ctipilot.ch

2026-06-28-1b30612a

One pipeline fire, in full · intel run of 2026-06-28 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-28/2026-06-28-1b30612a.md.

Run telemetry

2026-06-28-1b30612a intel prompt v2.64
28m 19s duration 9 published 0 updates
Claude Opus 4.8 (claude-opus-4-8[1m]) main agent
S1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
5
Duration
7m 23s
Tool calls
14 WebFetch8 WebSearch9 bridge
Cited sources
7 of 12 in slice
S2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
3
Duration
9m 04s
Tool calls
18 WebFetch9 WebSearch14 bridge
Cited sources
4 of 9 in slice
S3 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
6
Duration
11m 05s
Tool calls
14 WebFetch7 WebSearch6 bridge
Cited sources
5 of 9 in slice
S4 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
5
Duration
4m 10s
Tool calls
18 WebFetch8 WebSearch9 bridge
Cited sources
2 of 7 in slice

Verification

#1 NEEDS_FIXES · Claude Opus 4.8 (1M context) · t=3 e=2 a=3 #2 NEEDS_FIXES · Claude Sonnet 4.6 · t=1 e=1 a=0 #3 NEEDS_FIXES · Claude Opus 4.8 (1M context) · t=1 e=0 a=2 #4 CLEAN · Claude Sonnet 4.6 · t=0 e=0 a=0

Deep dive

2026-06-28/keycloak-jwt-algorithm-confusion-cve-2026-11800-forging-fede

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

1 added.

SourceChangeFrom → ToReason
netcraftadded— → candidatesurfaced the Bluekit BitM PhaaS analysis (§3); recurring phishing/brand-abuse research lab

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

No coverage gaps in this run · every source the brief needed returned usable content via its documented recipe.

Bridge invocations (this run)

8 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).

6 ok2 empty feed
  • bridge:feed ×1
  • bridge:sec-edgar.8k ×1
  • bridge:ico-uk.enforcement ×1
  • bridge:cisa-kev ×1
  • bridge:enisa-euvd.recent ×1
  • bridge:bsi-csaf ×1
  • bridge:ncsc-nl.csaf ×1
  • bridge:ncsc-csh.recent ×1

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #1 NEEDS_FIXES · 8 findings (truth=3, editorial=2, advisory=3) · Claude Opus 4.8 · 4m 00s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F2
generic-url
researchNetcraft: Bluekit PhaaS BitMVaronis URL resolved to homepage; correct canonical slugreplaced with canonical https://www.varonis.com/blog/meet-bluekit-the-ai-powered-all-in-one-phishing-kit (re-fetched, 200, confirms article) fixed-clean
F3
claim-not-supported
active-threatsNAIC PeopleSoft breach
~3.1 TB / 105,000+ files; 264k PDFs; 45k rating-agency files
granular counts not in cited Insurance Journal/TechRadardropped granular file counts; kept ~3.1 TB (TechRadar) + general categories (Insurance Journal) fixed-degraded
F3
claim-not-supported
active-threatsNAIC PeopleSoft breach
ShinyHunters (tracked as UNC6240)
UNC6240 absent from cited NAIC sourcesdropped the UNC6240 parenthetical fixed-clean
F4
hallucinated-fact
verification-notesPowerDNS advisory
CVE-2026-3361
malformed CVE id; advisory CVE is CVE-2026-33612removed the specific CVE id from § 7 (advisory-name reference only); removed CVE-2026-3361 from cves_seen fixed-clean
F8
needs-more-research
active-threatsNAIC PeopleSoft breach
PeopleSoft vulnerability ... never named
CVE-2026-35273 (PeopleTools 8.61/8.62) in cited Insurance Business Mag not surfacedadded CVE-2026-35273 + versions to § 1 item and § 6 action; re-fetched Insurance Business Mag to confirm; added to cves_seen fixed-clean
F11
editorial-advisory
deep-diveKeycloak CVE-2026-11800
Vector: zero-click
advisory: vector vs post-auth prereqkept (no victim interaction required; advisory only) deferred
F11
editorial-advisory
researchTalos COM primer
Tags: nation-state, infostealer, botnet
boilerplate tags on a defensive primerremoved nation-state tag fixed-clean
F11
editorial-advisory
trending-vulnerabilitieslibssh2 CVE-2026-55200
advisories.ncsc.nl/advisory?id=NCSC-2026-0210
JS-redirect shim; resolves to supporting contentkept (URL returns 200 and is the NCSC-NL advisory; advisory only) deferred

