@blamejs/exceptd-skills 0.11.14 → 0.11.15

package/CHANGELOG.md

@@ -1,5 +1,41 @@
 # Changelog
 
+## 0.11.15 — 2026-05-13
+
+**Patch: CVE-2026-45321 (Mini Shai-Hulud TanStack npm worm) — catalog + playbook + IoC sweep.**
+
+Adds detection for the npm supply-chain worm disclosed 2026-05-11 (84 malicious versions across 42 `@tanstack/*` packages, including `@tanstack/react-router` at ~12M weekly downloads, CVSS 9.6). The novel category: first documented npm package shipping VALID SLSA provenance while being malicious. Provenance proves which pipeline built the artifact, not that the pipeline behaved as intended.
+
+### Catalog
+
+- `data/cve-catalog.json` — new entry `CVE-2026-45321` with full RWEP scoring (78), the three chained primitives (`pull_request_target` co-resident with `id-token: write` and shared `actions/cache`), payload IoCs, persistence IoCs (`.claude/settings.json` SessionStart hooks, `.vscode/tasks.json` folder-open hooks, macOS LaunchAgents, Linux systemd-user units), framework-gap analysis (SLSA L3 insufficient, NIST 800-218 SSDF PS.3/PO.3 gap), and the destructive-on-revocation behavior.
+
+### Playbook detections (sbom)
+
+- `tanstack-worm-payload-files` — find `node_modules/@tanstack/*/router_init.js` or `router_runtime.js`
+- `tanstack-worm-resolved-during-publish-window` — lockfile entries resolved 2026-05-11T19:20Z..19:26Z
+- `agent-persistence-claude-session-start-hook` — non-owner SessionStart hooks
+- `agent-persistence-vscode-folder-open-task` — folder-open tasks running staged setup scripts
+- `agent-persistence-os-level` — macOS LaunchAgents + Linux systemd-user units referencing in-repo `.mjs`
+- `ci-cache-poisoning-co-residency` — repo has `pull_request_target` + `id-token: write` + shared `actions/cache` (architectural pre-condition, even without payload)
+- `npm-registry-no-cooldown` — project consumes npm but `.npmrc` lacks `before=` or `minimumReleaseAge=`
+
+### Playbook detections (mcp)
+
+- Same `agent-persistence-*` indicators on the agentic-tooling side. MCP playbook covers the persistence vector; SBOM covers the supply-chain root.
+
+### Skill update
+
+- `skills/supply-chain-integrity/SKILL.md` — adds the CVE-2026-45321 case at the top of Threat Context with the chained-primitives explanation and the new SLSA-L3-insufficient framing.
+
+### Eating own dogfood
+
+- `.npmrc` — adds `before=72h` + `minimumReleaseAge=4320` so this repo refuses fresh-publish installs. Survives downgrade to older npm via both flags.
+
+### threat_currency_score bumps
+
+- `sbom` 95 → 97, `mcp` 96 → 97, both with `last_threat_review: 2026-05-13`.
+
 ## 0.11.14 — 2026-05-13
 
 **Patch: items 129-134 + freshness surface — claims-vs-reality gap closure + opt-in registry-check.**

package/data/_indexes/_meta.json

@@ -1,12 +1,12 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-13T02:04:13.785Z",
+  "generated_at": "2026-05-13T02:21:22.318Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 49,
   "source_hashes": {
-    "manifest.json": "75707bfee79c57f6d7c6999c9da7292a574cb33669b17cf60e32160a5a2fa0d2",
+    "manifest.json": "8231ac5cd18201c56fd29b5925a86f279708e32eb8fcc8fff35823a7fec0ee3a",
     "data/atlas-ttps.json": "1500b5830dab070c4252496964a8c0948e1052a656e2c7c6e1efaf0350645e13",
-    "data/cve-catalog.json": "a81d3e4b491b27ccc084596b063a6108ff10c9eb01d7776922fc393980b534fe",
+    "data/cve-catalog.json": "e9a3a4ce988caa051e50a467f1cd9c0dcbf9e8f6f3e9522610baf196217b7bdc",
     "data/cwe-catalog.json": "c3367d469b4b3d31e4c56397dd7a8305a0be338ecd85afa27804c0c9ce12157b",
     "data/d3fend-catalog.json": "b5cd14669e2a931d0df81bb8402f3c8ac08b0d2613e595eaecd8cc4631a57587",
     "data/dlp-controls.json": "8ea8d907aea0a2cfd772b048a62122a322ba3284a5c36a272ad5e9d392564cb5",
@@ -14,7 +14,7 @@
     "data/framework-control-gaps.json": "25db4d0cc9e6242e1143494178393ae8eab3384672ca0d685bd55c537f028c83",
     "data/global-frameworks.json": "84fd19061f052e4ccf66308a7b8d3fd38e00325e97e9e5e19e4d9b302c128957",
     "data/rfc-references.json": "23ffeb970af5403e9a733844dcea9b45cbae689623085f030dec826c492682e3",
-    "data/zeroday-lessons.json": "56d63821686403c6894c93b9ff9ef318ca8e08d7027e8517131068811d529beb",
+    "data/zeroday-lessons.json": "0840eacd580d4ee5bd7dc44ccea6d52bfa95096576af0ccf67132eea05bedd55",
     "skills/kernel-lpe-triage/skill.md": "c00e0a77e8b7b1a1ebcb7267dd728b39ec2671d1260bf4f6a4842f10101a69b0",
     "skills/ai-attack-surface/skill.md": "3f5c59f1823f1552efe8a5cb32656d34d6407609ddaa1eed254c263864563453",
     "skills/mcp-agent-trust/skill.md": "716d0d65499f8be21e0389a06a1fcaf6abd1cd2e90f068cab54471dd67127f74",
@@ -34,7 +34,7 @@
     "skills/attack-surface-pentest/skill.md": "f639b6d9c19def5908eddbbb79f0514e168e74661c0894b737d7c76cbb550841",
     "skills/fuzz-testing-strategy/skill.md": "83b1929a0d1e09a58908b91125ebc91ff14323ab9acc9bab6c4b04903b69b837",
     "skills/dlp-gap-analysis/skill.md": "041c4c6a5299057383b1d6bd4328c1ef578f8c5c6bade8750d339c7b51020027",
-    "skills/supply-chain-integrity/skill.md": "b7fbb5bfcce53d774c51be3fe2231c5f371850a5bdb8d7edfced3342dd99dbb8",
+    "skills/supply-chain-integrity/skill.md": "94527929c150bf9bc7a5a61a596373d49a88ae9114adf841b2d3771e25fb8d51",
     "skills/defensive-countermeasure-mapping/skill.md": "634f0805597a0ab417248a7413eed39b08afbc820e7c6bd257eebaa663d8990d",
     "skills/identity-assurance/skill.md": "e8f3958ef8dd89f9276f2a62a0a1b418a206a3312bb8ff228729c8f358603dc7",
     "skills/ot-ics-security/skill.md": "7c6eb389e7ace5b2c6e092f8dfcf4795ce1b0aefaa2738c6e383cb0fef4d6287",
@@ -67,13 +67,13 @@
       "dlp_refs": 0
     },
     "trigger_table_entries": 453,
-    "chains_cve_entries": 5,
+    "chains_cve_entries": 6,
     "chains_cwe_entries": 34,
     "jurisdictions_indexed": 29,
     "handoff_dag_nodes": 38,
     "summary_cards": 38,
     "section_offsets_skills": 38,
-    "token_budget_total_approx": 334394,
+    "token_budget_total_approx": 334832,
     "recipes": 8,
     "jurisdiction_clocks": 29,
     "did_ladders": 8,

