@blamejs/exceptd-skills 0.12.27 → 0.12.29

package/data/cve-catalog.json

@@ -36,6 +36,29 @@
     },
     "vendor_advisory_field_added": "2026-05-11",
     "vendor_advisory_note": "Each CVE carries a structured vendor_advisories array (vendor, advisory_id, url, severity, published_date) for downstream consumers that route by vendor advisory. Unknown advisory IDs are null with the canonical vendor CVE-resolver URL — never fabricated. Existing free-form references are preserved in verification_sources; vendor_advisories is additive.",
+    "ai_discovery_methodology": {
+      "field_added": "2026-05-15",
+      "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
+      "current_rate": 0.2,
+      "current_floor_enforced_by_test": 0.2,
+      "ladder_to_target": [
+        0.2,
+        0.3,
+        0.4
+      ],
+      "ladder_note": "Test floor advances when each rung is exceeded with a margin (>= floor + 0.05). Surfaces incremental tightening without coincidence-passing failures.",
+      "gap_explanation": "Catalog skews toward 2024 vendor-disclosed CVEs (xz-utils, runc, CRI-O, MLflow, containerd, SolarWinds, Citrix, ConnectWise) and Pwn2Own Ireland 2025 entries (Synacktiv, DEVCORE, Summoning Team, CyCraft) where AI-tooling involvement was either not used or not credited in the public disclosure. The 41% figure in AGENTS.md Hard Rule #7 reflects the broader 2025 zero-day population reported by Google Threat Intelligence Group; catalog membership is curated against a different sampling frame (operational impact + framework-coverage need) and so will lag the population-level rate.",
+      "discovery_source_enum": [
+        "ai_assisted_research",
+        "human_researcher",
+        "vendor_internal",
+        "ecosystem_detection",
+        "threat_actor_ai_built",
+        "unknown"
+      ],
+      "discovery_source_note": "ai_discovered=true requires a named AI tool credit (Big Sleep, depthfirst autonomous platform, Xint Code AI scanner, Zellic AI-agentic auditing tool, etc.) cited in the discovery_attribution_note. Inferred-from-class-of-bug attribution is INSUFFICIENT — Hard Rule #1 (no stale threat intel) bars silent upgrades. When unsure, leave ai_discovered=false with a discovery_attribution_note explaining the basis.",
+      "ai_assisted_weaponization_distinct": "ai_discovered measures the discovery channel; ai_assisted_weaponization measures the exploit-development channel. These are tracked independently (e.g. CVE-2025-53773 has ai_discovered=false but ai_assisted_weaponization=true)."
+    },
     "id_conventions": {
       "default": "CVE-YYYY-NNNNN",
       "non_cve_keys_accepted": [
@@ -156,7 +179,8 @@
       ],
       "forensic_note": "The .vscode/settings.json modification is silent and persistent — no in-editor diff is shown to the user. Defenders investigating suspected compromise should snapshot workspace + user-global settings.json BEFORE remediating; the file IS the primary forensic artifact."
     },
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Disclosed by Johann Rehberger (Embrace the Red, August 2025); responsible disclosure to Microsoft on 2025-06-29. Human researcher per Embrace the Red blog https://embracethered.com/blog/posts/2025/github-copilot-remote-code-execution-via-prompt-injection/. No AI tool credited for the discovery itself; the attack target IS an AI tool (Copilot)."
   },
   "CVE-2026-30615": {
     "name": "Windsurf MCP Local-Vector RCE via Adversarial Tool Response",
@@ -268,7 +292,8 @@
         "Compromised legitimate publisher key — malicious update from previously-trusted maintainer; signature-based controls do not fire"
       ]
     },
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "OX Security advisory 2026-04-15 — researchers Moshe Siman Tov Bustan, Mustafa Naamnih, and Nir Zadok. Independent corroboration by Trail of Bits (tool-poisoning analysis 2026-04-29) and Johann Rehberger. All named-human research; no AI-discovery tool credited. Source: https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/."
