@blamejs/exceptd-skills 0.11.14 → 0.12.0

package/CHANGELOG.md

@@ -1,5 +1,115 @@
 # Changelog
 
+## 0.12.0 — 2026-05-13
+
+**Minor: catalog freshness from minutes-old disclosures, not days.**
+
+Today's refresh sources (KEV / NVD / EPSS / IETF / MITRE) don't see a fresh-disclosure npm worm. KEV listing takes days; NVD takes ~10 days. The CVE-2026-45321 TanStack worm was caught publicly within 20 minutes — but the only feed that fired in that window was the GitHub Advisory Database. v0.12.0 adds GHSA as a refresh source, plus operator-driven single-advisory seeding, plus an editorial-enrichment helper.
+
+### GHSA as a refresh source
+
+`exceptd refresh` now pulls from GitHub Advisory Database (covers npm, PyPI, RubyGems, Maven, NuGet, Go, Composer, Swift, Erlang, Pub, Rust). Unauthenticated 60 req/hr; authenticated 5000 req/hr via `GITHUB_TOKEN` env var. New CVE IDs land as **drafts** flagged `_auto_imported: true` + `_draft: true`. The strict catalog validator treats drafts as warnings, not errors — so the nightly auto-PR pipeline can ship them without blocking on editorial review. Framework gaps + IoCs + ATLAS/ATT&CK refs are explicit nulls awaiting human or AI-assisted enrichment.
+
+(Note: npm Inc. does not publish a standalone JSON advisory feed; npm advisories are surfaced via GHSA. Adding `npm-advisories` as a separate source would duplicate GHSA data with no fidelity gain.)
+
+### `exceptd refresh --advisory <id>`
+
+Operator-driven single-advisory seeding. Accepts CVE-* or GHSA-* identifiers. Fetches the advisory from GHSA, normalizes to the catalog draft shape, prints (default) or writes (`--apply`). Always exits **3** ("draft prepared, editorial review pending") so CI pipelines surface the next step.
+
+```
+exceptd refresh --advisory CVE-2026-45321               # dry-run, prints draft
+exceptd refresh --advisory CVE-2026-45321 --apply       # writes draft into data/cve-catalog.json
+exceptd refresh --advisory GHSA-xxxx-xxxx-xxxx --json   # JSON output
+```
+
+Refuses to overwrite a human-curated entry. Honors `EXCEPTD_GHSA_FIXTURE` env var for offline tests.
+
+### `exceptd refresh --curate <CVE-ID>`
+
+Editorial-enrichment helper. Reads the draft entry from `data/cve-catalog.json`, cross-references against `data/atlas-ttps.json` + `data/attack-ttps.json` + `data/cwe-catalog.json` + `data/framework-control-gaps.json`, and emits structured **editorial questions** — one per null field — each with ranked candidates and a specific ASK for the reviewer.
+
+```
+{
+  "editorial_questions": [
+    {
+      "field": "atlas_refs",
+      "current_value": [],
+      "candidates": [{"id": "AML.T0010", "score": 68, "reason": "..."}],
+      "ask": "Which MITRE ATLAS techniques are present in the attack chain?"
+    },
+    {
+      "field": "framework_control_gaps",
+      "ask": "Which framework controls CLAIM to cover this CVE's category, and where do they fall short? Per AGENTS.md Hard Rule #6, every framework finding must include a test that distinguishes paper compliance from actual security."
+    },
+    ...
+  ]
+}
+```
+
+Pure heuristic — deterministic keyword-overlap scoring against existing catalogs. The reviewer (human or AI assistant) makes the final call on each candidate. Always exits **3** because editorial review is, by definition, pending.
+
+(The natural-language form `exceptd run cve-curation --advisory <id>` — wrapping this helper in a full seven-phase playbook with GRC closure — is scoped for v0.13. The helper itself ships in v0.12 so operators can use it now.)
+
+### Catalog schema
+
+- `data/cve-catalog.json` entries may now carry `_auto_imported`, `_draft`, `_draft_reason`, `_source_ghsa_id`, `_source_published_at` fields.
