ctipilot.ch

2026-05-31-d742bed9

One pipeline fire, in full · intel run of 2026-05-31 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-31/2026-05-31-d742bed9.md.

Run telemetry

2026-05-31-d742bed9 intel prompt v2.60
25m 40s duration 4 published 0 updates
Claude Opus 4.8 (claude-opus-4-8) main agent
S1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
2m 58s
Tool calls
8 WebFetch8 WebSearch12 bridge
Cited sources
0 of 13 in slice
S2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
7m 24s
Tool calls
14 WebFetch12 WebSearch16 bridge
Cited sources
3 of 14 in slice
S3 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
8
Duration
43m 34s
Tool calls
28 WebFetch9 WebSearch18 bridge
Cited sources
2 of 12 in slice
S4 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
3
Duration
6m 54s
Tool calls
10 WebFetch11 WebSearch12 bridge
Cited sources
1 of 10 in slice

Verification

#? NEEDS_FIXES · Claude Opus 4.8 · t=0 e=0 a=0 #? NEEDS_FIXES · Claude Sonnet 4.6 · t=0 e=0 a=0 #? CLEAN · Claude Opus 4.8 · t=0 e=0 a=0

Deep dive

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

Source (uncovered)URL triedMethod chainStatus / classWhat the agent did instead
databreaches-nethttps://www.databreaches.net/webfetchbridge:urlwayback403 transport-403
HTTP 403 persistent (6th consecutive run); bridge:url also 403; no Wayback snapshot >=5000 bytes
none
inside-it-chhttps://www.inside-it.ch/bridge:urlwayback403 transport-403
Cloudflare 403; no usable Wayback snapshot in last 180 days
none
sophos-xopshttps://news.sophos.com/feed/webfetchbridge:feed503 transport-5xx
RSS feed and news.sophos.com both HTTP 503 on two attempts
none
sekoiahttps://www.sekoia.io/blog/feed/rsswebfetch404 transport-dns
blog feed URL returned HTTP 404
none
volexityhttps://www.volexity.com/blog/feed/rsswebfetch200
RSS XML parse error; landing-page scrape found no items in window
none

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #? NEEDS_FIXES · 2 findings (truth=0, editorial=0, advisory=0) · Claude Opus 4.8 · 2m 25s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
active-threatsCalifornia AG sues former 23andMe (Chrome Holding Co.) — 2023 genetic-data breac
Cited OAG primary dated 2026-05-28; brief prose + OAG citation label said 2026-05-29 (borrowed from BleepingComputer/Register). Figures/substance all correct.Changed prose ('filed suit on 2026-05-29'->'announced ... on 2026-05-28, filed ...') and OAG citation label to 2026-05-28 in TL;DR and § 1; BleepingComputer/Reg fixed-clean
F11
editorial-advisory
active-threatsMautic 7.1.2/6.0.9 — seven authenticated flaws
Per-CVE CVSS all n/a (honest — BSI SPA not renderable, GHSA scores not all retrievable); BSI 'hoch' qualitative rating already in prose; correctly placed in § 1.none — advisory, left as-is per verifier deferred

Iteration #? NEEDS_FIXES · 1 finding (truth=0, editorial=0, advisory=0) · Claude Sonnet 4.6 · 2m 39s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
active-threatsMautic 7.1.2/6.0.9 — 'remaining five' CVE descriptions mischaracterised severity
Fetched GHSAs: CVE-2026-9558=SSTI/server-side RCE (theme templates, all branches); CVE-2026-9559=path-traversal/PHP-RCE (campaign import, Mautic 7.x); CVE-2026-9808=API v2 authorization bypass (omitteRewrote the cluster description with accurate per-CVE classes and version scope; headline now leads with the two post-auth RCE paths; added tags rce, auth-bypas fixed-clean

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-05-31-d742bed9 · Claude Opus 4.8 · 4 entries published

