2026-06-28-1b30612a
One pipeline fire, in full · intel run of 2026-06-28 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-28/2026-06-28-1b30612a.md.
Run telemetry
- Items returned
- 5
- Duration
- 7m 23s
- Tool calls
- 14 WebFetch8 WebSearch9 bridge
- Cited sources
- 7 of 12 in slice
- Items returned
- 3
- Duration
- 9m 04s
- Tool calls
- 18 WebFetch9 WebSearch14 bridge
- Cited sources
- 4 of 9 in slice
- Items returned
- 6
- Duration
- 11m 05s
- Tool calls
- 14 WebFetch7 WebSearch6 bridge
- Cited sources
- 5 of 9 in slice
- Items returned
- 5
- Duration
- 4m 10s
- Tool calls
- 18 WebFetch8 WebSearch9 bridge
- Cited sources
- 2 of 7 in slice
Verification
Deep dive
2026-06-28/keycloak-jwt-algorithm-confusion-cve-2026-11800-forging-fede
Entries published (this run)
- NAIC breached via Oracle PeopleSoft zero-day; ShinyHunters publishes 3.1 TB of US insurance-regulatory data and rating-agency feeds pause incident high
- NYT investigation gives first named attribution for the Jaguar Land Rover ransomware attack — a Russian state-linked criminal group threat high
- CVE-2026-58053 — Gitea act_runner Docker backend: container-hardening bypass to host escape (CVSS 9.4, public PoC) vulnerability high
- CVE-2026-55200 — libssh2 heap out-of-bounds write in ssh2_transport_read() with public PoC; companion pre-auth DoS CVE-2026-55199 vulnerability high
- Netcraft: Bluekit PhaaS uses Browser-in-the-Middle to defeat FIDO2 and Device Bound Session Credentials research notable
- Unit 42: Chinese-speaking cluster CL-STA-1062 deploys the new TinyRCT .NET backdoor against SE-Asian government and energy targets via AppDomainManager injection research notable
- Cisco Talos: a field guide to Windows COM abuse — ITaskService, BITS, WMI and DCOM as EDR-evasion primitives research notable
- Island: "BadBlocker" — an 11M-user Chrome ad-blocker is one server config change away from arbitrary JavaScript on any site research notable
- Keycloak JWT algorithm confusion (CVE-2026-11800): forging federated identity in the EU public sector's dominant IdP vulnerability high
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
1 added.
| Source | Change | From → To | Reason |
|---|---|---|---|
| netcraft | added | — → candidate | surfaced the Bluekit BitM PhaaS analysis (§3); recurring phishing/brand-abuse research lab |
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
No coverage gaps in this run · every source the brief needed returned usable content via its documented recipe.
Bridge invocations (this run)
8 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).
- bridge:feed ×1
- bridge:sec-edgar.8k ×1
- bridge:ico-uk.enforcement ×1
- bridge:cisa-kev ×1
- bridge:enisa-euvd.recent ×1
- bridge:bsi-csaf ×1
- bridge:ncsc-nl.csaf ×1
- bridge:ncsc-csh.recent ×1
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #1 NEEDS_FIXES · 8 findings (truth=3, editorial=2, advisory=3) · Claude Opus 4.8 · 4m 00s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F2 generic-url | research | Netcraft: Bluekit PhaaS BitM | Varonis URL resolved to homepage; correct canonical slug | replaced with canonical https://www.varonis.com/blog/meet-bluekit-the-ai-powered-all-in-one-phishing-kit (re-fetched, 200, confirms article) fixed-clean |
| F3 claim-not-supported | active-threats | NAIC PeopleSoft breach ~3.1 TB / 105,000+ files; 264k PDFs; 45k rating-agency files | granular counts not in cited Insurance Journal/TechRadar | dropped granular file counts; kept ~3.1 TB (TechRadar) + general categories (Insurance Journal) fixed-degraded |
| F3 claim-not-supported | active-threats | NAIC PeopleSoft breach ShinyHunters (tracked as UNC6240) | UNC6240 absent from cited NAIC sources | dropped the UNC6240 parenthetical fixed-clean |
| F4 hallucinated-fact | verification-notes | PowerDNS advisory CVE-2026-3361 | malformed CVE id; advisory CVE is CVE-2026-33612 | removed the specific CVE id from § 7 (advisory-name reference only); removed CVE-2026-3361 from cves_seen fixed-clean |
