ctipilot.ch

2026-06-12-5ab9a319

One pipeline fire, in full · intel run of 2026-06-12 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-12/2026-06-12-5ab9a319.md.

Run telemetry

2026-06-12-5ab9a319 intel prompt v2.60
1h 08m duration 12 published 1 updates
Claude Fable 5 (claude-fable-5) main agent
S1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
8
Duration
11m 01s
Tool calls
14 WebFetch8 WebSearch18 bridge
Cited sources
3 of 10 in slice
S2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
5
Duration
7m 24s
Tool calls
12 WebFetch5 WebSearch8 bridge
Cited sources
5 of 8 in slice
S3 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
5
Duration
5m 12s
Tool calls
18 WebFetch6 WebSearch14 bridge
Cited sources
7 of 9 in slice
S4 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
6
Duration
7m 29s
Tool calls
14 WebFetch10 WebSearch10 bridge
Cited sources
5 of 9 in slice

Verification

#1 NEEDS_FIXES · Anthropic Claude Opus 4.8 · t=3 e=1 a=2 #2 NEEDS_FIXES · Claude Sonnet 4.6 · t=3 e=0 a=1 #3 NEEDS_FIXES · Anthropic Claude Opus 4.8 · t=6 e=0 a=0 #4 CLEAN · Anthropic Claude Sonnet 4.6 · t=0 e=0 a=0

Deep dive

2026-06-12/mariadb-cve-2026-49261-galera-wsrep-notify-cmd-shell-injecti

Entries published (this run)

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

Source (uncovered)URL triedMethod chainStatus / classWhat the agent did instead
databreaches-nethttps://databreaches.net/webfetchbridge:url403 robots-blocked
Cloudflare interstitial block; Wayback fallback not attempted
none — no unique signal beyond BleepingComputer/TheRecord
sophos-xopshttps://news.sophos.com/feedwebfetchbridge:url503 transport-5xx
503 on both sophos.com/en-us/blog/feed and news.sophos.com/feed
none — no in-window Sophos items identified
cnil-frhttps://www.cnil.fr/fr/rss.xmlwebfetchwebsearch404 transport-404
CNIL RSS 404; no in-window enforcement actions found via WebSearch
none — no in-window CNIL actions

Bridge invocations (this run)

4 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).

3 ok1 empty feed
  • bridge:ncsc-csh.recent ×1
  • bridge:ncsc-nl.csaf ×1
  • bridge:cisa-kev ×1
  • bridge:url ×1

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #1 NEEDS_FIXES · 6 findings (truth=3, editorial=1, advisory=2) · Claude Opus 4.8 · 4m 03s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F4
hallucinated-fact
active-threatsThe Gentlemen — 478 victims/66 countries/sectors
66 countries including Germany, France and the UK, with education, transport, healthcare and finance
Cited sources confirm only 478 victims + Thailand/UK/Brazil/Germany/India concentration; no 66-country count, no France, no sector list.Rewrote to THN concentration (Thailand/UK/Brazil/Germany/India) + Krebs (Germany/UK); dropped 66-countries/France/sectors fixed-clean
F4
hallucinated-fact
active-threatsThe Gentlemen — affiliate origins
drawing former LockBit, Qilin and Medusa affiliates
Check Point confirms 90/10 split but not LockBit/Qilin/Medusa migration.Dropped the LockBit/Qilin/Medusa clause; kept 90/10 split fixed-clean
F4
hallucinated-fact
researchESET OceanLotus SPECTRALVIPER techniques
process hollowing, COM hijacking — T1195.002, T1055.012
ESET supports T1195.002 + generic T1055/DLL side-loading, not hollowing/COM-hijacking; T1055.012 is Process Hollowing not COM hijacking.Changed to process injection + DLL side-loading (T1195.002, T1055); dropped COM hijacking and .012 fixed-clean
F9
surface-contradiction
trending-vulnerabilitiesCVE-2026-25089 FortiSandbox CVSS
9.1 (NCSC-NL) vs 9.8 (CCB Belgium)
CVSS disagreement between cited national CERTs.Added §7 contradiction note; retained NCSC-NL 9.1, flagged disagreement fixed-clean
F11
editorial-advisory
active-threatsMaine VRChat quote
the employee/email cited does not exist
'/email' inserted inside quote marks; source reads 'the employee cited'.Corrected quote to 'the employee cited does not exist' fixed-clean
F11
editorial-advisory
active-threatsCheck Point citation date
[Check Point Research, 2026-06-09]
Page date is 2026-05-13, not 06-09.Corrected citation date to 2026-05-13; §7 recency note updated fixed-clean