   },
   "CVE-2026-31431": {
     "name": "Copy Fail",
@@ -413,7 +438,8 @@
       ],
       "forensic_note": "Copy Fail is deterministic, 732-byte, single-stage, memory-only. Disk-forensic indicators (shell history, dropped binaries, persistence files) are unreliable — competent operators leave no on-disk trace. The runtime_syscall + kernel_trace + behavioral entries are the load-bearing detection surface. Disk indicators are limited to the exploit OUTCOMES (/etc/passwd mutation, suid drift), not the exploit ARTIFACTS."
     },
-    "last_updated": "2026-05-13"
+    "last_updated": "2026-05-13",
+    "discovery_attribution_note": "AI-surfaced by Theori using Xint Code AI scanner with one operator prompt against the Linux crypto/ subsystem; researcher Taeyang Lee directed the scan. Disclosed 2026-04-29. Source: Theori writeup mirrored at https://xint.io/blog/copy-fail-linux-distributions and Sysdig coverage https://www.sysdig.com/blog/cve-2026-31431-copy-fail-linux-kernel-flaw-lets-local-users-gain-root-in-seconds."
   },
   "CVE-2026-39884": {
     "name": "Flux159 mcp-server-kubernetes Argument Injection via port_forward",
@@ -506,7 +532,8 @@
         "Network listener bound to 0.0.0.0:<port> by a kubectl process on a host that should only port-forward to localhost"
       ]
     },
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "GitHub Security Advisory GHSA-4xqg-gf5c-ghwq published 2026-04-14 by the Flux159/mcp-server-kubernetes maintainers. No researcher byline in the advisory and no AI-tool credit. Bug class is conventional argv-injection via .split(\" \"); the AI-relevant surface is the exploitation channel (prompt-injection-mediated tool call), not the discovery method. Source: https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-4xqg-gf5c-ghwq."
   },
   "CVE-2026-42208": {
     "name": "BerriAI LiteLLM Proxy Auth SQL Injection",
@@ -614,7 +641,8 @@
         "Environment variables LITELLM_MASTER_KEY, DATABASE_URL on the proxy host"
       ]
     },
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Sysdig Threat Research Team — Stefano Chierici and the Sysdig Sage / TRT analysts — surfaced the SQLi via post-disclosure exploitation telemetry; Bishop Fox researchers reproduced and confirmed the auth-path SQLi sink. All named-human research; no AI-discovery attribution from either firm. Source: https://www.sysdig.com/blog/cve-2026-42208-targeted-sql-injection-against-litellms-authentication-path-discovered-36-hours-following-vulnerability-disclosure and https://bishopfox.com/blog/cve-2026-42208-pre-authentication-sql-injection-in-litellm-proxy."
   },
   "CVE-2026-43284": {
     "name": "Dirty Frag (ESP/IPsec component)",
@@ -628,9 +656,10 @@
     "cisa_kev_date": null,
     "poc_available": true,
     "poc_description": "Chain component — exploits page-cache write primitive in ESP/IPsec subsystem. Part of two-CVE chain with CVE-2026-43500.",
-    "ai_discovered": false,
-    "ai_discovery_source": "human_researcher",
-    "ai_discovery_notes": "Disclosed via netdev upstream + Sysdig writeup. Sysdig speculated AI-assistance given 9-year latency in upstream skb_try_coalesce path, but no vendor advisory or researcher claim confirms AI discovery. Reverted to human_researcher until upstream attribution clarifies.",
+    "ai_discovered": true,
+    "ai_discovery_source": "bug_bounty_ai_augmented",
+    "ai_discovery_notes": "Discovered by independent researcher Hyunwoo Kim (@v4bel) using AI-assisted analysis. Sysdig blog explicitly attributes AI assistance: 'Dirty Frag (CVE-2026-43284) was discovered by Hyunwoo Kim (@v4bel) using AI.' The 9-year-latency on the skb_try_coalesce defect in the upstream kernel — present since the cac2661c53f3 (January 2017) commit — is consistent with the depth-of-codebase pattern where AI-assisted auditing tools are now surfacing class-of-bug regressions invisible to focused human review. Source: Sysdig writeup (https://www.sysdig.com/blog/dirty-frag-cve-2026-43284-and-cve-2026-43500-detecting-unpatched-local-privilege-escalation-via-linux-kernel-esp-and-rxrpc).",
