2026-W25-0aacfe65
One pipeline fire, in full · weekly run of 2026-06-22 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-22/2026-W25-0aacfe65.md.
Run telemetry
- Items returned
- 11
- Duration
- 10m 53s
- Tool calls
- 13 WebFetch12 WebSearch5 bridge
- Cited sources
- 11 of 19 in slice
- Items returned
- 8
- Duration
- 10m 48s
- Tool calls
- 9 WebFetch14 WebSearch10 bridge
- Cited sources
- 6 of 11 in slice
Verification
Deep dive
—
Entries published (this run)
- FortiBleed — Russian-speaking operator cracking 86,644 FortiGate credentials into Active Directory synthesis high
- CVE-2026-20253 — Splunk Enterprise pre-auth RCE flips to confirmed exploitation and CISA KEV synthesis high
- CVE-2026-12569 — PTC Windchill / FlexPLM pre-auth deserialization RCE, exploited, BSI calling admins at 02:30 synthesis high
- ShinyHunters extortion brand — Council of Europe named, Kodak and One Medical added to the leak-site pressure synthesis high
- The Gentlemen — EDR-killer framework documented, OT-adjacent victim claimed, operator named synthesis high
- CVE-2026-0257 — Palo Alto Networks PAN-OS GlobalProtect: authentication bypass under active exploitation vulnerability notable
- CVE-2026-20262 — Cisco Catalyst SD-WAN Manager: authenticated arbitrary file write to root, exploited as a zero-day (CISA KEV) vulnerability notable
- CVE-2026-48907 — Joomla Content Editor (JCE): unauthenticated profile-import to PHP RCE (CVSS 4.0 10.0, CISA KEV) vulnerability notable
- CVE-2026-54420 — LiteSpeed cPanel/WHM plugin: symlink-following on shared hosting, exploited (CISA KEV) vulnerability notable
- CVE-2026-25089 / CVE-2026-39808 / CVE-2026-39813 — FortiSandbox: three critical flaws exploited in one 24-hour window vulnerability notable
- CVE-2026-4020 — Gravity SMTP WordPress plugin: unauthenticated credential dump, mass-exploited vulnerability notable
- CVE-2026-50751 — Check Point Security Gateway IKEv1 VPN authentication bypass: public PoC, Qilin affiliate use vulnerability notable
- CVE-2026-46978 / CVE-2026-35278 — Oracle June 2026 CSPU: unauthenticated Solaris RAD flaw (10.0) and PeopleSoft RCE (9.8) vulnerability notable
- CVE-2026-20181 / CVE-2026-20190 — Cisco Identity Services Engine: unauthenticated credential read chaining to root command execution vulnerability notable
- CVE-2026-0647 et al. — Rockwell Automation FLEX I/O unauthenticated password reset (9.4) and Logix CIP DoS, flagged by NCSC-CH vulnerability notable
- CVE-2026-55803 / CVE-2026-55804 — Drupal core: PHP object-injection chain in JSON:API, BSI-rated critical vulnerability notable
- Public administration — named European institutions and government data in the firing line synthesis notable
- Education — exposed CMS and forum software stack a structural risk synthesis notable
- Healthcare — third-party exposure and a 16-month notification gap synthesis notable
- Energy, water & OT — perimeter and process failures, with an OT-adjacent halt synthesis notable
- Technology & SaaS supply chain — the week's busiest victim class synthesis notable
- Law-enforcement momentum — Operation Endgame expands, Silver Fox mass-arrest, Conti loader plea incident notable
- Insider and process failures — Munich school data, a lost SSD, and an NHS records caution incident notable
- The third-party breach as the week's dominant entry vector incident notable
- Research: the AI agent and toolchain control plane became a concrete attack-surface class this week research high
- Research: ClickFix matured into a productised malware-as-a-service supply chain research notable
- Threat actor: DPRK Sapphire Sleet escalates npm supply-chain attacks with the Mastra compromise research notable
- Threat actor: FishMonger (I-SOON) ports SprySOCKS to Windows with a kernel-mode rootkit research notable
- Threat actor: INC ransomware's Rust rewrite and BYOVD evolution research notable
- Research: usbliter8 — an unpatchable SecureROM boot-chain exploit for Apple A12/A13 silicon research notable
- DORA Year 1 — the ESAs' first annual ICT-incident report: 3,383 major incidents, a third cross-border, only ~10% cyber annual-report notable