+- `lib/validate-cve-catalog.js` recognizes drafts: prints them as `DRAFT` lines (not `FAIL`), does not exit-fail. The summary line includes a `<N> draft(s) (auto-imported)` count.
+- `lib/schemas/cve-catalog.schema.json` is unchanged; the draft fields are absorbed by `additionalProperties: true`.
+
+### Tests
+
+7 new regression cases. 366 total. Coverage: ghsa fixture fetch, advisory normalization (draft shape + cisa_kev_pending heuristic for critical), `refresh --advisory` dry-run + apply paths, `refresh --curate` editorial-question generation, refusal-on-human-curated, validator draft-tolerance.
+
+### Operator workflow
+
+The end-to-end flow for a fresh-disclosure CVE the nightly job hasn't caught yet:
+
+```
+$ exceptd refresh --advisory CVE-2026-XXXXX --apply       # seeds draft from GHSA
+$ exceptd refresh --curate CVE-2026-XXXXX                  # surfaces editorial questions + candidates
+# review the questions, fill the catalog entry, add a zeroday-lessons.json entry,
+# remove _auto_imported and _draft flags, then:
+$ npm run predeploy                                        # strict gate now passes
+```
+
+The nightly auto-PR mechanism handles the GHSA pull automatically; this surface is for "I want this CVE today, not tomorrow."
+
+## 0.11.15 — 2026-05-13
+
+**Patch: CVE-2026-45321 (Mini Shai-Hulud TanStack npm worm) — catalog + playbook + IoC sweep.**
+
+Adds detection for the npm supply-chain worm disclosed 2026-05-11 (84 malicious versions across 42 `@tanstack/*` packages, including `@tanstack/react-router` at ~12M weekly downloads, CVSS 9.6). The novel category: first documented npm package shipping VALID SLSA provenance while being malicious. Provenance proves which pipeline built the artifact, not that the pipeline behaved as intended.
+
+### Catalog
+
+- `data/cve-catalog.json` — new entry `CVE-2026-45321` with full RWEP scoring (78), the three chained primitives (`pull_request_target` co-resident with `id-token: write` and shared `actions/cache`), payload IoCs, persistence IoCs (`.claude/settings.json` SessionStart hooks, `.vscode/tasks.json` folder-open hooks, macOS LaunchAgents, Linux systemd-user units), framework-gap analysis (SLSA L3 insufficient, NIST 800-218 SSDF PS.3/PO.3 gap), and the destructive-on-revocation behavior.
+
+### Playbook detections (sbom)
+
+- `tanstack-worm-payload-files` — find `node_modules/@tanstack/*/router_init.js` or `router_runtime.js`
+- `tanstack-worm-resolved-during-publish-window` — lockfile entries resolved 2026-05-11T19:20Z..19:26Z
+- `agent-persistence-claude-session-start-hook` — non-owner SessionStart hooks
+- `agent-persistence-vscode-folder-open-task` — folder-open tasks running staged setup scripts
+- `agent-persistence-os-level` — macOS LaunchAgents + Linux systemd-user units referencing in-repo `.mjs`
+- `ci-cache-poisoning-co-residency` — repo has `pull_request_target` + `id-token: write` + shared `actions/cache` (architectural pre-condition, even without payload)
+- `npm-registry-no-cooldown` — project consumes npm but `.npmrc` lacks `before=` or `minimumReleaseAge=`
+
+### Playbook detections (mcp)
+
+- Same `agent-persistence-*` indicators on the agentic-tooling side. MCP playbook covers the persistence vector; SBOM covers the supply-chain root.
+
+### Skill update
+
+- `skills/supply-chain-integrity/SKILL.md` — adds the CVE-2026-45321 case at the top of Threat Context with the chained-primitives explanation and the new SLSA-L3-insufficient framing.
+
+### Eating own dogfood
+
+- `.npmrc` — adds `before=72h` + `minimumReleaseAge=4320` so this repo refuses fresh-publish installs. Survives downgrade to older npm via both flags.
+
+### threat_currency_score bumps
+
+- `sbom` 95 → 97, `mcp` 96 → 97, both with `last_threat_review: 2026-05-13`.
+
 ## 0.11.14 — 2026-05-13
 