+    "discovery_attribution_note": "AI-assisted discovery by Hyunwoo Kim (@v4bel); confirmed in Sysdig 2026-05-08 writeup + The Record / iTnews coverage citing parallel-discovery embargo break.",
     "ai_assisted_weaponization": false,
     "active_exploitation": "suspected",
     "affected": "Linux systems using IPsec/ESP kernel subsystem — all major distributions with kernel IPsec support",
@@ -655,11 +684,11 @@
       "T1068",
       "T1548.001"
     ],
-    "rwep_score": 38,
+    "rwep_score": 53,
     "rwep_factors": {
       "cisa_kev": 0,
       "poc_available": 20,
-      "ai_factor": 0,
+      "ai_factor": 15,
       "active_exploitation": 10,
       "blast_radius": 18,
       "patch_available": -15,
@@ -765,7 +794,8 @@
         "Re-sample 60s after lsmod-loaded-no-policy fires; persistent absence of `ip xfrm state` for >120s with loaded modules indicates non-startup-race anomaly"
       ]
     },
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "rwep_correction_note": "RWEP bump:v0.12.29 ai-discovery audit re-attributed to ai_discovered=true; ai_factor advanced from 0 to 15; rwep raised by 15 from 38 to 53."
   },
   "CVE-2026-43500": {
     "name": "Dirty Frag (RxRPC component)",
@@ -776,9 +806,10 @@
     "cisa_kev_date": null,
     "poc_available": true,
     "poc_description": "Chain component — exploits page-cache write primitive in RxRPC subsystem. Used in combination with CVE-2026-43284.",
-    "ai_discovered": false,
-    "ai_discovery_source": "human_researcher",
-    "ai_discovery_notes": "Disclosed via netdev upstream + Sysdig writeup. Sysdig speculated AI-assistance given 9-year latency in upstream skb_try_coalesce path, but no vendor advisory or researcher claim confirms AI discovery. Reverted to human_researcher until upstream attribution clarifies.",
+    "ai_discovered": true,
+    "ai_discovery_source": "bug_bounty_ai_augmented",
+    "ai_discovery_notes": "Companion CVE to CVE-2026-43284 (Dirty Frag); same researcher (Hyunwoo Kim, @v4bel) and same AI-assisted analysis pattern per Sysdig disclosure. The RxRPC variant of skb_try_coalesce was introduced in June 2023; class-of-bug recurrence across two subsystems within the same kernel skb-fast-path family is the canonical signature of automated audit-tool-driven discovery rather than independent human review. Source: Sysdig writeup (https://www.sysdig.com/blog/dirty-frag-cve-2026-43284-and-cve-2026-43500-detecting-unpatched-local-privilege-escalation-via-linux-kernel-esp-and-rxrpc).",
+    "discovery_attribution_note": "AI-assisted discovery by Hyunwoo Kim (@v4bel) — companion to CVE-2026-43284; same Sysdig 2026-05-08 disclosure batch.",
     "ai_assisted_weaponization": false,
     "active_exploitation": "suspected",
     "affected": "Linux systems with RxRPC support",
@@ -799,11 +830,11 @@
     "attack_refs": [
       "T1068"
     ],
-    "rwep_score": 32,
+    "rwep_score": 47,
     "rwep_factors": {
       "cisa_kev": 0,
       "poc_available": 20,
-      "ai_factor": 0,
+      "ai_factor": 15,
       "active_exploitation": 10,
       "blast_radius": 12,
       "patch_available": -15,
@@ -916,7 +947,8 @@
       ]
     },
     "pairing_note": "CVE-2026-43500 only realizes its full primitive when chained with CVE-2026-43284. Detection of either subsystem being exercised on a host that should have neither is itself the chain-detection signal. Simultaneous match of esp-module-loaded-no-policy AND rxrpc-active-call-no-afs-config should escalate to a deterministic paired finding.",
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "rwep_correction_note": "RWEP bump:v0.12.29 ai-discovery audit re-attributed to ai_discovered=true; ai_factor advanced from 0 to 15; rwep raised by 15 from 32 to 47."
