2026-W22-da77963d
One pipeline fire, in full · weekly run of 2026-05-31 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-31/2026-W22-da77963d.md.
Run telemetry
- Items returned
- 13
- Duration
- 5m 11s
- Tool calls
- 10 WebFetch22 WebSearch4 bridge
- Cited sources
- 5 of 18 in slice
- Items returned
- 6
- Duration
- 6m 27s
- Tool calls
- 9 WebFetch10 WebSearch7 bridge
- Cited sources
- 3 of 14 in slice
Verification
Deep dive
—
Entries published (this run)
- CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect pre-auth authentication bypass, exploited in two waves by the same actor synthesis high
- CVE-2026-35616 — Fortinet FortiClient EMS pre-auth bypass, exploited to push EKZ Infostealer down the management channel synthesis high
- CVE-2026-26980 — Ghost CMS unauthenticated blind SQL injection, mass-exploited into a ClickFix infostealer chain synthesis notable
- CVE-2026-4408 / CVE-2026-4480 — Samba dual unauthenticated RCE (CVSS 10.0), patch window closed mid-week synthesis high
- Mini Shai-Hulud / TrapDoor — the supply-chain worm goes cross-ecosystem, open-source and destructive synthesis high
- AI tooling as lure, attack surface and force-multiplier — the cross-day pattern no single daily framed whole synthesis notable
- CVE-2026-5426 — Digital Knowledge KnowledgeDeliver LMS: ViewState deserialization RCE exploited as a zero-day vulnerability notable
- CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE (CVSS 9.8) vulnerability notable
- CVE-2026-48710 "BadHost" — Starlette pre-auth host-header auth bypass across the Python AI/ASGI stack vulnerability notable
- CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection vulnerability notable
- Public administration & identity (CH / DACH lead) — the LMS, SSO and e-government estate under multi-product pressure synthesis notable
- Healthcare — administrative and imaging intermediaries remain the soft surface synthesis notable
- Transport — Iran-MOIS destructive breach against LACMTA with deliberate backup and VM destruction synthesis notable
- Finance — Iberian retail-banking pressure from Grandoreiro plus a parallel Android MaaS synthesis notable
- AFC Ajax — 300,000+ fan accounts exposed via misconfigured API access control; Dutch suspect arrested incident notable
- UK Visa Portal — ~100,000 passport scans and selfies on a public-read S3 bucket behind a government-lookalike site incident notable
- Asocks residential-proxy botnet — Dutch Police + NCSC dismantle ~17M-device infrastructure hosted in the Netherlands incident notable
- ESET APT Activity Report Q4 2025–Q1 2026 — three state programmes converging on EU energy, defence and edge appliances annual-report notable
- Check Point Q1 2026 State of Ransomware — ecosystem reconsolidates; LockBit returns with a deliberate Europe pivot annual-report notable
- The Gentlemen / Storm-2697 — internal "Rocket" backend leaked by a rival; KELA and Check Point dissect the operator inner circle synthesis high
- Mini Shai-Hulud / TeamPCP — @antv npm wave and confirmed Maven Central poisoning; Cargo still un-hit synthesis notable
- ShinyHunters Salesforce campaign — 40+ listed victims; Canada Life and Pitney Bowes confirm; the BreachForums extortion channel was previously seized synthesis notable
- Chaotic Eclipse / Nightmare Eclipse — MiniPlasma confirmed SYSTEM on a fully-patched Windows 11; sixth zero-day in six weeks synthesis notable
- UNC6671 / BlackFile — GTIG publishes the full profile; group announced shutdown "under this name", rebrand probable synthesis notable
- GREYVIBE — independent corroboration; OPSEC slips enabled attribution; charity-front sub-campaign synthesis notable
- Germany's Cybersicherheitsstärkungsgesetz — federal cabinet approves active-cyber-defence powers; Bundestag passage still ahead policy notable
- EU 20th-package managed-security-services ban in force from 25 May — Switzerland adopted listings only; MSS prohibition deferred policy high
- ENISA NIS360 2026 — public administration, health and water sit in the NIS2 "risk zone" policy high
- EU Cyber Resilience Act — 11 June notifying-authority deadline, then September reporting obligations policy notable
- Data-protection enforcement converges on a health-data controls floor — CNIL fines IQVIA €5M; California AG sues over 23andMe policy notable
- Looking ahead — 2026-W22 outlook notable
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
No coverage gaps in this run · every source the brief needed returned usable content via its documented recipe.
