ctipilot.ch

2026-06-27-40e791d4

One pipeline fire, in full · intel run of 2026-06-27 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-27/2026-06-27-40e791d4.md.

Run telemetry

2026-06-27-40e791d4 intel prompt v2.64
30m 16s duration 15 published 4 updates
Claude Opus 4.8 (claude-opus-4-8) main agent
S1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
8
Duration
8m 33s
Tool calls
18 WebFetch0 WebSearch10 bridge
Cited sources
7 of 9 in slice
S2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
6
Duration
11m 34s
Tool calls
10 WebFetch4 WebSearch12 bridge
Cited sources
5 of 8 in slice
S3 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
11
Duration
13m 31s
Tool calls
11 WebFetch10 WebSearch12 bridge
Cited sources
9 of 9 in slice
S4 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
6
Duration
4m 13s
Tool calls
4 WebFetch6 WebSearch16 bridge
Cited sources
2 of 7 in slice

Verification

#1 NEEDS_FIXES · Anthropic Claude Opus 4.8 (1M context) · t=4 e=1 a=2 #2 NEEDS_FIXES · Claude Sonnet 4.6 · t=1 e=1 a=1 #3 NEEDS_FIXES · Claude Opus 4.8 (1M context) · t=1 e=0 a=3 #4 CLEAN · Anthropic Claude Sonnet 4.6 · t=0 e=0 a=0

Deep dive

2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat

Entries published (this run)

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

Source (uncovered)URL triedMethod chainStatus / classWhat the agent did instead
chrome-releaseshttps://chromereleases.googleblog.com/feeds/posts/defaultrsswebfetch302
RSS feed returned HTTP 302 redirect; Chrome security advisory content unavailable via bridge
none — BSI WID-SEC-2026-2092 indicates a Chrome multi-vuln advisory 2026-06-26; not covered this run
databreaches-nethttps://databreaches.net/webfetchbridge:url403 transport-403
HTTP 403 (anti-bot); third consecutive run
none — no specific article URL to bridge; transport block, not demoted

Bridge invocations (this run)

4 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).

4 ok
  • bridge:cisa-kev ×1
  • bridge:ncsc-nl.csaf ×1
  • bridge:ncsc-csh.recent ×1
  • bridge:sec-edgar ×1

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #1 NEEDS_FIXES · 7 findings (truth=4, editorial=1, advisory=2) · Claude Opus 4.8 · 5m 35s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
researchCVE-2026-12957 Amazon Q Developer MCP auto-load
fixed in 1.69.0 ... confirm >= 1.69.0
Wiz + Register state fixed in 1.65.0, not 1.69.0Corrected fix version to 1.65.0 in prose and the why-line fixed-clean
F4
hallucinated-fact
researchSANS ISC prctl masquerading
diary recommends auditd rules on prctl
Cited diary never mentions auditd; covers comm/cmdline divergence, Kunai/eBPFRemoved auditd clause; kept comm-vs-cmdline divergence + eBPF/Kunai fixed-clean
F4
hallucinated-fact
updatesThe Gentlemen 478 victims / --spread
[The Hacker News, 2026-06-26]
THN byline is 2026-06-11; 478/--spread is stale, not in-window. Fresh hook is the inside-it.ch Swiss-targetingCorrected THN date to 2026-06-11; reframed UPDATE so the in-window delta is the inside-it.ch (2026-06-26) Swiss-targeting; swapped footer source order; logged s fixed-degraded
F13
analytical-link-as-fact
updatesMiasma new wave
RevokeAndItGoesKaboom ties this wave to codfish/semantic-release-action
Neither Socket nor JFrog connects the marker to codfish/semantic-release-actionRemoved the codfish tie; kept the marker-recurrence claim only fixed-clean
F9
surface-contradiction
deep-diveSTOCKSTAY publication date
published ... on 2026-06-26
GTIG primary byline is 2026-06-25; S7 note inverted source/dateSet GTIG primary date to 2026-06-25 in S5; rewrote the S7 contradiction note fixed-clean
F11
editorial-advisory
deep-diveSTOCKTRADER command count
supporting 15+ commands
GTIG enumerates 13 commandsChanged 15+ to 13 fixed-clean
F11
editorial-advisory
multipleCosmetic date/lure drift
StrikeShark 06-26 (actual 06-24); Miasma 06-26 (actual 06-25); Czech lure
Cosmetic primary-date/attribution driftStrikeShark->2026-06-24, Miasma Socket->2026-06-25, dropped Czech lure language fixed-clean

