2026-06-27-40e791d4
One pipeline fire, in full · intel run of 2026-06-27 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-27/2026-06-27-40e791d4.md.
Run telemetry
- Items returned
- 8
- Duration
- 8m 33s
- Tool calls
- 18 WebFetch0 WebSearch10 bridge
- Cited sources
- 7 of 9 in slice
- Items returned
- 6
- Duration
- 11m 34s
- Tool calls
- 10 WebFetch4 WebSearch12 bridge
- Cited sources
- 5 of 8 in slice
- Items returned
- 11
- Duration
- 13m 31s
- Tool calls
- 11 WebFetch10 WebSearch12 bridge
- Cited sources
- 9 of 9 in slice
- Items returned
- 6
- Duration
- 4m 13s
- Tool calls
- 4 WebFetch6 WebSearch16 bridge
- Cited sources
- 2 of 7 in slice
Verification
Deep dive
2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat
Entries published (this run)
- FBI/CISA: Russian intelligence now phishing Signal Backup Recovery Keys for persistent account takeover threat high
- UK Cyber Monitoring Centre publishes sector review of the Canvas/Instructure LMS breach — 160 universities, ShinyHunters extortion, ransom paid incident notable
- Microsoft: "Photo ZIP" phishing laundered through Calendly drops Node.js TonRAT against European hospitality front desks threat notable
- CVE-2026-43503 — Linux kernel "DirtyClone": page-cache corruption via XFRM/IPsec skb cloning (working PoC) vulnerability high
- CVE-2026-46331 — Linux kernel "pedit COW": out-of-bounds write in the tc act_pedit module (public weaponised PoC) vulnerability notable
- Kaspersky GReAT: "StrikeShark" loader deploys Cobalt Strike via "Perfect DLL Hijacking" against government targets research notable
- Citizen Lab: Cellebrite UFED used by Russian authorities three months after the vendor's Russia pull-out research notable
- CVE-2026-12957 — Amazon Q Developer auto-loaded workspace MCP configs, enabling repo-planted code execution and AWS credential theft (Wiz) research notable
- SANS ISC: Linux process-name masquerading via prctl(PR_SET_NAME) and how to detect it research notable
- PTC Windchill CVE-2026-12569 now confirmed exploited in the wild with JSP web shells vulnerability high update
- Mandiant documents the full Cisco Catalyst SD-WAN exploitation chain — CSV-injection to a root backdoor vulnerability notable update
- Klue/Icarus Salesforce breach widens to ~24 firms; the attacker is itself hacked and a second extortion actor emerges incident high update
- "The Gentlemen" ransomware claims 478 victims and adds worm propagation — Switzerland the second-most-targeted European country threat high
- Miasma / "Mini Shai-Hulud" npm worm runs a new wave across LeoPlatform/RStreams packages threat high update
- Turla's STOCKSTAY: a four-component .NET backdoor for diplomatic intelligence collection vulnerability notable
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| chrome-releases | https://chromereleases.googleblog.com/feeds/posts/default | rss → webfetch | 302 RSS feed returned HTTP 302 redirect; Chrome security advisory content unavailable via bridge | none — BSI WID-SEC-2026-2092 indicates a Chrome multi-vuln advisory 2026-06-26; not covered this run |
| databreaches-net | https://databreaches.net/ | webfetch → bridge:url | 403 transport-403 HTTP 403 (anti-bot); third consecutive run | none — no specific article URL to bridge; transport block, not demoted |
Bridge invocations (this run)
4 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).