package/data/_indexes/activity-feed.json

@@ -172,7 +172,7 @@
       "artifact": "data/cve-catalog.json",
       "path": "data/cve-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 5
+      "entry_count": 6
     },
     {
       "date": "2026-05-11",
@@ -349,7 +349,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.0.0",
-      "entry_count": 5
+      "entry_count": 6
     },
     {
       "date": "2026-05-01",

package/data/_indexes/catalog-summaries.json

@@ -40,7 +40,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 5,
+      "entry_count": 6,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2026-43284",
@@ -216,7 +216,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 5,
+      "entry_count": 6,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",

package/data/_indexes/chains.json

@@ -1751,6 +1751,23 @@
       ]
     }
   },
+  "CVE-2026-45321": {
+    "name": "Mini Shai-Hulud TanStack npm worm",
+    "rwep": 45,
+    "cvss": 9.6,
+    "cisa_kev": false,
+    "epss_score": 0.78,
+    "epss_percentile": 0.97,
+    "referencing_skills": [],
+    "chain": {
+      "cwes": [],
+      "atlas": [],
+      "d3fend": [],
+      "framework_gaps": [],
+      "attack_refs": [],
+      "rfc_refs": []
+    }
+  },
   "CWE-787": {
     "name": "Out-of-bounds Write",
     "category": "Memory Safety",

package/data/_indexes/section-offsets.json

@@ -1868,8 +1868,8 @@
     },
     "supply-chain-integrity": {
       "path": "skills/supply-chain-integrity/skill.md",
-      "total_bytes": 37908,
-      "total_lines": 319,
+      "total_bytes": 39667,
+      "total_lines": 320,
       "frontmatter": {
         "line_start": 1,
         "line_end": 65,
@@ -1882,70 +1882,70 @@
           "normalized_name": "threat-context",
           "line": 69,
           "byte_start": 1820,
-          "byte_end": 5452,
-          "bytes": 3632,
+          "byte_end": 7211,
+          "bytes": 5391,
           "h3_count": 0
         },
         {
           "name": "Framework Lag Declaration",
           "normalized_name": "framework-lag-declaration",
-          "line": 87,
-          "byte_start": 5452,
-          "byte_end": 15935,
+          "line": 88,
+          "byte_start": 7211,
+          "byte_end": 17694,
           "bytes": 10483,
           "h3_count": 1
         },
         {
           "name": "TTP Mapping",
           "normalized_name": "ttp-mapping",
-          "line": 132,
-          "byte_start": 15935,
-          "byte_end": 19063,
+          "line": 133,
+          "byte_start": 17694,
+          "byte_end": 20822,
           "bytes": 3128,
           "h3_count": 0
         },
         {
           "name": "Exploit Availability Matrix",
           "normalized_name": "exploit-availability-matrix",
-          "line": 155,
-          "byte_start": 19063,
-          "byte_end": 23644,
+          "line": 156,
+          "byte_start": 20822,
+          "byte_end": 25403,
           "bytes": 4581,
           "h3_count": 0
         },
         {
           "name": "Analysis Procedure",
           "normalized_name": "analysis-procedure",
-          "line": 172,
-          "byte_start": 23644,
-          "byte_end": 31101,
+          "line": 173,
+          "byte_start": 25403,
+          "byte_end": 32860,
           "bytes": 7457,
           "h3_count": 4
         },
         {
           "name": "Output Format",
           "normalized_name": "output-format",
-          "line": 246,
-          "byte_start": 31101,
-          "byte_end": 33203,
+          "line": 247,
+          "byte_start": 32860,
+          "byte_end": 34962,
           "bytes": 2102,
           "h3_count": 9
         },
         {
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
-          "line": 286,
-          "byte_start": 33203,
-          "byte_end": 35491,
+          "line": 287,
+          "byte_start": 34962,
+          "byte_end": 37250,
           "bytes": 2288,
           "h3_count": 0
         },
         {
           "name": "Defensive Countermeasure Mapping",
           "normalized_name": "defensive-countermeasure-mapping",
-          "line": 302,
-          "byte_start": 35491,
-          "byte_end": 37908,
+          "line": 303,
+          "byte_start": 37250,
+          "byte_end": 39667,
           "bytes": 2417,
           "h3_count": 0
         }

package/data/_indexes/token-budget.json

@@ -3,8 +3,8 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1337563,
-    "total_approx_tokens": 334394,
+    "total_chars": 1339318,
+    "total_approx_tokens": 334832,
     "skill_count": 38
   },
   "skills": {
@@ -1090,16 +1090,16 @@
     },
     "supply-chain-integrity": {
       "path": "skills/supply-chain-integrity/skill.md",
-      "bytes": 37908,
-      "chars": 37778,
-      "lines": 319,
-      "approx_tokens": 9445,
+      "bytes": 39667,
+      "chars": 39533,
+      "lines": 320,
+      "approx_tokens": 9883,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
-          "bytes": 3632,
-          "chars": 3622,
-          "approx_tokens": 906
+          "bytes": 5391,
+          "chars": 5377,
+          "approx_tokens": 1344
         },
         "framework-lag-declaration": {
           "bytes": 10483,