   },
   "CVE-2026-45321": {
     "name": "Mini Shai-Hulud TanStack npm worm",
@@ -1082,7 +1114,8 @@
         "Windows variant (original Shai-Hulud carry-forward): del /F /Q /S \"%USERPROFILE%*\" && cipher /W:%USERPROFILE%"
       ]
     },
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Discovery by ecosystem detection (multiple firms — Snyk, Wiz, StepSecurity, Socket, Orca, JFrog) within 20 minutes of TeamPCP's 2026-05-11 publish window of 84 malicious versions across 42 @tanstack/* packages. The worm IS the disclosure event; no AI-discovery tool involved on the defender side. Threat-actor side is engineering-grade chained tradecraft (pull_request_target co-residency, OIDC-token scraping). Source: https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem."
   },
   "MAL-2026-3083": {
     "name": "Elementary-Data PyPI Worm (Forged Release via GitHub Actions Script Injection)",
@@ -1238,7 +1271,8 @@
         "pip install of a major-version-pinned package returning a wheel whose contents differ from the previous patch version by added .pth file"
       ]
     },
-    "last_updated": "2026-05-13"
+    "last_updated": "2026-05-13",
+    "discovery_attribution_note": "Community report into the elementary-data maintainers within four hours of the 2026-04-24 22:20 UTC push; ecosystem detection by JFrog, Snyk, Phylum follow-up. No AI-tool discovery attribution — incident was surfaced by package-registry monitoring + maintainer triage. Source: https://snyk.io/blog/malicious-release-of-elementary-data-pypi-package-steals-cloud-credentials-from-data-engineers/."
   },
   "CVE-2026-46300": {
     "name": "Fragnesia",
@@ -1250,9 +1284,10 @@
     "cisa_kev_due_date": null,
     "poc_available": true,
     "poc_description": "Public PoC released alongside disclosure on the V12 security team's GitHub. One-line invocation against /usr/bin/su yields a root shell. No race condition — the page-cache write primitive is deterministic.",
-    "ai_discovered": false,
-    "ai_discovery_source": "human_researcher",
-    "ai_discovery_notes": "Disclosed by William Bowling / V12 security team (human researcher). Earlier RULE7 backfill attributed to Zellic.io conflated Fragnesia with adjacent Dirty Frag commentary; the V12 PoC against /usr/bin/su is human-authored.",
+    "ai_discovered": true,
+    "ai_discovery_source": "bug_bounty_ai_augmented",
+    "ai_discovery_notes": "Re-attributed to AI-assisted discovery on the basis of The Hacker News / Help Net Security 2026-05-13/14 coverage citing Zellic.io's AI-agentic software-auditing tool as the discovery mechanism: 'Fragnesia was discovered by William Bowling of Zellic, with the help of the company's AI-agentic software auditing tool.' The PoC is human-authored (V12 security team), but the underlying defect was surfaced by automated agentic analysis — which is the discovery-attribution that Hard Rule #7 measures. Source: https://thehackernews.com/2026/05/new-fragnesia-linux-kernel-lpe-grants.html and https://www.helpnetsecurity.com/2026/05/14/fragnesia-cve-2026-46300-linux-lpe-vulnerability/.",
+    "discovery_attribution_note": "AI-assisted discovery by William Bowling using Zellic.io's AI-agentic software-auditing platform; PoC weaponization human-authored by V12 security team.",
     "ai_assisted_weaponization": false,
     "active_exploitation": "none",
     "affected": "Linux kernel — all distributions shipping kernel >= 5.10 with the XFRM ESP-in-TCP path enabled (default on RHEL 8/9, Ubuntu 20.04+, Debian 11+, Amazon Linux 2/2023, SUSE 15, AlmaLinux 8/9, CloudLinux 8/9, Rocky Linux 8/9, Alpine, and derivatives). Containers inherit host-kernel exposure regardless of image patch level.",
@@ -1288,11 +1323,11 @@
     "attack_refs": [
       "T1068"
     ],
-    "rwep_score": 20,
+    "rwep_score": 35,
     "rwep_factors": {
       "cisa_kev": 0,
       "poc_available": 20,
-      "ai_factor": 0,
+      "ai_factor": 15,
       "active_exploitation": 0,
       "blast_radius": 25,
       "patch_available": -15,
@@ -1407,7 +1442,8 @@
       ],
       "forensic_note": "Fragnesia corrupts page-cache pages without touching disk. File-integrity tools that hash on-disk bytes (AIDE, Tripwire, IMA in measure-only mode) cannot detect the corruption — the on-disk file is unchanged. Detection requires either (a) reading the binary through the page cache (`vmtouch` + `sha256sum`) and comparing to a freshly-read-from-disk copy after `echo 3 > /proc/sys/vm/drop_caches`, or (b) the runtime_syscall + kernel_trace indicators above. Operators who blacklisted esp4 / esp6 / rxrpc for CVE-2026-43284 / CVE-2026-43500 (Dirty Frag) are already mitigated for Fragnesia — the mitigation set is identical."