 **Patch: items 129-134 + freshness surface — claims-vs-reality gap closure + opt-in registry-check.**

package/bin/exceptd.js

@@ -72,6 +72,7 @@ const COMMANDS = {
   prefetch:        () => path.join(PKG_ROOT, "lib", "prefetch.js"),
   refresh:         () => path.join(PKG_ROOT, "lib", "refresh-external.js"),
   "refresh-network": () => path.join(PKG_ROOT, "lib", "refresh-network.js"),
+  "refresh-curate":  () => path.join(PKG_ROOT, "lib", "cve-curation.js"),
   "build-indexes": () => path.join(PKG_ROOT, "scripts", "build-indexes.js"),
   verify:          () => path.join(PKG_ROOT, "lib", "verify.js"),
   scan:            () => path.join(PKG_ROOT, "orchestrator", "index.js"),
@@ -252,9 +253,19 @@ v0.11.0 canonical surface
                                                     catalog snapshot from npm registry,
                                                     verify against local keys/public.pem,
                                                     swap data/ in place (no CLI/lib reload)
+                             --advisory <id>        (v0.12.0) seed a catalog entry from a
+                                                    CVE-* or GHSA-* ID via GitHub Advisory
+                                                    Database. Writes draft with
+                                                    _auto_imported:true. Use --apply to
+                                                    write to disk.
+                             --curate <CVE-ID>      (v0.12.0) emit editorial questions +
+                                                    ranked candidates (ATLAS/ATT&CK/CWE/
+                                                    framework gaps) for a draft entry.
                              --prefetch             populate offline cache
                              --from-cache           consume offline cache
                              --indexes-only         rebuild indexes only
+                             Sources: kev|epss|nvd|rfc|pins|ghsa (v0.12.0).
+                                                    ghsa drafts pass validator as warnings.
 
 v0.10.x compatibility (will be removed in v0.12)
 ────────────────────────────────────────────────
@@ -414,6 +425,12 @@ function main() {
     // data slice without requiring a full package upgrade.
     effectiveCmd = "refresh-network";
     effectiveRest = rest.filter(a => a !== "--network");
+  } else if (cmd === "refresh" && rest.includes("--curate")) {
+    // v0.12.0: --curate <CVE-ID> emits editorial questions + ranked
+    // candidates (atlas/attack/cwe/framework) for a draft catalog entry.
+    // Operator or AI assistant fills the null editorial fields.
+    effectiveCmd = "refresh-curate";
+    effectiveRest = rest;
   }
 
   const resolver = COMMANDS[effectiveCmd];