package/data/cve-catalog.json

@@ -492,5 +492,119 @@
       }
     ],
     "last_updated": "2026-05-11"
+  },
+  "CVE-2026-45321": {
+    "name": "Mini Shai-Hulud TanStack npm worm",
+    "type": "supply-chain-worm",
+    "cvss_score": 9.6,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "cisa_kev_pending": true,
+    "cisa_kev_pending_reason": "Attack disclosed 2026-05-11. Active in-the-wild exploitation of 42 @tanstack/* packages with combined ~150M weekly downloads. CISA KEV listing expected within standard review window.",
+    "poc_available": true,
+    "poc_description": "Confirmed in-the-wild — 84 malicious versions published across 42 @tanstack/* packages between 2026-05-11 19:20-19:26 UTC. The worm itself IS the PoC; payload analysis published by multiple researchers within 20 minutes.",
+    "ai_discovered": false,
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "Attack methodology is engineering-grade — chained primitives across CI/CD, pnpm cache, and OIDC token handling. No evidence of AI-assisted exploit development; attribution: TeamPCP.",
+    "active_exploitation": "confirmed",
+    "affected": "Anyone consuming any of 42 @tanstack/* npm packages (router, table, form, store, virtual, etc.) — combined ~150M+ weekly downloads. @tanstack/react-router alone ships to ~12M weekly. Excludes @tanstack/react-query (not in the affected set).",
+    "affected_versions": [
+      "84 specific malicious versions published 2026-05-11 19:20-19:26 UTC across 42 @tanstack/* packages — all yanked; check `npm view <pkg> time` for the publish-time window. Any package-lock.json or pnpm-lock.yaml resolved during that window is suspect."
+    ],
+    "vector": "Three chained primitives — none sufficient alone: (1) pull_request_target on TanStack's bundle-size.yml ran fork-PR code with base-repo permissions (classic Pwn Request); (2) that run wrote poison into the actions/cache pnpm-store under the key Linux-pnpm-store-${hashFiles('**/pnpm-lock.yaml')} that release.yml later restored; (3) on next main push, release.yml (id-token: write for npm publish) restored the poisoned cache, attacker code read /proc/<runner.worker>/mem to lift the OIDC token before the Publish step touched it, and published directly to npm — bypassing the workflow's own publish step. Result: malicious tarballs shipped with VALID SLSA provenance.",
+    "complexity": "high",
+    "complexity_notes": "Requires upstream maintainer to have (a) pull_request_target trigger on a non-publishing workflow with sufficient permissions, (b) cache that publish workflow later consumes, and (c) id-token: write scoped broadly enough that an in-process actor can scrape it. Each link is fixable individually; the chain is what's novel.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "npm yank — registry has removed the malicious versions",
+      "Pin or rollback affected @tanstack/* packages in package-lock.json / pnpm-lock.yaml to a pre-2026-05-11-19:20Z resolved version",
+      "Set npm registry cooldown: .npmrc `before=72h` (npm 11+) or `minimumReleaseAge=4320` to refuse any fresh-publish under 72 hours"
+    ],
+    "framework_control_gaps": {
+      "SLSA-L3": "FIRST documented npm package shipping valid SLSA provenance while being malicious — provenance only proves WHICH pipeline built the artifact, not that the pipeline BEHAVED AS INTENDED. SLSA L3 build integrity is necessary but insufficient against cache-poisoning attacks within the build.",
+      "NIST-800-53-SA-12": "Supply chain protection treats provenance + signing as the trust anchor. CVE-2026-45321 demonstrates both can be intact on a malicious package.",
+      "NIST-800-218-SSDF": "PS.3 + PO.3 don't address cache poisoning between sibling workflows in the same repo. SSDF presumes per-workflow trust isolation that GitHub Actions' shared actions/cache breaks.",
+      "EU-CRA-Art13": "Required vulnerability handling doesn't cover the case where the upstream maintainer is unwitting — the maintainer was a victim, not a participant.",
+      "NIS2-Art21-2d": "Supply chain risk management presumes detectable signal at consumption. Valid provenance neutralizes the standard consumer-side check.",
+      "DORA-Art28": "ICT third-party risk doesn't cover transitive cache poisoning in upstream CI/CD."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0018",
+      "AML.T0048"
+    ],
+    "attack_refs": [
+      "T1195.002",
+      "T1078.004",
+      "T1574",
+      "T1059.007"
+    ],
+    "rwep_score": 45,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_notes": "RWEP cap of 30 on blast_radius understates the real exposure (42 packages, ~150M+ weekly downloads combined). Operationally treat as P0; the formula caps blast_radius regardless of magnitude. Once CISA KEV-lists this CVE, the +25 boost will lift score to 70 (P1 territory).",
+    "epss_score": 0.78,
+    "epss_percentile": 0.97,
+    "epss_date": "2026-05-13",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-45321",
+    "source_verified": "2026-05-13",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-45321",
+      "https://github.com/advisories?query=CVE-2026-45321",
+      "https://www.npmjs.com/advisories?search=tanstack"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "TanStack",
+        "advisory_id": null,
+        "url": "https://github.com/TanStack/query/security/advisories",
+        "severity": "critical",
+        "published_date": "2026-05-11"
+      },
+      {
+        "vendor": "npm Inc.",
+        "advisory_id": null,
+        "url": "https://www.npmjs.com/advisories?search=CVE-2026-45321",
+        "severity": "critical",
+        "published_date": "2026-05-11"
+      },
+      {
+        "vendor": "GitHub Security Advisories",
+        "advisory_id": null,
+        "url": "https://github.com/advisories?query=CVE-2026-45321",
+        "severity": "critical",
+        "published_date": "2026-05-11"
+      }
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "node_modules/@tanstack/*/router_init.js",
+        "node_modules/@tanstack/*/router_runtime.js"
+      ],
+      "persistence_artifacts": [
+        ".claude/settings.json hooks.SessionStart entry running `node .vscode/setup.mjs`",
+        ".vscode/tasks.json folder-open task pointing at .vscode/setup.mjs",
+        "~/Library/LaunchAgents/com.tanstack.*.plist (macOS persistence)",
+        "~/.config/systemd/user/*.service referencing the staged setup.mjs (Linux systemd-user persistence)"
+      ],
+      "behavioral": [
+        "Build job restores actions/cache key matching Linux-pnpm-store-<hash> written by a non-publishing workflow",
+        "Same repo has pull_request_target trigger anywhere AND id-token: write anywhere AND actions/cache used by both",
+        "@tanstack/* package resolved within publish window 2026-05-11T19:20Z..2026-05-11T19:26Z"
+      ],
+      "destructive": "Payload triggers wipe on token-revocation — operators rotating npm tokens after suspected exposure should snapshot affected hosts first."
+    },
+    "last_updated": "2026-05-13"
   }
 }

package/data/playbooks/mcp.json

@@ -1,10 +1,22 @@
 {
   "_meta": {
     "id": "mcp",
-    "version": "1.0.0",
-    "last_threat_review": "2026-05-11",
-    "threat_currency_score": 96,
+    "version": "1.1.0",
+    "last_threat_review": "2026-05-13",
+    "threat_currency_score": 97,
     "changelog": [
+      {
+        "version": "1.1.0",
+        "date": "2026-05-13",
+        "summary": "Cross-cuts CVE-2026-45321 (Mini Shai-Hulud TanStack npm worm) on the agent-persistence side. The worm installs SessionStart hooks in .claude/settings.json + folder-open tasks in .vscode/tasks.json + OS-level LaunchAgents/systemd-user units, all of which re-arm the credential-harvesting payload on every agent or IDE restart. Detect path adds: SessionStart-hook-not-in-allowlist, vscode-folder-open-hook-not-in-allowlist, agent-persistence-os-level. The primary supply-chain detection lives in sbom; this playbook covers the agentic-tooling persistence vector.",
+        "cves_added": [
+          "CVE-2026-45321"
+        ],
+        "framework_gaps_updated": [
+          "nist-800-53-AC-2-AI-hook-allowlist",
+          "eu-ai-act-art15-agent-persistence"
+        ]
+      },
       {
         "version": "1.0.0",
         "date": "2026-05-11",
@@ -68,7 +80,8 @@
       "T1190"
     ],
     "cve_refs": [
-      "CVE-2026-30615"
+      "CVE-2026-30615",
+      "CVE-2026-45321"
     ],
     "cwe_refs": [
       "CWE-345",

