2026-07-08T2009Z-intel
One pipeline fire, in full · intel run of 2026-07-08 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-07-08/2026-07-08T2009Z-intel.md.
Run telemetry
- Items returned
- 5
- Duration
- 9m 48s
- Tool calls
- 14 WebFetch9 WebSearch26 bridge
- Cited sources
- 2 of 14 in slice
- Items returned
- 4
- Duration
- 11m 22s
- Tool calls
- 21 WebFetch11 WebSearch16 bridge
- Cited sources
- 4 of 18 in slice
- Items returned
- 5
- Duration
- 18m 43s
- Tool calls
- 22 WebFetch24 WebSearch9 bridge
- Cited sources
- 5 of 16 in slice
- Items returned
- 1
- Duration
- 8m 50s
- Tool calls
- 9 WebFetch16 WebSearch3 bridge
- Cited sources
- 2 of 7 in slice
Verification
Deep dive
2026-07-08/ghostlock-cve-2026-43499-linux-kernel-rtmutex-uaf-lpe
Entries published (this run)
- Accenture confirms a data-theft incident after '888' advertises 35 GB of internal source code, keys and Azure credentials incident notable
- CVE-2026-40138/-40139/-40140/-40141 — BeyondTrust Remote Support / Privileged Remote Access: critical pre-auth bypass, flagged by NCSC-CH vulnerability high
- CrySome RAT freight-phishing chain: AMSI bypass, ICMLuaUtil UAC bypass and an open-source Defender-disruption tool threat notable
- CVE-2026-20744 — Hydro-Québec EV-charging backend: unauthenticated OCPP WebSocket endpoint enables privilege escalation vulnerability notable
- CVE-2026-48282 — Adobe ColdFusion path-traversal RCE now actively exploited and CISA KEV-listed vulnerability high update
- CVE-2026-55255 — Langflow cross-tenant IDOR now CISA KEV-listed, chained with the pre-auth RCE CVE-2026-33017 vulnerability high
- GhostLock (CVE-2026-43499) — Linux kernel rtmutex use-after-free with a public, 97%-reliable root and container-escape exploit vulnerability high
- CVE-2026-48908 / CVE-2026-56290 — two Joomla page-builder extensions hit CISA KEV the same day for unauth file-upload RCE zero-days vulnerability notable
- Cisco Talos: China-nexus UAT-7810 expands its ORB network with LONGLEASH/DOGLEASH/JARLEASH via unpatched Ruckus and ASUS routers threat notable
- Ubiquiti UniFi SAB-066 — 25 vulnerabilities incl. unauthenticated CVSS 10.0 command injection in UniFi Connect (CVE-2026-50746) vulnerability notable
- Unit 42: Factory-v3 loader-builder abuses fraudulent code-signing and 491 MB file inflation to smuggle Vidar and XMRig past sandboxes threat notable
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
1 last_successful_fetch bumped to 2026-07-08 + fetch/quiet failure counters reset for 42 sources confirmed reached this run (essential CERT/KEV/regulator set incl. bridged CISA hosts + NCSC-CH/NCSC-NL; the reached S3 research slice; the reached S4 incident/regulator/news set). NOTE: cisa-advisories, cisa-directives and cisa-news — all flagged as fetch_gaps (403) by the last run's rotation candidates — recovered via the reader-proxy bridge this run, clearing those rotation-priority flags..
| Source | Change | From → To | Reason |
|---|---|---|---|
| (bookkeeping) | last_successful_fetch bumped to 2026-07-08 + fetch/quiet failure counters reset for 42 sources confirmed reached this run (essential CERT/KEV/regulator set incl. bridged CISA hosts + NCSC-CH/NCSC-NL; the reached S3 research slice; the reached S4 incident/regulator/news set). NOTE: cisa-advisories, cisa-directives and cisa-news — all flagged as fetch_gaps (403) by the last run's rotation candidates — recovered via the reader-proxy bridge this run, clearing those rotation-priority flags. | — → — | Autonomous source-lifecycle bookkeeping (Phase 5). Routine bumps, not lifecycle transitions — no status changes, no demotions. Preserved canonical serialization (indent=1, ensure_ascii=False) to avoid full-file reserialization churn. |
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| industrialcyber-co | https://industrialcyber.co/ | webfetch → bridge:url → bridge:jina → websearch | 403 transport-403 UA-403 on WebFetch, bridge:url AND jina reader (documented recurring Cloudflare-class block); confirmed still fully blocked this run (S3 tested a specific artic | WebSearch substitute used (S3/S4); surfaced only out-of-window content (a Feb-2026 Dragos annual-report re-hash). 403 is transport blocking, not source death — |
Bridge invocations (this run)
6 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).