- Check Point State of Ransomware Q1 2026 — ecosystem consolidation, with Switzerland and Germany named annual-report notable
- Chaotic Eclipse / Nightmare Eclipse zero-day wave — RoguePlanet (CVE-2026-50656) still unpatched, PoC works on June builds synthesis notable
- SocGholish / TA569 — Operation Endgame seized 106 servers, but seven delivery clusters remain operational synthesis notable
- EDPB adopts a harmonised GDPR Article 33 breach-notification template — consultation open to 5 August policy notable
- CRA reporting obligation lands 11 September — ENISA Single Reporting Platform access manual due, dry-runs before go-live policy notable
- NIS2 transposition remains incomplete — France and Spain still among the laggards policy notable
- G7 Évian cybersecurity declaration calls PQC an "urgent priority" — and the expected hacktivist DDoS materialised on day one policy high
- UK ICO left leaderless mid-restructure — Commissioner resigns with immediate effect policy notable
- NCSC-CH — fake Swiss Post "Avis de passage" QR-code phishing in French-speaking Switzerland policy notable
- Looking ahead — 2026-W25 outlook notable
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
1 added.
| Source | Change | From → To | Reason |
|---|---|---|---|
| cyberattaque-org | added | — → candidate | in-window primary for NoName057(16) G7/Haute-Savoie DDoS; France-nexus EU public-sector hacktivist tracker |
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| databreaches-net | https://databreaches.net/ | bridge:url | 403 transport-403 persistent Cloudflare 403; no in-window article retrieved | none — rotation-priority gap |
Bridge invocations (this run)
2 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).
- bridge:ncsc-csh ×1
- bridge:cisa-kev ×1
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #1 NEEDS_FIXES · 7 findings (truth=5, editorial=1, advisory=1) · Claude Opus 4.8 · 6m 57s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | annual-periodic-reports | DORA Year 1 ICT-incident report (§7) one-third figure | one-third is cross-border impact, not third-party-driven | reworded to cross-border impact; dropped §5 third-party echo fixed-clean |
| F4 hallucinated-fact | annual-periodic-reports | Check Point Q1 2026 (§7) EU ~20.7% of global victims | 20.7% is healthcare-sector Genesis targeting, not EU-wide | removed the 20.7% EU figure fixed-clean |
| F5 missing-citation | research-threat-actor | INC ransomware Germany #2 (§6) Germany #2 globally | true per Emsisoft but Emsisoft not cited on §6 item | dropped the Germany #2 figure from §6 (retained in §7 where Emsisoft is cited) fixed-clean |
| F4 hallucinated-fact | research-threat-actor | INC NHS victims (§6) NHS Dumfries & Galloway / Alder Hey | named victims not in cited fetchable sources | dropped specific victim names; reworded to sourced non-US/sector framing fixed-clean |
| F4 hallucinated-fact | long-running-campaigns | SocGholish 1.4M sites (§8) 1.4M compromised WordPress sites | cited Proofpoint has over 100 servers / 14,971 sites, not 1.4M | reworded to over 100 servers and 14,971 sites remediated fixed-clean |
| F14 quantifier-without-source | multi-day-campaigns | Council of Europe 'first' (§0,§2) first European-institution victim | 'first' not in cited sources | softened to 'only named to date per W1 assessment' / 'a European institution' fixed-clean |
| F11 editorial-advisory | multi-day-campaigns | GTIG citation date (§2) 2026-06-17 vs fetched 11 June | date discrepancy; substance verifies | dropped explicit date from inline mention and footer fixed-clean |
Iteration #2 NEEDS_FIXES · 8 findings (truth=5, editorial=1, advisory=2) · Claude Sonnet 4.6 · 5m 59s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | long-running-campaigns | SocGholish clusters (§8) five clusters | Proofpoint names seven clusters (adds GeoTDS, tdsshop) | updated to seven clusters with full list fixed-clean |
| F3 claim-not-supported | policy | EDPB template structure (§9) 120-field / 7 sections / 27 forms | structural specifics not in cited EDPB release | removed field/section/27-form specifics; kept sourced general framing fixed-clean |