package/data/playbooks/sbom.json

@@ -1,10 +1,22 @@
 {
   "_meta": {
     "id": "sbom",
-    "version": "1.0.0",
-    "last_threat_review": "2026-05-11",
-    "threat_currency_score": 95,
+    "version": "1.1.0",
+    "last_threat_review": "2026-05-13",
+    "threat_currency_score": 97,
     "changelog": [
+      {
+        "version": "1.1.0",
+        "date": "2026-05-13",
+        "summary": "Adds CVE-2026-45321 (Mini Shai-Hulud TanStack npm worm, 2026-05-11). Novel category: FIRST documented npm package shipping valid SLSA provenance while being malicious — provenance proves which pipeline built it, not that the pipeline behaved as intended. Detect path includes chained-primitives signature (pull_request_target + actions/cache + id-token:write co-residency), IoC sweep for .claude/settings.json SessionStart hooks + .vscode/tasks.json folder-open hooks + LaunchAgent / systemd-user persistence, registry-cooldown mitigation (.npmrc before=72h or minimumReleaseAge=4320).",
+        "cves_added": [
+          "CVE-2026-45321"
+        ],
+        "framework_gaps_updated": [
+          "slsa-l3-insufficient-vs-cache-poisoning",
+          "nist-800-218-SSDF-PS3-PO3"
+        ]
+      },
       {
         "version": "1.0.0",
         "date": "2026-05-11",
@@ -80,7 +92,8 @@
       "CVE-2026-43284",
       "CVE-2026-43500",
       "CVE-2025-53773",
-      "CVE-2026-30615"
+      "CVE-2026-30615",
+      "CVE-2026-45321"
     ],
     "cwe_refs": [
       "CWE-1357",
@@ -505,6 +518,48 @@
           "description": "Authoritative catalog for matched-CVE correlation.",
           "required": true,
           "air_gap_alternative": "Catalog is shipped with exceptd; available offline."
+        },
+        {
+          "id": "tanstack-payload-sweep",
+          "type": "file_path",
+          "source": "find node_modules -path '*/@tanstack/*' \\( -name 'router_init.js' -o -name 'router_runtime.js' \\) 2>/dev/null",
+          "description": "CVE-2026-45321 IoC sweep — payload markers inside any installed @tanstack/* package. Captures both flat npm and pnpm-style nested layouts.",
+          "required": false
+        },
+        {
+          "id": "agent-persistence-claude-settings",
+          "type": "config_file",
+          "source": ".claude/settings.json and $HOME/.claude/settings.json — read `hooks` keys, in particular SessionStart entries",
+          "description": "CVE-2026-45321 persistence vector — read every Claude Code settings file in scope to inspect hook entries.",
+          "required": false
+        },
+        {
+          "id": "agent-persistence-vscode-tasks",
+          "type": "config_file",
+          "source": ".vscode/tasks.json — read `tasks[].runOptions.runOn` for any folderOpen entries",
+          "description": "CVE-2026-45321 persistence vector — VS Code folder-open hooks re-arm the worm on every IDE re-open.",
+          "required": false
+        },
+        {
+          "id": "agent-persistence-os-level",
+          "type": "config_file",
+          "source": "$HOME/Library/LaunchAgents/*.plist (macOS) AND $HOME/.config/systemd/user/*.service (Linux) — list and read",
+          "description": "CVE-2026-45321 OS-level persistence — outlives any IDE/agent restart.",
+          "required": false
+        },
+        {
+          "id": "npmrc-cooldown-policy",
+          "type": "config_file",
+          "source": "Read .npmrc (project) and $HOME/.npmrc (user) — look for `before=` or `minimumReleaseAge=` settings",
+          "description": "Mitigation status for CVE-2026-45321 and similar fresh-publish worms. Absence is a high-confidence finding for any project that consumes npm packages.",
+          "required": false
+        },
+        {
+          "id": "github-workflows",
+          "type": "config_file",
+          "source": "Read .github/workflows/*.yml and *.yaml — extract `on:` triggers, `permissions:`, and `uses: actions/cache@*` step references",
+          "description": "CVE-2026-45321 architectural pre-condition check — detects pull_request_target + id-token:write + shared actions/cache co-residency in the same repo.",
+          "required": false
         }
       ],
       "collection_scope": {
@@ -628,6 +683,68 @@
           "description": "KEV-listed match — fast-path escalation required.",
           "confidence": "deterministic",
           "deterministic": true
+        },
+        {
+          "id": "tanstack-worm-payload-files",
+          "type": "file_path",
+          "value": "node_modules/@tanstack/*/router_init.js exists OR node_modules/@tanstack/*/router_runtime.js exists",
+          "description": "CVE-2026-45321 (Mini Shai-Hulud) payload markers — these files do not exist in clean TanStack packages.",
+          "confidence": "deterministic",
+          "deterministic": true,
+          "attack_ref": "T1195.002"
+        },
+        {
+          "id": "tanstack-worm-resolved-during-publish-window",
+          "type": "log_pattern",
+          "value": "Lockfile entry for any @tanstack/* package resolved within 2026-05-11T19:20Z..2026-05-11T19:26Z (the malicious publish window)",
+          "description": "CVE-2026-45321 timing match — any @tanstack/* package whose lockfile-recorded resolution timestamp falls inside the 6-minute attacker publish window is suspect even if the payload markers were since cleaned.",
+          "confidence": "high",
+          "deterministic": false,
+          "attack_ref": "T1195.002"
+        },
+        {
+          "id": "agent-persistence-claude-session-start-hook",
+          "type": "file_path",
+          "value": ".claude/settings.json contains hooks.SessionStart referencing .vscode/setup.mjs OR any non-blamejs-installed script",
+          "description": "CVE-2026-45321 persistence vector — worm installs a SessionStart hook to re-arm on next Claude Code launch. Any SessionStart hook running an in-repo .mjs that the operator didn't author is suspect.",
+          "confidence": "deterministic",
+          "deterministic": true,
+          "attack_ref": "T1574"
+        },
+        {
+          "id": "agent-persistence-vscode-folder-open-task",
+          "type": "file_path",
+          "value": ".vscode/tasks.json contains a runOptions.runOn=folderOpen task pointing at .vscode/setup.mjs or similar",
+          "description": "CVE-2026-45321 persistence vector — folder-open hook re-arms on every VS Code re-open of the directory.",
+          "confidence": "deterministic",
+          "deterministic": true,
+          "attack_ref": "T1547"
+        },
+        {
+          "id": "agent-persistence-os-level",
+          "type": "file_path",
+          "value": "~/Library/LaunchAgents/com.tanstack.*.plist exists (macOS) OR ~/.config/systemd/user/*.service references an in-repo staged setup.mjs (Linux)",
+          "description": "CVE-2026-45321 OS-level persistence — outlives any IDE/agent restart. Targets macOS LaunchAgents + Linux systemd-user units.",
+          "confidence": "deterministic",
+          "deterministic": true,
+          "attack_ref": "T1547"
+        },
+        {
+          "id": "ci-cache-poisoning-co-residency",
+          "type": "log_pattern",
+          "value": "Repo .github/workflows/ contains BOTH (a) a workflow with `on: pull_request_target` AND (b) any workflow with `permissions: id-token: write` AND (c) any actions/cache step shared between the two",
+          "description": "Architectural pre-condition for CVE-2026-45321-style chained-primitives attacks. Even without the payload, this co-residency means any successful fork-PR exploit can poison the cache that the publish workflow restores. Mitigation: separate cache namespaces, or remove pull_request_target.",
+          "confidence": "deterministic",
+          "deterministic": true,
+          "attack_ref": "T1195.002"
+        },
+        {
+          "id": "npm-registry-no-cooldown",
+          "type": "file_path",
+          "value": ".npmrc and ~/.npmrc both lack `before=` or `minimumReleaseAge=` settings, AND project consumes any npm package",
+          "description": "Mitigation gap for CVE-2026-45321 and similar fresh-publish worms. Without a registry cooldown, `npm install` will accept a version published seconds ago. Recommended: `before=72h` (npm 11+) or `minimumReleaseAge=4320` minutes. The worm was caught publicly within 20 minutes; 72h is overkill-safe.",
+          "confidence": "high",
+          "deterministic": false
         }
       ],
       "false_positive_profile": [