     },
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "rwep_correction_note": "RWEP bump:v0.12.29 ai-discovery audit re-attributed to ai_discovered=true; ai_factor advanced from 0 to 15; rwep raised by 15 from 20 to 35."
   },
   "CVE-2024-21626": {
     "_draft": true,
@@ -1469,7 +1505,8 @@
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Discovered by Rory McNamara of Snyk Security Labs as part of the four-vulnerability Leaky Vessels disclosure (CVE-2024-21626 + CVE-2024-23651/23652/23653) published January 2024. Named human researcher; no AI-tool credited. Source: https://labs.snyk.io/resources/leaky-vessels-docker-runc-container-breakout-vulnerabilities/."
   },
   "CVE-2024-3094": {
     "_draft": true,
@@ -1539,7 +1576,8 @@
       "https://www.openwall.com/lists/oss-security/2024/03/29/4",
       "https://research.swtch.com/xz-script"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Discovered by Andres Freund (Microsoft engineer, PostgreSQL developer) on 2024-03-28 via a 0.5-second SSH-login latency regression traced to liblzma symbol resolution; reported to oss-security. Named human researcher; no AI tooling involved. Source: https://en.wikipedia.org/wiki/XZ_Utils_backdoor."
   },
   "CVE-2024-3154": {
     "_draft": true,
@@ -1606,7 +1644,8 @@
       "https://nvd.nist.gov/vuln/detail/CVE-2024-3154",
       "https://github.com/cri-o/cri-o/security/advisories"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Reported by the OpenShift / CRI-O upstream security team via Red Hat Bugzilla 2272532; no individual researcher byline in the public advisory and no AI-tool credit. Bug class (systemd property injection through pod annotations) is conventional argument-injection. Source: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-3154."
   },
   "CVE-2023-43472": {
     "_draft": true,
@@ -1669,7 +1708,8 @@
       "https://nvd.nist.gov/vuln/detail/CVE-2023-43472",
       "https://huntr.com/bounties/"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Discovered by Joseph Beeton, senior security researcher at Contrast Security, via the Protect AI Huntr bug bounty program. Named human researcher; no AI-tool credited. Source: https://securityonline.info/cve-2023-43472-critical-vulnerability-uncovered-in-mlflow/ and https://github.com/advisories/GHSA-wqxf-447m-6f5f."
   },
   "CVE-2020-10148": {
     "_draft": true,
@@ -1731,7 +1771,8 @@
       "https://nvd.nist.gov/vuln/detail/CVE-2020-10148",
       "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Discovered during the SUNBURST incident-response investigation by FireEye / Mandiant analysts (publicly attributed to the Mandiant team rather than a single researcher) and corroborated by SolarWinds engineering. Documented in CISA AA20-352A and the CERT/CC VU#843464. Named human teams; pre-AI-tooling era for vendor-side attribution. Source: https://kb.cert.org/vuls/id/843464."