Iteration #2 NEEDS_FIXES · 3 findings (truth=1, editorial=1, advisory=1) · Claude Sonnet 4.6 · 5m 45s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
updatesMiasma codfish marker (iter1 F13 regression)
RevokeAndItGoesKaboom ... codfish/semantic-release-action
iter1 removal was wrong — Socket explicitly ties the marker to the codfish/semantic-release-action compromise (StepSecurity)Restored the codfish/semantic-release-action link, sourced to Socket fixed-clean
F9
surface-contradiction
active-threatsCanvas/CMC ransom payment
Instructure paid an undisclosed ransom
Computer Weekly says paid; Infosec unclear; Instructure statement says only 'agreement'+deletion logsHedged to 'reportedly paid an undisclosed sum' (Computer Weekly) + added Instructure's own framing; added § 7 contradiction note fixed-clean
F11
editorial-advisory
active-threatsCyberScoop date tag on Signal item
[CyberScoop, 2026-06-26]
That CyberScoop URL is the March 20 PSA article, not the June 26 updateRemoved CyberScoop (mis-dated); claim re-cited to FBI IC3; footer keeps IC3 + THN (2026-06-27) fixed-clean

Iteration #3 NEEDS_FIXES · 4 findings (truth=1, editorial=0, advisory=3) · Claude Opus 4.8 · 4m 03s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
researchCitizen Lab/Cellebrite forensic report attribution
official Russian Investigative Committee forensic report
Citizen Lab: report authored by MVD Forensic Expert Center, only commissioned by the Investigative CommitteeCorrected attribution to MVD (Interior Ministry) Forensic Expert Center, commissioned by the Investigative Committee fixed-clean
F11
editorial-advisory
tldrSocket TL;DR date
[Socket, 2026-06-26]
TL;DR cited Socket 06-26; primary is 06-25Changed TL;DR Socket date to 2026-06-25 fixed-clean
F11
editorial-advisory
updatesAutodesk as Klue victim
Blackbaud, Autodesk, Deel
Autodesk listed without SecurityWeek's hedgeRemoved Autodesk from the named-victim list fixed-clean
F11
editorial-advisory
updatesEUVD additional source SPA
euvd.enisa.europa.eu/.../EUVD-2026-37831
EUVD additional-source renders blank (SPA)Kept — real corroborating advisory URL; SPA-render is not a liveness failure deferred

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-06-27-40e791d4 · Claude Opus 4.8 · 15 entries published

