2026-07-17T0409Z-intel
One pipeline fire, in full · intel run of 2026-07-17 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-07-17/2026-07-17T0409Z-intel.md.
Run telemetry
- Items returned
- 5
- Duration
- 11m 33s
- Tool calls
- 15 WebFetch14 WebSearch14 bridge
- Cited sources
- 4 of 11 in slice
- Items returned
- 1
- Duration
- 14m 17s
- Tool calls
- 20 WebFetch8 WebSearch14 bridge
- Cited sources
- 1 of 19 in slice
- Items returned
- 4
- Duration
- 12m 29s
- Tool calls
- 33 WebFetch9 WebSearch7 bridge
- Cited sources
- 4 of 11 in slice
- Items returned
- 2
- Duration
- 12m 15s
- Tool calls
- 11 WebFetch6 WebSearch14 bridge
- Cited sources
- 2 of 8 in slice
Verification
Deep dive
—
Entries published (this run)
- Abacus ERP: unauthenticated RCE (CVSS 9.8, no CVE) and authenticated path traversal in a widely-deployed Swiss ERP platform — flagged by NCSC-CH vulnerability high
- CVE-2026-58644 — SharePoint Server deserialization RCE moves from 'Exploitation More Likely' to confirmed exploited and CISA KEV-listed vulnerability high update
- Firefox 152.0.6 — chained WebAssembly memory-safety and DOM-navigation site-isolation flaws with public exploit code (CVE-2026-15718, CVE-2026-15719) vulnerability notable
- Garante fines Wind Tre EUR 1.7M over a vishing-enabled API-enumeration breach that exposed 365,048 telco customers incident notable
- Kaspersky: the HelloNet campaign blinds user-mode security tools by hooking raw AFD IOCTLs, persisting via DLL-sideload into a secure-network product's own auto-updater research notable
- Microsoft: two parallel ACR Stealer intrusion chains — WebDAV/rundll32/Python with blockchain dead-drop C2, and a fileless MSHTA/steganography chain — both rooted in ClickFix research notable
- Scattered Spider duo sentenced to 5.5 years each over the 2024 Transport for London intrusion — court evidence details the helpdesk-vishing/MFA-reset chain incident notable update
- Cisco Talos: UAT-11795 deploys the Python-based Starland RAT and a bespoke PowerShell C2 implant (WLDR), resolving fallback C2 through a Polygon blockchain dead-drop threat notable
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
9 last_successful_fetch.
| Source | Change | From → To | Reason |
|---|---|---|---|
| cisa-kev | last_successful_fetch | prior → 2026-07-17 | fetched + used (SharePoint/FortiSandbox KEV verification) |
| cisa-advisories | last_successful_fetch | prior → 2026-07-17 | fetched + used (SharePoint alert) |
| advisories-ncsc-nl | last_successful_fetch | prior → 2026-07-17 | fetched + used (Firefox NCSC-2026-0242) |
| ncsc-ch-security-hub | last_successful_fetch | prior → 2026-07-17 | fetched + used (Abacus post 12766) |
| talos | last_successful_fetch | prior → 2026-07-17 | fetched + used (UAT-11795) |
| kaspersky-securelist | last_successful_fetch | prior → 2026-07-17 | fetched + used (HelloNet) |
| msft-ti | last_successful_fetch | prior → 2026-07-17 | fetched + used (ACR Stealer) |
| bleepingcomputer | last_successful_fetch | prior → 2026-07-17 | fetched (S1/S4 corroboration/discovery) |
| databreaches-net | last_successful_fetch | prior → 2026-07-17 | fetched (S4 discovery feed) |
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| databreaches-net | https://databreaches.net/2026/07/16/the-breach-that-wont-end-an-update-on-canvas | webfetch → bridge:jina → bridge:url | 403 transport-403 HTTP 403 Forbidden on the article; jina reader and bridge url transport also blocked. | none — item (Instructure/Canvas, US higher-ed, no stated CH/EU nexus) would have been borderline at best; not a coverage loss for this constituency. |
Bridge invocations (this run)
3 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).
