ctipilot.ch

2026-W26-b78503e7

One pipeline fire, in full · weekly run of 2026-06-28 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-28/2026-W26-b78503e7.md.

Run telemetry

2026-W26-b78503e7 weekly prompt v2.64
17m 39s duration 34 published 0 updates
unknown (unknown) main agent
W1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
9
Duration
8m 03s
Tool calls
10 WebFetch16 WebSearch10 bridge
Cited sources
10 of 35 in slice
W2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
10m 14s
Tool calls
12 WebFetch22 WebSearch4 bridge
Cited sources
3 of 27 in slice

Verification

#1 NEEDS_FIXES · Anthropic Claude (specific model not determined) · t=5 e=1 a=0 #2 NEEDS_FIXES · Claude Sonnet 4.6 · t=3 e=1 a=0 #3 NEEDS_FIXES · Anthropic Claude (specific model not determined) · t=3 e=0 a=2 #4 NEEDS_FIXES · Claude Sonnet 4.6 · t=4 e=2 a=3 #5 CLEAN · Anthropic Claude (specific model not determined) · t=0 e=0 a=3

Deep dive

Entries published (this run)

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

No coverage gaps in this run · every source the brief needed returned usable content via its documented recipe.

Bridge invocations (this run)

2 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).

2 other
  • bridge:ncsc-ch-security-hub ×1
  • bridge:cisa-kev ×1

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #1 NEEDS_FIXES · 6 findings (truth=5, editorial=1, advisory=0) · unknown · 5m 15s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
weekly-vuln-rollupCVE-2026-20245 — Cisco Catalyst SD-WAN chain
CSV-injection foothold ... CVE-2026-20262
Cited Mandiant page does not mention CVE-2026-20262 and frames CSV as priv-esc not footholdRewrote chain to peering bypass (CVE-2026-20127/20182) -> credential manipulation -> CVE-2026-20245 via CSV upload; removed 20262 fixed-clean
F3
claim-not-supported
weekly-vuln-rollupCVE-2025-67038 Lantronix BRIDGE:BREAK KEV
added to CISA KEV (Forescout URL); disclosed 06-22
Forescout/SecurityWeek do not state KEV; disclosure April 2026 not 06-22Re-anchored KEV claim to KEV listing date 2026-06-23 + daily 06-24; removed misattributed anchor and 06-22 date fixed-clean
F3
claim-not-supported
weekly-long-runningShinyHunters PeopleSoft — Nottingham 454,600
University of Nottingham was the first named public victim (~454,600 records)
Cited SecurityWeek confirms Nottingham but not the 454,600 figureDropped the 454,600 figure; kept 'among the first named public victims' anchored to SecurityWeek fixed-clean
F3
claim-not-supported
weekly-long-runningFortiBleed — June 15 date
on June 15 the operator completed offline Kerberos cracking
Security Affairs confirms the exfil but not the 'June 15' dateSoftened 'June 15' to 'mid-June' fixed-clean
F4
hallucinated-fact
weekly-researchMiasma — 13 AI coding tools
SessionStart hooks of 13 AI coding tools
Tenable names 4, Socket names 5; '13' unsupportedReplaced '13' with 'at least five' attributed to Socket; removed inflated count fixed-clean
F5
missing-citation
weekly-vuln-rollupGitea CVE-2026-20896 companion
companion Gitea-core auth bypass ... fixed in 1.26.3/1.26.4
No inline citation on companion claimAdded Gitea 1.26.3/1.26.4 release-notes inline link fixed-clean

