@blamejs/exceptd-skills 0.12.32 → 0.12.33

package/CHANGELOG.md

@@ -1,5 +1,34 @@
 # Changelog
 
+## 0.12.33 — 2026-05-15
+
+Same-day CVE intake (node-ipc supply-chain compromise) + cycle 13 audit fixes. Closes the long-standing `cred-stores` skill-vs-playbook semantic confusion that's surfaced in every audit since cycle 9.
+
+### Features
+
+**`MAL-2026-NODE-IPC-STEALER` — npm node-ipc supply-chain compromise (2026-05-14).** Three malicious versions (`9.1.6`, `9.2.3`, `12.0.1`) published by `atiertant`. Novel attack class: not credential theft, not typosquat, not lifecycle-hook worm — the attacker re-registered the maintainer's expired email domain (`atlantis-software.net`, expired and grabbed via Namecheap PrivateEmail on 2026-05-07) and abused npm's email-based password-reset flow to gain publish rights. 80 KB obfuscated IIFE in `node-ipc.cjs` fires on every `require()` (no hooks needed) and exfiltrates AWS / GCP / Azure / SSH / Kubernetes / Vault / Claude AI / Kiro IDE credentials via DNS TXT queries to an Azure-lookalike spoofed domain. 3.35M monthly downloads. Carries `kev_scope_note` per the cycle 11 ecosystem-package CISA-KEV-scope precedent. RWEP 43.
+
+**Three new control requirements in `zeroday-lessons`** capture the structural lesson: **NEW-CTRL-047 PACKAGE-MAINTAINER-DOMAIN-EXPIRY-MONITORING** (continuous WHOIS expiry monitoring on every critical-path maintainer email domain + dual-factor account recovery); **NEW-CTRL-048 NPM-MAINTAINER-MFA-ENFORCEMENT** (registry-side mandatory MFA on publish-enabled accounts); **NEW-CTRL-049 LOCKFILE-INTEGRITY-VERIFIED-AT-CI-BOOT** (`npm ci` / `--frozen-lockfile` / `--immutable` catches the swap even after a successful publish — `--ignore-scripts` does NOT mitigate because the payload ships in the main module, not a postinstall hook).
+
+**`D3-EFA` (Executable File Analysis) added to D3FEND catalog.** `sector-telecom` skill cited it but the entry didn't exist — cycle 13 finding. Distinct from `D3-EAL` (Executable Allowlisting): EAL blocks at execute-time; EFA inspects bytes at file-write / image-pull / artifact-fetch time and gates the allowlist decision itself.
+
+**CLI envelope-shape contract tests.** `tests/cli-output-envelope-shape.test.js` pins the EXACT top-level key set on `attest list --json`, `attest verify --json` (error path), and `version`. A contributor adding a new top-level field to these verbs now gets a forcing-function test failure that requires updating the contract. Expanded coverage to `run` / `ci` / `discover` / `brief` / `doctor` / `watchlist` deferred to future cycles as their shapes stabilize.
+
+### Bugs
+
+**`cred-stores` skill-vs-playbook semantic finally cleaned up.** Cycles 9, 12, and 13 all flagged that the 3 IR playbooks and 3 IR skills referenced `cred-stores` in `skill_preload` / `skill_chain` / Hand-Off sections as if it were a skill — but it's actually a playbook. Operators (and any tooling resolving these refs against `manifest.json.skills`) failed. Fixes: removed `cred-stores` from `data/playbooks/{idp-incident,cloud-iam-incident}.json` `skill_preload` + `skill_chain` (hand-off is via `_meta.feeds_into`, which was already present); annotated `cred-stores` / `framework` references in `skills/{idp-incident-response,cloud-iam-incident,ransomware-response}/skill.md` Hand-Off sections as *(playbook chain, not a skill)* with the explicit note that hand-off is via the playbook chain, not a skill load. Predeploy playbook validator now warning-free (was 6 warnings every release).
+
+### Internal
+
+- CVE catalog 36 → 37 entries; zeroday-lessons 21 → 22 entries.
+- AI-discovery rate stays at 16.2% (one more vendor/ecosystem-discovered entry dilutes the observed rate; floor remains 0.15).
+- D3FEND catalog 28 → 29 entries.
+- `tests/v0_12_33-node-ipc-coverage.test.js` pins MAL-2026-NODE-IPC-STEALER entry shape (iocs object with ≥1 category, kev_scope_note presence, NEW-CTRL-047 in lessons).
+- Reverse-ref regen: 3 CWE entries updated with the new MAL-* CVE evidence; 1 D3FEND skill_referencing prune (sector-telecom now correctly anchored against D3-EFA).
+- Test count 1109 → 1119.
+- 14/14 predeploy gates green.
+
+
 ## 0.12.32 — 2026-05-15
 
