2026-05-31-d742bed9
One pipeline fire, in full · intel run of 2026-05-31 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-31/2026-05-31-d742bed9.md.
Run telemetry
- Items returned
- 4
- Duration
- 2m 58s
- Tool calls
- 8 WebFetch8 WebSearch12 bridge
- Cited sources
- 0 of 13 in slice
- Items returned
- 4
- Duration
- 7m 24s
- Tool calls
- 14 WebFetch12 WebSearch16 bridge
- Cited sources
- 3 of 14 in slice
- Items returned
- 8
- Duration
- 43m 34s
- Tool calls
- 28 WebFetch9 WebSearch18 bridge
- Cited sources
- 2 of 12 in slice
- Items returned
- 3
- Duration
- 6m 54s
- Tool calls
- 10 WebFetch11 WebSearch12 bridge
- Cited sources
- 1 of 10 in slice
Verification
Deep dive
—
Entries published (this run)
- Mautic 7.1.2 / 6.0.9 — seven authenticated flaws, including two post-auth RCE paths (SSTI and path-traversal-to-PHP-RCE), an SSRF and an API authorization bypass threat high
- "Signal Support" impersonation phishing harvests cloud-backup recovery keys from high-value users threat high
- California AG sues former 23andMe (Chrome Holding Co.) over the 2023 genetic-data breach — bulk-enumeration coding error plus absent credential-stuffing defences incident high
- Cisco Talos maps the DICOM-format attack surface against Orthanc PACS — network-ingested medical images as a heap out-of-bounds-write primitive research high
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| databreaches-net | https://www.databreaches.net/ | webfetch → bridge:url → wayback | 403 transport-403 HTTP 403 persistent (6th consecutive run); bridge:url also 403; no Wayback snapshot >=5000 bytes | none |
| inside-it-ch | https://www.inside-it.ch/ | bridge:url → wayback | 403 transport-403 Cloudflare 403; no usable Wayback snapshot in last 180 days | none |
| sophos-xops | https://news.sophos.com/feed/ | webfetch → bridge:feed | 503 transport-5xx RSS feed and news.sophos.com both HTTP 503 on two attempts | none |
| sekoia | https://www.sekoia.io/blog/feed/ | rss → webfetch | 404 transport-dns blog feed URL returned HTTP 404 | none |
| volexity | https://www.volexity.com/blog/feed/ | rss → webfetch | 200 RSS XML parse error; landing-page scrape found no items in window | none |
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #? NEEDS_FIXES · 2 findings (truth=0, editorial=0, advisory=0) · Claude Opus 4.8 · 2m 25s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | active-threats | California AG sues former 23andMe (Chrome Holding Co.) — 2023 genetic-data breac | Cited OAG primary dated 2026-05-28; brief prose + OAG citation label said 2026-05-29 (borrowed from BleepingComputer/Register). Figures/substance all correct. | Changed prose ('filed suit on 2026-05-29'->'announced ... on 2026-05-28, filed ...') and OAG citation label to 2026-05-28 in TL;DR and § 1; BleepingComputer/Reg fixed-clean |
| F11 editorial-advisory | active-threats | Mautic 7.1.2/6.0.9 — seven authenticated flaws | Per-CVE CVSS all n/a (honest — BSI SPA not renderable, GHSA scores not all retrievable); BSI 'hoch' qualitative rating already in prose; correctly placed in § 1. | none — advisory, left as-is per verifier deferred |
Iteration #? NEEDS_FIXES · 1 finding (truth=0, editorial=0, advisory=0) · Claude Sonnet 4.6 · 2m 39s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | active-threats | Mautic 7.1.2/6.0.9 — 'remaining five' CVE descriptions mischaracterised severity | Fetched GHSAs: CVE-2026-9558=SSTI/server-side RCE (theme templates, all branches); CVE-2026-9559=path-traversal/PHP-RCE (campaign import, Mautic 7.x); CVE-2026-9808=API v2 authorization bypass (omitte | Rewrote the cluster description with accurate per-CVE classes and version scope; headline now leads with the two post-auth RCE paths; added tags rce, auth-bypas fixed-clean |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-05-31-d742bed9 · Claude Opus 4.8 · 4 entries published
- Recency.