package/data/zeroday-lessons.json

@@ -373,5 +373,98 @@
       "basis": "No vendor management or supply chain control covers MCP servers. 150M+ affected downloads suggests extremely broad exposure.",
       "theater_pattern": "vendor_management_ai"
     }
+  },
+  "CVE-2026-45321": {
+    "name": "Mini Shai-Hulud TanStack npm worm",
+    "lesson_date": "2026-05-13",
+    "attack_vector": {
+      "description": "Three chained primitives across one repository's CI: (1) pull_request_target on a non-publishing workflow ran fork-PR code with base-repo permissions, (2) that run poisoned actions/cache under a key the publish workflow would later restore, (3) on next main push the publish workflow restored the poisoned cache, attacker code read /proc/<runner>/mem to lift the OIDC token before the official publish step, and shipped malicious tarballs to npm with VALID SLSA provenance. 84 versions across 42 @tanstack/* packages published in a 6-minute window 2026-05-11 19:20-19:26 UTC.",
+      "privileges_required": "Any GitHub account that can open a pull request to the target repository (no maintainer access required).",
+      "complexity": "engineering-grade — chained primitives, deep CI knowledge, /proc/<pid>/mem token-scraping under id-token:write",
+      "ai_factor": "None observed. Engineering-grade tradecraft attributed to TeamPCP. Notable for what it didn't need: AI didn't make this attack possible. CI-trust-boundary misuse + cache co-residency made it possible."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Forbid pull_request_target co-residency with id-token:write workflows in the same repo, OR isolate actions/cache namespaces per trigger class so fork-PR runs cannot write to a key any tag/main run will read.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Architectural — eliminates the chain. Hardest part is auditing every repo for the architectural pre-condition; this is what the sbom playbook's `ci-cache-poisoning-co-residency` indicator checks."
+      },
+      "detection": {
+        "what_would_have_worked": "Consumer-side fresh-publish cooldown (.npmrc before=72h or minimumReleaseAge=4320 minutes). External researchers caught this worm within 20 minutes of publish; 72h is overkill-safe.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Defense in depth — operators who would have installed the malicious version on 2026-05-11 19:25Z would not have, because the cooldown would have rejected it."
+      },
+      "response": {
+        "what_would_have_worked": "Token rotation triggered by the npm yank notice, paired with host-snapshot BEFORE rotation (the worm payload carries a destructive wipe on token-revocation).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Reduces blast radius post-exploitation. The destructive-on-revocation property means hasty rotation can lose evidence."
+      }
+    },
+    "framework_coverage": {
+      "SLSA-L3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "SLSA L3 build-integrity is necessary but insufficient against cache-poisoning attacks within the build. The malicious tarballs shipped with VALID SLSA provenance — provenance proves which pipeline built the artifact, not that the pipeline behaved as intended."
+      },
+      "NIST-800-218-SSDF": {
+        "covered": true,
+        "adequate": false,
+        "gap": "PS.3 + PO.3 don't address cache poisoning between sibling workflows in the same repo. SSDF presumes per-workflow trust isolation that GitHub Actions' shared actions/cache breaks."
+      },
+      "NIST-800-53-SA-12": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Supply chain protection treats provenance + signing as the trust anchor. CVE-2026-45321 demonstrates both can be intact on a malicious package."
+      },
+      "EU-CRA-Art13": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Vulnerability-handling provisions presume detectable signal at consumption. Valid provenance neutralizes the standard consumer-side check."
+      },
+      "NIS2-Art21-2d": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Supply chain risk management presumes detectable signal at consumption."
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-008",
+        "name": "CI-WORKFLOW-TRUST-BOUNDARY-ISOLATION",
+        "description": "Forbid pull_request_target co-residency with id-token:write workflows in the same repository. If co-residency is required, isolate actions/cache namespaces per trigger class.",
+        "evidence": "CVE-2026-45321 — chained primitives required exactly this co-residency to succeed",
+        "gap_closes": [
+          "NIST-800-218-SSDF",
+          "SLSA-L3"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-009",
+        "name": "REGISTRY-COOLDOWN-POLICY",
+        "description": "Consumer-side registry cooldown (.npmrc before=72h or minimumReleaseAge=4320 minutes) refuses to install any version published within the last 72 hours.",
+        "evidence": "CVE-2026-45321 — caught publicly within 20 minutes; 72h is overkill-safe",
+        "gap_closes": [
+          "NIST-800-53-SA-12",
+          "NIS2-Art21-2d"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-010",
+        "name": "AGENT-PERSISTENCE-HOOK-ALLOWLIST",
+        "description": "AI coding assistants must allowlist hooks. SessionStart hooks in .claude/settings.json + folder-open tasks in .vscode/tasks.json + OS-level LaunchAgents/systemd-user units that reference in-repo staged scripts must be approved by the operator before execution.",
+        "evidence": "CVE-2026-45321 — the worm installs persistence via all three hook surfaces",
+        "gap_closes": [
+          "ALL-AI-AGENT-PERSISTENCE"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 95,
+      "basis": "SLSA L3 + provenance + signing all pass on the malicious package. Standard supply-chain audits (SBOM check, provenance verify, signature verify) all give green. The architectural pre-condition (pull_request_target + id-token:write + shared actions/cache) is not in any compliance framework's control catalog. Combined ~150M+ weekly downloads across 42 packages = extremely broad exposure.",
+      "theater_pattern": "provenance_signed_therefore_safe"
+    }
   }
 }