Bridge invocations (this run)
2 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).
- bridge:ncsc-csh ×1
- bridge:databreaches-net ×1
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-W22-da77963d · weekly · Claude Opus 4.8 · 32 entries published
[SINGLE-SOURCE]items carried into this summary: the Cisco Talos DICOM/Orthanc heap analysis (§ 4, single research-lab source — a technical study, not an incident claim); the Red Canary Entra Agent ID privilege-escalation detection (§ 2, single-vendor); Delta DIAView CVE-2026-9642 (§ 3 table / § 9, Tenable-only, no vendor patch). Each is attributed to its single source in place.- Reduced confidence / single-primary: the EU CRA milestone item (§ 8) rests on the European Commission implementation factpage as a single primary — the dates are authoritative but uncorroborated by a second source this run. The Check Point Q1 2026 ransomware figures (§ 6) are single-vendor leak-site telemetry; group-share and victim-count numbers are treated as directional landscape signal, not precise measurement, and no vanity metrics were carried into the prose.
- Items dropped from this week's roll-up (cleared the daily bar, not the weekly W-PD-1 bar): the Underminr CDN domain-fronting research, Atos BYOVD-driver study, Google Cloud API-key deletion-latency, Tycoon 2FA AiTM detection-engineering, Lazarus RemotePE memory-only RAT, Wiz JINX-0164 crypto-targeting, and the SANS ISC Akira-from-syslog reconstruction were folded by reference or dropped — interesting in isolation but not inaction-=-incident / cross-day-pattern / strategic-horizon. The GitHub Enterprise SSRF (CVE-2026-9312) and the Rancher / Portainer / Veeam / GitLab patch clusters appear in the § 3 table without H3s (patched, no in-window exploitation). They may resurface if exploited.
- Carry-forwards resolved this week: the W21 watch on the UNC6671/BlackFile rebrand (GTIG profile + "shutting down under this name", § 7), on Shai-Hulud wave-6 registries (npm @antv ecosystem confirmed hit; Maven Central exposure via
mvnpmreported in secondary sourcing but not confirmed against a primary this run; Cargo status unverified, § 7), and on the SECO/MSS sanctions question (Switzerland deferred the MSS ban, § 8) are all closed. The GitHub internal-repo post-incident report remains outstanding and carries forward to W23. - Contradictions / open items: none unresolved this run. No European Commission interpretive guidance on the EU MSS-prohibition scope has been published, so a conservative reading stands (§ 8).
- Sub-agents: both horizon sub-agents (W1 long-horizon, W2 policy) ran on Claude Sonnet 4.6 and returned within budget (W1 311s, W2 387s). Both were cut off at the very end of their runs before emitting their closing Markdown return; their findings were recovered intact from the committed
work/2026-W22-da77963d/findings.W1.yaml/findings.W2.yaml, the agents' completion summaries, and theurl-liveness.tsvledger (every cited primary verified 200 OK). No candidate sources surfaced this run. - Verification iterations: 3 — iter-1 (Opus) NEEDS_FIXES (truth=3, editorial=1, advisory=1); iter-2 (Sonnet) NEEDS_FIXES (truth=4, editorial=1, advisory=1); iter-3 (Opus) CLEAN. Model rotation applied across iterations. Residuals: 0. Remediated across the loop: an unverified Maven/Cargo "confirmed" claim (downgraded to unconfirmed), an ENISA maturity-band miscategorisation, the Asocks name-attribution, the Samba config-dependence of both 10.0 paths, a CVE mislabel (CVE-2026-45585 is YellowKey, not MiniPlasma; MiniPlasma is CVE-2020-17103), the German-hackback per-agency overstatement, and an ESET "Sandworm vs NATO energy" overstatement (one rare Polish-energy incident).
- Coverage gaps: databreaches-net (403 — transport, bridge-routed); sophos-xops (503); inside-it-ch (Cloudflare 403); cert-fr-actu (feed stalled); ec-presscorner (SPA, no static content); bmi-bund-de (bridge returned empty); enisa-nis360-pdf (full PDF not fetched — analysis page used instead); GovCERT.ch (no Shai-Hulud developer advisory exists — confirmed absent, not a fetch failure).
Migrated from briefs/weekly/2026-W22.md (v2).
← Operations dashboard · day page 2026-05-31 · run-record contract: docs/pipeline.md