  • Recency. window_hours = 36 (gap to prior brief 24 h; standard daily class). The strict 36 h window was quiet — the four research sub-agents surfaced little new in-window signal. The qualifying items in §§ 1 and 3 have primary sources dated 2026-05-28 / 2026-05-29 (within ~72 h); included because they are genuinely new (not previously covered), CH/EU-relevant and defender-actionable. No "Coverage window: extended" disclosure is required at this gap.
  • Items dropped — no material delta (already covered): CVE-2026-0257 PAN-OS GlobalProtect authentication-bypass "UPDATE" was returned independently by S1, S2 and S3, but the 2026-05-30 brief already covered it in full (Immediate Action callout, § 2 entry and the deep dive), including the Rapid7 two-wave exploitation (Vultr / Dromatics), the public PoC, and the 2026-05-29 CISA KEV addition. NCSC-NL advisory NCSC-2026-0172 (2026-05-30) is a national-CERT re-confirmation of already-published facts, not a new threat development; per PD-8 / PD-13 it does not justify a fresh § 4 UPDATE.
  • Items dropped — stale source / already deep-dived: CVE-2026-42897 Microsoft Exchange OWA XSS (deep dive 2026-05-16; freshest source 2026-05-15, and one supplied "Evidence" quote was flagged by the main agent as search-result synthesis rather than a verbatim fetched quote); CVE-2026-20182 Cisco Catalyst SD-WAN / UAT-8616 persistence (deep dive 2026-05-15 and weekly 2026-W21; sources 2026-05-14).
  • Items dropped — out of window (> 72 h) / weak nexus: CVE-2026-9256 NGINX "nginx-poolslip" (freshest corroboration 2026-05-27, vendor-index + aggregator sourcing only); Unit 42 cyber-extortion-economy analysis (2026-05-27, overlaps already-covered actors, leans on cost/dwell metrics — PD-4); Unit 42 FIFA World Cup 2026 attack-surface forecast (2026-05-28, host nations US/CA/MX, thin CH/EU nexus, overlaps Ghost Stadium PhaaS covered 2026-05-30); Elastic Security Labs Tycoon 2FA device-PRT detection-engineering (2026-05-26 — predates and overlaps the 2026-05-27 Tycoon 2FA deep dive).
  • Item dropped — already treated under PD-9: Check Point Research AI Threat Landscape Digest March–April 2026 (2026-05-26) was already covered in weekly 2026-W21 (periodic-report one-treatment rule).
  • Item dropped — awareness / out of window: GCHQ Annual Lecture 2026 (2026-05-27), returned by S2, S3 and S4. A rare primary intelligence-chief statement on Russian hybrid operations against UK/EU critical infrastructure, but it carries no specific in-window defender action and overlaps the Russia-hybrid picture already in the 2026-05-30 ESET coverage.
  • Item dropped — long-running campaign already consolidated: ShinyHunters / Charter Communications HIBP 4.9M-record de-duplication UPDATE (2026-05-29). The ShinyHunters Salesforce campaign was already updated on 2026-05-25, 05-27 and 05-29 (Carnival); the HIBP dedup count is not a critical change under the long-running-campaign rule.
  • Item dropped — niche / low severity: QuickCMS CVE-2026-33384 (session fixation, CVSS 4.0 = 4.8) and CVE-2026-33386 (MITM-XSS, CVSS 4.0 = 2.3), CERT Polska 2026-05-29 — a niche Polish CMS at low severity; below the daily relevance bar.
  • CVEs that did not clear the § 2 inclusion gates (logged, not in § 2): the Mautic cluster CVE-2026-4776 / CVE-2026-9557 / CVE-2026-9558 / CVE-2026-9559 / CVE-2026-9808 / CVE-2026-9809 / CVE-2026-9811 (all post-auth, no observed exploitation — covered as a patch advisory in § 1); Gitea CVE-2026-27771 (unauthenticated container-registry private-image pull, CVSS 8.2, Orca Security 2026-05-27 — not KEV, no observed exploitation, CVSS < 9, not RCE, and source > 72 h old). The Gitea flaw is genuinely CH/EU-public-sector-relevant (self-hosted Git in government and academia, secrets baked into image layers) and is rolled forward as a first-coverage candidate for the next run should fresh in-window reporting or exploitation appear.
