2026-06-11-7edf1d8a
One pipeline fire, in full · intel run of 2026-06-11 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-11/2026-06-11-7edf1d8a.md.
Run telemetry
- Items returned
- 6
- Duration
- 6m 14s
- Tool calls
- not reported
- Cited sources
- 3 of 21 in slice
- Items returned
- 5
- Duration
- 3m 32s
- Tool calls
- not reported
- Cited sources
- 2 of 26 in slice
- Items returned
- 5
- Duration
- 9m 43s
- Tool calls
- not reported
- Cited sources
- 2 of 35 in slice
- Items returned
- 4
- Duration
- 12m 00s
- Tool calls
- not reported
- Cited sources
- 3 of 9 in slice
Verification
Deep dive
2026-06-11/shinyhunters-oracle-peoplesoft-campaign-gadget-chain-access
Entries published (this run)
- ServiceNow unauthenticated REST endpoint queried customer instance tables before a silent 5 June patch incident high
- "RoguePlanet" Microsoft Defender zero-day: TOCTOU race in the scan engine yields a SYSTEM shell, no CVE, no patch threat high
- EDPB adopts a harmonised GDPR Article 33 breach-notification template; consultation open to 5 August incident notable
- CVE-2026-5027 — Langflow: unauthenticated path traversal to arbitrary file write, exploited in the wild vulnerability high
- Black Lotus Labs: the Volt Typhoon-linked JDY botnet doubles to 1,500+ devices and weaponises CVE disclosures within hours research notable
- CrowdStrike 2026 Technology Threat Landscape Report: technology is now the most-targeted sector annual-report notable
- Windows Netlogon RCE CVE-2026-41089 now confirmed exploited in the wild in the EU; CERT-EU issues advisory 2026-007 vulnerability high
- ShinyHunters Oracle PeopleSoft campaign: gadget-chain access, SSH default-credential lateral movement, mass exfiltration threat high
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| databreaches-net | https://databreaches.net/ | bridge:url → bridge:wayback | 0 transport-403 no usable Wayback snapshot >= 5000 bytes in last 180 days; Cloudflare challenge on direct | WebSearch fallback — no in-window exclusive items |
| sec-disclosures-edgar | https://efts.sec.gov/LATEST/search-index?q=%22Item+1.05%22&forms=8-K&startdt=202 | bridge:sec-edgar → webfetch | 0 bridge returned {total:0,hits:[]} for all windows; direct curl 403 'Undeclared Automated Tool' | WebSearch found EVERTEC 8-K (later dropped — no CH/EU nexus) |
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #1 NEEDS_FIXES · 2 findings (truth=2, editorial=0, advisory=0) · Claude Opus 4.8 · 3m 41s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | active-threats | RoguePlanet Microsoft Defender zero-day GreatXML BitLocker-bypass attributed to NCSC-CH GovCERT 12622 | NCSC-CH post 12622 does not name GreatXML; neither do the other cited sources. | Dropped the GreatXML clause; rewrote to list the prior Defender drops NCSC actually consolidates (BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma). fixed-clean |
| F14 quantifier-without-source | active-threats | ServiceNow unauthenticated REST endpoint roughly five API requests per tenant; 2-3 June window | Per-tenant request count in no cited source; exploitation window should be 2-4 June per THN. | Dropped the per-tenant count; aligned exploitation window to 2-4 June in TL;DR and § 1. fixed-clean |
Iteration #2 NEEDS_FIXES · 2 findings (truth=1, editorial=0, advisory=1) · Claude Sonnet 4.6 · 3m 38s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | active-threats | RoguePlanet Microsoft Defender zero-day GreenPlasma/CVE-2026-50507 | GreenPlasma is CVE-2026-45586 (CTFMON EoP); CVE-2026-50507 is a separate BitLocker bypass. | Corrected GreenPlasma CVE to CVE-2026-45586; added it to cves_seen.json. fixed-clean |
| F11 citation-date | updates | Netlogon CVE-2026-41089 UPDATE (BleepingComputer, 2026-06-10) | BleepingComputer Netlogon article published 2026-06-01 (updated 06-02), not 06-10. | Corrected the citation date annotation to 2026-06-01. fixed-clean |
Iteration #3 NEEDS_FIXES · 2 findings (truth=1, editorial=0, advisory=1) · Claude Opus 4.8 · 2m 58s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F4 hallucinated-fact-regression | active-threats | RoguePlanet Microsoft Defender zero-day GreenPlasma/CVE-2026-45586 | Regression from iter-2: item's cited primary NCSC-CH 12622 says GreenPlasma=CVE-2026-50507; CVE-2026-45586 is an unrelated CTFMON EoP per SecurityWeek. | Reverted to CVE-2026-50507 (matches cited primary NCSC-CH 12622 and both original sub-agents); removed CVE-2026-45586 from cves_seen; added a § 7 cross-source d fixed-clean |
| F11 editorial-advisory | research | CrowdStrike 2026 Technology Threat Landscape Report 58% figure loosely coupled to three named PANDA clusters | Advisory only: the 58% state-sponsored figure is loosely associated with the named PANDA clusters. | Left as-is — F11 advisory; the report names the clusters and the 58% figure separately, and the brief presents them as report findings, not a derived causal lin deferred |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-06-11-7edf1d8a · Anthropic Claude (specific model not determined) · 8 entries published
- Items dropped:
- CVE-2026-25089 (FortiSandbox unauthenticated OS command injection, CVSS 9.8, patched 9 June) — dropped from § 2 because it cleared no inclusion gate: not in CISA KEV, no confirmed ENISA EUVD listing, no in-the-wild exploitation reported, and no public PoC. The Fortinet PSIRT page (FG-IR-26-141) returned "Unavailable" on fetch, so no primary advisory URL could be cited. Will reassess if exploitation or a working PoC emerges.
