2026-06-02-8af85d01
One pipeline fire, in full · intel run of 2026-06-02 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-02/2026-06-02-8af85d01.md.
Run telemetry
- Items returned
- 4
- Duration
- 4m 44s
- Tool calls
- 14 WebFetch9 WebSearch12 bridge
- Cited sources
- 3 of 13 in slice
- Items returned
- 6
- Duration
- 9m 36s
- Tool calls
- 14 WebFetch11 WebSearch9 bridge
- Cited sources
- 8 of 12 in slice
- Items returned
- 8
- Duration
- 4m 09s
- Tool calls
- 11 WebFetch4 WebSearch14 bridge
- Cited sources
- 5 of 12 in slice
- Items returned
- 4
- Duration
- 3m 19s
- Tool calls
- 18 WebFetch5 WebSearch14 bridge
- Cited sources
- 4 of 10 in slice
Verification
Deep dive
2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g
Entries published (this run)
- Spain arrests doxer who published personal data on INCIBE, prosecutorial and security-service staff incident high
- "Miasma" worm backdoors 32 Red Hat Cloud Services npm packages via OIDC trusted-publishing abuse threat high
- Attackers social-engineer Meta's AI support chatbot into resetting Instagram passwords threat notable
- CVE-2026-8732 — WP Maps Pro WordPress plugin: unauthenticated admin-account creation, actively exploited vulnerability notable
- CVE-2026-8931 — Disig Web Signer: critical RCE in a Slovak electronic-signature client vulnerability notable
- CVE-2026-44825 — Apache Solr: unauthenticated admin via hardcoded template credentials, no patch yet vulnerability notable
- Sekoia consolidates Gamaredon tooling under GammaPhish / GammaWorm, details an NTFS-ADS USB+network worm research notable
- GoDaddy documents WordPress malware using Steam profile comments as a Unicode-steganography C2 resolver research notable
- Windows Netlogon CVE-2026-41089 moves from "patch-available" to actively exploited vulnerability critical update
- ShinyHunters publishes the Charter Communications dataset after ransom refusal incident notable update
- Operation Dragon Weave: China-nexus espionage against Czech government with Azure Blob Storage dead-drop C2 threat high
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| sec-disclosures-edgar | https://efts.sec.gov/LATEST/search-index?q=%22Item+1.05%22&forms=8-K&startdt=202 | bridge:url | 500 transport-5xx EDGAR EFTS full-text search returned HTTP 500 for both date windows tried | none — no 8-K Item 1.05 filings retrievable |
| sophos-xops | https://www.sophos.com/en-us/blog | webfetch | 503 transport-5xx Sophos blog feed + news firehose returned HTTP 503 (rotation-priority source) | none — Wayback time-boxed; no Sophos items this run |
| cert-fr-actualite | https://www.cert.ssi.gouv.fr/ | webfetch | 200 CERT-FR actualites RSS stalled — most recent item dated 2025-10-27; no in-window content | none — feed not updating |
Bridge invocations (this run)
4 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).
- bridge:cisa-kev ×1
- bridge:enisa-euvd.recent ×1
- bridge:bsi-csaf ×1
- bridge:ncsc-csh.recent ×1
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #1 NEEDS_FIXES · 5 findings (truth=2, editorial=0, advisory=3) · Claude Opus 4.8 · 3m 02s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | trending-vulnerabilities | CVE-2026-8931 — Disig Web Signer | Disig vendor advisory does not itself state CVE/RCE/CVSS 9.4/eIDAS context; those rest on EUVD which verifier saw as empty SPA shell. | Re-anchored item to ENISA EUVD EUVD-2026-33648 as primary (CVE/RCE/CVSS 9.4/SK-CERT confirmed via enisa-euvd bridge re-fetch); dropped unsourced specifics (slov fixed-clean |
| F13 analytical-link-as-fact | deep-dive | Operation Dragon Weave Seqrite ... tooling overlaps it links to SteppeDriver and UNC5221 | Seqrite primary names no group / never mentions SteppeDriver/UNC5221; that grouping is from The Hacker News roundup. | Re-attributed the SteppeDriver/UNC5221 overlap to The Hacker News (with inline link); kept Seqrite's China-nexus as moderate-confidence, no-named-group. fixed-clean |
| F9 surface-contradiction | active-threats | Miasma worm — Red Hat npm ~80,000 weekly downloads (Wiz) vs 116,991 (Aikido) | Brief silently used Wiz's ~80k figure; Aikido states ~117k for the same clause. | Surfaced both figures with attribution (Wiz ~80,000; Aikido ~117,000). fixed-clean |