 Cycle 11 CLI polish + cycle 12 catalog hardening. The headline closes a silent regression where the 6 CVEs advertised by v0.12.31 were shipped as `_draft: true` and therefore invisible to default `cross-ref-api` queries — operators running `exceptd` against Exchange would have gotten a clean bill on CVE-2026-42897.

package/data/_indexes/_meta.json

@@ -1,21 +1,21 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-16T04:00:50.186Z",
+  "generated_at": "2026-05-16T04:40:25.150Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "4fdf61fee00b774deaec5cc6cc8d2241d9f073b3b9ee58e990565f5fe336e342",
+    "manifest.json": "e7956bcec2b7aee7f469013be4aff46698c0cb269786775ad54a5096fd348920",
     "data/atlas-ttps.json": "259e76e4252c7a56c17bbe96982a5e37ac89131c2d37a547fe38d64dcacfd763",
     "data/attack-techniques.json": "51f60819aef36e960fd768e44dcc725e137781534fbbb028e5ef6baa21defa1d",
-    "data/cve-catalog.json": "f2bb3210f29fecaaedf2fa71ded77b545ad57bfcb36d3e2678b93b6592893b01",
-    "data/cwe-catalog.json": "e843729d4d1b688abadeab51ef261f16161eb25b05b7a44f5bc995f60525e089",
-    "data/d3fend-catalog.json": "35f076cd65d82ac97db90b72e884ec7ab2895c052567ee7d0c579c1965e6baaf",
+    "data/cve-catalog.json": "55aa571423fd254e6581b22a189a1c0eeb76d467b0ef645d1dfa39f74b28c569",
+    "data/cwe-catalog.json": "6e7349a0fac39bdf9c4cb4598e101e51400f67d64c5d653bbca462f28bc1a0cb",
+    "data/d3fend-catalog.json": "a1fc2827ceb344669e148d55197dbf1b0e5b20bcc618e90517639c17d67ee82d",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
     "data/exploit-availability.json": "a9eeda95d24b56c28a0d0178fc601b531653e2ba7dc857160b35ad23ad6c7471",
     "data/framework-control-gaps.json": "f88c5757553e3626981546ad1772189c6d40f9ddc24f730def949414cbab9cd0",
     "data/global-frameworks.json": "0168825497e03f079274c9da2e5529310a2ba5bd7c7da7c93acd0b66ed845b8a",
     "data/rfc-references.json": "e253a548c8a829d178d5aea601e268724b85c936ccbfa51c2e5d80c5f8efe2b0",
-    "data/zeroday-lessons.json": "d9b9c13b0bb5bc18c933b5e2f41c9422c4a2d1f639e20a0f2979f94a2494f1e3",
+    "data/zeroday-lessons.json": "c927653e6d9d86d1a36c23a3d782b099a49675ccd928cdc204887c79b0cfbbf1",
     "skills/kernel-lpe-triage/skill.md": "8e94bfd38d6db47342fbbe95a0c8df8f7c38743982c13e9de6a1c59cd3783d33",
     "skills/ai-attack-surface/skill.md": "13e543fc92b9b27cdb647dce96a9eeb44919e0fa92ec41e8265a9981a23e7b79",
     "skills/mcp-agent-trust/skill.md": "3cec1dce668deec44cb7330e165e89cee8379dd90833519004d566baf72c038c",
@@ -53,11 +53,11 @@
     "skills/container-runtime-security/skill.md": "f06260f0c468d6a4f0409294899017edab45c98d71db1fedd7a630fe6a7bf53a",
     "skills/mlops-security/skill.md": "e6a296fc67724aa3b026c0039f44867b44cf0926eade4fe616bfd0a4c77310bf",
     "skills/incident-response-playbook/skill.md": "8ef7ce1246dc1329b6df3cc9de8d79d35e2c02c703dcef20f35b312b1c24fd52",
-    "skills/ransomware-response/skill.md": "ffe07ba8c196aabceb69b07dafa7a9c3ca2ec8e5ce079107f4eec82512a01be1",
+    "skills/ransomware-response/skill.md": "603126d81f6c3619f0b2f6d81ea1d6b64f9c8c1296f877ad2e6d802ddab09165",
     "skills/email-security-anti-phishing/skill.md": "b5a7693b3ddbd6cd83303d092bc5e324db431245d25c4945d9f65fcffa1995e7",
     "skills/age-gates-child-safety/skill.md": "c741d7dca9da0abb09bdebb8a02e803ce4ae9fb9a6904fb8df3ec19cae83917d",
-    "skills/cloud-iam-incident/skill.md": "35a9dd108679103c0eca54ea0c5b8f3db0a199975f87e20660b2c3a11440f40b",
-    "skills/idp-incident-response/skill.md": "39b5b492914e9092fe1c0b2be5af83d4ed869939996b6a201f2d0cd8142ab8f3"
+    "skills/cloud-iam-incident/skill.md": "10e2af2cf8292f457cd3877bcee37f6ee30c80037a3ef5b367fba25195c7a791",
+    "skills/idp-incident-response/skill.md": "3d75d7a0fc5b9a3c584ac5c6510f8b6bd63b7b780488541eb193250ae795b4e2"
   },
   "skill_count": 42,
   "catalog_count": 11,
@@ -78,7 +78,7 @@
     "handoff_dag_nodes": 42,
     "summary_cards": 42,
     "section_offsets_skills": 42,
-    "token_budget_total_approx": 397336,
+    "token_budget_total_approx": 397485,
     "recipes": 8,
     "jurisdiction_clocks": 29,
     "did_ladders": 8,