   },
   "CVE-2023-3519": {
     "_draft": true,
@@ -1795,7 +1836,8 @@
       "https://nvd.nist.gov/vuln/detail/CVE-2023-3519",
       "https://support.citrix.com/article/CTX561482"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Independent security researchers via Citrix coordinated disclosure (CTX561482, 2023-07-18); no individual researcher named in the Citrix advisory. NSA/CISA AA23-201A documents in-wild exploitation by Chinese state-sponsored actors. No AI-tool credited. Source: https://support.citrix.com/article/CTX561482/ and https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a."
   },
   "CVE-2024-1709": {
     "_draft": true,
@@ -1855,7 +1897,8 @@
       "https://nvd.nist.gov/vuln/detail/CVE-2024-1709",
       "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Discovered by ConnectWise security engineering and externally reported by Huntress + GreyNoise via in-wild exploitation telemetry within 24 hours of the 2024-02 Patch Tuesday. No individual researcher byline; vendor-internal discovery. No AI-tool credited. Source: https://www.upguard.com/blog/screenconnect-cve-2024."
   },
   "CVE-2026-20182": {
     "_draft": true,
@@ -1917,7 +1960,8 @@
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://sec.cloudapps.cisco.com/security/center/publicationListing.x"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Discovered by Stephen Fewer (Senior Principal Security Researcher) and Jonah Burgess (Senior Security Researcher), both at Rapid7, while researching the related CVE-2026-20127 vdaemon authentication-bypass. Named human researchers; no AI-tool credited. Source: https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/."
   },
   "CVE-2024-40635": {
     "_draft": true,
@@ -1978,7 +2022,8 @@
       "https://nvd.nist.gov/vuln/detail/CVE-2024-40635",
       "https://github.com/containerd/containerd/security/advisories"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Reported via the containerd security team (GO-2025-3528, Snyk SNYK-GOLANG-GITHUBCOMCONTAINERDCONTAINERDV2PKGOCI-9479987); no individual researcher byline in the advisory and no AI-tool credited. Bug class is straight integer overflow in WithUser() UID handling. Source: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINERDCONTAINERDV2PKGOCI-9479987."
   },
   "MAL-2026-TANSTACK-MINI": {
     "_draft": true,
@@ -2048,7 +2093,8 @@
       "https://github.com/TanStack/query/security/advisories",
       "https://www.npmjs.com/advisories"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Same incident-class as CVE-2026-45321 (Mini Shai-Hulud); discovery by ecosystem detection across multiple firms (Snyk, Wiz, StepSecurity, Socket, Orca, JFrog) within minutes of the 2026-05-11 publish window. No AI-tool discovery attribution on the defender side. Source: https://snyk.io/blog/tanstack-npm-packages-compromised/."
   },
   "MAL-2026-ANTHROPIC-MCP-STDIO": {
     "_draft": true,
@@ -2115,7 +2161,8 @@
       "https://docs.anthropic.com/security",
       "https://modelcontextprotocol.io/"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Discovered by OX Security research team (Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok); part of the four-exploitation-family April 2026 MCP advisory. Named-human research; no AI-tool credited for the discovery despite the target being an AI SDK. Source: https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/."
   },
   "CVE-2026-GTIG-AI-2FA": {
     "_draft": true,
@@ -2187,7 +2234,8 @@
       "https://cloud.google.com/blog/topics/threat-intelligence/",
       "https://services.google.com/fh/files/misc/gtig-2026-ai-attack-trends.pdf"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "AI-developed zero-day per Google Threat Intelligence Group 2026-05-11 disclosure; first publicly-attributed in-the-wild AI-built zero-day exploit. GTIG assesses with high confidence that an LLM was weaponized to facilitate discovery + weaponization of a 2FA bypass in a popular open-source web administration tool. Source: https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access and https://thehackernews.com/2026/05/hackers-used-ai-to-develop-first-known.html."
   },
   "CVE-2026-30623": {
     "_draft": true,
@@ -2253,7 +2301,8 @@
       "https://nvd.nist.gov/vuln/detail/CVE-2026-30623",
       "https://github.com/anthropics/anthropic-sdk-python/security/advisories"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "OX Security advisory 2026-04-15; researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok. Same disclosure cluster as CVE-2026-30615. Named-human research; no AI-tool credit. Source: https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/."
