2026-W24-bd5a7519
One pipeline fire, in full · weekly run of 2026-06-14 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-14/2026-W24-bd5a7519.md.
Run telemetry
- Items returned
- 3
- Duration
- 8m 13s
- Tool calls
- 8 WebFetch18 WebSearch5 bridge
- Cited sources
- 8 of 15 in slice
- Items returned
- 4
- Duration
- 9m 42s
- Tool calls
- 12 WebFetch15 WebSearch9 bridge
- Cited sources
- 2 of 15 in slice
Verification
Deep dive
—
Entries published (this run)
- CVE-2026-10520 / CVE-2026-10523 — Ivanti Sentry: pre-auth command injection to root, now confirmed exploited and gateways backdoored synthesis high
- CVE-2026-41089 — Windows Netlogon: pre-auth SYSTEM RCE on domain controllers, confirmed exploited in the EU synthesis high
- CVE-2026-35273 — Oracle PeopleSoft: confirmed zero-day exploited by ShinyHunters (UNC6240), education sector hit hardest synthesis high
- CVE-2026-50751 — Check Point Security Gateway: IKEv1 VPN authentication bypass exploited by a Qilin affiliate synthesis notable
- Chaotic Eclipse / Nightmare Eclipse Windows zero-day wave — three long-tracked bugs patched, a fourth still open synthesis high
- Shai-Hulud / Miasma supply-chain worm lineage — open-sourced, ported to PyPI, and a 1,500-package AUR wave synthesis notable
- Maine breach-notification portal hoax — fraudulent filings against VRChat and Discord, then the portal goes dark synthesis notable
- CVE-2026-20253 — Splunk Enterprise: unauthenticated arbitrary file creation/truncation via the PostgreSQL sidecar proxy vulnerability notable
- CVE-2026-49261 — MariaDB Galera cluster: pre-auth lateral RCE via wsrep_notify_cmd vulnerability notable
- CVE-2026-44748 — SAP NetWeaver AS ABAP: SAML XML Signature Wrapping (CVSS 9.9) vulnerability notable
- CVE-2025-8088 — WinRAR path traversal: still fuelling Ukraine intrusions a year after the fix vulnerability notable
- Public administration — the week's centre of gravity synthesis notable
- Education — ShinyHunters' PeopleSoft campaign lands disproportionately on universities synthesis notable
- Healthcare & energy — large-scale personal-data exposure from theft and from mishandling synthesis notable
- France's Tchap government messenger — account-takeover scrapes 73,467 civil servants' metadata incident high
- Novo Nordisk — theft of non-public data including personal data incident notable
- Law-enforcement follow-through — Conti loader developer pleads guilty, AudiA6 laundering service dismantled incident notable
- South Korea fines Coupang a record ₩624.7 bn over an unrevoked signing key incident notable
- CrowdStrike 2026 Technology Threat Landscape Report — "technology = most-targeted" reads as prophecy against this week's incidents annual-report notable
- VerdantBamboo (UNC5221 / WARP PANDA) — BSD-compiled BRICKSTORM confirmed on pfSense, plus a new PLENET backdoor synthesis notable
- Velvet Ant "Operation Highland" — Sygnia documents decade-long Linux PAM/sshd subversion synthesis notable
- APT28 (GRU Unit 26165) — Sekoia documents a shift to LLM-generated payloads and cloud-native C2 synthesis notable
- European Commission refers France and Spain to the CJEU over NIS2 non-transposition policy high
- Germany's Bundestag opens first reading of the CRA domestic-implementation bill policy notable
- ENISA publishes the first EU-wide SBOM Adoption State of Play — consumption lags generation policy notable
- EDPB adopts a harmonised GDPR Article 33 breach-notification template policy notable
- CISA replaces the flat KEV 14-day rule with risk-tiered remediation (BOD 26-04) policy notable
- Looking ahead — 2026-W24 outlook notable
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| databreaches-net | https://databreaches.net/ | bridge:url | 403 transport-403 persistent Cloudflare 403; no specific in-window article identified | none — rotation-priority gap |
| sophos-xops | https://news.sophos.com/en-us/feed/ | bridge:feed → websearch | 503 transport-5xx recurring 503; no in-window Sophos content found | none — no in-window content |
| inside-it-ch | https://www.inside-it.ch/ | webfetch → bridge:url → websearch | 403 transport-403 Cloudflare managed challenge; bridge returned no body | none — NCSC-CH bridge covered Swiss items |
Bridge invocations (this run)
2 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).
- bridge:ncsc-csh.recent ×1
- bridge:url ×1
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #2 cap-breach
Cap-breach iteration recorded no per-finding detail. The dashboard cannot show WHAT the verifier flagged. See .claude/agents/cti-verification.md § Findings summary for the contract.