package/keys/public.pem

@@ -1,3 +1,3 @@
 -----BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEAbyrz9k9voneYsqY63g6A5y4jTcuiJd0FEDtk4li5uIE=
+MCowBQYDK2VwAyEAc7dTqpdkqSacW3fFwlplSF3i9c845VcTA118wKCxuvE=
 -----END PUBLIC KEY-----

package/manifest-snapshot.json

@@ -1,6 +1,6 @@
 {
   "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-  "_generated_at": "2026-05-13T01:22:11.901Z",
+  "_generated_at": "2026-05-13T02:18:38.639Z",
   "atlas_version": "5.1.0",
   "skill_count": 38,
   "skills": [

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.11.14",
+  "version": "0.11.15",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -52,7 +52,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "Xk593pj7my6wPJbQBE47khpIUrPsp6N1lW7cE2T/VPPF5T+8C1yGKc9B8VphD7Q08yWFcbwF6HoWpA/+4uG9DA==",
-      "signed_at": "2026-05-13T01:22:11.489Z",
+      "signed_at": "2026-05-13T02:18:38.231Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -116,7 +116,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "nOgUu+LK9fy6ASTCoRGtx3ttgjZCl7WIkKu2wu06JEKVSpL2cKU3ex2tmVAvv11LBmpTH+b/0zvqXlzcxzHnCw==",
-      "signed_at": "2026-05-13T01:22:11.491Z",
+      "signed_at": "2026-05-13T02:18:38.233Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -179,7 +179,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "7FH1J9PlOyvcRCzRmggmenX9fIR0pi/veXihb3TeStcq1Rpuz1KHdOcJLqA9su4t2goYukKKCXHV6hx8hzplAA==",
-      "signed_at": "2026-05-13T01:22:11.492Z",
+      "signed_at": "2026-05-13T02:18:38.233Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -225,7 +225,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "FqTRjHfEgw56pyHnyWzNtnhzDMEePBtmuamtW/iyX+h4yqbvP4Fyr7NRjRs3EgqT4j7oHuEZhV9Jt6ZTBgN4AA==",
-      "signed_at": "2026-05-13T01:22:11.492Z"
+      "signed_at": "2026-05-13T02:18:38.233Z"
     },
     {
       "name": "compliance-theater",
@@ -256,7 +256,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "3fN4yotiIIq76PVTHwozCu28TzDZvWule6vX8SXUT3XXbIBSuvAO0M/euvc3pw3TdZ2UNf78dI18lOCNdJ0aAg==",
-      "signed_at": "2026-05-13T01:22:11.493Z"
+      "signed_at": "2026-05-13T02:18:38.234Z"
     },
     {
       "name": "exploit-scoring",
@@ -285,7 +285,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "yZfpk4lQMRXegj2ADWjMmZTchUN6Lxpv587O/0JMzbNkXQtD6FrSAQOBWjx8S7uQ/sTntxgGN7aQQDLxL9RWAA==",
-      "signed_at": "2026-05-13T01:22:11.493Z"
+      "signed_at": "2026-05-13T02:18:38.234Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -322,7 +322,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ABHkoqee67KdUyDZ3bvF+/DNxjGhPR/ehT6pfOnmUIMmkcQFHpZ0OUVXKiFUANaLgKLP1vg0VEmHOoxpNA3vAA==",
-      "signed_at": "2026-05-13T01:22:11.493Z",
+      "signed_at": "2026-05-13T02:18:38.235Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -379,7 +379,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "+Nd/2tgBnW+mEGX84QvkgR2To2J7kA+lB63BsADDKeCXeebFv6Vo9H1P4vyUkKHfe4fP0ndpy3agIZcUO/e/Dg==",
-      "signed_at": "2026-05-13T01:22:11.493Z",
+      "signed_at": "2026-05-13T02:18:38.235Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -414,7 +414,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "VMNGFvowXLbBjZp5nvWloKkqyqHKhnSzbVRU3gX9quOZJHH56w2M4id+oDsXIjR0CfRRb7eXl/so0Hq4xLBuBQ==",
-      "signed_at": "2026-05-13T01:22:11.494Z",
+      "signed_at": "2026-05-13T02:18:38.235Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -442,7 +442,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "5MaJs7gPCuFlK4oAttLulAPOA1noeV+xD/UqVWaVyRedXZgebBGKjnlE2t1qmTugvxlNIfeAnBZapk+Wz3VAAg==",
-      "signed_at": "2026-05-13T01:22:11.494Z"
+      "signed_at": "2026-05-13T02:18:38.235Z"
     },
     {
       "name": "global-grc",
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "S/YXUpI/mcG2FpdUTgMsccWBtTaR5A4Ph4QFQw31S9w9Hn/z3sOFHLkb1B5YSwlg+mMOtSIxMdet1eLGSZkTDg==",
-      "signed_at": "2026-05-13T01:22:11.494Z"
+      "signed_at": "2026-05-13T02:18:38.236Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -501,7 +501,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "AKS+JsmhhBtytY2eIMuydjkZOYprWCmQ+RqxyxcVG9XcEI29ZSM/JbVIINQHozFl7OPPrOu1ouiTnk7LOJ86Bg==",
-      "signed_at": "2026-05-13T01:22:11.495Z"
+      "signed_at": "2026-05-13T02:18:38.236Z"
     },
     {
       "name": "pqc-first",
@@ -553,7 +553,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "oEkK5bLS/G5RIHnxlNFJYdzhTJbKZnkJv+W4iS9UJ/uszZHgZGoxygELPc4kn3FowV5eE988SQYG4WKlXtNzCg==",
-      "signed_at": "2026-05-13T01:22:11.495Z",
+      "signed_at": "2026-05-13T02:18:38.237Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -600,7 +600,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "nPV6YTo1rsNH49qUnZpfoNLEQZXuLNyV05QMUOgXKHYeVDjotYpWhLgyVXlRhjV/fStiA2sWQ0MOnEJ4FBIfDg==",
-      "signed_at": "2026-05-13T01:22:11.496Z"
+      "signed_at": "2026-05-13T02:18:38.237Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -637,7 +637,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "7rirSEONz6O9Yyf46eTyuwkGizCj9FRcNHe5p7Qz6nhJoZQRW5FwW7n9opL0WlbIw8FDBYn1f22zgNUV87L5AQ==",
-      "signed_at": "2026-05-13T01:22:11.496Z",
+      "signed_at": "2026-05-13T02:18:38.237Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -672,7 +672,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "+evehnd2wSBb8uMTlTr5/aTN4bfLjsKzZJk/+OMLMOJrjCt+OuMU7EQC6xMUGeSc4cPEGajghDvq3xVaacV2Dw==",
-      "signed_at": "2026-05-13T01:22:11.496Z"
+      "signed_at": "2026-05-13T02:18:38.238Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -743,7 +743,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "KHOXxloAYf7xqXjm2BaL3HVAZOmb7rMiMh20H/oaIkjN0WD1CnKCrRGPJn867uSFhCh/timkXolaiqD1L/h8Dg==",
-      "signed_at": "2026-05-13T01:22:11.496Z"
+      "signed_at": "2026-05-13T02:18:38.238Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -803,7 +803,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "+ELdD+1AY5DymBitH7wU65CS60NY1nDoLowJAFn7cE5Gr/5jy9BTkyxsm7PEXaSlXWMOkTf/HQ+uyzyxUVD/Bw==",
-      "signed_at": "2026-05-13T01:22:11.497Z"
+      "signed_at": "2026-05-13T02:18:38.238Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -878,7 +878,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "8tFAhXAS8zZN3SUOdn+ZIu7lQ48JMOyBQ8SaObR3L/fDyFmDhufqleY2VzI3yigqlT/D4Y8FYxZHKmzXiALjDw==",
-      "signed_at": "2026-05-13T01:22:11.497Z"