Iteration #2 NEEDS_FIXES · 4 findings (truth=3, editorial=0, advisory=1) · Claude Sonnet 4.6 · 3m 28s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F4
hallucinated-fact
tldrThe Gentlemen TL;DR 478/66 countries
478 victims across 66 countries, Germany and France included
§0 TL;DR not updated when §1 body fixed in iter1; no source supports 66 countries/France.Updated TL;DR bullet to '478 leak-site victims (Germany and the UK among the most-affected)' fixed-clean
F3
claim-not-supported
trending-vulnerabilitiesFortiSandbox CVE-2026-25089 'no PoC'
No exploitation or public PoC is reported
CCB Belgium (cited) states a public PoC is available; contradicts brief.Rewrote to quote CCB on public PoC; added poc-public to Tags + Status fixed-clean
F3
claim-not-supported
active-threatsVRChat quote
the employee cited does not exist
BleepingComputer verbatim is 'the employee/email cited does not exist'; iter1 removal made it inaccurate.Restored '/email' to match source verbatim fixed-clean
F11
editorial-advisory
researchnpm Yarn/pnpm/Bun comparison
aligns npm with Yarn, pnpm and Bun
GitHub primary doesn't name them; BleepingComputer additional source may.Softened to 'other package managers that already block install scripts by default' fixed-clean

Iteration #3 NEEDS_FIXES · 6 findings (truth=6, editorial=0, advisory=0) · Claude Opus 4.8 · 3m 48s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
claim-not-supported
trending-vulnerabilitiesFortiSandbox CVSS
CVSS 9.1 + fabricated §7 contradiction
Both cited sources (NCSC-NL, CCB) record 9.8; 9.1 unsupported and the contradiction note fabricated.Set CVSS 9.8 in prose/table/footer; removed §7 contradiction note fixed-clean
F2
claim-not-supported
trending-vulnerabilitiesFortiSandbox PoC quote
"a proof-of-concept exploit is publicly available, heightening exploitation risk"
Not verbatim in CCB; substance fine.Replaced quotation with paraphrase of CCB wording fixed-clean
F3
claim-not-supported
active-threatsGentlemen geography attribution
Krebs separately lists Germany and the UK among the most-affected
Krebs does not state this; geography is THN's.Re-attributed geography to THN in TL;DR, §1 body, §7; removed Krebs geography clause fixed-clean
F4
hallucinated-fact
active-threatsGentlemen H3 heading 66 countries
478 claimed victims across 66 countries
No source supports 66 countries; §7 itself says it was dropped.Removed 'across 66 countries' from H3 heading fixed-clean
F5
analytical-link-as-fact
active-threatsPRODAFT administrator-supplies-credentials
PRODAFT adds that the administrator supplies affiliates ... Fortinet SSL-VPN credentials
No PRODAFT URL cited; not in Krebs; Check Point says affiliates obtain creds independently.Dropped PRODAFT high-confidence + supplies-credentials claim; re-attributed Fortinet SSL-VPN access to Check Point; noted drop in §7 fixed-clean
F6
claim-not-supported
deep-diveMariaDB companion CVEs CVSS 8.0 / SST
CVE-2026-48165 and CVE-2026-48163 (both CVSS 8.0) ... SST handshake (NCSC-CH)
NCSC-CH names only CVE-2026-49261; 8.0/SST unsourced. MariaDB Foundation names all three, no CVSS.Re-attributed companions to MariaDB Foundation; dropped CVSS 8.0 and SST specificity; footer CVSS per-CVE with n/a for companions; cves_seen titles corrected fixed-clean

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-06-12-5ab9a319 · Claude Fable 5 · 12 entries published