| F8 needs-more-research | active-threats | NAIC PeopleSoft breach PeopleSoft vulnerability ... never named | CVE-2026-35273 (PeopleTools 8.61/8.62) in cited Insurance Business Mag not surfaced | added CVE-2026-35273 + versions to § 1 item and § 6 action; re-fetched Insurance Business Mag to confirm; added to cves_seen fixed-clean |
| F11 editorial-advisory | deep-dive | Keycloak CVE-2026-11800 Vector: zero-click | advisory: vector vs post-auth prereq | kept (no victim interaction required; advisory only) deferred |
| F11 editorial-advisory | research | Talos COM primer Tags: nation-state, infostealer, botnet | boilerplate tags on a defensive primer | removed nation-state tag fixed-clean |
| F11 editorial-advisory | trending-vulnerabilities | libssh2 CVE-2026-55200 advisories.ncsc.nl/advisory?id=NCSC-2026-0210 | JS-redirect shim; resolves to supporting content | kept (URL returns 200 and is the NCSC-NL advisory; advisory only) deferred |
Iteration #2 NEEDS_FIXES · 2 findings (truth=1, editorial=1, advisory=0) · Claude Sonnet 4.6 · 4m 22s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F2 generic-url | research | Bluekit (Varonis source) | iter-1 replacement slug also resolved to Varonis homepage; correct canonical is /blog/bluekit | replaced both inline + footer with https://www.varonis.com/blog/bluekit fixed-clean |
| F3 claim-not-supported | research | Bluekit (Varonis date) first documented by Varonis Threat Labs on 2026-06-17 | Varonis article dated 2026-04-29, not 2026-06-17 | changed date to 2026-04-29 and reworded framing (Varonis = earlier original discovery; Netcraft = in-window scale finding) fixed-clean |
Iteration #3 NEEDS_FIXES · 3 findings (truth=1, editorial=0, advisory=2) · Claude Opus 4.8 · 2m 45s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | active-threats | JLR ransomware NYT attribution UK Cyber Monitoring Centre 'Category 3 systemic event' ... surpassing WannaCry (Evidence attributed to The Next Web) | Claim + Evidence quote not present in cited TechCrunch/The Next Web sources | removed the CMC Category-3/WannaCry claim from TL;DR, § 1 heading, body, and Evidence; retained supported facts (£1.9bn/$2.5bn, six-week halt, 5000+ suppliers, fixed-clean |
| F11 editorial-advisory | active-threats | NAIC breach confirmed on 2026-06-27 | NAIC page reads June 26 | changed NAIC date references to 2026-06-26 fixed-clean |
| F11 editorial-advisory | research | Netcraft Bluekit named targets / FIDO2 framing | sound analysis but not explicit source wording; advisory only | kept (framing is supported analysis) deferred |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-06-28-1b30612a · Claude Opus 4.8 (1M context) · 9 entries published
- Items dropped — already covered (PD-8):
- Ubiquiti UniFi OS triple-CVE chain (CVE-2026-34908 / -34909 / -34910) — was the full deep dive on 2026-06-24 (including the CISA KEV listing, in-the-wild exploitation and the pre-auth-to-root chain). S1 surfaced it again with no material new delta; not re-reported.
- Turla STOCKSTAY .NET backdoor (Google GTIG, 2026-06-25) — S1 returned the same GTIG primary that was the 2026-06-27 deep dive; no new development, dropped.
- Miasma / "Mini Shai-Hulud" npm worm (LeoPlatform/RStreams wave) — covered as a § 4 UPDATE on 2026-06-27; S3 returned the same Socket.dev analysis with no fresh delta, dropped.
- Vulnerabilities assessed but below the § 2 inclusion bar:
- GitLab CE/EE 19.1.1 / 19.0.3 / 18.11.6 incl. CVE-2026-10712 (Web IDE XSS, CVSS 8.0) — already assessed-and-dropped in the 2026-06-26 and 2026-06-27 briefs (stored XSS, not RCE, no exploitation, below the CVSS-9 gate). Self-managed CH/EU public-sector instances should still update on the normal change cycle (NCSC-NL NCSC-2026-0211).
- PowerDNS Recursor advisory 2026-08 / DNSdist 2026-09 (DNS cache-poisoning / DNSSEC-bypass class, max CVSS 7.5) — no exploitation, no PoC, below the § 2 gate; carried as a normal-cycle patch in § 6 given its relevance to EU/CH government DNS resolvers (PowerDNS, 2026-06-25; BSI WID-SEC-2026-2091).
- Items dropped — outside the recency window (PD-7;
window_hours=36, developing 72 h):- Tata Electronics / World Leaks (Hunters International rebrand) 630 GB leak — primary disclosure 2026-06-24 (~96 h), no fresh in-window development; rolled forward.