| F11 editorial-advisory | trending-vulnerabilities | CVE-2026-8732 — WP Maps Pro BleepingComputer date / CVSS-9.8 attribution | BleepingComputer article dated 2026-05-31 (not 06-01); CVSS 9.8 carried by THN not BleepingComputer. | Corrected BleepingComputer inline date to 2026-05-31; attributed CVSS 9.8 to The Hacker News. fixed-clean |
| F11 editorial-advisory | updates | Charter §4 UPDATE — ShinyHunters vishing/Entra/Salesforce chain | Chain not in cited Security Affairs source but valid as prior-coverage callback. | Reframed the vishing/Entra/Salesforce chain explicitly as established prior-coverage callback rather than a claim from the cited source. fixed-clean |
Iteration #2 NEEDS_FIXES · 2 findings (truth=2, editorial=0, advisory=0) · Claude Sonnet 4.6 · 4m 07s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F13 analytical-link-as-fact | deep-dive | Operation Dragon Weave link to SteppeDriver/UNC5221 tooling comes from The Hacker News | iter1 remediation incomplete: THN presents SteppeDriver/UNC5221 as distinct clusters with no stated connection to Dragon Weave; opening clause still implied THN established a link. | Rewrote attribution: states the clusters are distinct/separate and that neither Seqrite nor THN connects Dragon Weave to them; removed 'link to ... tooling' fra fixed-clean |
| F5 missing-citation | tldr | TL;DR Netlogon bullet stack-based buffer overflow in `netlogon.dll` | BleepingComputer says 'Windows Netlogon' not 'netlogon.dll'; DLL filename unsupported by cited source. | Replaced `netlogon.dll` with 'the Windows Netlogon service' in the TL;DR bullet. fixed-clean |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-06-02-8af85d01 · Claude Opus 4.8 · 12 entries published
- Items dropped (out of window, window_hours = 36):
- PHANTOMPULSE blockchain-C2 RAT (Elastic Security Labs) — primary dated 2026-05-22, well outside window; single-source. Strong analysis but stale for a daily.
- Check Point AI Threat Landscape Digest (Mar–Apr 2026) — primary dated 2026-05-26, out of window; overlaps the W22 weekly's AI-tooling coverage; also carried several unverifiable forward-looking model/CVE claims that could not be corroborated.
- CIFSwitch — Linux kernel CIFS LPE (CVE-2026-46243) — freshest source 2026-05-30 (out of window) and a local-privilege-escalation that does not clear a §2 inclusion gate (no active exploitation, not pre-auth RCE). Notable item; may resurface if exploitation emerges.
- Vodafone source-code leak (Lapsus$) — the underlying leak occurred 2026-05-12 (out of window); the 1 June heise re-reporting carries no fresh delta, and the technical corroboration (OpsecInsider) is reduced-confidence. Reduced confidence on the hardcoded-credential detail.
- CVEs referenced but not given a §2 entry:
- CVE-2024-21182 (Oracle WebLogic T3/IIOP, CVSS 7.5) — added to the CISA KEV catalog on 2026-06-01 (active-exploitation signal noted). Dropped from §2 because the only in-window source is the CISA KEV catalog (a blocked listing URL) and Oracle's July-2024 CPU advisory is out of window — no citable in-window primary for the listing. Per PD-13 the US FCEB BOD 22-01 due date (2026-06-04) is not the operational driver in any case.
- Single-source items dropped:
- Dashlane brute-force / credential-stuffing lockouts (BleepingComputer, single-source) — routine credential-stuffing with no confirmed backend compromise; below the daily relevance bar. Defender note retained here: ensure password-manager accounts require a second factor for new-device enrolment.
- Deferred to the weekly horizon view: Anthropic "Mythos" / Project Glasswing — ENISA access (Bloomberg, 2026-06-01). In-window and EU-public-sector-relevant, but it is a policy/horizon development rather than a 1–7-day operational item and is framed around vendor performance metrics this brief excludes. Better suited to the weekly § Policy & regulatory horizon. Standing defender takeaway: vulnerabilities in widely-used software may become known to EU bodies before they are shared with non-EU jurisdictions (including Switzerland) — keep independent vulnerability-management cadence high on internet-facing systems.