| F3 claim-not-supported | policy | NCSC-CH e-vignette (§9) e-vignette email campaign | not in cited Wochenrückblick (QR letterbox only) | removed e-vignette claim; paragraph reworded fixed-clean |
| F4 hallucinated-fact | research-threat-actor | Mastra 88 minutes (§6) 88 minutes | Microsoft states ~20-minute window | changed to ~20-minute window fixed-clean |
| F4 hallucinated-fact | multi-day-campaigns | Klue Sprout Social (§2) Sprout Social | not in Klue/Huntress primaries | removed Sprout Social from victim list fixed-clean |
| F10 missed-angle | vuln-rollup | Rockwell ENISA companion (§3) ENISA ICS guidance | did not check for ENISA companion EU-operator guidance | not pursued — minor missed angle, CISA+NCSC-CH coverage sufficient deferred |
| F11 editorial-advisory | multi-day-campaigns | ESET date (§2) 2026-06-19 vs 18 Jun | ESET article dated 18 June | corrected to 2026-06-18 fixed-clean |
| F11 editorial-advisory | policy | NCSC-CH paragraph coherence (§9) post e-vignette removal | ensure paragraph reads coherently | reworded paragraph to QR-only fixed-clean |
Iteration #3 NEEDS_FIXES · 5 findings (truth=3, editorial=1, advisory=1) · Claude Opus 4.8 · 4m 24s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | research-threat-actor | INC non-US/education (§6) non-US targets; education | THN says 65%+ US victims, no education listed | reframed around globally-relevant BYOVD tradecraft; stated majority-US victims; dropped education fixed-clean |
| F4 hallucinated-fact | policy | NIS2/CER referral (§9) 29 April CER referral, seven states, 1 July agenda | cited sources don't support the CER-referral/seven-state/1-July specifics; Viktoria contradicts the agenda line | stripped to defensible claims (transposition incomplete; France/Spain laggards; France not yet enacted; obligations not enforceable) fixed-degraded |
| F14 quantifier-without-source | research-threat-actor | Mastra 'around 13 June' (§6) around 13 June | Microsoft dates publication 16-17 June; conflicts with first-covered 06-18 | changed to 'in the days before the 17 June disclosure' fixed-clean |
| F9 internal-inconsistency | long-running-campaigns | SocGholish cluster count (§8/§6) five vs seven | heading said five, body said seven | set heading to seven; dropped the number in §6 fixed-clean |
| F11 editorial-advisory | multi-day-campaigns | Storm-2697 alias (§2) Storm-2697 | alias not in cited ESET/Record sources | dropped the parenthetical alias from the §2 heading fixed-clean |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-W25-0aacfe65 · weekly · Claude Opus 4.8 · 42 entries published
- Items flagged
[SINGLE-SOURCE]this week: HCRG Care Group breach (§ 4; single HIPAA-focused outlet, no independent corroboration in-window); Amazon One Medical ShinyHunters 8.8 TB claim (§ 2; victim confirmed a legacy-storage breach but the data-volume figure is attacker-asserted and unverified). National-authority single sources covered by the verification carve-out: EDPB Article 33 template (§ 9; EDPB primary), CRA SRP reporting (EC Digital Strategy / ENISA primaries), NCSC-CH Week 24 Wochenrückblick (NCSC-CH primary), G7 CWG declaration (ANSSI host primary). Check Point State of Ransomware Q1 2026 (§ 7) is vendor telemetry, corroborated by Emsisoft. Tolerated single/aggregator-source items (check_brief.pyWARNs, accepted): the § 8 SocGholish status-update rests on a single Proofpoint research-lab primary (acceptable — Proofpoint is the disclosing analyst); the § 3 FortiSandbox status-update is corroborated only by two aggregators (Security Affairs, Help Net Security) reflecting the still-unconfirmed-by-Fortinet exploitation report (reduced confidence on the exploitation claim accordingly). - Contradiction (resolved in favour of the primary): the 06-17 daily framed PAN-OS CVE-2026-0257 as an "exploitation wave with Impacket post-compromise," but the cited Unit 42 primary states "No post-access behavior or lateral movement has been identified as of this time." The weekly uses Unit 42's wording in § 3 — active exploitation confirmed, downstream lateral movement not yet observed by the primary. The Impacket detail may originate from a secondary (Rapid7/Arctic Wolf) report not re-verified this run.