package/data/_indexes/activity-feed.json

@@ -87,7 +87,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.1.0",
-      "entry_count": 21
+      "entry_count": 22
     },
     {
       "date": "2026-05-15",
@@ -102,7 +102,7 @@
       "artifact": "data/cve-catalog.json",
       "path": "data/cve-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 36
+      "entry_count": 37
     },
     {
       "date": "2026-05-13",
@@ -118,7 +118,7 @@
       "artifact": "data/d3fend-catalog.json",
       "path": "data/d3fend-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 28
+      "entry_count": 29
     },
     {
       "date": "2026-05-11",

package/data/_indexes/catalog-summaries.json

@@ -62,7 +62,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 36,
+      "entry_count": 37,
       "sample_keys": [
         "CVE-2025-53773",
         "CVE-2026-30615",
@@ -106,7 +106,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 28,
+      "entry_count": 29,
       "sample_keys": [
         "D3-EAL",
         "D3-EHB",
@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 21,
+      "entry_count": 22,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",

package/data/_indexes/chains.json

@@ -3041,6 +3041,22 @@
       ]
     }
   },
+  "MAL-2026-NODE-IPC-STEALER": {
+    "name": "node-ipc credential-stealer (expired-domain account-recovery compromise)",
+    "rwep": 43,
+    "cvss": 9.8,
+    "cisa_kev": false,
+    "epss_score": null,
+    "referencing_skills": [],
+    "chain": {
+      "cwes": [],
+      "atlas": [],
+      "d3fend": [],
+      "framework_gaps": [],
+      "attack_refs": [],
+      "rfc_refs": []
+    }
+  },
   "CWE-20": {
     "name": "Improper Input Validation",
     "category": "Validation",

package/data/_indexes/frequency.json

@@ -2508,6 +2508,7 @@
     "d3fend_refs": [
       "D3-ANCI",
       "D3-CH",
+      "D3-EFA",
       "D3-EI",
       "D3-FCR",
       "D3-KBPI",