  • Items dropped:
    • Check Point Quantum/Spark IKEv1 auth bypass (CVE-2026-50751) — out-of-window: primary vendor blog 2026-06-08, NCSC-NL advisory 2026-06-16, no fresh development inside window_hours=36; already consolidated in the 2026-W25 weekly. Remains a real patch-now item for any IKEv1-enabled Check Point gateway (hotfixes sk185033/sk185035) but carries no in-window delta to report today.
    • PowerDNS coordinated security release (14 CVEs across Authoritative/Recursor/DNSdist, 2026-06-25) — dropped from § 2: no in-the-wild exploitation, not KEV/EUVD-exploited, patches available; did not clear a § 2 inclusion gate. Relevant to EU DNS/ISP operators as routine patching (BSI WID-SEC-2026-2091).
    • GitLab CE/EE 13-CVE release incl. unauthenticated Web IDE XSS CVE-2026-10712 (CVSS 8.0), 2026-06-25 — dropped from § 2: no exploitation evidence and XSS rather than RCE; did not clear a gate. Self-managed EU/Swiss public-sector instances should still update to 19.1.1/19.0.3/18.11.6 in the next change window (NCSC-NL NCSC-2026-0211).
    • CL-STA-1062 / TinyRCT (Unit 42, 2026-06-26) — Chinese-suspected APT using AppDomainManager injection against Southeast-Asian energy/government; dropped for low CH/EU nexus and single-source. Detection angle (.exe.config with appDomainManagerType) noted for hunters.
    • Tata Electronics / World Leaks (630 GB), KDDI (14.22 M email credentials), River Financial 8-K ransomware, Polymarket ($2.94 M frontend-injection theft) — substantive confirmed breaches but without CH/EU public-sector nexus or a novel transferable TTP; not promoted to keep signal high.
  • § 2 inclusion note: DirtyClone and pedit COW are included on the basis of public working exploits and universal Linux exposure, although they are local LPEs rather than the literal pre-auth-RCE wording of § 2 gate 5; no in-the-wild exploitation has been observed yet (PoC-public only).
  • Single-source items: § 1 TonRAT/"Photo ZIP" (Microsoft Threat Intelligence sole primary — HIGH-reliability vendor TI, corroborated by THN restatement); § 3 SANS ISC prctl masquerading diary (single reputable primary, technique writeup); § 4 The Gentlemen — the Swiss-second-most-targeted claim is single-source (inside-it.ch, Swiss press citing Check Point Research; the article body returned 403 to direct fetch, so the claim was read via the publisher's RSS summary). The group's 478-victims/--spread profile is separately sourced to The Hacker News (2026-06-11). All other items meet the two-source rule or are national-CERT/HIGH-reliability primary disclosures.
  • Contradictions: the GTIG STOCKSTAY primary post is dated 2026-06-25; corroborating coverage (The Record, The Hacker News) is dated 2026-06-26. The brief cites the GTIG primary as 2026-06-25. On the Canvas breach, sources disagree on whether Instructure paid: Computer Weekly reports a ransom was paid; Infosecurity Magazine leaves it unclear; Instructure's own incident statement describes only "reaching an agreement" and receiving deletion logs, without confirming a monetary payment — the brief hedges to "reportedly paid" and surfaces Instructure's framing.
  • Sub-agents: S1–S4 all returned; no stalls. (Note: S1's findings YAML recorded an internally inconsistent ended_at; the run log uses the harness-reported timestamps.)
  • tools/source_health.py ran and refreshed state/source_health.json (2026-06-27 snapshot, 149 sources). It flagged 5 sources needs-demote, none actioned this run: cisa-advisories/cisa-directives/cisa-news returned bridge HTTP 403 on their listing pages (transport-blocked — the lifecycle hard rule is that sustained transport blocking never demotes, and CISA intelligence still reaches the brief via the working cisa-kev bridge), and sophos-xops/trellix hit single read-timeouts (transient, not persistent failures). All five are "recheck if persistent" advisories, not demotion-qualifying events.
  • Coverage gaps: chrome-releases (RSS 302 redirect — Chrome security advisory unavailable via bridge); ptc-psirt (CS473270 returned 403; KEV + ENISA EUVD used instead); databreaches-net (403, third consecutive run — transport block, not demoted); cert-eu (no in-window advisory, latest 2026-06-10); cert-fr (feed returned 2025 bulletins only, empty in window); ncsc-ch-security-hub (no new post in window; only the 2026-06-25 Cisco SD-WAN edit to post 12579); mandiant-gtig (Feedburner IncompleteRead — direct article fetch used).

Unmatched action items (migrated)

  • Regenerate Signal Backup Recovery Keys for high-risk personnel (diplomatic, federal, parliamentary, journalists) and issue guidance that any unsolicited "Signal support" message is hostile; disable Signal backups via MDM where operational security demands it (§ 1).
  • Deploy the /proc/<pid>/comm vs /proc/<pid>/cmdline masquerade hunt across Linux fleets — a kernel-worker-style comm with a non-empty cmdline is a free, high-fidelity detection (§ 3).
  • Audit npm/CI for the binding.gyp install-time-execution pattern — alert on node-gyp evaluating JavaScript from binding.gyp and rotate all CI/cloud credentials exposed to the affected LeoPlatform/RStreams packages since 2026-06-20 (§ 4).
  • Audit Salesforce Connected Apps and revoke dormant OAuth integration tokens with export scopes; alert on anomalous bulk ReportExport/API activity from integration service accounts (§ 4).
  • Hunt Cisco Catalyst SD-WAN Manager for unexpected /etc/passwd additions (troot), evil_tenant.csv artefacts and request tenant-upload CLI execution; enforce SMB signing and the Microsoft vulnerable-driver blocklist against The Gentlemen's worm/BYOVD behaviour (§ 4).

Migrated from briefs/2026-06-27.md (v2).

← Operations dashboard · day page 2026-06-27 · run-record contract: docs/pipeline.md