- ×6
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #? NEEDS_FIXES · 6 findings (truth=4, editorial=0, advisory=2) · Claude Opus 4.8 · 12m 17s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F13 ? | — | The 'China-nexus actor breached US Treasury Dec 2024 via CVE-2024-12356/-12686' attribution was cited to the THN 2026-07-07 article, which contains no Treasury/China/Silk text and pairs -12356 with -1 | Reworded body + summary to what THN actually supports ('BeyondTrust RS/PRA flaws have come under repeated exploitation in the past to deploy web shells and back | |
| F4 hallucinated-fact | — | THN evidence quote was not verbatim — dropped the hedge 'is said to have been' → 'was' and 'by means of an' → 'via'. | Replaced with the verbatim THN string ('CVE-2026-48908, on the other hand, is said to have been exploited as a zero-day to upload a PHP file by means of an HTTP | |
| F4 hallucinated-fact | — | SOCRadar evidence quote elided the clause 'Whether the alleged data is current,' and compressed 'any keys, tokens, or credentials' to 'any keys' without ellipsis. | Restored the full verbatim SOCRadar sentence. | |
| F4 hallucinated-fact | — | 'subscription-based .NET RAT sold via a public web portal' provenance is not stated by the sole cited source (LevelBlue), which only notes CrySome is documented in prior public reporting. | Softened to 'a modular .NET remote-access trojan the lab notes has been covered in prior public reporting' in the entry (summary + body) and the registry summar | |
| F11 editorial-advisory | — | Vendor PSIRT (BeyondTrust bt26-03 / Ubiquiti SAB-066) is the true first-party disclosure; adding it as a source would anchor first-party sourcing. | Not applied — both vendor pages were unreachable this run (bt26-03 returned 403; the Ubiquiti SAB-066 page is a JS-only SPA shell). Link discipline forbids citi | |
| F11 editorial-advisory | — | A references cross-link to the 2026-07-04 JADEPUFFER Langflow-exploitation entry (same product + research lab) would help the reader connect the thread. | Added references: [2026-07-04/jadepuffer-agentic-llm-ransomware-langflow-rce]. |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-07-08T2009Z-intel · Claude Opus 4.8 · window 64 h · 11 entries published
Verification & coverage notes
Catch-up intel run — gap ~62 h to the previous fire (2026-07-06T06:09Z-intel; both 2026-07-06 runs were quiet, zero entries). window_hours=64 (gap+2, catch-up class), developing_window_hours=86. Coverage window: catch-up of 62 h (previous run 2026-07-06T0609Z-intel). Dedup (PD-8) ran against the full 14-day prior_coverage.json (140 records — every brief in the window loaded into context) plus the store-wide CVE index (484 ids). Prompt version v3.11. Outcome: 11 entries (10 new + 1 update), one deep-dive (GhostLock, linux-lpe), no critical. Composition: 7 vulnerability (incl. the ColdFusion update + the GhostLock deep-dive), 3 threat, 1 incident — a diverse landscape, not a per-vendor patch feed.
No critical this run — by construction. The two actively-exploited KEV items (ColdFusion CVE-2026-48282, Langflow CVE-2026-55255) are high, not critical: both have patches available and neither is mass-exploitation-imminent for this constituency (ColdFusion ~800 internet-exposed instances globally; Langflow a single observed operator). No candidate cleared the extreme critical bar (newly weaponised + active-ITW/mass-exploitation-imminent + hour/day-critical defender action).