- cisa-kev ×1
- ncsc-csh recent ×1
- cisa csaf-recent / cisa page ×1
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #1 NEEDS_FIXES · 2 findings (truth=2, editorial=0, advisory=0) · Claude Opus 4.8 · 9m 36s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | — | The '7 million users / ~5,000 initially believed' figures were inline-cited to NCA and CPS, but neither fetched page carries them; both figures are on The Register (already a listed source). | Re-attributed the 7M/~5,000 clause to The Register; split the 148-systems clause to NCA (verbatim) and added the £29M remediation cost cited to CPS (which does | |
| F4 hallucinated-fact | — | The Register evidence[] quote joined two separate consecutive article paragraphs into one string — verbatim and in order but not a single contiguous substring. | Split into two separate evidence[] records, one per paragraph. |
Iteration #3 NEEDS_FIXES · 2 findings (truth=1, editorial=0, advisory=1) · Claude Opus 4.8 · 6m 36s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F4 hallucinated-fact | — | Entry claimed 'Chromium/Firefox' credential stores in summary and body, but the sole Microsoft source documents only Chromium-based browsers (Chrome/Edge) and Firefox does not use DPAPI — refutes iter | Changed 'Chromium/Firefox' to 'Chromium-based browser' in both the summary and the body. | |
| F11 editorial-advisory | — | Advisory (non-blocking): the Polygon smart-contract address appeared inside a verbatim Talos evidence[] quote — an attacker-controlled dead-drop identifier. | Removed that evidence[] record (the blockchain-dead-drop technique remains described in the body without the raw address), honouring the no-IOC invariant. |
Iteration #4 NEEDS_FIXES · 2 findings (truth=1, editorial=0, advisory=1) · Claude Sonnet 5 · 5m 52s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F4 hallucinated-fact | — | The NCA evidence[] quote truncated the source sentence before 'and delays' and added an unearned closing period — a quote-fidelity defect (the 148-systems fact is correct). Both iteration-3 fixes were | Restored the exact verbatim NCA sentence ('a total of 148 systems became inoperable, including critical ones that required significant manual workarounds and de | |
| F9 surface-contradiction | — | Advisory: the entry carried only Mozilla's qualitative 'Critical' impact label while the cited NCSC-NL CSAF record independently scores both CVEs CVSS 3.1 MEDIUM (4.3 / 5.4) — an unsurfaced cross-sour | Recorded the NCSC-NL base scores in cves[] (15718=4.3, 15719=5.4) and surfaced the Mozilla-Critical vs NCSC-NL-MEDIUM divergence in the sourcing_note and body. |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-07-17T0409Z-intel · Claude Opus 4.8 · window 26 h · 8 entries published
Verification & coverage notes
Verification. Five iterations (Opus/Sonnet rotation). All defects were minor and each was remediated: iter1 (Opus) — TfL figure misattribution (F3) + spliced Register evidence quote (F4); iter2 (Sonnet) — CLEAN; iter3 (Opus) — ACR Stealer "Firefox" overclaim (F4, Firefox does not use DPAPI) + Talos Polygon-address-in-evidence (F11 advisory, removed for no-IOC); iter4 (Sonnet) — TfL NCA quote truncation (F4) + Firefox Mozilla-Critical/NCSC-NL-MEDIUM severity divergence (F9, surfaced); iter5 (Opus) — CLEAN. Published fail-open on the single final CLEAN at the cap (iter4 was NEEDS_FIXES, leaving no room for a confirming pass) — see verification.confirmation_waived. No broken URL and no unresolved hallucinated fact remained; entries_dropped_by_verification: 0.
Window. Standard 26 h window (gap 24 h since the previous run 2026-07-16T0409Z-intel). No scheduler outage; no closed-source intel drops (no S5). All four research sub-agents returned within cap (longest S2 at 857 s). Main run 38 min — well inside the watchdog budget.
Published (8): 6 new + 2 updates.
abacus-erp-unauth-rce-path-traversal-ncsc-ch(vuln, high) — Swiss home-region flagship: unauthenticated RCE (vendor-rated CVSS 9.8, no CVE assigned) in the Abacus client-server protocol, plus an authenticated path traversal in the AbaClik/AbaClik.ai APIs; NCSC-CH flagged both 2026-07-16. Included on the strong Switzerland/public-sector nexus + pre-auth severity + national-CERT flag despite no confirmed exploitation.cve-2026-58644-sharepoint-confirmed-exploited-kev(vuln, high, update_of 2026-07-15) — exploitation-status delta: CISA now lists CVE-2026-58644 among actively-exploited on-prem SharePoint CVEs and KEV-listed it 2026-07-16. Framed around the exploitation confirmation, not the US FCEB deadline (PD-13).firefox-152-0-6-wasm-site-isolation-public-exploit(vuln, notable) — CVE-2026-15718/-15719 chained WASM/site-isolation flaws, public exploit code, no confirmed ITW; NCSC-NL flag 2026-07-16.talos-uat-11795-starland-rat-wldr-c2(threat, notable) — new actor UAT-11795; Starland RAT + Polygon blockchain dead-drop + bespoke WLDR PowerShell C2.kaspersky-hellonet-vipnet-updater-sideload-afd-ioctl(research, notable) — transferable technique (trusted-updater DLL sideload + AFD-IOCTL interception blinding user-mode EDR); framed around the technique, not the Russian victimology.microsoft-acr-stealer-two-clickfix-intrusion-chains(research, notable) — two ClickFix chains (WebDAV/EtherHiding + fileless MSHTA/steganography), reusable discriminators.garante-wind-tre-vishing-api-enumeration-fine(incident, notable) — EU/telco DPA enforcement; transferable vishing→cert-theft→unprotected-secondary-API enumeration TTP.scattered-spider-tfl-sentencing-helpdesk-vishing(incident, notable, update_of 2026-06-23) — sentencing + court-record helpdesk-vishing/MFA-reset chain detail.