- Contradiction — CVE-2026-41089 network vector: sub-agent returns disagreed on the exact trigger. One framed it as the Netlogon RPC interface (MS-NRPC); another, citing heise, described an oversized field in a CLDAP (LDAP locator) request over UDP/389. BleepingComputer's coverage specifies only "a specially crafted network request to a domain controller" and Microsoft's advisory states the component (Netlogon) without a port/protocol. The brief therefore describes the affected component and the unauthenticated-network nature precisely and does not assert a specific port. Detection guidance was kept at the component/behaviour level accordingly.
- Exploitation-attribution nuance — CVE-2026-41089: active exploitation is asserted by CCB Belgium (national CSIRT) and corroborated by BleepingComputer, Help Net Security and SecurityWeek; Microsoft had not updated its advisory to mark the CVE exploited as of 2026-06-01. The Immediate Action and §4 update both attribute the exploitation signal to CCB rather than the vendor.
- Candidate source added this run (one max):
seqrite-labs(Seqrite Labs / Quick Heal research arm) — provided the original Operation Dragon Weave research underpinning today's deep dive; fills an India/APAC-plus-EU gap in the source list. Added ascandidate. Separately, the existing candidateccb-belgiumcontributed corroborating content again this run (CVE-2026-41089 exploitation confirmation) and had its successful-fetch timestamp advanced — progressing toward promotion, not a new addition. - Sourcing notes (reduced-confidence / journalistic-only primaries): CVE-2026-8732 (WP Maps Pro) — no public vendor PSIRT advisory exists for the plugin; the strongest available primaries are BleepingComputer and The Hacker News carrying Wordfence's exploitation data. Meta AI support-bot Instagram takeover — Meta issued no detailed technical advisory; reporting rests on Krebs on Security and TechCrunch. Both items are corroborated across two independent outlets and are reported with that limitation noted.
- Coverage gaps: sec-edgar (EDGAR full-text search returned HTTP 500 for both date windows; no 8-K Item 1.05 filings retrievable); sophos-xops (HTTP 503, rotation-priority, unrecovered); therecord (feed HTTP 404; partially recovered via BleepingComputer/WebSearch); inside-it-ch (rotation-priority, not attempted in window); databreaches-net (rotation-priority, not attempted); cert-fr-actualite (feed stalled at Oct 2025); anssi-fr (most recent CERT-FR avis dated 2026-05-22, out of window).
Unmatched action items (migrated)
- Update WP Maps Pro to 6.1.1 on any WordPress estate, then audit for rogue administrator accounts created during the exposure window — exploitation is live (see §2).
- Remediate Apache Solr template credentials now (no patch released): delete the
superadmin/admin/search/indextemplate users fromsecurity.jsonor rotate their passwords, and confirm Solr's API is not internet-exposed (see §2). - Update Disig Web Signer to 2.5.5 on government and regulated-sector workstations that perform eIDAS qualified-signing workflows; inventory for older 2.0.3–2.5.3 builds (see §2).
- Inventory
@redhat-cloud-services/*npm versions across build agents and developer endpoints; rotate any CI/CD cloud-identity tokens (AWS/GCP/Azure/Vault/Kubernetes) reachable from affected pipelines and alert on obfuscatedpreinstallnode -echains (see §1). - Verify KS-SOMED auto-update integrity in any environment running KAMSOFT healthcare software, and hunt for FTP connections to vendor update servers from non-vendor source IPs (see §1).
- Hunt for the Gamaredon GammaWorm pattern and the WordPress/Steam C2 pattern —
mshta.exe→wscript.exechains, NTFS-ADS-hidden scripts and Telegra.ph/Supabase/Workers dead-drops; web-server processes reachingsteamcommunity.comprofile pages and@eval(base64_decode(...))PHP underwp-content/uploads(see §3). - Review any AI helpdesk/account-recovery agent's authority to change credentials or recovery linkages — require out-of-band challenge to the currently registered second factor before any such change (see §1).
- Baseline legitimate Azure Blob Storage egress and alert on
blob.core.windows.nettraffic from non-Azure-native host processes to catch Dragon Weave-style dead-drop C2 (see §5).
Migrated from briefs/2026-06-02.md (v2).
← Operations dashboard · day page 2026-06-02 · run-record contract: docs/pipeline.md