package/data/_indexes/_meta.json

@@ -1,12 +1,12 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-13T02:04:13.785Z",
+  "generated_at": "2026-05-13T02:34:42.448Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 49,
   "source_hashes": {
-    "manifest.json": "75707bfee79c57f6d7c6999c9da7292a574cb33669b17cf60e32160a5a2fa0d2",
+    "manifest.json": "31cfbef4aa2a73ae93de1837209c958f5318fadbfc4481f06459617048fec44c",
     "data/atlas-ttps.json": "1500b5830dab070c4252496964a8c0948e1052a656e2c7c6e1efaf0350645e13",
-    "data/cve-catalog.json": "a81d3e4b491b27ccc084596b063a6108ff10c9eb01d7776922fc393980b534fe",
+    "data/cve-catalog.json": "e9a3a4ce988caa051e50a467f1cd9c0dcbf9e8f6f3e9522610baf196217b7bdc",
     "data/cwe-catalog.json": "c3367d469b4b3d31e4c56397dd7a8305a0be338ecd85afa27804c0c9ce12157b",
     "data/d3fend-catalog.json": "b5cd14669e2a931d0df81bb8402f3c8ac08b0d2613e595eaecd8cc4631a57587",
     "data/dlp-controls.json": "8ea8d907aea0a2cfd772b048a62122a322ba3284a5c36a272ad5e9d392564cb5",
@@ -14,7 +14,7 @@
     "data/framework-control-gaps.json": "25db4d0cc9e6242e1143494178393ae8eab3384672ca0d685bd55c537f028c83",
     "data/global-frameworks.json": "84fd19061f052e4ccf66308a7b8d3fd38e00325e97e9e5e19e4d9b302c128957",
     "data/rfc-references.json": "23ffeb970af5403e9a733844dcea9b45cbae689623085f030dec826c492682e3",
-    "data/zeroday-lessons.json": "56d63821686403c6894c93b9ff9ef318ca8e08d7027e8517131068811d529beb",
+    "data/zeroday-lessons.json": "0840eacd580d4ee5bd7dc44ccea6d52bfa95096576af0ccf67132eea05bedd55",
     "skills/kernel-lpe-triage/skill.md": "c00e0a77e8b7b1a1ebcb7267dd728b39ec2671d1260bf4f6a4842f10101a69b0",
     "skills/ai-attack-surface/skill.md": "3f5c59f1823f1552efe8a5cb32656d34d6407609ddaa1eed254c263864563453",
     "skills/mcp-agent-trust/skill.md": "716d0d65499f8be21e0389a06a1fcaf6abd1cd2e90f068cab54471dd67127f74",
@@ -34,7 +34,7 @@
     "skills/attack-surface-pentest/skill.md": "f639b6d9c19def5908eddbbb79f0514e168e74661c0894b737d7c76cbb550841",
     "skills/fuzz-testing-strategy/skill.md": "83b1929a0d1e09a58908b91125ebc91ff14323ab9acc9bab6c4b04903b69b837",
     "skills/dlp-gap-analysis/skill.md": "041c4c6a5299057383b1d6bd4328c1ef578f8c5c6bade8750d339c7b51020027",
-    "skills/supply-chain-integrity/skill.md": "b7fbb5bfcce53d774c51be3fe2231c5f371850a5bdb8d7edfced3342dd99dbb8",
+    "skills/supply-chain-integrity/skill.md": "94527929c150bf9bc7a5a61a596373d49a88ae9114adf841b2d3771e25fb8d51",
     "skills/defensive-countermeasure-mapping/skill.md": "634f0805597a0ab417248a7413eed39b08afbc820e7c6bd257eebaa663d8990d",
     "skills/identity-assurance/skill.md": "e8f3958ef8dd89f9276f2a62a0a1b418a206a3312bb8ff228729c8f358603dc7",
     "skills/ot-ics-security/skill.md": "7c6eb389e7ace5b2c6e092f8dfcf4795ce1b0aefaa2738c6e383cb0fef4d6287",
@@ -67,13 +67,13 @@
       "dlp_refs": 0
     },
     "trigger_table_entries": 453,
-    "chains_cve_entries": 5,
+    "chains_cve_entries": 6,
     "chains_cwe_entries": 34,
     "jurisdictions_indexed": 29,
     "handoff_dag_nodes": 38,
     "summary_cards": 38,
     "section_offsets_skills": 38,
-    "token_budget_total_approx": 334394,
+    "token_budget_total_approx": 334832,
     "recipes": 8,
     "jurisdiction_clocks": 29,
     "did_ladders": 8,

package/data/_indexes/activity-feed.json

@@ -172,7 +172,7 @@
       "artifact": "data/cve-catalog.json",
       "path": "data/cve-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 5
+      "entry_count": 6
     },
     {
       "date": "2026-05-11",
@@ -349,7 +349,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.0.0",
-      "entry_count": 5
+      "entry_count": 6
     },
     {
       "date": "2026-05-01",

package/data/_indexes/catalog-summaries.json

@@ -40,7 +40,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 5,
+      "entry_count": 6,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2026-43284",
@@ -216,7 +216,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 5,
+      "entry_count": 6,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",

package/data/_indexes/chains.json

@@ -1751,6 +1751,23 @@
       ]
     }
   },
+  "CVE-2026-45321": {
+    "name": "Mini Shai-Hulud TanStack npm worm",
+    "rwep": 45,
+    "cvss": 9.6,
+    "cisa_kev": false,
+    "epss_score": 0.78,
+    "epss_percentile": 0.97,
+    "referencing_skills": [],
+    "chain": {
+      "cwes": [],
+      "atlas": [],
+      "d3fend": [],
+      "framework_gaps": [],
+      "attack_refs": [],
+      "rfc_refs": []
+    }
+  },
   "CWE-787": {
     "name": "Out-of-bounds Write",
     "category": "Memory Safety",

