ctipilot.ch

2026-06-06-d01b95fe

One pipeline fire, in full · intel run of 2026-06-06 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-06/2026-06-06-d01b95fe.md.

Run telemetry

2026-06-06-d01b95fe intel prompt v2.60
32m 47s duration 8 published 1 updates
Claude Opus 4.8 (claude-opus-4-8) main agent
S1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
9
Duration
9m 09s
Tool calls
22 WebFetch9 WebSearch14 bridge
Cited sources
2 of 27 in slice
S2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
10m 18s
Tool calls
18 WebFetch6 WebSearch12 bridge
Cited sources
2 of 43 in slice
S3 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
5
Duration
7m 08s
Tool calls
5 WebFetch7 WebSearch18 bridge
Cited sources
1 of 68 in slice
S4 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
5m 48s
Tool calls
18 WebFetch6 WebSearch12 bridge
Cited sources
4 of 26 in slice

Verification

#1 CLEAN · Claude Opus 4.8 · t=0 e=0 a=0

Deep dive

2026-06-06/luna-moth-silent-ransom-group-unc3753-vishing-to-physical-ac

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

Source (uncovered)URL triedMethod chainStatus / classWhat the agent did instead
databreaches-nethttps://databreaches.net/bridge:urlbridge:wayback403 transport-403
bridge url fetch returned empty body — Cloudflare protection active
none — overlap covered by risky-biz-news/bleepingcomputer
inside-it-chhttps://www.inside-it.ch/rss/newsflash.rssbridge:feedbridge:urlbridge:wayback0 transport-403
feed + url + wayback all returned empty
WebSearch fallback — no in-window items
sophos-xopshttps://www.sophos.com/en-us/blog/feed?id=blt6f15f4f7deaf4242bridge:feedbridge:url503 transport-5xx
upstream HTTP 503 — sixth consecutive run
none
zdihttps://www.zerodayinitiative.com/blog/rss/bridge:feed404 transport-dns
feed URL 404 — appears changed
none
recordedfuture-insikthttps://www.recordedfuture.com/blog/rss.xmlbridge:feed404 transport-dns
RSS feed 404 — not functional
none

Bridge invocations (this run)

5 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).

3 ok2 empty feed
  • bridge:ncsc-csh.recent ×1
  • bridge:bsi-csaf ×1
  • bridge:cisa-kev ×1
  • bridge:sec-edgar.8k ×1
  • bridge:feed+url+wayback ×1

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-06-06-d01b95fe · Claude Opus 4.8 · 8 entries published

  • Items dropped:
    • CVE-2026-49975 (HTTP/2 Bomb) — surfaced by S1 and S2 but already covered as the full deep dive on 2026-06-04; the in-window BSI WID-SEC-2026-1791 and NCSC-CH advisory 12610 are national-CERT pickup, not a material new development (no new exploitation, no new patch beyond what was already reported), so it is not re-reported under PD-8.
    • Chrome 149 ANGLE sandbox-escape (reported CVSS 9.6) — does not clear a § 2 inclusion gate (no in-the-wild exploitation, no public PoC); the "record 429 vulnerabilities" framing is a vendor-release count, not threat signal. The single sub-agent that surfaced it (S1) had unreliable sourcing (below); the bare CVE id is therefore omitted from this note rather than recorded as fact. Apply Chrome auto-update via MDM as routine.
    • Everest Forms Pro WordPress unauthenticated RCE (reported CVSS 9.8) — only an NVD page (a hard-blocked source) and a single aggregator carried it; no acceptable vendor/research primary was reachable and the exploitation claim was single-source. Dropped pending a verifiable advisory; CVE id omitted as unverified.
    • Altium Enterprise Server path-traversal cluster (reported CVSS up to 10.0, unauth file write) — would clear the CVSS gate but is a niche electronics/defence-engineering product with no observed exploitation and low CH/EU public-sector nexus; the only sourcing was a single sub-agent whose URL ledger proved unreliable (below). CVE ids omitted as unverified.
    • ESET BTMOB Android RAT-as-a-service — primary source dated 2026-05-26 (well outside the 36 h window, and outside the 72 h developing window); Latin-America targeting with low CH/EU nexus.
    • Red Canary "Entra Agent ID → Teams" identity-abuse research — primary dated 2026-06-01, outside the 36 h window; genuinely relevant to CH/EU Copilot/M365 deployments and flagged here for possible pickup if a fresh development lands.
    • Hola Browser update-pipeline cryptominer compromise — real (Sophos/BleepingComputer) but lower operational signal (≈0.1 % of users, cryptominer payload); omitted for focus.
  • Single-source / reduced-confidence:
    • OP-512 (§ 3) is a single-source original disclosure by ReliaQuest; included as research with the lab named, per the PD-5 carve-out for primary research.
    • InfoGuard Q2 2026 Threat Intelligence Report (Iran-resumes / Rockwell FactoryTalk ICS pivot / Russia OT probing) — the InfoGuard primary blog was unreachable and only a German press relay (itiko.de) carried the specific findings; the FactoryTalk-pivot claim could not be independently corroborated, so it is logged here rather than reported as fact.
  • Data-quality note (research sub-agent reliability): S1 returned several fabricated or guessed Source URLs — its JFrog IronWorm URL returned HTTP 404, its OP-512 ReliaQuest URL and several The-Hacker-News slugs were incorrect, and it recorded false 200 statuses for those URLs in the run's URL-liveness ledger (work/<run-id>/url-liveness.tsv). Every S1-derived item retained in this brief (Cisco SD-WAN, SolarWinds Serv-U, IronWorm, Miasma, OP-512) was re-verified against independently-confirmed primaries (NCSC-CH / CISA-KEV bridge, ReliaQuest's correct URL, JFrog Research's correct URL) before inclusion; affected items were dropped.
  • Contradictions: S1 and S3 reported OP-512 with conflicting URLs and differing web-shell detail (S1: three role-specific shells; S3/ReliaQuest: one .aspx + two .ashx with RSA/RC4 per-deployment keying). Resolved in favour of the ReliaQuest source text, which was fetched and verified directly.
  • Coverage gaps: sec-disclosures-edgar (no Item 1.05 8-K filings in window); databreaches-net (HTTP 403, Cloudflare); inside-it-ch (HTTP 403 / empty feed across direct, RSS and Wayback — unreachable this run); sophos-xops (HTTP 503, sixth consecutive run); zdi, recordedfuture-insikt (RSS feed 404); cnil-fr, edpb (no in-window enforcement notices); sekoia (not fetched — time).

Migrated from briefs/2026-06-06.md (v2).

← Operations dashboard · day page 2026-06-06 · run-record contract: docs/pipeline.md