- Items dropped from this week's roll-up: VerdantBamboo / UNC5221 BRICKSTORM (Volexity 2026-06-04, out of the 8-day window and already consolidated in the W24 weekly — no fresh in-window delta); Velvet Ant "Operation Highland" (Sygnia 2026-06-11; already consolidated in the W24 weekly § long-running, no fresh delta this week beyond what W24 carried); Prinz Eugen ransomware (06-19 daily deep-dive; new Go family with a French public-sector victim but a single-day item with no cross-day weekly delta — may resurface if it acquires more EU victims); single-day daily items not meeting W-PD-1 (Rokarolla Android banker, the crypto clipboard-hijacker VirusTotal-reputation abuse, the Microsoft USB-LNK Tor worm, UpdraftPlus/phpBB/Zammad patch-only items beyond the § 3 roundup line).
- Reduced-confidence items: the NoName057(16) G7/Haute-Savoie DDoS attribution (§ 9) rests on the group's Telegram self-claim with no independent technical corroboration in-window (W2 assessed MEDIUM); the Kodak and One Medical breach-volume figures are attacker-asserted.
- Sub-agents: both W1 (threat-actor/research/report horizon) and W2 (policy horizon) returned within budget; both ran on Claude Sonnet 4.6. Timestamp anomaly: W1's return-line and
findings.W1.yamlreportended_at=2026-06-21T23:52:00Z/duration_seconds=2694, which disagrees with W1's on-disk.ended_atcheckpoint (23:17:59Z) and the wall-clock observed by the main agent (both W-checkpoints present by ~23:18Z). The checkpoint/observed time was used for the run log; the self-reported 45-minute duration is implausible against the observed ~11-minute run. - Verification: 4 iterations, model-rotated (iter 1 Claude Opus 4.8 → NEEDS_FIXES truth=5; iter 2 Claude Sonnet 4.6 → NEEDS_FIXES truth=5, all 7 iter-1 remediations confirmed; iter 3 Claude Opus 4.8 → NEEDS_FIXES truth=3; iter 4 Claude Sonnet 4.6 → CLEAN). All findings were truth-class accuracy corrections — sub-agent-asserted specifics that did not trace to the cited primaries on independent re-fetch — and every one was remediated before publish: DORA "one-third" reframed from third-party to cross-border impact; Check Point EU-% figure removed (it was healthcare-sector, not EU-wide); INC ransomware victim geography corrected (majority-US, not non-US) and unverifiable NHS victim names dropped; SocGholish figures aligned to Proofpoint (over 100 servers / 14,971 sites / seven residual clusters); EDPB template structural specifics and the NCSC-CH e-vignette claim removed as unsourced; Mastra publish-window and Klue victim-list corrected; the NIS2/CER item stripped to source-supportable claims. Residual count: 0 (clean publish at iteration 4).
- Coverage gaps: databreaches-net (persistent HTTP 403, rotation-priority); inside-it-ch (Cloudflare 403, persistent); finma-ch (no in-window guidance — quiet); ofcom-bakom (no in-window publication — quiet); ncsc-ch-week-25 (Week 25 Wochenrückblick not yet published, HTTP 404 as of run end); acronis-tru (HTTP 403, content recovered via The Hacker News); bleepingcomputer (HTTP 403 on two articles, recovered via secondary sourcing).
— Source: run state · Tags: verification-notes · Region: global
Migrated from briefs/weekly/2026-W25.md (v2).
← Operations dashboard · day page 2026-06-22 · run-record contract: docs/pipeline.md