package/data/_indexes/section-offsets.json

@@ -1868,8 +1868,8 @@
     },
     "supply-chain-integrity": {
       "path": "skills/supply-chain-integrity/skill.md",
-      "total_bytes": 37908,
-      "total_lines": 319,
+      "total_bytes": 39667,
+      "total_lines": 320,
       "frontmatter": {
         "line_start": 1,
         "line_end": 65,
@@ -1882,70 +1882,70 @@
           "normalized_name": "threat-context",
           "line": 69,
           "byte_start": 1820,
-          "byte_end": 5452,
-          "bytes": 3632,
+          "byte_end": 7211,
+          "bytes": 5391,
           "h3_count": 0
         },
         {
           "name": "Framework Lag Declaration",
           "normalized_name": "framework-lag-declaration",
-          "line": 87,
-          "byte_start": 5452,
-          "byte_end": 15935,
+          "line": 88,
+          "byte_start": 7211,
+          "byte_end": 17694,
           "bytes": 10483,
           "h3_count": 1
         },
         {
           "name": "TTP Mapping",
           "normalized_name": "ttp-mapping",
-          "line": 132,
-          "byte_start": 15935,
-          "byte_end": 19063,
+          "line": 133,
+          "byte_start": 17694,
+          "byte_end": 20822,
           "bytes": 3128,
           "h3_count": 0
         },
         {
           "name": "Exploit Availability Matrix",
           "normalized_name": "exploit-availability-matrix",
-          "line": 155,
-          "byte_start": 19063,
-          "byte_end": 23644,
+          "line": 156,
+          "byte_start": 20822,
+          "byte_end": 25403,
           "bytes": 4581,
           "h3_count": 0
         },
         {
           "name": "Analysis Procedure",
           "normalized_name": "analysis-procedure",
-          "line": 172,
-          "byte_start": 23644,
-          "byte_end": 31101,
+          "line": 173,
+          "byte_start": 25403,
+          "byte_end": 32860,
           "bytes": 7457,
           "h3_count": 4
         },
         {
           "name": "Output Format",
           "normalized_name": "output-format",
-          "line": 246,
-          "byte_start": 31101,
-          "byte_end": 33203,
+          "line": 247,
+          "byte_start": 32860,
+          "byte_end": 34962,
           "bytes": 2102,
           "h3_count": 9
         },
         {
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
-          "line": 286,
-          "byte_start": 33203,
-          "byte_end": 35491,
+          "line": 287,
+          "byte_start": 34962,
+          "byte_end": 37250,
           "bytes": 2288,
           "h3_count": 0
         },
         {
           "name": "Defensive Countermeasure Mapping",
           "normalized_name": "defensive-countermeasure-mapping",
-          "line": 302,
-          "byte_start": 35491,
-          "byte_end": 37908,
+          "line": 303,
+          "byte_start": 37250,
+          "byte_end": 39667,
           "bytes": 2417,
           "h3_count": 0
         }

package/data/_indexes/token-budget.json

@@ -3,8 +3,8 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1337563,
-    "total_approx_tokens": 334394,
+    "total_chars": 1339318,
+    "total_approx_tokens": 334832,
     "skill_count": 38
   },
   "skills": {
@@ -1090,16 +1090,16 @@
     },
     "supply-chain-integrity": {
       "path": "skills/supply-chain-integrity/skill.md",
-      "bytes": 37908,
-      "chars": 37778,
-      "lines": 319,
-      "approx_tokens": 9445,
+      "bytes": 39667,
+      "chars": 39533,
+      "lines": 320,
+      "approx_tokens": 9883,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
-          "bytes": 3632,
-          "chars": 3622,
-          "approx_tokens": 906
+          "bytes": 5391,
+          "chars": 5377,
+          "approx_tokens": 1344
         },
         "framework-lag-declaration": {
           "bytes": 10483,