package/data/_indexes/section-offsets.json

@@ -3731,7 +3731,7 @@
     },
     "ransomware-response": {
       "path": "skills/ransomware-response/skill.md",
-      "total_bytes": 48211,
+      "total_bytes": 48543,
       "total_lines": 375,
       "frontmatter": {
         "line_start": 1,
@@ -3817,8 +3817,8 @@
           "normalized_name": "hand-off",
           "line": 360,
           "byte_start": 44725,
-          "byte_end": 48211,
-          "bytes": 3486,
+          "byte_end": 48543,
+          "bytes": 3818,
           "h3_count": 0
         }
       ]
@@ -4013,7 +4013,7 @@
     },
     "cloud-iam-incident": {
       "path": "skills/cloud-iam-incident/skill.md",
-      "total_bytes": 44433,
+      "total_bytes": 44569,
       "total_lines": 420,
       "frontmatter": {
         "line_start": 1,
@@ -4099,15 +4099,15 @@
           "normalized_name": "hand-off",
           "line": 400,
           "byte_start": 41396,
-          "byte_end": 44433,
-          "bytes": 3037,
+          "byte_end": 44569,
+          "bytes": 3173,
           "h3_count": 0
         }
       ]
     },
     "idp-incident-response": {
       "path": "skills/idp-incident-response/skill.md",
-      "total_bytes": 46225,
+      "total_bytes": 46352,
       "total_lines": 353,
       "frontmatter": {
         "line_start": 1,
@@ -4193,8 +4193,8 @@
           "normalized_name": "hand-off",
           "line": 335,
           "byte_start": 42384,
-          "byte_end": 46225,
-          "bytes": 3841,
+          "byte_end": 46352,
+          "bytes": 3968,
           "h3_count": 0
         }
       ]

package/data/_indexes/token-budget.json

@@ -3,8 +3,8 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1589324,
-    "total_approx_tokens": 397336,
+    "total_chars": 1589917,
+    "total_approx_tokens": 397485,
     "skill_count": 42
   },
   "skills": {
@@ -2175,10 +2175,10 @@
     },
     "ransomware-response": {
       "path": "skills/ransomware-response/skill.md",
-      "bytes": 48211,
-      "chars": 48033,
+      "bytes": 48543,
+      "chars": 48363,
       "lines": 375,
-      "approx_tokens": 12008,
+      "approx_tokens": 12091,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
@@ -2222,9 +2222,9 @@
           "approx_tokens": 945
         },
         "hand-off": {
-          "bytes": 3486,
-          "chars": 3460,
-          "approx_tokens": 865
+          "bytes": 3818,
+          "chars": 3790,
+          "approx_tokens": 948
         }
       }
     },
@@ -2340,10 +2340,10 @@
     },
     "cloud-iam-incident": {
       "path": "skills/cloud-iam-incident/skill.md",
-      "bytes": 44433,
-      "chars": 44275,
+      "bytes": 44569,
+      "chars": 44411,
       "lines": 420,
-      "approx_tokens": 11069,
+      "approx_tokens": 11103,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
@@ -2387,18 +2387,18 @@
           "approx_tokens": 1017
         },
         "hand-off": {
-          "bytes": 3037,
-          "chars": 3009,
-          "approx_tokens": 752
+          "bytes": 3173,
+          "chars": 3145,
+          "approx_tokens": 786
         }
       }
     },
     "idp-incident-response": {
       "path": "skills/idp-incident-response/skill.md",
-      "bytes": 46225,
-      "chars": 46095,
+      "bytes": 46352,
+      "chars": 46222,
       "lines": 353,
-      "approx_tokens": 11524,
+      "approx_tokens": 11556,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
@@ -2442,9 +2442,9 @@
           "approx_tokens": 1130
         },
         "hand-off": {
-          "bytes": 3841,
-          "chars": 3817,
-          "approx_tokens": 954
+          "bytes": 3968,
+          "chars": 3944,
+          "approx_tokens": 986
         }
       }
     }

