserSignInSession — refresh tokens survive password resets.
  • Audit .github/workflows/*.yml across every internal fork and rotate CI cloud credentials issued during the Megalodon window on 2026-05-18. SafeDep and OX Security published the SysDiag and Optimize-Build payload markers and committer-identity tells; look for the forged build-bot / auto-ci / ci-bot / pipeline-bot author strings on commits dated to that day. Move CI to OIDC-based trusted publishing where long-lived cloud credentials still exist.
  • Hunt for Entra ID Add device events and roadtx user-agent strings following the Unit 42 ROADtools write-up; restrict device registration to compliant / hybrid-joined devices and enforce Conditional Access token-protection on admin sessions. Midnight Blizzard / APT29 has a documented EU diplomatic-tenant targeting pattern — Swiss federal and EU institution Entra estates are direct.
  • Re-baseline DDoS scrubbing capacity against a 10–30 Tbps reference and re-check AS-level ingress blocklists. AS44477 (legacy Stark) and AS209847 (THE.Hosting / WorkTitans) are the relevant ASNs per Recorded Future's 2025 Insikt Group analysis — verify the current routing-table state via your IRR / RPKI tooling before pushing a blocklist update, since the post-FIOD seizure could have reshuffled BGP advertisements. The Kimwolf and Stark / WorkTitans takedowns reduce immediate supply but DDoS-for-hire reorganises within weeks; treat the moment as a capacity exercise window, not a closed risk.

Migrated from briefs/2026-05-23.md (v2).

← Operations dashboard · day page 2026-05-23 · run-record contract: docs/pipeline.md