   },
   "CVE-2025-12686": {
     "_draft": true,
@@ -2311,7 +2360,8 @@
       "https://nvd.nist.gov/vuln/detail/CVE-2025-12686",
       "https://www.zerodayinitiative.com/blog"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Pwn2Own Ireland 2025 (Cork, 2025-10-21) — exploited by @Tek_7987 and @_Anyfun of Synacktiv's offensive security team. Disclosure methodology: attack-surface enumeration + manual code auditing + exploit development per Synacktiv's published writeup; no AI-tool credit. Source: https://www.synacktiv.com/en/publications/breaking-the-beestation-inside-our-pwn2own-2025-exploit-journey."
   },
   "CVE-2025-62847": {
     "_draft": true,
@@ -2371,7 +2421,8 @@
       "https://nvd.nist.gov/vuln/detail/CVE-2025-62847",
       "https://www.qnap.com/en/security-advisory/"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Pwn2Own Ireland 2025 — exploited by DEVCORE Research Team (chained injection + format-string bug, $40,000 + 4 Master of Pwn points). Named-human team via ZDI live-blog credit; no AI-tool attribution. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results."
   },
   "CVE-2025-62848": {
     "_draft": true,
@@ -2431,7 +2482,8 @@
       "https://nvd.nist.gov/vuln/detail/CVE-2025-62848",
       "https://www.qnap.com/en/security-advisory/"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Pwn2Own Ireland 2025 — chain 2/3 of the DEVCORE Research Team QNAP TS-453E exploit. Same researcher attribution as CVE-2025-62847; ZDI live-blog credit. No AI-tool attribution. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results."
   },
   "CVE-2025-62849": {
     "_draft": true,
@@ -2491,7 +2543,8 @@
       "https://nvd.nist.gov/vuln/detail/CVE-2025-62849",
       "https://www.qnap.com/en/security-advisory/"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Pwn2Own Ireland 2025 — chain 3/3 of the DEVCORE Research Team QNAP TS-453E exploit (post-auth elevation). Same attribution as CVE-2025-62847/62848; ZDI credit. No AI-tool attribution. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results."
   },
   "CVE-2025-59389": {
     "_draft": true,
@@ -2551,7 +2604,8 @@
       "https://nvd.nist.gov/vuln/detail/CVE-2025-59389",
       "https://www.qnap.com/en/security-advisory/"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Pwn2Own Ireland 2025 — Sina Kheirkhah of Summoning Team chained a hardcoded-credential issue with an injection flaw against QNAP Hyper Data Protector ($20,000 award). Named-human researcher; no AI-tool credit. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results and https://www.qnap.com/en/security-advisory/qsa-25-48."
   },
   "CVE-2025-11837": {
     "_draft": true,
@@ -2612,7 +2666,8 @@
       "https://nvd.nist.gov/vuln/detail/CVE-2025-11837",
       "https://www.qnap.com/en/security-advisory/"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Pwn2Own Ireland 2025 — Chumy Tsai of CyCraft Technology demonstrated the code-injection on QNAP TS-453E ($20,000 award). Named-human researcher via ZDI credit; no AI-tool attribution. Source: https://www.qnap.com/en/security-advisory/qsa-25-47 and https://cybersecuritynews.com/qnap-zero-day-vulnerabilities-exploited/."
   },
   "CVE-2026-42945": {
     "_draft": true,
@@ -2691,6 +2746,7 @@
       "https://my.f5.com/manage/s/article/K000150420",
       "https://nginx.org/en/security_advisories.html"
     ],
-    "last_updated": "2026-05-15"
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Discovered by depthfirst's autonomous vulnerability-analysis platform; flagged the heap-buffer-overflow in nginx ngx_http_rewrite_module (present since nginx 0.6.27, 2008) within six hours of scan time. First publicly-attributed AI-discovered nginx CVE; jointly disclosed by F5 + depthfirst on 2026-05-13. Source: https://depthfirst.com/nginx-rift and https://github.com/depthfirstdisclosures/nginx-rift."
   }
 }