2026-06-06-d01b95fe
One pipeline fire, in full · intel run of 2026-06-06 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-06/2026-06-06-d01b95fe.md.
Run telemetry
- Items returned
- 9
- Duration
- 9m 09s
- Tool calls
- 22 WebFetch9 WebSearch14 bridge
- Cited sources
- 2 of 27 in slice
- Items returned
- 4
- Duration
- 10m 18s
- Tool calls
- 18 WebFetch6 WebSearch12 bridge
- Cited sources
- 2 of 43 in slice
- Items returned
- 5
- Duration
- 7m 08s
- Tool calls
- 5 WebFetch7 WebSearch18 bridge
- Cited sources
- 1 of 68 in slice
- Items returned
- 4
- Duration
- 5m 48s
- Tool calls
- 18 WebFetch6 WebSearch12 bridge
- Cited sources
- 4 of 26 in slice
Verification
Deep dive
2026-06-06/luna-moth-silent-ransom-group-unc3753-vishing-to-physical-ac
Entries published (this run)
- Five Eyes joint bulletin: Chinese military intelligence recruiting cleared personnel through LinkedIn and job platforms threat high
- IronWorm: Rust-built npm worm ships an eBPF kernel rootkit, Tor C2 and a cloud/AI-credential sweep threat high
- CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: actively-exploited command-injection to root (no patch) vulnerability high
- CVE-2026-28318 — SolarWinds Serv-U: unauthenticated DoS added to CISA KEV vulnerability high
- CVE-2026-10868 — MISP: critical mass-assignment account-takeover in the EU threat-sharing platform vulnerability high
- OP-512: China-linked cluster runs a cryptographically-unique, self-reporting IIS web-shell framework against legacy .NET servers research notable
- Miasma supply-chain worm reaches 73 Microsoft GitHub repositories, adds Azure credential collectors threat notable update
- Luna Moth / Silent Ransom Group (UNC3753): vishing-to-physical-access data-theft extortion against legal and professional services threat high
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| databreaches-net | https://databreaches.net/ | bridge:url → bridge:wayback | 403 transport-403 bridge url fetch returned empty body — Cloudflare protection active | none — overlap covered by risky-biz-news/bleepingcomputer |
| inside-it-ch | https://www.inside-it.ch/rss/newsflash.rss | bridge:feed → bridge:url → bridge:wayback | 0 transport-403 feed + url + wayback all returned empty | WebSearch fallback — no in-window items |
| sophos-xops | https://www.sophos.com/en-us/blog/feed?id=blt6f15f4f7deaf4242 | bridge:feed → bridge:url | 503 transport-5xx upstream HTTP 503 — sixth consecutive run | none |
| zdi | https://www.zerodayinitiative.com/blog/rss/ | bridge:feed | 404 transport-dns feed URL 404 — appears changed | none |
| recordedfuture-insikt | https://www.recordedfuture.com/blog/rss.xml | bridge:feed | 404 transport-dns RSS feed 404 — not functional | none |
Bridge invocations (this run)
5 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).
- bridge:ncsc-csh.recent ×1
- bridge:bsi-csaf ×1
- bridge:cisa-kev ×1
- bridge:sec-edgar.8k ×1
- bridge:feed+url+wayback ×1
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-06-06-d01b95fe · Claude Opus 4.8 · 8 entries published
- Items dropped:
- CVE-2026-49975 (HTTP/2 Bomb) — surfaced by S1 and S2 but already covered as the full deep dive on 2026-06-04; the in-window BSI WID-SEC-2026-1791 and NCSC-CH advisory 12610 are national-CERT pickup, not a material new development (no new exploitation, no new patch beyond what was already reported), so it is not re-reported under PD-8.
- Chrome 149 ANGLE sandbox-escape (reported CVSS 9.6) — does not clear a § 2 inclusion gate (no in-the-wild exploitation, no public PoC); the "record 429 vulnerabilities" framing is a vendor-release count, not threat signal. The single sub-agent that surfaced it (S1) had unreliable sourcing (below); the bare CVE id is therefore omitted from this note rather than recorded as fact. Apply Chrome auto-update via MDM as routine.
- Everest Forms Pro WordPress unauthenticated RCE (reported CVSS 9.8) — only an NVD page (a hard-blocked source) and a single aggregator carried it; no acceptable vendor/research primary was reachable and the exploitation claim was single-source. Dropped pending a verifiable advisory; CVE id omitted as unverified.
- Altium Enterprise Server path-traversal cluster (reported CVSS up to 10.0, unauth file write) — would clear the CVSS gate but is a niche electronics/defence-engineering product with no observed exploitation and low CH/EU public-sector nexus; the only sourcing was a single sub-agent whose URL ledger proved unreliable (below). CVE ids omitted as unverified.
- ESET BTMOB Android RAT-as-a-service — primary source dated 2026-05-26 (well outside the 36 h window, and outside the 72 h developing window); Latin-America targeting with low CH/EU nexus.
- Red Canary "Entra Agent ID → Teams" identity-abuse research — primary dated 2026-06-01, outside the 36 h window; genuinely relevant to CH/EU Copilot/M365 deployments and flagged here for possible pickup if a fresh development lands.
- Hola Browser update-pipeline cryptominer compromise — real (Sophos/BleepingComputer) but lower operational signal (≈0.1 % of users, cryptominer payload); omitted for focus.
- Single-source / reduced-confidence:
- OP-512 (§ 3) is a single-source original disclosure by ReliaQuest; included as research with the lab named, per the PD-5 carve-out for primary research.
- InfoGuard Q2 2026 Threat Intelligence Report (Iran-resumes / Rockwell FactoryTalk ICS pivot / Russia OT probing) — the InfoGuard primary blog was unreachable and only a German press relay (itiko.de) carried the specific findings; the FactoryTalk-pivot claim could not be independently corroborated, so it is logged here rather than reported as fact.
- Data-quality note (research sub-agent reliability): S1 returned several fabricated or guessed Source URLs — its JFrog IronWorm URL returned HTTP 404, its OP-512 ReliaQuest URL and several The-Hacker-News slugs were incorrect, and it recorded false
200statuses for those URLs in the run's URL-liveness ledger (work/<run-id>/url-liveness.tsv). Every S1-derived item retained in this brief (Cisco SD-WAN, SolarWinds Serv-U, IronWorm, Miasma, OP-512) was re-verified against independently-confirmed primaries (NCSC-CH / CISA-KEV bridge, ReliaQuest's correct URL, JFrog Research's correct URL) before inclusion; affected items were dropped. - Contradictions: S1 and S3 reported OP-512 with conflicting URLs and differing web-shell detail (S1: three role-specific shells; S3/ReliaQuest: one
.aspx+ two.ashxwith RSA/RC4 per-deployment keying). Resolved in favour of the ReliaQuest source text, which was fetched and verified directly. - Coverage gaps: sec-disclosures-edgar (no Item 1.05 8-K filings in window); databreaches-net (HTTP 403, Cloudflare); inside-it-ch (HTTP 403 / empty feed across direct, RSS and Wayback — unreachable this run); sophos-xops (HTTP 503, sixth consecutive run); zdi, recordedfuture-insikt (RSS feed 404); cnil-fr, edpb (no in-window enforcement notices); sekoia (not fetched — time).
Migrated from briefs/2026-06-06.md (v2).
← Operations dashboard · day page 2026-06-06 · run-record contract: docs/pipeline.md