- EVERTEC / Banco Popular de Puerto Rico SEC 8-K (third-party support-platform breach, payment-card data) — dropped: no Switzerland/EU and no public-sector nexus (Puerto Rico banking). Logged as a third-party-vendor-risk pattern only; not within audience scope this run.
- BACS/NCSC-CH G7 Évian pre-event threat bulletin — dropped: the campaign is already covered (
campaign:g7-evian-2026) and the primary advisory is dated 1 June 2026, outside the 36 h recency window, with no fresh in-window delta.
- Single-source items: CrowdStrike's claim of an
axiosnpm-package compromise (§ 3) is asserted only by CrowdStrike in this run — flagged single-source-vendor pending independent corroboration. The rest of the CrowdStrike report is treated under the PD-9 one-treatment rule for periodic reports. - Contradiction resolved: Langflow CVE-2026-5027 patch status — one research stream reported "no patch available," another reported a fix in Langflow 1.9.0 / langflow-base 0.8.3 with 1.10.0 on 10 June. Brief reports patch-available on the basis of the more recent, BleepingComputer-sourced read; defenders should confirm the fixed version against the vendor release notes.
- Attribution caveat: ServiceNow (§ 1) — exploitation was observed against a subset of customers, but ServiceNow attributes the activity to "likely security researchers / bug-bounty," while NCSC-CH GovCERT records it as "Actively Exploited." The brief presents both framings rather than asserting malicious exploitation. The ShinyHunters PeopleSoft "gadget chain of zero-days" (§ 5) is attacker-asserted and not vendor-confirmed.
- Cross-source discrepancy (GreenPlasma CVE): the RoguePlanet item's cited primary, NCSC-CH GovCERT post 12622, maps the GreenPlasma zero-day to CVE-2026-50507, and SecurityWeek lists CVE-2026-45586 as a separate Windows CTFMON elevation-of-privilege flaw; a separate (non-cited) June Patch Tuesday round-up instead associates CVE-2026-45586 with GreenPlasma. The brief follows its cited primary (NCSC-CH 12622) and reports GreenPlasma as CVE-2026-50507. The GreenPlasma/YellowKey CVEs are background context for the RoguePlanet disclosure, not the operative item.
- Coverage gaps: databreaches-net (Cloudflare challenge / no usable Wayback snapshot — bridge blocked); sec-disclosures-edgar (EDGAR full-text bridge returned 0 results across all tested windows, direct fetch 403 "Undeclared Automated Tool"; EVERTEC 8-K found via WebSearch fallback); inside-it-ch (Cloudflare Managed Challenge on all attempts); sophos-xops (known 503 pattern, not attempted); greynoise (no in-window posts); fortiguard-psirt (FG-IR-26-141 returned "Unavailable"); cert-fr-actu (feed capped at 2025 entries); ncsc-ch-kw24 (Week-24 review not yet published as of run time).
Unmatched action items (migrated)
- Audit ServiceNow Scripted REST Resources for
requires_authentication=falseand rotate exposed secrets. Checksys_ws_operationfor unauthenticated endpoints, reviewaccess_log_transactionfor requests to/api/now/related_list_editin the 2–5 June window, and rotate any credentials or API tokens stored in support-ticket workflows. Confirm via the support portal whether a case was opened on your tenant. See § 1. - For PeopleSoft operators: rotate default SSH service accounts and hunt for ransom-note artefacts. Rename/disable
psoft,oracle,linuxadm; enforce SSH key-only auth; restrict the admin tier to jump-host access; reviewauthorized_keys; and treat unexpected ransom-note text files in web/app document roots as a lateral-movement indicator. See § 5. - With no patch for "RoguePlanet," instrument Defender process-tree monitoring. Alert on
MsMpEng.exespawningcmd.exe/powershell.exe(Sysmon EID 1 / Windows 4688) and on SYSTEM-context shells not tied to a service restart. See § 1.
Migrated from briefs/2026-06-11.md (v2).
← Operations dashboard · day page 2026-06-11 · run-record contract: docs/pipeline.md