Deep-dive: GhostLock (CVE-2026-43499), category linux-lpe — selection criterion 3 (substantive new technical analysis with a public, actionable exploit). No linux-lpe deep-dive in the prior 30 days (rotation clear); deep_dives_today=0. Public 97%-reliable root + container-escape exploit against a 15-year-exposure kernel UAF present on the default CONFIG_FUTEX_PI justifies the long-form treatment.
Borderline drops (recoverable audit trail)
- borderline-drop: Compass Security (Swiss lab) CRA compliance methodology (IP-camera IEC 62443-4-2 SL2 assessment) (S2) — single-source first-party methodology/compliance-assessment piece; genuinely Swiss and well-executed, but it is procurement/compliance guidance, not operational threat/detection intel. Fails PD-11 actionability (changes no patch/hunt/block/detect decision for a Tier 2/3 responder). No ATT&CK/detection surface.
- borderline-drop: Krebs on Security — IRIS C2 exploit-acquisition startup run by convicted fraudsters (S3) — vendor/procurement-risk investigative journalism; no technical vulnerability, TTP or detection content. Interesting for public-sector procurement/vendor-risk teams but not actionable for a SOC responder (PD-11 actionability gate).
- borderline-drop: Swiss Post 2026 e-voting bug bounty (6–24 July, outer network-security layer removed for a test cohort, up to EUR 230k) (S2) — direct Swiss-federal-e-gov nexus and a real "don't mis-triage authorised adversarial traffic" angle, but fundamentally a program-announcement / awareness news item (PD-11 "drop without ceremony"); single-source (Swiss Post's own post 301-redirected during the run; only SwissCybersecurity.net was fetched) and no clean operational entry-kind fit. Logged here for recoverability — if anomalous traffic against Swiss federal e-voting segments is observed in-window, this is the authorised-testing context.
Out-of-window drops (S3 flagged these as strong near-misses for a catch-up window; all fail recency PD-7 — primary source before the 86 h developing cutoff of 2026-07-05T06:09Z)
- Check Point "Browser-Only Ransomware" LLM-hallucination-to-attack technique (primary 2026-07-01).
- "Bad Epoll" CVE-2026-46242 Linux epoll UAF LPE, ~99% reliable exploit (primary/THN 2026-07-03) — the in-window Linux-LPE-with-public-exploit beat is already carried by GhostLock, so no blind spot.
- ChocoPoC trojanised-PoC campaign (Sekoia/YesWeHack 2026-07-01); PolinRider DPRK supply-chain (Socket 2026-07-04); ClickFix 3,000-payload analysis (kqlquery.com 2026-07-01, THN 07-07 is a rewrite); Dragos 2026 OT Year-in-Review (orig 2026-02-17); Kaspersky ICS CERT Q1 2026 (report dated 2026-06-09, listing mis-dated 07-07).
Verification / sourcing notes
- Single-source (research-lab primary, reported as the lab's own original analysis): CrySome (LevelBlue SpiderLabs), UAT-7810 (Cisco Talos), Factory-v3 (Palo Alto Unit 42) — each
verification: single-sourcewith asourcing_note; same-day outlet rewrites are not independent corroboration. - Single-source-national-cert: Hydro-Québec OCPP (CISA ICSA-26-188-01) — national-authority carve-out; the CSAF JSON is the same authority's structured record.
- Accenture (incident): the incident is confirmed multi-source (Accenture's own statement + four outlets), but the claimed SCOPE (35 GB, credential classes, specific repo) is the actor's unverified advertisement — "888" has a documented scope-inflation history (a June 2024 Accenture claim of 32,826 employee records proved to contain only three genuine ones). Framed as an actor claim throughout;
confidence: medium,classification: B3. - ColdFusion update discipline (PD-8): CVE-2026-48282 shipped as
update_of: 2026-07-02/cve-2026-48276-48277-48281-48282-48283-48316-adobe-coldfusio— delta only (exploitation-status change: patched-no-exploitation → actively-exploited + KEV within a week); the original entry (which correctly stated "no exploitation reported yet") is untouched. - Ubiquiti dedup: SAB-066 (CVE-2026-50746 et al.) is a distinct, larger disclosure from the 2026-06-24 UniFi OS chain (CVE-2026-34908/-34909/-34910) — different CVEs, broader product scope — so a new entry, not an update.