Dropped — duplicate coverage (dedup):
- FortiSandbox CVE-2026-25089/-39808 KEV addition — the CVEs and campaign (
campaign:fortisandbox-triple-active-exploitation) are already covered by existing entries; today's only delta is the KEV listing, which per policy never opens an update entry (exploitation already confirmed and published ~2026-06-17). - Siemens SICAM 8 CISA ICSA-26-197-05 — CVE-2026-54798/-54799/-54800/-54801 already covered by
entries/2026-07-10/siemens-sicam-8-ssa-229470-firmware-signing-bypass.md; the CISA advisory is the US relay of the same Siemens SSA-229470 disclosure.
borderline-drop: Unit 42 AI-lens IR-report revisit — low technical/detection depth; a strategic-horizon trend synthesis revisiting a 5-month-old (Feb 2026) report, which belongs to the weekly run, not an operational intel fire; cites JADEPUFFER already covered.
Out-of-window / not-established (logged for the next run):
- Hoymiles solar-inverter DTU-protocol flaw (CCC) and BSI Windows Hello for Business analysis — primary publications 2026-07-15, before the 26 h cutoff; energy-CI-relevant Hoymiles item re-enters if exploitation or a fresher advisory lands.
- Cursor IDE
git.exeauto-execution zero-day (Mindgard) — out-of-window (2026-07-14), dev-tooling. - borderline-drop: Zoom Windows-client account-takeover CVE-2026-53412 — single trade-press (heise) mention 2026-07-16; no confirmed exploitation, no public PoC, no pre-auth detail establishing out-of-band urgency, so not established as beyond the regular patch cycle.
Single-source / carve-outs. Abacus is carried as multi-source (vendor PSIRT for its own product + NCSC-CH national relay, both Admiralty A). UAT-11795 (Talos), HelloNet (Kaspersky) and ACR Stealer (Microsoft TI) are single-source — each a high-reliability research lab reporting its own investigation, with sourcing_note stating so. Firefox is multi-source (Mozilla MFSA + NCSC-NL). SharePoint update, Wind Tre and TfL are multi-source.
Source-quality flag carried into composition. At least one aggregator (Qualys ThreatPROTECT) headlined the Firefox CVEs as an exploited zero-day, contradicting Mozilla's own advisory ("exploit code is public … not aware of any attacks in the wild"). The entry carries Mozilla's primary-source status and explicitly does not carry the aggregator over-claim.
Attribution discipline. HelloNet's Chinese-speaking attribution is Kaspersky's own low-confidence assessment on artifacts it flags as possibly unintentional/false-flag; no nexus tag is asserted on the entry or the registry record.
Deep dive: none. No candidate cleared the reserved bar — no item combined active in-the-wild exploitation with constituency exposure or a home-region nexus (criteria 1–2); the strongest technical items (UAT-11795, ACR Stealer) are cross-sector opportunistic crimeware, covered adequately as standard entries. deep_dives_today was 0 before this run.
Watchlist: not applicable — no product or supplier watchlist configured for this deployment (S1 products checked=0, S4 suppliers checked=0).
Essential-coverage: missed=cisa-directives (not attempted this run; CISA binding operational directives are low-frequency and none is in-window — attempt restored to S1's allocation next run).
Coverage gaps: censys-blog (empty feed at research time; probed OK in Phase 5 health sweep); govcert-at (RSS empty/possibly-stale — CERT.at EN blog checked directly, newest post 1 June, no in-window item); cnil-fr, edpb (SPA/JS-rendered listings returned navigation chrome only via the reader — recommend a structured-endpoint recipe); group-ib, sophos-threat-research, nozomi-networks (JS-only listings with no visible dates — no confirmed in-window item, treated as unconfirmed not empty).
← Operations dashboard · run-record contract: docs/pipeline.md