package/data/cve-catalog.json

@@ -39,7 +39,7 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.167,
+      "current_rate": 0.162,
       "current_floor_enforced_by_test": 0.15,
       "ladder_to_target": [
         0.15,
@@ -3441,5 +3441,133 @@
     "discovery_attribution_note": "Picus Security ('BlueHammer' / RedSun research) published a working PoC before Microsoft released the patch — true zero-day disclosure 2026-04-22; CISA KEV listed same day with a 14-day due date. No AI-tool credit on the discovery; conventional Windows-Defender internals research. Source: https://www.picussecurity.com/resource/blog/bluehammer-redsun-windows-defender-cve-2026-33825-zero-day-vulnerability-explained and https://www.cisa.gov/known-exploited-vulnerabilities-catalog.",
     "_editorial_promoted": "2026-05-15",
     "_editorial_note": "Promoted from draft v0.12.32 (cycle 12 F1 fix): cycle 11 audit confirmed all required fields populated (iocs, vendor_advisories, verification_sources, complexity, affected_versions); RWEP factors satisfy Shape B invariant; discovery_attribution_note cites a researcher / team with URL. Editorial gate: passed."
+  },
+  "MAL-2026-NODE-IPC-STEALER": {
+    "name": "node-ipc credential-stealer (expired-domain account-recovery compromise)",
+    "type": "supply-chain-credential-stealer",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
+    "cvss_correction_note": "No NVD CVE assigned as of 2026-05-15; CVSS synthesized per OSSF Malicious-Packages convention: unauthenticated code execution on `require('node-ipc')` against a 3.35M-monthly-download package with confirmed credential exfiltration. AV:N because the malicious payload reaches the victim over the npm registry network channel; UI:R because a developer / CI must invoke `npm install`; S:C because exfiltrated AWS / GCP / Azure / SSH / kubeconfig / Vault material extends the blast radius beyond the consuming process.",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "kev_scope_note": "CISA KEV historically excludes ecosystem-package compromises (npm / PyPI / RubyGems malicious-package events) — its scope is federally-deployable products with assigned CVE identifiers. The node-ipc 2026-05-14 publish event is OSSF-MAL-catalogued (MAL-2026-NODE-IPC-STEALER) without a NVD CVE as of 2026-05-15; `cisa_kev: false` is correct, and `active_exploitation: confirmed` reflects the live malicious payload in the registry. Operators should consume CISA-KEV-equivalent guidance from the OpenSSF MAL feed + ecosystem-specific advisories (Socket, StepSecurity, Semgrep, Datadog Security Labs, Snyk) for this class.",
+    "poc_available": true,
+    "poc_description": "Live payload — three malicious versions (node-ipc 9.1.6, 9.2.3, 12.0.1) were published to the public npm registry by attacker-controlled account `atiertant` on 2026-05-14 and remained installable for the exposure window before npm yank. The malicious build IS the PoC.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "No AI-tool credited for discovery. Concurrent ecosystem telemetry detection by Socket, StepSecurity, Semgrep, and Datadog Security Labs within hours of publication; The Hacker News surfaced the consolidated report. ai_discovery_source set to `vendor_research` because the enum does not include an `ecosystem_detection` value; the attribution note records the actual provenance.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-tooling credit on the payload-development side. The 80 KB obfuscated IIFE follows a conventional minifier-plus-string-encoding pattern; no AI-generated code fingerprint reported by the responding firms.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "The three malicious versions executed credential harvesting on every `require('node-ipc')` against installed hosts during the exposure window. Datadog Security Labs and Socket each observed real consumer-side installs of the malicious versions before yank.",
+    "affected": "node-ipc package on npm — versions 9.1.6, 9.2.3, 12.0.1 published 2026-05-14 by publisher `atiertant` (contact `a.tiertant@atlantis-software.net`). Package carries approximately 3.35M monthly downloads per npm registry telemetry; secondary reports cite 822K weekly (Socket) and 10M weekly (The Hacker News) — see source-data ambiguity note in verification_sources. Architectural impact reaches every transitive consumer that resolves any of the three malicious versions during the exposure window.",
+    "affected_versions": [
+      "node-ipc == 9.1.6 (malicious, published 2026-05-14)",
+      "node-ipc == 9.2.3 (malicious, published 2026-05-14)",
+      "node-ipc == 12.0.1 (malicious, published 2026-05-14)"
+    ],