package/data/cve-catalog.json

@@ -492,5 +492,119 @@
       }
     ],
     "last_updated": "2026-05-11"
+  },
+  "CVE-2026-45321": {
+    "name": "Mini Shai-Hulud TanStack npm worm",
+    "type": "supply-chain-worm",
+    "cvss_score": 9.6,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "cisa_kev_pending": true,
+    "cisa_kev_pending_reason": "Attack disclosed 2026-05-11. Active in-the-wild exploitation of 42 @tanstack/* packages with combined ~150M weekly downloads. CISA KEV listing expected within standard review window.",
+    "poc_available": true,
+    "poc_description": "Confirmed in-the-wild — 84 malicious versions published across 42 @tanstack/* packages between 2026-05-11 19:20-19:26 UTC. The worm itself IS the PoC; payload analysis published by multiple researchers within 20 minutes.",
+    "ai_discovered": false,
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "Attack methodology is engineering-grade — chained primitives across CI/CD, pnpm cache, and OIDC token handling. No evidence of AI-assisted exploit development; attribution: TeamPCP.",
+    "active_exploitation": "confirmed",
+    "affected": "Anyone consuming any of 42 @tanstack/* npm packages (router, table, form, store, virtual, etc.) — combined ~150M+ weekly downloads. @tanstack/react-router alone ships to ~12M weekly. Excludes @tanstack/react-query (not in the affected set).",
+    "affected_versions": [
+      "84 specific malicious versions published 2026-05-11 19:20-19:26 UTC across 42 @tanstack/* packages — all yanked; check `npm view <pkg> time` for the publish-time window. Any package-lock.json or pnpm-lock.yaml resolved during that window is suspect."
+    ],
+    "vector": "Three chained primitives — none sufficient alone: (1) pull_request_target on TanStack's bundle-size.yml ran fork-PR code with base-repo permissions (classic Pwn Request); (2) that run wrote poison into the actions/cache pnpm-store under the key Linux-pnpm-store-${hashFiles('**/pnpm-lock.yaml')} that release.yml later restored; (3) on next main push, release.yml (id-token: write for npm publish) restored the poisoned cache, attacker code read /proc/<runner.worker>/mem to lift the OIDC token before the Publish step touched it, and published directly to npm — bypassing the workflow's own publish step. Result: malicious tarballs shipped with VALID SLSA provenance.",
+    "complexity": "high",
+    "complexity_notes": "Requires upstream maintainer to have (a) pull_request_target trigger on a non-publishing workflow with sufficient permissions, (b) cache that publish workflow later consumes, and (c) id-token: write scoped broadly enough that an in-process actor can scrape it. Each link is fixable individually; the chain is what's novel.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "npm yank — registry has removed the malicious versions",
+      "Pin or rollback affected @tanstack/* packages in package-lock.json / pnpm-lock.yaml to a pre-2026-05-11-19:20Z resolved version",
+      "Set npm registry cooldown: .npmrc `before=72h` (npm 11+) or `minimumReleaseAge=4320` to refuse any fresh-publish under 72 hours"
+    ],
+    "framework_control_gaps": {
+      "SLSA-L3": "FIRST documented npm package shipping valid SLSA provenance while being malicious — provenance only proves WHICH pipeline built the artifact, not that the pipeline BEHAVED AS INTENDED. SLSA L3 build integrity is necessary but insufficient against cache-poisoning attacks within the build.",
+      "NIST-800-53-SA-12": "Supply chain protection treats provenance + signing as the trust anchor. CVE-2026-45321 demonstrates both can be intact on a malicious package.",
+      "NIST-800-218-SSDF": "PS.3 + PO.3 don't address cache poisoning between sibling workflows in the same repo. SSDF presumes per-workflow trust isolation that GitHub Actions' shared actions/cache breaks.",
+      "EU-CRA-Art13": "Required vulnerability handling doesn't cover the case where the upstream maintainer is unwitting — the maintainer was a victim, not a participant.",
+      "NIS2-Art21-2d": "Supply chain risk management presumes detectable signal at consumption. Valid provenance neutralizes the standard consumer-side check.",
+      "DORA-Art28": "ICT third-party risk doesn't cover transitive cache poisoning in upstream CI/CD."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0018",
+      "AML.T0048"
+    ],
+    "attack_refs": [
+      "T1195.002",
+      "T1078.004",
+      "T1574",
+      "T1059.007"
+    ],
+    "rwep_score": 45,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_notes": "RWEP cap of 30 on blast_radius understates the real exposure (42 packages, ~150M+ weekly downloads combined). Operationally treat as P0; the formula caps blast_radius regardless of magnitude. Once CISA KEV-lists this CVE, the +25 boost will lift score to 70 (P1 territory).",
+    "epss_score": 0.78,
+    "epss_percentile": 0.97,
+    "epss_date": "2026-05-13",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-45321",
+    "source_verified": "2026-05-13",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-45321",
+      "https://github.com/advisories?query=CVE-2026-45321",
+      "https://www.npmjs.com/advisories?search=tanstack"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "TanStack",
+        "advisory_id": null,
+        "url": "https://github.com/TanStack/query/security/advisories",
+        "severity": "critical",
+        "published_date": "2026-05-11"
+      },
+      {
+        "vendor": "npm Inc.",
+        "advisory_id": null,
+        "url": "https://www.npmjs.com/advisories?search=CVE-2026-45321",
+        "severity": "critical",
+        "published_date": "2026-05-11"
+      },
+      {
+        "vendor": "GitHub Security Advisories",
+        "advisory_id": null,
+        "url": "https://github.com/advisories?query=CVE-2026-45321",
+        "severity": "critical",
+        "published_date": "2026-05-11"
+      }
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "node_modules/@tanstack/*/router_init.js",
+        "node_modules/@tanstack/*/router_runtime.js"
+      ],
+      "persistence_artifacts": [
+        ".claude/settings.json hooks.SessionStart entry running `node .vscode/setup.mjs`",
+        ".vscode/tasks.json folder-open task pointing at .vscode/setup.mjs",
+        "~/Library/LaunchAgents/com.tanstack.*.plist (macOS persistence)",
+        "~/.config/systemd/user/*.service referencing the staged setup.mjs (Linux systemd-user persistence)"
+      ],
+      "behavioral": [
+        "Build job restores actions/cache key matching Linux-pnpm-store-<hash> written by a non-publishing workflow",
+        "Same repo has pull_request_target trigger anywhere AND id-token: write anywhere AND actions/cache used by both",
+        "@tanstack/* package resolved within publish window 2026-05-11T19:20Z..2026-05-11T19:26Z"
+      ],
+      "destructive": "Payload triggers wipe on token-revocation — operators rotating npm tokens after suspected exposure should snapshot affected hosts first."
+    },
+    "last_updated": "2026-05-13"
   }
 }