+      "signed_at": "2026-05-13T02:18:38.238Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -954,8 +954,8 @@
         "EU CRA (Regulation 2024/2847) — implementing acts for technical documentation and SBOM submission expected through 2027",
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
-      "signature": "8xlk5ZfTKVYqTE2+ifkjTBu/RPqs4MIvX7SpOHl22YDHi7nzJ1ywPhSNYJzoPdPV4AUuWG518EldQJsEIuyuAA==",
-      "signed_at": "2026-05-13T01:22:11.497Z"
+      "signature": "YhvlD+6gdFGg7P6QtpWeb0n54/Ujlxc7I6o/bXtpkfPiy/JY4OJo5xdreb+mbytHkasmUErL5LsDtTCAVq0QAA==",
+      "signed_at": "2026-05-13T02:18:38.239Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1012,7 +1012,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "AMdLkDx/e3ESI4NAnJhhcaas+Ru8VjrSn6v6RBbmmzoLCGo/vFxGraa1p/qF9udhVG+DdkbwHfbfKK5Im19KDw==",
-      "signed_at": "2026-05-13T01:22:11.497Z"
+      "signed_at": "2026-05-13T02:18:38.239Z"
     },
     {
       "name": "identity-assurance",
@@ -1079,7 +1079,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "pSMHKkyWoZvRIuVtN7Vue51sP5MIy9lSaQa2YSAMhxjptx81cUnPt3S11/Tb9Ea1/eluMNQ+5F25eF2njr4mBQ==",
-      "signed_at": "2026-05-13T01:22:11.498Z"
+      "signed_at": "2026-05-13T02:18:38.239Z"
     },
     {
       "name": "ot-ics-security",
@@ -1135,7 +1135,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "qjky+ZTX1DP7uRRMQZq7S7P9/uaJEoB1dy4RZ1l37Q4OO3k2ryfL+7o0Cgm/piuafJfH+dqUeNCRrVefj4r8Dw==",
-      "signed_at": "2026-05-13T01:22:11.498Z"
+      "signed_at": "2026-05-13T02:18:38.239Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1187,7 +1187,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "F86Zl/I+dBzHYRUuGWsjDQI2F/I/vhzwZUFMqhNfKUzRbMf6mafOX2APCPYTp3eP1DvvvfL3Yc0hb1R5Q4nOAg==",
-      "signed_at": "2026-05-13T01:22:11.498Z"
+      "signed_at": "2026-05-13T02:18:38.240Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1237,7 +1237,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "D/4d5NcJScNH58ADXsSrVzTmLSWZpUZTdyhtDkJlC0twSMNczOiDsXgYFitBaZgGdv5nVd00viR45mNrsaZ4BQ==",
-      "signed_at": "2026-05-13T01:22:11.499Z"
+      "signed_at": "2026-05-13T02:18:38.240Z"
     },
     {
       "name": "webapp-security",
@@ -1311,7 +1311,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "UOXaUtpcFjXyDQ70z2PaGu6K3pABtXp+7YzO6eGVGpN1CxXpPq/xW/CnTng6B7wk9WSsqD0OORBJp4VCjiVfAQ==",
-      "signed_at": "2026-05-13T01:22:11.499Z"
+      "signed_at": "2026-05-13T02:18:38.241Z"
     },
     {
       "name": "ai-risk-management",
@@ -1361,7 +1361,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "IVKygsrFjiM64fQVbd2PT6jDjs6fm5nKwJSqGfK53gG0S9wdHC4QYuh+LWlI/2ftvIKjjedLQ6FRyTrqpDEuDw==",
-      "signed_at": "2026-05-13T01:22:11.499Z"
+      "signed_at": "2026-05-13T02:18:38.241Z"
     },
     {
       "name": "sector-healthcare",
@@ -1421,7 +1421,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "P+CdSu8ZJCNUU4nTa09Voh2PcYF3y/AFJn4v7cjVIGo9FbbqO7MwvGN7cJ+aSRs2/3NMUXX4eupcODslxYyJDw==",
-      "signed_at": "2026-05-13T01:22:11.500Z"
+      "signed_at": "2026-05-13T02:18:38.241Z"
     },
     {
       "name": "sector-financial",
@@ -1502,7 +1502,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "zpEfh181Sc0b0cvRf/31Ir1f8lD4V5tehTogO3TJMxdKmXu06IAK7hrhBcLA/jFBv3xDDwrWW3sHzChVhWDeDA==",
-      "signed_at": "2026-05-13T01:22:11.500Z"
+      "signed_at": "2026-05-13T02:18:38.241Z"
     },
     {
       "name": "sector-federal-government",
@@ -1571,7 +1571,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "7NpQlPu1DkpY9f+Frv/LLBHWUUe/qTM80c+xeYDxOzweXhvJGE/dnDCjglYHTjxT82L9cVxzBezvLEne20UpBg==",
-      "signed_at": "2026-05-13T01:22:11.500Z"
+      "signed_at": "2026-05-13T02:18:38.242Z"
     },
     {
       "name": "sector-energy",
@@ -1636,7 +1636,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "4rhyHN5HykK7MQUmhvaTeDGj6Qf5swDd5ry8foh4KBvTkRKxTI/XyxconFGm5FASnySGPLMxX6m4JZAq5wiNBg==",
-      "signed_at": "2026-05-13T01:22:11.501Z"
+      "signed_at": "2026-05-13T02:18:38.242Z"
     },
     {
       "name": "api-security",
@@ -1705,7 +1705,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "hS1izPhETclITK7fp6R67dhy+wFDti/YsJ2M5I1gDjeWZYK41WuxeYSyt5xEHbCr3WCGDFJe77jkK1MWkxk2BA==",
-      "signed_at": "2026-05-13T01:22:11.501Z"
+      "signed_at": "2026-05-13T02:18:38.243Z"
     },
     {
       "name": "cloud-security",
@@ -1786,7 +1786,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "kuatqNZoRnv+oeyrxbnk+m37JRBIgRAWnDp0/IYLnoBOybiG09RzLILJraxjhvdSNCgo7WXTeBO3Y6a3Ji9MAA==",
-      "signed_at": "2026-05-13T01:22:11.501Z"
+      "signed_at": "2026-05-13T02:18:38.243Z"
     },
     {
       "name": "container-runtime-security",
@@ -1848,7 +1848,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "Btb3/7fjPFopFVdxP7+E6n322gnAAwd7OPrnuqatq6c1rXTD9aXKxiBeCmWxs8zYbIbE/lFoe9R2g6uTp8ZDBg==",
-      "signed_at": "2026-05-13T01:22:11.501Z"
+      "signed_at": "2026-05-13T02:18:38.243Z"
     },
     {
       "name": "mlops-security",
@@ -1919,7 +1919,7 @@
         "MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs"
       ],
       "signature": "TBWnlgdllW7K1F10HCJ7p4dbLeS3lyNWm+7mNNtyZu7jB1V5AauG1P7sb1nLLqwKqeGlHS1F0eh/BNiuAvkABg==",
-      "signed_at": "2026-05-13T01:22:11.502Z"
+      "signed_at": "2026-05-13T02:18:38.244Z"
     },
     {
       "name": "incident-response-playbook",
@@ -1981,7 +1981,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "FVAXpD6sIoOLQSPtZSLLsXQnc2o2hRwiFj4xK8zEWJVkUWGqvAWRrngie7O2DRKIbWqjO5h9EevVYSzhwYHCAA==",
-      "signed_at": "2026-05-13T01:22:11.502Z"
+      "signed_at": "2026-05-13T02:18:38.244Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2034,7 +2034,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "0HDt3Qklee4FQeKoZfwr+8qdq2pVDS0a+c7JxVw1hV/bl8+YTPaPjPTAhQUnbhUCa5cGo7G4MBQ1AifQTMJdDA==",
-      "signed_at": "2026-05-13T01:22:11.502Z"
+      "signed_at": "2026-05-13T02:18:38.244Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2102,7 +2102,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "UyPSKUztZI/daHCRTnAh6ryoKLX4xyjuG+EaNMPRVuCz2gANGl1F/NozDsw7R2koMUwSFoiYTzwqDvo1tpuKAg==",
-      "signed_at": "2026-05-13T01:22:11.503Z"
+      "signed_at": "2026-05-13T02:18:38.245Z"
     }
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.11.14",
+  "version": "0.11.15",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json