- KDDI shared email-platform breach (up to 14.22 M mailbox credentials) — primary 2026-06-24 (~96 h); APAC nexus; the multi-tenant shared-platform lesson noted for a future weekly. Rolled forward.
- River Financial Corp SEC 8-K ransomware disclosure — filing 2026-06-25,
[SINGLE-SOURCE](SEC 8-K/StockTitan only), low CH/EU relevance; rolled forward.
- Items dropped — relevance / novelty:
- SANS ISC "Terrabot" IoT botnet (Mirai/Gafgyt variant exploiting decade-old D-Link / GPON / MVPower flaws)
[SINGLE-SOURCE]— pedagogically useful but the campaign exploits ~2016–2018-era vulnerabilities with no new development; dropped to keep signal density.
- SANS ISC "Terrabot" IoT botnet (Mirai/Gafgyt variant exploiting decade-old D-Link / GPON / MVPower flaws)
- Reduced-confidence / attribution items: the Jaguar Land Rover Russian attribution (§ 1) is MEDIUM confidence — sourced to a New York Times investigation relayed via TechCrunch / The Next Web, not an official UK government attribution or a CERT advisory. Reported as the investigators' claim per the fake-news guard.
- Single-source (primary research) items: the Cisco Talos COM-abuse primer (§ 3) is single-source by nature (the lab's own research); included under the primary-research carve-out.
- Contradictions: the Keycloak fixed-version reporting differed across sub-agents (official Keycloak release notes name 26.6.4, 2026-06-26; BSI/GitHub references also cite 26.4.x / 26.6.x backport branches). The brief cites the official Keycloak release-notes version (26.6.4) as authoritative and points Red Hat Build of Keycloak users to the matching RHSA errata.
- Verification remediation (Phase 5.7): an iteration-3 truth finding removed an unsupported claim from the JLR item — the cited TechCrunch / The Next Web articles do not carry the "UK Cyber Monitoring Centre Category-3 systemic event / surpassing WannaCry" wording (and the Evidence quote attributed to The Next Web was not in the source). The supported facts are retained: the investigators'/NYT Russian-attribution framing, the ~six-week production halt, ~£1.9 bn / $2.5 bn economic impact, and 5,000+ affected suppliers. Earlier iterations corrected NAIC granular file counts, the PowerDNS CVE id, the missing PeopleSoft CVE (CVE-2026-35273), and the Bluekit/Varonis source URL and date.
- Sub-agents: all four research sub-agents (S1–S4, Claude Sonnet 4.6) returned within the window (250–665 s).
- Source-health probe:
tools/source_health.pydid not complete within this run's time budget (full 150-source sweep); the prior snapshot (2026-06-27) is retained and the weekly GitHub Action re-probes. No per-source accessibility action derived this run. - Coverage gaps: ncsc-ch-security-hub (Week 26 Wochenrückblick HTTP 404 — not yet published; no in-window NCSC-CH post); cert-eu (latest advisory 2026-06-10, out of window); cert-fr / anssi-fr (avis latest 2026-06-18, feed otherwise stale with 2025 items); databreaches-net (per-article drill-down 403 for a fourth consecutive run — transport block, not demoted; the RSS feed served and the stories reached the brief via primary pivots); mandiant-gtig (Feedburner stale/empty — direct article fetch used); sophos-xops (feed 404, no in-window research); dfirreport (feed accessible but all items older than 72 h).
Unmatched action items (migrated)
- Verify Oracle PeopleSoft exposure and hunt for the pivot pattern (§ 1, NAIC): confirm patch status for CVE-2026-35273 (pre-auth RCE in PeopleTools 8.61/8.62) against the in-the-wild campaign, least-privilege PeopleSoft integration/service accounts, and alert on bulk export volumes from PeopleSoft data-bus repositories (DLP + off-hours staging).
- Patch PowerDNS Recursor / DNSdist on the normal change cycle (§ 7): no exploitation reported, but the 2026-08/2026-09 advisories (cache-poisoning / DNSSEC-bypass class) matter for EU/CH government DNS resolvers — upgrade Recursor to 5.2.11 / 5.3.8 / 5.4.3 and DNSdist to 1.9.15 / 2.0.7.
- Tune identity and endpoint detections from § 3 research: add hunts for
rrweb/BitM relay indicators against M365/Entra logins (Bluekit), .NET.configfiles written next to signed PEs (AppDomainManager injection / TinyRCT), COM-based scheduled-task / BITS / WMI activity from unexpected processes (Talos), and review browser-extension governance for<all_urls>extensions (BadBlocker).
Migrated from briefs/2026-06-28.md (v2).
← Operations dashboard · day page 2026-06-28 · run-record contract: docs/pipeline.md