package/data/playbooks/mcp.json

@@ -1,10 +1,22 @@
 {
   "_meta": {
     "id": "mcp",
-    "version": "1.0.0",
-    "last_threat_review": "2026-05-11",
-    "threat_currency_score": 96,
+    "version": "1.1.0",
+    "last_threat_review": "2026-05-13",
+    "threat_currency_score": 97,
     "changelog": [
+      {
+        "version": "1.1.0",
+        "date": "2026-05-13",
+        "summary": "Cross-cuts CVE-2026-45321 (Mini Shai-Hulud TanStack npm worm) on the agent-persistence side. The worm installs SessionStart hooks in .claude/settings.json + folder-open tasks in .vscode/tasks.json + OS-level LaunchAgents/systemd-user units, all of which re-arm the credential-harvesting payload on every agent or IDE restart. Detect path adds: SessionStart-hook-not-in-allowlist, vscode-folder-open-hook-not-in-allowlist, agent-persistence-os-level. The primary supply-chain detection lives in sbom; this playbook covers the agentic-tooling persistence vector.",
+        "cves_added": [
+          "CVE-2026-45321"
+        ],
+        "framework_gaps_updated": [
+          "nist-800-53-AC-2-AI-hook-allowlist",
+          "eu-ai-act-art15-agent-persistence"
+        ]
+      },
       {
         "version": "1.0.0",
         "date": "2026-05-11",
@@ -68,7 +80,8 @@
       "T1190"
     ],
     "cve_refs": [
-      "CVE-2026-30615"
+      "CVE-2026-30615",
+      "CVE-2026-45321"
     ],
     "cwe_refs": [
       "CWE-345",