Iteration #2 NEEDS_FIXES · 2 findings (truth=1, editorial=1, advisory=0) · Claude Sonnet 4.6 · 4m 22s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F2
generic-url
researchBluekit (Varonis source)iter-1 replacement slug also resolved to Varonis homepage; correct canonical is /blog/bluekitreplaced both inline + footer with https://www.varonis.com/blog/bluekit fixed-clean
F3
claim-not-supported
researchBluekit (Varonis date)
first documented by Varonis Threat Labs on 2026-06-17
Varonis article dated 2026-04-29, not 2026-06-17changed date to 2026-04-29 and reworded framing (Varonis = earlier original discovery; Netcraft = in-window scale finding) fixed-clean

Iteration #3 NEEDS_FIXES · 3 findings (truth=1, editorial=0, advisory=2) · Claude Opus 4.8 · 2m 45s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
active-threatsJLR ransomware NYT attribution
UK Cyber Monitoring Centre 'Category 3 systemic event' ... surpassing WannaCry (Evidence attributed to The Next Web)
Claim + Evidence quote not present in cited TechCrunch/The Next Web sourcesremoved the CMC Category-3/WannaCry claim from TL;DR, § 1 heading, body, and Evidence; retained supported facts (£1.9bn/$2.5bn, six-week halt, 5000+ suppliers, fixed-clean
F11
editorial-advisory
active-threatsNAIC breach
confirmed on 2026-06-27
NAIC page reads June 26changed NAIC date references to 2026-06-26 fixed-clean
F11
editorial-advisory
researchNetcraft Bluekit
named targets / FIDO2 framing
sound analysis but not explicit source wording; advisory onlykept (framing is supported analysis) deferred

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-06-28-1b30612a · Claude Opus 4.8 (1M context) · 9 entries published