- bridge:cisa-kev ×1
- bridge:ncsc-nl.csaf ×1
- bridge:ncsc-csh.recent ×1
- bridge:sec-edgar ×1
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #1 NEEDS_FIXES · 7 findings (truth=4, editorial=1, advisory=2) · Claude Opus 4.8 · 5m 35s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | research | CVE-2026-12957 Amazon Q Developer MCP auto-load fixed in 1.69.0 ... confirm >= 1.69.0 | Wiz + Register state fixed in 1.65.0, not 1.69.0 | Corrected fix version to 1.65.0 in prose and the why-line fixed-clean |
| F4 hallucinated-fact | research | SANS ISC prctl masquerading diary recommends auditd rules on prctl | Cited diary never mentions auditd; covers comm/cmdline divergence, Kunai/eBPF | Removed auditd clause; kept comm-vs-cmdline divergence + eBPF/Kunai fixed-clean |
| F4 hallucinated-fact | updates | The Gentlemen 478 victims / --spread [The Hacker News, 2026-06-26] | THN byline is 2026-06-11; 478/--spread is stale, not in-window. Fresh hook is the inside-it.ch Swiss-targeting | Corrected THN date to 2026-06-11; reframed UPDATE so the in-window delta is the inside-it.ch (2026-06-26) Swiss-targeting; swapped footer source order; logged s fixed-degraded |
| F13 analytical-link-as-fact | updates | Miasma new wave RevokeAndItGoesKaboom ties this wave to codfish/semantic-release-action | Neither Socket nor JFrog connects the marker to codfish/semantic-release-action | Removed the codfish tie; kept the marker-recurrence claim only fixed-clean |
| F9 surface-contradiction | deep-dive | STOCKSTAY publication date published ... on 2026-06-26 | GTIG primary byline is 2026-06-25; S7 note inverted source/date | Set GTIG primary date to 2026-06-25 in S5; rewrote the S7 contradiction note fixed-clean |
| F11 editorial-advisory | deep-dive | STOCKTRADER command count supporting 15+ commands | GTIG enumerates 13 commands | Changed 15+ to 13 fixed-clean |
| F11 editorial-advisory | multiple | Cosmetic date/lure drift StrikeShark 06-26 (actual 06-24); Miasma 06-26 (actual 06-25); Czech lure | Cosmetic primary-date/attribution drift | StrikeShark->2026-06-24, Miasma Socket->2026-06-25, dropped Czech lure language fixed-clean |
Iteration #2 NEEDS_FIXES · 3 findings (truth=1, editorial=1, advisory=1) · Claude Sonnet 4.6 · 5m 45s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | updates | Miasma codfish marker (iter1 F13 regression) RevokeAndItGoesKaboom ... codfish/semantic-release-action | iter1 removal was wrong — Socket explicitly ties the marker to the codfish/semantic-release-action compromise (StepSecurity) | Restored the codfish/semantic-release-action link, sourced to Socket fixed-clean |
| F9 surface-contradiction | active-threats | Canvas/CMC ransom payment Instructure paid an undisclosed ransom | Computer Weekly says paid; Infosec unclear; Instructure statement says only 'agreement'+deletion logs | Hedged to 'reportedly paid an undisclosed sum' (Computer Weekly) + added Instructure's own framing; added § 7 contradiction note fixed-clean |
| F11 editorial-advisory | active-threats | CyberScoop date tag on Signal item [CyberScoop, 2026-06-26] | That CyberScoop URL is the March 20 PSA article, not the June 26 update | Removed CyberScoop (mis-dated); claim re-cited to FBI IC3; footer keeps IC3 + THN (2026-06-27) fixed-clean |
Iteration #3 NEEDS_FIXES · 4 findings (truth=1, editorial=0, advisory=3) · Claude Opus 4.8 · 4m 03s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | research | Citizen Lab/Cellebrite forensic report attribution official Russian Investigative Committee forensic report | Citizen Lab: report authored by MVD Forensic Expert Center, only commissioned by the Investigative Committee | Corrected attribution to MVD (Interior Ministry) Forensic Expert Center, commissioned by the Investigative Committee fixed-clean |
| F11 editorial-advisory | tldr | Socket TL;DR date [Socket, 2026-06-26] | TL;DR cited Socket 06-26; primary is 06-25 | Changed TL;DR Socket date to 2026-06-25 fixed-clean |
| F11 editorial-advisory | updates | Autodesk as Klue victim Blackbaud, Autodesk, Deel | Autodesk listed without SecurityWeek's hedge | Removed Autodesk from the named-victim list fixed-clean |
| F11 editorial-advisory | updates | EUVD additional source SPA euvd.enisa.europa.eu/.../EUVD-2026-37831 | EUVD additional-source renders blank (SPA) | Kept — real corroborating advisory URL; SPA-render is not a liveness failure deferred |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-06-27-40e791d4 · Claude Opus 4.8 · 15 entries published
- Items dropped:
- Check Point Quantum/Spark IKEv1 auth bypass (
CVE-2026-50751) — out-of-window: primary vendor blog 2026-06-08, NCSC-NL advisory 2026-06-16, no fresh development insidewindow_hours=36; already consolidated in the 2026-W25 weekly. Remains a real patch-now item for any IKEv1-enabled Check Point gateway (hotfixes sk185033/sk185035) but carries no in-window delta to report today. - PowerDNS coordinated security release (14 CVEs across Authoritative/Recursor/DNSdist, 2026-06-25) — dropped from § 2: no in-the-wild exploitation, not KEV/EUVD-exploited, patches available; did not clear a § 2 inclusion gate. Relevant to EU DNS/ISP operators as routine patching (BSI WID-SEC-2026-2091).