- Contradictions: none.
Completeness sweep (PD-11)
Re-read all four findings sets including every borderline/near-miss candidate. Everything genuinely relevant and in-window is published: the two actively-exploited KEV clusters, the home-authority (NCSC-CH) BeyondTrust advisory, the NCSC-NL Ubiquiti bulletin, the public-exploit kernel LPE, the OT/EV-charging transferable weakness, three substantive research-lab TTP analyses, and the one in-scope supply-chain incident (Accenture). The three borderline drops are awareness/compliance/procurement items that fail the actionability gate, not blind spots; the out-of-window set is genuinely stale (all primaries before the 86 h developing cutoff), and where a theme could have left a gap (Linux LPE) an in-window item (GhostLock) already covers it. No relevant item was thinned to control volume — volume here reflects a genuinely eventful 62 h catch-up (a same-day CISA KEV batch of exploited CVEs plus two national-CERT advisories), not padding.
Coverage gaps
- industrialcyber-co (recurring UA-403 on WebFetch + bridge + jina — recorded in
fetch_failures; WebSearch substitute found nothing in-window). Standard-tier, not essential. - Slow-cadence / quiet sources (fetched clean, no in-window content — not failures): cert-eu (newest 2026-06-10), cert-at (2026-06-01), cert-pl (2026-06-12), enisa (2026-07-01 NIS360), trendmicro-research (2026-06-29), snyk-research (2026-06-29), mozilla-mfsa (2026-07-05 moderate iOS spoofing, below bar), sekoia (2026-07-01 ChocoPoC, out of window), truesec (2026-07-03 repackage of Sysdig JADEPUFFER, already covered), socprime (2026-06-19), withsecure-labs (month-granularity, newest May 2026), shadowserver (2026-06-25).
- Recipe-quality gaps (host healthy, extraction weak): ncsc-uk (reports-advisories index returned page chrome only this pass), prodaft (Next.js SPA shell, no dated /blog list), trellix (JS-only blog listing never surfaces post links even via jina — recommend a sitemap.xml probe recipe), oracle-cpu (security-alerts index nav-only; next quarterly CPU due mid-July, not yet published).
- Recipe note (fixed-forward): sans-newsbites — the jina/url bridge failed (connection reset / 422) but plain WebFetch succeeded on the canonical issue URL; recommend the recipe prefer WebFetch over jina for this host.
- Standard-tier not attempted this run (time budget prioritised essentials + strong KEV/NCSC pivots): shadowserver (S1), socprime (S1), trustwave-spiderlabs (S1 — note S3 reached it as LevelBlue), sonatype, flatt-security, jpcert, exodus-intelligence. Recommended for priority pickup next rotation.
- Essential-coverage: no miss — every essential-tier source was attempted and resolved (CERT/KEV/regulator set incl. bridged CISA hosts and NCSC-CH/NCSC-NL).
- Watchlist: not reported —
config/org-profile.yamlconfigures no product or supplier watchlists; the S1 product-sweep and S4 supplier-sweep were documented no-ops. - Source-health (standing repair order):
python3 tools/source_health.pyran to completion (the first attempt hit a 320 s wrapper timeout and was re-run with a longer budget;state/source_health.jsonwas untouched by the killed attempt and regenerated cleanly by the retry). Result: 95 ok · 58 bridge-ok · 1 jina-ok · 154× actionnone— zero UNSOLVED / needs-bridge / needs-demote. Nothing to repair this run; evenindustrialcyber-co(the run's one live fetch_failure at 403) probes as handled, and the previously-flaggedccn-cert-estransport-block fix is holding. No demotions (rule A1).
← Operations dashboard · day page 2026-07-08 · run-record contract: docs/pipeline.md