@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:2b865076-6e1d-44d0-91ea-867b74a17143",
+  "serialNumber": "urn:uuid:93e97dc7-2dd1-4a28-98cd-dfc04174a943",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-13T01:22:12.418Z",
+    "timestamp": "2026-05-13T02:18:39.132Z",
     "tools": [
       {
         "name": "hand-written",
@@ -13,10 +13,10 @@
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.11.14",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.11.15",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.11.14",
+      "version": "0.11.15",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
       "licenses": [
         {
@@ -25,11 +25,11 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.11.14",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.11.15",
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.11.14"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.11.15"
         },
         {
           "type": "vcs",

package/skills/supply-chain-integrity/skill.md

@@ -61,7 +61,7 @@ d3fend_refs:
   - D3-CBAN
   - D3-EAL
   - D3-EHB
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-05-13"
 ---
 
 # Supply-Chain Integrity Assessment
@@ -72,6 +72,7 @@ The supply chain has expanded far beyond "a vulnerable dependency in npm or PyPI
 
 The defining incidents driving this expansion:
 
+- **CVE-2026-45321 (Mini Shai-Hulud TanStack npm worm, 2026-05-11)** — 84 malicious versions across 42 `@tanstack/*` packages were published in a six-minute window (19:20-19:26 UTC); `@tanstack/react-router` alone ships ~12M weekly downloads. **First documented npm package shipping VALID SLSA provenance while being malicious.** Provenance proves which pipeline built the artifact; it does not prove that the pipeline behaved as intended. The attack chain was three primitives, none sufficient alone: (1) `pull_request_target` on TanStack's `bundle-size.yml` ran fork-PR code with base-repo permissions (classic *Pwn Request*); (2) that run wrote poison into the `actions/cache` pnpm-store under key `Linux-pnpm-store-${hashFiles('**/pnpm-lock.yaml')}` that the publish workflow later restored; (3) on the next `main` push, `release.yml` (with `id-token: write` for legit npm publishing) restored the poisoned cache, attacker code read `/proc/<runner.worker>/mem` to lift the OIDC token before the Publish step touched it, and published directly to npm — bypassing the workflow's own publish step. The payload (2.3 MB obfuscated) does credential harvesting from 100+ paths and installs persistence via `.claude/settings.json` SessionStart hooks, `.vscode/tasks.json` folder-open hooks, plus macOS LaunchAgents / Linux systemd-user units. A destructive wipe fires on token revocation. Implication for this skill: SLSA L3 is necessary-but-insufficient against cache-poisoning attacks within the build; the new minimum is workflow trust-boundary isolation (no `pull_request_target` co-resident with `id-token: write`, distinct cache namespaces per trigger class) plus consumer-side fresh-publish cooldowns (`.npmrc before=72h` or `minimumReleaseAge=4320`).
 - **CVE-2026-30615 (Windsurf MCP zero-interaction RCE)** — a developer tool, distributed without enforced manifest signing or provenance attestation, executed attacker-controlled code with zero user interaction. The vulnerability class is reachable across the AI coding-assistant ecosystem (150M+ combined downloads). See the `mcp-agent-trust` skill for the trust-boundary analysis; this skill addresses the supply-chain artifact-integrity layer.
 - **AI-generated code is opaque-provenance code.** GitHub Copilot, Cursor, Claude Code, Windsurf, Codex, and Gemini CLI emit code that is committed without attestation of which model produced it, against what context, with what training cutoff. SBOM completeness claims that omit AI-generated code are theater — the SBOM lists `npm:lodash@4.17.21` but not "function `parseUrl` was emitted by Copilot from a docstring that contained an indirect prompt injection."
 - **Model weights are native binary artifacts that execute on load.** PyTorch `.pt` checkpoints in code-executing serialization formats distributed via Hugging Face / GitHub LFS are CWE-502 deserialization vectors. Hash-pinning a malicious blob does not prevent execution; only signature verification against a pinned publishing key (Sigstore keyless or OpenSSF model-signing) plus a non-executing format (safetensors) closes the class.