- GitLab CE/EE 13-CVE release incl. unauthenticated Web IDE XSS
CVE-2026-10712(CVSS 8.0), 2026-06-25 — dropped from § 2: no exploitation evidence and XSS rather than RCE; did not clear a gate. Self-managed EU/Swiss public-sector instances should still update to 19.1.1/19.0.3/18.11.6 in the next change window (NCSC-NL NCSC-2026-0211). - CL-STA-1062 / TinyRCT (Unit 42, 2026-06-26) — Chinese-suspected APT using AppDomainManager injection against Southeast-Asian energy/government; dropped for low CH/EU nexus and single-source. Detection angle (
.exe.configwithappDomainManagerType) noted for hunters. - Tata Electronics / World Leaks (630 GB), KDDI (14.22 M email credentials), River Financial 8-K ransomware, Polymarket ($2.94 M frontend-injection theft) — substantive confirmed breaches but without CH/EU public-sector nexus or a novel transferable TTP; not promoted to keep signal high.
- Check Point Quantum/Spark IKEv1 auth bypass (
- § 2 inclusion note: DirtyClone and pedit COW are included on the basis of public working exploits and universal Linux exposure, although they are local LPEs rather than the literal pre-auth-RCE wording of § 2 gate 5; no in-the-wild exploitation has been observed yet (PoC-public only).
- Single-source items: § 1 TonRAT/"Photo ZIP" (Microsoft Threat Intelligence sole primary — HIGH-reliability vendor TI, corroborated by THN restatement); § 3 SANS ISC
prctlmasquerading diary (single reputable primary, technique writeup); § 4 The Gentlemen — the Swiss-second-most-targeted claim is single-source (inside-it.ch, Swiss press citing Check Point Research; the article body returned 403 to direct fetch, so the claim was read via the publisher's RSS summary). The group's 478-victims/--spreadprofile is separately sourced to The Hacker News (2026-06-11). All other items meet the two-source rule or are national-CERT/HIGH-reliability primary disclosures. - Contradictions: the GTIG STOCKSTAY primary post is dated 2026-06-25; corroborating coverage (The Record, The Hacker News) is dated 2026-06-26. The brief cites the GTIG primary as 2026-06-25. On the Canvas breach, sources disagree on whether Instructure paid: Computer Weekly reports a ransom was paid; Infosecurity Magazine leaves it unclear; Instructure's own incident statement describes only "reaching an agreement" and receiving deletion logs, without confirming a monetary payment — the brief hedges to "reportedly paid" and surfaces Instructure's framing.
- Sub-agents: S1–S4 all returned; no stalls. (Note: S1's findings YAML recorded an internally inconsistent
ended_at; the run log uses the harness-reported timestamps.) tools/source_health.pyran and refreshedstate/source_health.json(2026-06-27 snapshot, 149 sources). It flagged 5 sourcesneeds-demote, none actioned this run:cisa-advisories/cisa-directives/cisa-newsreturned bridge HTTP 403 on their listing pages (transport-blocked — the lifecycle hard rule is that sustained transport blocking never demotes, and CISA intelligence still reaches the brief via the workingcisa-kevbridge), andsophos-xops/trellixhit single read-timeouts (transient, not persistent failures). All five are "recheck if persistent" advisories, not demotion-qualifying events.- Coverage gaps: chrome-releases (RSS 302 redirect — Chrome security advisory unavailable via bridge); ptc-psirt (CS473270 returned 403; KEV + ENISA EUVD used instead); databreaches-net (403, third consecutive run — transport block, not demoted); cert-eu (no in-window advisory, latest 2026-06-10); cert-fr (feed returned 2025 bulletins only, empty in window); ncsc-ch-security-hub (no new post in window; only the 2026-06-25 Cisco SD-WAN edit to post 12579); mandiant-gtig (Feedburner IncompleteRead — direct article fetch used).
Unmatched action items (migrated)
- Regenerate Signal Backup Recovery Keys for high-risk personnel (diplomatic, federal, parliamentary, journalists) and issue guidance that any unsolicited "Signal support" message is hostile; disable Signal backups via MDM where operational security demands it (§ 1).
- Deploy the
/proc/<pid>/commvs/proc/<pid>/cmdlinemasquerade hunt across Linux fleets — a kernel-worker-stylecommwith a non-emptycmdlineis a free, high-fidelity detection (§ 3). - Audit npm/CI for the
binding.gypinstall-time-execution pattern — alert onnode-gypevaluating JavaScript frombinding.gypand rotate all CI/cloud credentials exposed to the affected LeoPlatform/RStreams packages since 2026-06-20 (§ 4). - Audit Salesforce Connected Apps and revoke dormant OAuth integration tokens with export scopes; alert on anomalous bulk
ReportExport/API activity from integration service accounts (§ 4). - Hunt Cisco Catalyst SD-WAN Manager for unexpected
/etc/passwdadditions (troot),evil_tenant.csvartefacts andrequest tenant-uploadCLI execution; enforce SMB signing and the Microsoft vulnerable-driver blocklist against The Gentlemen's worm/BYOVD behaviour (§ 4).
Migrated from briefs/2026-06-27.md (v2).
← Operations dashboard · day page 2026-06-27 · run-record contract: docs/pipeline.md