+    "vector": "Novel supply-chain account-recovery abuse via expired maintainer email domain. (1) `atlantis-software.net` — the email domain associated with the legitimate node-ipc maintainer account — lapsed and was re-registered by the attacker on 2026-05-07 via Namecheap PrivateEmail. (2) Attacker invoked the npm password-reset flow, which delivered the reset link to the now-attacker-controlled mailbox. (3) Attacker published three malicious versions (9.1.6, 9.2.3, 12.0.1) with an 80 KB obfuscated IIFE appended to `node-ipc.cjs` that fires on every `require('node-ipc')` — no lifecycle / postinstall hook required, so consumer-side `--ignore-scripts` does NOT mitigate. (4) Payload exfiltrates AWS credentials, GCP service-account keys, Azure tokens, SSH private keys, Kubernetes kubeconfig, HashiCorp Vault tokens, Claude AI configs, and Kiro IDE configs via DNS TXT queries to an Azure-lookalike spoofed domain controlled by the attacker. Class: registry-side account-recovery abuse mediated by DNS lifecycle, NOT credential-dump or token-theft.",
+    "complexity": "low",
+    "complexity_notes": "Consumer-side exploitation is automatic on any process that calls `require('node-ipc')` from a malicious version. No race condition, no user interaction beyond `npm install` resolving to a malicious version. The novel attack precondition (expired-domain re-registration + npm password reset) is itself low-complexity for any attacker who monitors maintainer-email-domain expirations.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "npm audit (yank-aware after npm registry-side removal of the malicious versions)",
+      "Socket (registry-side install-time blocking)",
+      "StepSecurity Harden-Runner (CI-side egress + install-time blocking)",
+      "Snyk (advisory-driven CI policy block)",
+      "Datadog Security Labs CI integrations (telemetry-driven block)",
+      "Semgrep Supply Chain (lockfile audit against the malicious version set)"
+    ],
+    "vendor_update_paths": [
+      "npm yanked the three malicious versions 2026-05-14",
+      "Pin to node-ipc <= 9.1.5 OR >= the post-yank clean republication (consult package security tab on npm for the current clean version range)",
+      "Lockfile audit: scan package-lock.json / yarn.lock / pnpm-lock.yaml for resolved tarball SHAs matching the three malicious version IDs; rotate any credentials reachable from a host that resolved them during the exposure window"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-218-SSDF": "Reused-OSS-component control assumes maintainer-account integrity; does not address maintainer-email-domain expiry as a supply-chain risk class.",
+      "EU-CRA-Art13": "SBOM requirement does not address freshness-of-published-version OR maintainer-account-recovery integrity — pinning to a malicious version is SBOM-compliant.",
+      "NIS2-Art21-supply-chain": "Generic supply chain controls without npm-ecosystem-specific guidance (postinstall vs main-module payload distinction, maintainer-domain-expiry monitoring, registry-account MFA enforcement).",
+      "NIST-800-53-IA-5-Federated": "Authenticator-management control covers operator-side credentials but does not extend to upstream-maintainer-account recovery flow on third-party package registries.",
+      "SLSA-v1.0-Build-L3": "Source / build provenance attestations do not address account-takeover-via-domain-expiry — provenance asserts who built, not whether `who` is still the legitimate maintainer."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0020"
+    ],
+    "attack_refs": [
+      "T1195.001",
+      "T1195.002",
+      "T1078",
+      "T1552.001",
+      "T1059.007"
+    ],
+    "rwep_score": 43,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "epss_score": null,
+    "epss_date": "2026-05-15",
+    "epss_note": "EPSS coverage does not extend to non-CVE OSSF-MAL identifiers as of 2026-05-15.",
+    "cwe_refs": [
+      "CWE-506",
+      "CWE-829",
+      "CWE-1357"
+    ],
+    "source_verified": "2026-05-15",
+    "verification_sources": [
+      "https://thehackernews.com/2026/05/stealer-backdoor-found-in-3-node-ipc.html",
+      "https://socket.dev/blog/node-ipc-package-compromised",
+      "https://www.stepsecurity.io/blog/node-ipc-npm-supply-chain-attack",
+      "https://semgrep.dev/blog/2026/not-your-ipc-but-node-ipc-npm-hit-again-with-supply-chain-attack-but-this-time-its-not-a-worm/",
+      "https://securitylabs.datadoghq.com/articles/node-ipc-npm-malware-analysis/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "npm (GitHub Advisory Database)",
+        "advisory_id": null,
+        "url": "https://github.com/advisories?query=node-ipc",
+        "severity": "critical",
+        "published_date": "2026-05-14"
+      },
+      {
+        "vendor": "Socket",
+        "advisory_id": null,
+        "url": "https://socket.dev/blog/node-ipc-package-compromised",
+        "severity": "critical",
+        "published_date": "2026-05-14"
+      }