Iteration #2 NEEDS_FIXES · 5 findings (truth=3, editorial=1, advisory=0) · Claude Sonnet 4.6 · 4m 55s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
broken-url
weekly-vuln-rollupCVE-2026-55200 libssh2 footerNCSC-NL URL redirects to homepageReplaced primary with GHSA-r8mh-x5qv-7gg2 (loads, supports claim); dropped NCSC-NL link; flagged [SINGLE-SOURCE] fixed-clean
F3
claim-not-supported
weekly-researchBluekit defeats FIDO2 + DBSC
defeats FIDO2 and Device Bound Session Credentials
Netcraft source mentions only DBSC, not FIDO2Dropped FIDO2; kept DBSC; reframed takeaway to session-binding controls (§6 + §0) fixed-clean
F4
hallucinated-attribution
weekly-multi-dayShinyHunters MSG vishing attribution
404 Media confirmed the MSG intrusion ... UNC6240
404 Media names no actor; Abnormal predates MSG; UNC6240 attribution unsupportedReframed: firmly-attributed events = PeopleSoft + Canvas; MSG hedged as technique-confirmed-by-404, ShinyHunters-link-per-operator-claims+Abnormal-TTP; softened fixed-clean
F4
figures-not-in-cited-sources
weekly-long-runningOperation Endgame figures
326 servers and 142 domains ... 384,000 compromised systems
Microsoft says 'over 200 domains'; Europol page lacked the numbersRe-anchored figures to BleepingComputer (supports 326/142/27M/385,000); corrected 384k->385k; Microsoft kept for infra analysis; added BleepingComputer to foote fixed-clean
F13
analytical-link-as-fact
weekly-multi-dayMSG-to-ShinyHunters link
three distinct tradecraft paths under one extortion banner
Same root as F4 — link asserted without supporting sourceSame remediation as F4; reframed as reported/adjacent, removed assertion of confirmed link fixed-clean

Iteration #3 NEEDS_FIXES · 5 findings (truth=3, editorial=0, advisory=2) · unknown · 4m 48s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
broken-url
weekly-looking-aheadlibssh2 § 10 looking-ahead bulletSame NCSC-NL query-string URL (missed in § 10) returns a redirect stubReplaced with verified working URL https://advisories.ncsc.nl/2026/ncsc-2026-0210.html in both § 10 and § 3; restored NCSC-NL as § 3 corroborating source fixed-clean
F4
quantifier-without-source
weekly-multi-dayMiasma Socket date 06-27
On 06-27 Socket reported a fresh Miasma wave
Socket page dated 2026-06-25; 06-27 is the daily covering dateCorrected to '2026-06-25 ... (carried in the daily 06-27)' fixed-clean
F9
surface-contradiction
weekly-vuln-rolluplibssh2 no-patch vs fix-exists
the library-level fix had not landed by week-end / Status: no-patch
GHSA references fix commit; NCSC-NL titled as fix advisory — 'no-patch' contradicts sourcesStatus no-patch->patch-available; reworded to upstream-fix-commit with release-timing nuance; added § 11 caveat distinguishing upstream commit vs tagged release fixed-clean
F4
quantifier-without-source
weekly-multi-dayMastra date 06-21 (advisory)
On 06-21 Microsoft attributed the Mastra scope compromise
Microsoft/BleepingComputer dated 06-19/20; 06-21 is daily dateReworded to '(covered in the daily on 06-21)', removed date-as-event fixed-clean
F11
editorial-advisory
weekly-vuln-rollupKeycloak headline conflates CVE-2026-9800
Keycloak JWT algorithm-confusion (headline bundles both CVEs)
CVE-2026-9800 is a separate policy-enforcer authz bypass, not the JWT confusionRelabelled headline to attribute 11800=JWT-confusion, 9800=policy-enforcer authz bypass; added distinguishing clause in prose fixed-clean

Iteration #4 NEEDS_FIXES · 6 findings (truth=4, editorial=2, advisory=3) · Claude Sonnet 4.6 · 8m 07s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
weekly-looking-aheadScattered Spider sentencing date
15-16 July
NCA source says only 16 JulyCorrected to '16 July' in § 10 fixed-clean
F3
claim-not-supported
weekly-policyNIS2 approval-date citation gap
Tweede Kamer approved on 15 April 2026
Date accurate but cited nldigitalgovernment URL lacks itAdded Rijksoverheid 2026-04-15 source as co-source in prose + footer fixed-clean
F3
claim-not-supported
weekly-policyNIS2 'transposition is done'
The Dutch transposition is done
Eerste Kamer vote pending (scheduled 6-7 July), not yet ratified as of 06-28Reworded heading+prose: lower house cleared, Eerste Kamer vote pending, 1 July targeted; softened § 0 bullet fixed-clean
F3
claim-not-supported
weekly-vuln-rollupCVE-2026-46331 weaponised PoC
gained a weaponised PoC (Red Hat link)
Red Hat source does not mention a weaponised PoC; claim true per THNRepointed 'weaponised PoC' link to The Hacker News pedit-COW article; added to footer fixed-clean
F2
generic-url
weekly-looking-aheadEDPB Article 33 URL
.../news/news/2026/edpb-meets-eu-commissioner-mcgrath-...
URL lands on EDPB news listingReplaced with the specific EDPB template-adoption article URL fixed-clean
F9
single-source-unverified
weekly-long-runningSwitzerland second-most-targeted (The Gentlemen)
Switzerland the second-most-targeted European country
inside-it.ch 403; co-cited ESET does not state a European rankingAdded explicit § 11 single-source/unverified note; framing already attributed in §§ 0/8 fixed-degraded