window_hours = 36(gap to prior brief 24 h; standard daily class). The strict 36 h window was quiet — the four research sub-agents surfaced little new in-window signal. The qualifying items in §§ 1 and 3 have primary sources dated 2026-05-28 / 2026-05-29 (within ~72 h); included because they are genuinely new (not previously covered), CH/EU-relevant and defender-actionable. No "Coverage window: extended" disclosure is required at this gap. - Items dropped — no material delta (already covered): CVE-2026-0257 PAN-OS GlobalProtect authentication-bypass "UPDATE" was returned independently by S1, S2 and S3, but the 2026-05-30 brief already covered it in full (Immediate Action callout, § 2 entry and the deep dive), including the Rapid7 two-wave exploitation (Vultr / Dromatics), the public PoC, and the 2026-05-29 CISA KEV addition. NCSC-NL advisory NCSC-2026-0172 (2026-05-30) is a national-CERT re-confirmation of already-published facts, not a new threat development; per PD-8 / PD-13 it does not justify a fresh § 4 UPDATE.
- Items dropped — stale source / already deep-dived: CVE-2026-42897 Microsoft Exchange OWA XSS (deep dive 2026-05-16; freshest source 2026-05-15, and one supplied "Evidence" quote was flagged by the main agent as search-result synthesis rather than a verbatim fetched quote); CVE-2026-20182 Cisco Catalyst SD-WAN / UAT-8616 persistence (deep dive 2026-05-15 and weekly 2026-W21; sources 2026-05-14).
- Items dropped — out of window (> 72 h) / weak nexus: CVE-2026-9256 NGINX "nginx-poolslip" (freshest corroboration 2026-05-27, vendor-index + aggregator sourcing only); Unit 42 cyber-extortion-economy analysis (2026-05-27, overlaps already-covered actors, leans on cost/dwell metrics — PD-4); Unit 42 FIFA World Cup 2026 attack-surface forecast (2026-05-28, host nations US/CA/MX, thin CH/EU nexus, overlaps Ghost Stadium PhaaS covered 2026-05-30); Elastic Security Labs Tycoon 2FA device-PRT detection-engineering (2026-05-26 — predates and overlaps the 2026-05-27 Tycoon 2FA deep dive).
- Item dropped — already treated under PD-9: Check Point Research AI Threat Landscape Digest March–April 2026 (2026-05-26) was already covered in weekly 2026-W21 (periodic-report one-treatment rule).
- Item dropped — awareness / out of window: GCHQ Annual Lecture 2026 (2026-05-27), returned by S2, S3 and S4. A rare primary intelligence-chief statement on Russian hybrid operations against UK/EU critical infrastructure, but it carries no specific in-window defender action and overlaps the Russia-hybrid picture already in the 2026-05-30 ESET coverage.
- Item dropped — long-running campaign already consolidated: ShinyHunters / Charter Communications HIBP 4.9M-record de-duplication UPDATE (2026-05-29). The ShinyHunters Salesforce campaign was already updated on 2026-05-25, 05-27 and 05-29 (Carnival); the HIBP dedup count is not a critical change under the long-running-campaign rule.
- Item dropped — niche / low severity: QuickCMS CVE-2026-33384 (session fixation, CVSS 4.0 = 4.8) and CVE-2026-33386 (MITM-XSS, CVSS 4.0 = 2.3), CERT Polska 2026-05-29 — a niche Polish CMS at low severity; below the daily relevance bar.