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-W24-bd5a7519 · weekly · Claude Opus 4.8 · 28 entries published
- Items flagged
[SINGLE-SOURCE]this week: CrowdStrike 2026 Technology Threat Landscape Report (§ 6; vendor telemetry, directionally valid, no independent corroboration); APT28 tradecraft evolution (§ 7; Sekoia TDR sole source — reported as the actor's TTPs, attributed to the reporting, not asserted as new incidents); Check Point IKEv1 CVE-2026-50751 (§ 1; vendor PSIRT advisory is the canonical primary for the vendor's own product); Splunk CVE-2026-20253 (§ 3; Splunk advisory); SAP NetWeaver CVE-2026-44748 (§ 3; Onapsis analysis of SAP's HotNews note); WinRAR CVE-2025-8088 (§ 3; Trend Micro research). The § 8 Germany CRA bill (Bundestag), ENISA SBOM report, and EDPB Article 33 template are single-source from the disclosing government/EU body itself (carve-out applies). The § 2 Chaotic Eclipse Patch-Tuesday round-up is sourced to news aggregators (BleepingComputer, SecurityWeek) because patch-day reporting is inherently aggregator-led — reduced confidence on exact CVE-to-codename mapping, though the patched/unpatched split is corroborated across both. National-CERT / national-authority single sources covered by the verification carve-out: Germany CRA implementation bill (§ 8; Deutscher Bundestag primary), ENISA SBOM Adoption State of Play (§ 8; ENISA primary), NCSC-CH G7 Évian advisory (§ 8/§ 9; NCSC-CH primary), MariaDB CVE-2026-49261 (§ 3; NCSC-CH Security Hub primary, corroborated by MariaDB documentation). VerdantBamboo (§ 7) is now multi-source (Volexity primary + The Hacker News corroboration) and Velvet Ant (§ 7) leads with a verified-live The Hacker News relay because the Sygnia "Operation Highland" page returns automated-UA blocks (Imunify360/Cloudflare) — the page is likely reachable from a human browser. - Items dropped from this week's roll-up: 2026-06-07 overlap-day items belonging to the W23 window (Chrome 149 / CVE-2026-10881, FFmpeg AI-found zero-days / CVE-2026-39210, polyfill[.]io reactivation, Stripe-API Magecart, WeTransfer steganographic loader) — covered in the W23 cycle, no new in-window development; FIFA World Cup 2026 / Ghost Stadium PhaaS (tournament kicked off 11 June, no new primary research and no confirmed infrastructure attack in-window); TA4922 and Gamaredon (no new in-window development beyond W23 coverage — W1); OceanLotus/APT32 FireAnt supply-chain, JDY botnet, The Gentlemen ransomware (fully resolved in dailies, no weekly-qualifying delta); single-day research items not meeting W-PD-1 (Teams external-chat phishing, AI-brand-impersonation malware delivery, cloud-logging defense-evasion, Entra Agent ID OBO abuse, Imperva/Varonis OpenClaw prompt-injection, Agentjacking, Google v. "Outsider" PhaaS) — these were operationally useful in the dailies but are not cross-day patterns or horizon shifts.
- Contradictions: none unresolved this run.
- Reduced-confidence items: Atomic Arch AUR compromised-package count (§ 2) — reporting ranges from 900 (PrivacyGuides) to ~1,500 (end-of-day 12 June); W1 assessed this MEDIUM confidence. The delivery-mechanism change (
bun install js-digest) is the verified detail; the exact count is approximate. - Sub-agents: both W1 (long-horizon) and W2 (policy) returned within budget. W1 reported its
findings.W1.yamlended-timestamp consistent with its return; W2'sfindings.W2.yamlcarries an internal ended-timestamp that disagrees with its return-line timestamp — the authoritative**Timestamps:**return line (started 23:10:31Z, ended 23:20:13Z) was used for the run log. - Verification: 2 iterations (iter 1 Claude Opus 4.8 → NEEDS_FIXES, truth=4 all remediated: Splunk RCE-overstatement, stale NIS2 corroborating link, Novo Nordisk data-category over-itemisation, Atomic Arch count/Shai-Hulud attribution; iter 2 Claude Sonnet 4.6 → NEEDS_FIXES, truth=2 both remediated: ENISA SBOM consumption-gap reframed as the brief's inference rather than the report's stated finding, Coupang root cause corrected to key theft by a former employee). Residuals: 2 — published via the low-defect early-exit path (iteration-2 truth+editorial ≤ 2 with no broken-URL/hallucination findings; both residual findings were nonetheless remediated before publish rather than carried).
- Coverage gaps: databreaches-net (persistent HTTP 403, rotation-priority); sophos-xops (HTTP 503, persistent); inside-it-ch (Cloudflare 403, persistent); finma (no in-window guidance — quiet); ofcom-bakom (no in-window cyber publication — quiet); us-treasury-ofac (no in-window cyber sanctions action — quiet); cnil-fr (no in-window enforcement — quiet); ico-uk (no new in-window action — quiet).
— Source: run state · Tags: verification-notes · Region: global
Migrated from briefs/weekly/2026-W24.md (v2).
← Operations dashboard · day page 2026-06-14 · run-record contract: docs/pipeline.md