  • Single-source items: the Maine breach-portal abuse (§ 1, BleepingComputer only — corroborated in substance by company denials quoted therein); ESET OceanLotus/FireAnt (§ 3, ESET Research as primary disclosing lab, THN corroborates the same write-up). Both flagged inline.
  • Reduced-confidence / contested: GreatXML (§ 1) — the BitLocker bypass is real and has a public PoC, but practical severity is disputed (Will Dormann notes the prerequisite Defender Offline scan requires admin, which already permits disabling BitLocker). Reported with the disagreement intact; no CVE assigned.
  • Contradiction — The Gentlemen victim count: the group's leak site claims 478 victims (THN, 2026-06-11) while Krebs counts 332 published victims since mid-2025. Brief reports both figures and attributes each, on the basis that leak-site totals are self-asserted and not independently verified; the 478 number is the actor's claim, not confirmed victimology. Geography is reported only to the concentration The Hacker News states (Thailand/UK/Brazil/Germany/India) — an unsupported "66 countries / France / sector-list" claim from a sub-agent return was dropped in verification as unsourced, as was a PRODAFT-attributed "administrator supplies affiliates' Fortinet credentials" claim for which no PRODAFT source was reachable this run.
  • Kyushu Electric Power lost-drive disclosure (10.9 M customers) dropped: Japan-only critical-infrastructure physical-media incident, single-source (BleepingComputer), no CH/EU nexus and no transferable defender action beyond generic media-handling — below the relevance bar.
  • South Korea PIPC ₩624.7 bn Coupang fine dropped: significant GDPR-adjacent enforcement precedent but APAC commercial, no CH/EU public-sector nexus and no defender-actionable delta this run; logged here for horizon awareness.
  • CVEs noted but not promoted to § 2: CVE-2026-48579 (Exchange Online) is included in § 2 for completeness but requires no customer action (service-side fix). No § 2 candidate CVEs were dropped for failing inclusion gates this run.
  • Recency: all promoted items have an in-window (≤ 36 h) primary or fresh-development source. The Microsoft Gentlemen dissection (2026-05-28) and Check Point analysis (2026-05-13) are cited as background/corroboration under the developing-window allowance; the in-window hooks are the Krebs deanonymisation (06-10) and the THN 478-victim escalation (06-11).
  • Candidate source surfaced (not added this run): securityonline.info (S1) — fast CVSS-annotated vuln tracking, occasionally ahead of national CERTs. One-candidate-per-run budget reserved; deferred.
  • Coverage gaps: sophos-xops (503 on both feeds, 4th consecutive run — transport block, not demotion); databreaches-net (Cloudflare block, 6th run — Wayback fallback not attempted, no unique signal beyond BleepingComputer/TheRecord); inside-it-ch (404, 3rd run — no unique CH breach items missed); sec-disclosures-edgar (EDGAR Item 1.05 full-text search returned zero hits for 2026-06-09→12; bridge worked, empty result set); cnil-fr (RSS 404, no in-window enforcement actions); oracle-psirt (403 on the PSIRT host — story fully covered via Oracle Security Alert page, Mandiant GTIG, NCSC-NL); anssi-fr / ncsc-ch-focus / dragos / rapid7-research / vulncheck / watchtowr / zdi (fetched, no in-window items not already covered); fortiguard-psirt (SPA shell — FortiSandbox covered via NCSC-NL + CCB).

Unmatched action items (migrated)

  • Hunt The Gentlemen's initial access and worm artefacts. Review Fortinet SSL-VPN logs for brute-force-then-success from new ASNs; alert on scheduled tasks named gentlemen_system/UpdateSystem/UpdateUser (Event ID 4698), SMBv1 re-enablement, and shadow-copy deletion. See § 1.
  • For BitLocker fleets, mitigate GreatXML pending a patch. Require TPM+PIN pre-boot auth on high-value mobile assets, audit recovery-partition unattend.xml/ReAgent.xml for tampering, and consider reagentc /disable where recovery capability is dispensable. See § 1.
  • Stage the npm v12 migration now. Run npm install under ≥ 11.16.0 to enumerate install-script deprecation warnings and build the npm approve-scripts allow-list before the July default flip; flag CI/CD pipelines that must keep scripts enabled wholesale. See § 3.

Migrated from briefs/2026-06-12.md (v2).

← Operations dashboard · day page 2026-06-12 · run-record contract: docs/pipeline.md