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-W26-b78503e7 · weekly · Anthropic Claude (specific model not determined) · 34 entries published

  • Single-source / attributed claims. The "second extortion group" in the Klue/Icarus item (§ 2) and its claim of ~195 listed organisations rest on a single primary (The Next Web, relaying a private Klue customer update obtained by TechCrunch); the allegation that Klue paid the original Icarus operator is unverified and is attributed as a claim, not stated as fact. The NAIC 3.1 TB figure is ShinyHunters' own claim relayed by tech press; NAIC confirms the breach and the rating-feed pause but not the volume. The "Switzerland is the second-most-targeted European country" ranking for The Gentlemen (§§ 0, 8) rests on a single source (inside-it.ch relaying Check Point data); the co-cited ESET paper does not state a European country ranking, and inside-it.ch returns 403 to the routine's fetcher, so the specific ranking could not be independently re-verified this run — it is attributed, not asserted as established fact.
  • Unresolved contradiction. Texas Parks & Wildlife (§ 5): the daily flagged a discrepancy between the public statement and the state AG filing over whether SSNs were exposed; unresolved this week, carried as a confidence caveat.
  • Items considered and dropped (may resurface). RoguePlanet (CVE-2026-50656) — carried in the W25 looking-ahead but no fresh in-window source on a Microsoft fix, so dropped rather than re-asserted stale. eBanking IPv4-mapped-IPv6 phishing (06-22), the Brazil Cell Broadcast hijack (single-source, beyond audience nexus beyond the § 4 mention), Arystinger botnet (06-22), Prinz Eugen ransomware (06-21) and Payouts King/Edgecution (06-25) did not clear W-PD-1 (inaction-=-incident / cross-day pattern / strategic horizon) and were left to the dailies. The MISP 2.5.42 CVEs (06-25) and ILIAS SQLi (06-23) are folded into §§ 3–4 rather than given standalone roll-up entries.
  • Reduced confidence. StrikeShark China-nexus attribution is Kaspersky's low-confidence assessment and is reported as such (§ 6).
  • libssh2 patch-status caveat (§ 3). The GHSA references an upstream fix commit and NCSC-NL NCSC-2026-0210 is titled as a fix advisory, so the item is marked patch-available; however, tagged-release availability lags across the binding/appliance ecosystem, so a given deployment may still be effectively unpatched pending its embedding vendor's release. Treat patch-available as "fix exists upstream," not "your appliance is fixed."
  • Sub-agents. Both horizon sub-agents (W1 threat-actor/campaign/research; W2 strategic/policy) returned within cap. No coverage axis was abandoned.
  • Verification iterations: 5 · residuals: 0 — verdict CLEAN on iteration 5, with model rotation across iterations (opus on 1/3/5, sonnet on 2/4). Iterations 1–4 remediated ~21 findings (URL corrections, an MSG→ShinyHunters attribution overclaim, a Miasma quantifier inflation, a Netherlands NIS2 "transposition done" factual overclaim, and several date/citation-anchor gaps); iteration 5 found no truth or editorial defects.
  • Coverage gaps: databreaches-net (transport-403, 3rd consecutive run — content reached via GTIG/SecurityWeek primaries instead); mandiant-gtig (RSS feed returned IncompleteRead, content obtained via WebSearch + the GTIG blog directly); inside-it-ch (Cloudflare-challenged for the W2 sub-agent UA, but the 06-26 Gentlemen article was reachable and is cited). W2 "outside-window" sources (cert-eu, edpb, bsi-de, enisa-nis360, cisa-directives) were quiet in-window, not failed fetches. The end-of-run tools/source_health.py accessibility probe did not complete inside its budget in this container (slow under the egress proxy) and was stopped so it would not block publish; the prior committed snapshot (from the 2026-06-28 daily run) stands and the next run re-probes.

Migrated from briefs/weekly/2026-W26.md (v2).

← Operations dashboard · day page 2026-06-28 · run-record contract: docs/pipeline.md