  • Items dropped — already covered (PD-8):
    • Ubiquiti UniFi OS triple-CVE chain (CVE-2026-34908 / -34909 / -34910) — was the full deep dive on 2026-06-24 (including the CISA KEV listing, in-the-wild exploitation and the pre-auth-to-root chain). S1 surfaced it again with no material new delta; not re-reported.
    • Turla STOCKSTAY .NET backdoor (Google GTIG, 2026-06-25) — S1 returned the same GTIG primary that was the 2026-06-27 deep dive; no new development, dropped.
    • Miasma / "Mini Shai-Hulud" npm worm (LeoPlatform/RStreams wave) — covered as a § 4 UPDATE on 2026-06-27; S3 returned the same Socket.dev analysis with no fresh delta, dropped.
  • Vulnerabilities assessed but below the § 2 inclusion bar:
    • GitLab CE/EE 19.1.1 / 19.0.3 / 18.11.6 incl. CVE-2026-10712 (Web IDE XSS, CVSS 8.0) — already assessed-and-dropped in the 2026-06-26 and 2026-06-27 briefs (stored XSS, not RCE, no exploitation, below the CVSS-9 gate). Self-managed CH/EU public-sector instances should still update on the normal change cycle (NCSC-NL NCSC-2026-0211).
    • PowerDNS Recursor advisory 2026-08 / DNSdist 2026-09 (DNS cache-poisoning / DNSSEC-bypass class, max CVSS 7.5) — no exploitation, no PoC, below the § 2 gate; carried as a normal-cycle patch in § 6 given its relevance to EU/CH government DNS resolvers (PowerDNS, 2026-06-25; BSI WID-SEC-2026-2091).
  • Items dropped — outside the recency window (PD-7; window_hours=36, developing 72 h):
    • Tata Electronics / World Leaks (Hunters International rebrand) 630 GB leak — primary disclosure 2026-06-24 (~96 h), no fresh in-window development; rolled forward.
    • KDDI shared email-platform breach (up to 14.22 M mailbox credentials) — primary 2026-06-24 (~96 h); APAC nexus; the multi-tenant shared-platform lesson noted for a future weekly. Rolled forward.
    • River Financial Corp SEC 8-K ransomware disclosure — filing 2026-06-25, [SINGLE-SOURCE] (SEC 8-K/StockTitan only), low CH/EU relevance; rolled forward.
  • Items dropped — relevance / novelty:
    • SANS ISC "Terrabot" IoT botnet (Mirai/Gafgyt variant exploiting decade-old D-Link / GPON / MVPower flaws) [SINGLE-SOURCE] — pedagogically useful but the campaign exploits ~2016–2018-era vulnerabilities with no new development; dropped to keep signal density.
  • Reduced-confidence / attribution items: the Jaguar Land Rover Russian attribution (§ 1) is MEDIUM confidence — sourced to a New York Times investigation relayed via TechCrunch / The Next Web, not an official UK government attribution or a CERT advisory. Reported as the investigators' claim per the fake-news guard.
  • Single-source (primary research) items: the Cisco Talos COM-abuse primer (§ 3) is single-source by nature (the lab's own research); included under the primary-research carve-out.
  • Contradictions: the Keycloak fixed-version reporting differed across sub-agents (official Keycloak release notes name 26.6.4, 2026-06-26; BSI/GitHub references also cite 26.4.x / 26.6.x backport branches). The brief cites the official Keycloak release-notes version (26.6.4) as authoritative and points Red Hat Build of Keycloak users to the matching RHSA errata.
  • Verification remediation (Phase 5.7): an iteration-3 truth finding removed an unsupported claim from the JLR item — the cited TechCrunch / The Next Web articles do not carry the "UK Cyber Monitoring Centre Category-3 systemic event / surpassing WannaCry" wording (and the Evidence quote attributed to The Next Web was not in the source). The supported facts are retained: the investigators'/NYT Russian-attribution framing, the ~six-week production halt, ~£1.9 bn / $2.5 bn economic impact, and 5,000+ affected suppliers. Earlier iterations corrected NAIC granular file counts, the PowerDNS CVE id, the missing PeopleSoft CVE (CVE-2026-35273), and the Bluekit/Varonis source URL and date.
  • Sub-agents: all four research sub-agents (S1–S4, Claude Sonnet 4.6) returned within the window (250–665 s).
  • Source-health probe: tools/source_health.py did not complete within this run's time budget (full 150-source sweep); the prior snapshot (2026-06-27) is retained and the weekly GitHub Action re-probes. No per-source accessibility action derived this run.
  • Coverage gaps: ncsc-ch-security-hub (Week 26 Wochenrückblick HTTP 404 — not yet published; no in-window NCSC-CH post); cert-eu (latest advisory 2026-06-10, out of window); cert-fr / anssi-fr (avis latest 2026-06-18, feed otherwise stale with 2025 items); databreaches-net (per-article drill-down 403 for a fourth consecutive run — transport block, not demoted; the RSS feed served and the stories reached the brief via primary pivots); mandiant-gtig (Feedburner stale/empty — direct article fetch used); sophos-xops (feed 404, no in-window research); dfirreport (feed accessible but all items older than 72 h).

Unmatched action items (migrated)

  • Verify Oracle PeopleSoft exposure and hunt for the pivot pattern (§ 1, NAIC): confirm patch status for CVE-2026-35273 (pre-auth RCE in PeopleTools 8.61/8.62) against the in-the-wild campaign, least-privilege PeopleSoft integration/service accounts, and alert on bulk export volumes from PeopleSoft data-bus repositories (DLP + off-hours staging).
  • Patch PowerDNS Recursor / DNSdist on the normal change cycle (§ 7): no exploitation reported, but the 2026-08/2026-09 advisories (cache-poisoning / DNSSEC-bypass class) matter for EU/CH government DNS resolvers — upgrade Recursor to 5.2.11 / 5.3.8 / 5.4.3 and DNSdist to 1.9.15 / 2.0.7.
  • Tune identity and endpoint detections from § 3 research: add hunts for rrweb/BitM relay indicators against M365/Entra logins (Bluekit), .NET .config files written next to signed PEs (AppDomainManager injection / TinyRCT), COM-based scheduled-task / BITS / WMI activity from unexpected processes (Talos), and review browser-extension governance for <all_urls> extensions (BadBlocker).

Migrated from briefs/2026-06-28.md (v2).

← Operations dashboard · day page 2026-06-28 · run-record contract: docs/pipeline.md