- CVEs that did not clear the § 2 inclusion gates (logged, not in § 2): the Mautic cluster CVE-2026-4776 / CVE-2026-9557 / CVE-2026-9558 / CVE-2026-9559 / CVE-2026-9808 / CVE-2026-9809 / CVE-2026-9811 (all post-auth, no observed exploitation — covered as a patch advisory in § 1); Gitea CVE-2026-27771 (unauthenticated container-registry private-image pull, CVSS 8.2, Orca Security 2026-05-27 — not KEV, no observed exploitation, CVSS < 9, not RCE, and source > 72 h old). The Gitea flaw is genuinely CH/EU-public-sector-relevant (self-hosted Git in government and academia, secrets baked into image layers) and is rolled forward as a first-coverage candidate for the next run should fresh in-window reporting or exploitation appear.
- Single-source items: Cisco Talos DICOM/Orthanc PACS research (§ 3) — primary research from a HIGH-reliability lab, flagged
[SINGLE-SOURCE]; no second independent source for the technique study. - Reduced confidence — only aggregator sources: the Signal recovery-key phishing item (§ 1) rests on TechCrunch (original reporting) and Malwarebytes; Signal has published no advisory and no vendor/research-lab primary exists for this campaign. Both are reputable but neither is a primary disclosing party — the behavioural claim (impersonation lure, recovery-key target) is corroborated across the two, while exact targeting attribution is reported, not confirmed.
- Contradictions: none surfaced this run.
- Sub-agents: all four returned (S1, S2, S3, S4 — Claude Sonnet 4.6); none stalled.
- Verification: 3 iterations (Opus → Sonnet → Opus), reached CLEAN at iteration 3; 0 residuals. Iteration 1 (Opus) corrected the 23andMe filing/citation date (cited California OAG primary is 2026-05-28, not 05-29). Iteration 2 (Sonnet) corrected the Mautic CVE severity classification — two of the cluster are post-authentication RCE (CVE-2026-9558 SSTI, CVE-2026-9559 path-traversal-to-PHP-RCE) and one is an API authorization bypass (CVE-2026-9808), not the stored-XSS / file-manipulation originally drafted; the § 1 item, tags and § 6 action were updated accordingly. Iteration 3 (Opus) independently re-verified the corrected per-CVE classes against the GitHub advisories and returned CLEAN.
- Coverage gaps: databreaches-net (HTTP 403, 6th consecutive run — bridge and Wayback both unusable); inside-it-ch (HTTP 403, no Wayback snapshot ≥ 5000 bytes); sophos-xops (HTTP 503, feed and news.sophos.com both down); sekoia (blog feed HTTP 404); volexity (RSS XML parse error, no in-window items via landing-page scrape); cert-eu (newest advisory 2026-05-06, none in window); cert-fr-avis, anssi-fr (RSS lagging — newest item 2026-05-22, no direct ANSSI feed); sec-disclosures-edgar (zero Item 1.05 8-K filings 2026-05-27 → 05-31); ico-uk, cnil-fr, edpb (no new enforcement actions in window); dfirreport (newest 2026-05-11), sentinellabs (newest 2026-05-14), redcanary (newest 2026-05-26) — all outside window; chrome-releases, projectzero, watchtowr (no in-window publications).
Unmatched action items (migrated)
- Brief high-value Signal users now (officials, lawyers, journalists, civil-society contacts): Signal Support never initiates contact and never asks for a recovery key, PIN or registration code — never paste the cloud-backup recovery key anywhere. Pair with carrier SIM port-freeze / number-lock for principals, since number hijacking is the takeover prerequisite. See § 1. Reference: TechCrunch.
- Healthcare/PACS operators — constrain DICOM ingestion. Restrict DICOM C-STORE acceptance to known modality AE titles, segment PACS servers from clinical workstations, and confirm Orthanc is on a supported version; treat studies from referring institutions as untrusted input. See § 3. Reference: Cisco Talos.
- Special-category-data registry owners — close the 23andMe failure pattern. Enforce MFA on accounts holding health/genetic/civil-registry data, block known-breached credentials and rate-limit login failures, and add per-request authorization + bulk-export limits to any relationship/lookup endpoint so one account cannot enumerate the population. See § 1. Reference: California OAG.
Migrated from briefs/2026-05-31.md (v2).
← Operations dashboard · day page 2026-05-31 · run-record contract: docs/pipeline.md