  • Single-source items: Cisco Talos DICOM/Orthanc PACS research (§ 3) — primary research from a HIGH-reliability lab, flagged [SINGLE-SOURCE]; no second independent source for the technique study.
  • Reduced confidence — only aggregator sources: the Signal recovery-key phishing item (§ 1) rests on TechCrunch (original reporting) and Malwarebytes; Signal has published no advisory and no vendor/research-lab primary exists for this campaign. Both are reputable but neither is a primary disclosing party — the behavioural claim (impersonation lure, recovery-key target) is corroborated across the two, while exact targeting attribution is reported, not confirmed.
  • Contradictions: none surfaced this run.
  • Sub-agents: all four returned (S1, S2, S3, S4 — Claude Sonnet 4.6); none stalled.
  • Verification: 3 iterations (Opus → Sonnet → Opus), reached CLEAN at iteration 3; 0 residuals. Iteration 1 (Opus) corrected the 23andMe filing/citation date (cited California OAG primary is 2026-05-28, not 05-29). Iteration 2 (Sonnet) corrected the Mautic CVE severity classification — two of the cluster are post-authentication RCE (CVE-2026-9558 SSTI, CVE-2026-9559 path-traversal-to-PHP-RCE) and one is an API authorization bypass (CVE-2026-9808), not the stored-XSS / file-manipulation originally drafted; the § 1 item, tags and § 6 action were updated accordingly. Iteration 3 (Opus) independently re-verified the corrected per-CVE classes against the GitHub advisories and returned CLEAN.
  • Coverage gaps: databreaches-net (HTTP 403, 6th consecutive run — bridge and Wayback both unusable); inside-it-ch (HTTP 403, no Wayback snapshot ≥ 5000 bytes); sophos-xops (HTTP 503, feed and news.sophos.com both down); sekoia (blog feed HTTP 404); volexity (RSS XML parse error, no in-window items via landing-page scrape); cert-eu (newest advisory 2026-05-06, none in window); cert-fr-avis, anssi-fr (RSS lagging — newest item 2026-05-22, no direct ANSSI feed); sec-disclosures-edgar (zero Item 1.05 8-K filings 2026-05-27 → 05-31); ico-uk, cnil-fr, edpb (no new enforcement actions in window); dfirreport (newest 2026-05-11), sentinellabs (newest 2026-05-14), redcanary (newest 2026-05-26) — all outside window; chrome-releases, projectzero, watchtowr (no in-window publications).

Unmatched action items (migrated)

  • Brief high-value Signal users now (officials, lawyers, journalists, civil-society contacts): Signal Support never initiates contact and never asks for a recovery key, PIN or registration code — never paste the cloud-backup recovery key anywhere. Pair with carrier SIM port-freeze / number-lock for principals, since number hijacking is the takeover prerequisite. See § 1. Reference: TechCrunch.
  • Healthcare/PACS operators — constrain DICOM ingestion. Restrict DICOM C-STORE acceptance to known modality AE titles, segment PACS servers from clinical workstations, and confirm Orthanc is on a supported version; treat studies from referring institutions as untrusted input. See § 3. Reference: Cisco Talos.
  • Special-category-data registry owners — close the 23andMe failure pattern. Enforce MFA on accounts holding health/genetic/civil-registry data, block known-breached credentials and rate-limit login failures, and add per-request authorization + bulk-export limits to any relationship/lookup endpoint so one account cannot enumerate the population. See § 1. Reference: California OAG.

Migrated from briefs/2026-05-31.md (v2).

← Operations dashboard · day page 2026-05-31 · run-record contract: docs/pipeline.md