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "node-ipc.cjs file SHA / size diff vs the prior clean version — three malicious versions (9.1.6, 9.2.3, 12.0.1) ship an 80 KB obfuscated IIFE appended to the main module export. Lockfile-resolved tarball integrity hash for any of these three versions IS the primary artifact IoC.",
+        "package.json publisher metadata: `_npmUser.name == 'atiertant'` OR maintainer email `a.tiertant@atlantis-software.net` on a node-ipc tarball — both are attacker-controlled and distinct from the legitimate historical publisher account."
+      ],
+      "behavioral": [
+        "Process executing `require('node-ipc')` issues outbound DNS TXT queries to an Azure-lookalike domain controlled by the attacker — high-entropy subdomain labels carrying base64 / hex chunks of harvested credential material. DNS-layer telemetry (Resolved, Cloudflare DNS, internal Unbound logs) captures the exfil channel even when HTTP egress is blocked.",
+        "Process executing `require('node-ipc')` performs read access to ANY of: ~/.aws/credentials, ~/.aws/config, ~/.config/gcloud/, ~/.azure/, ~/.ssh/id_*, ~/.kube/config, ~/.vault-token, ~/.config/Claude/, ~/.kiro/ — read pattern is the credential-harvest fingerprint regardless of whether the exfil channel succeeded.",
+        "node binary parent-process executes a `require('node-ipc')` call path AND opens a non-process-typical egress connection within the same scheduler tick — temporal correlation between module load and exfil DNS lookup is near-deterministic on first invocation."
+      ],
+      "version_exposure": [
+        "Lockfile (package-lock.json / yarn.lock / pnpm-lock.yaml) contains a `node-ipc` entry resolved to version 9.1.6, 9.2.3, or 12.0.1 — exact-version match is sufficient; the integrity hash will also differ from any pre-2026-05-14 cache.",
+        "package.json declares a node-ipc dependency range that includes any of the three malicious versions AND the lockfile was regenerated during the 2026-05-14 exposure window (lockfile mtime + node-ipc resolution check)."
+      ],
+      "registry_account_recovery": [
+        "npm account audit: any maintainer account whose primary contact email domain has WHOIS expiry within 90 days. Cross-reference with `npm whoami` + `npm owner ls <package>` for every critical-path dependency. This is the upstream IoC class — once it fires, the package is recoverable by any attacker who registers the domain before the legitimate maintainer renews."
+      ],
+      "forensic_note": "DNS TXT exfiltration is invisible to HTTP egress filtering and to most network IDS rules tuned for HTTPS. Defenders investigating suspected compromise should pull DNS resolver logs for the full exposure window — the exfil channel is the only telemetry that proves the payload fired AND succeeded (file-read alone does not prove successful exfil). Snapshot node_modules/node-ipc tarball before remediating; the tarball IS the primary forensic artifact."
+    },
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Concurrent ecosystem-detection by Socket (https://socket.dev/blog/node-ipc-package-compromised), StepSecurity (https://www.stepsecurity.io/blog/node-ipc-npm-supply-chain-attack), Semgrep (https://semgrep.dev/blog/2026/not-your-ipc-but-node-ipc-npm-hit-again-with-supply-chain-attack-but-this-time-its-not-a-worm/), and Datadog Security Labs (https://securitylabs.datadoghq.com/articles/node-ipc-npm-malware-analysis/) within hours of the 2026-05-14 publish window. Consolidated coverage by The Hacker News (https://thehackernews.com/2026/05/stealer-backdoor-found-in-3-node-ipc.html). No single human researcher credited; no AI-tool credit on the defender side. Discovery class: ecosystem-detection (telemetry-driven, no AI tool). Source-data ambiguity noted: monthly-download figure reported as 3.35M (npm registry direct) but Socket cited 822K weekly and The Hacker News cited 10M weekly — npm-registry-direct figure carried in the affected description; alternative figures retained in this note so future audits can reconcile against npm's API once the live counter rolls forward past the yank.",
+    "_editorial_promoted": "2026-05-15",
+    "_editorial_note": "Cycle 13 intake (v0.12.33): cycle 13 agent C surfaced node-ipc 2026-05-14 publish event in the 24h-window check. Novel attack precondition (expired-domain re-registration + npm password-reset abuse) makes this a distinct supply-chain class from the Shai-Hulud (token-compromise) and elementary-data (typosquat + orphan-commit) precedents; warrants its own NEW-CTRL-047 in zeroday-lessons.json. RWEP factors satisfy Shape B invariant (0 + 20 + 0 + 20 + 28 - 15 - 10 + 0 = 43); discovery_attribution_note cites multiple firms with URLs."
   }
 }

package/data/cwe-catalog.json

@@ -1127,7 +1127,8 @@
     ],
     "skills_referencing": [],
     "evidence_cves": [
-      "MAL-2026-3083"
+      "MAL-2026-3083",
+      "MAL-2026-NODE-IPC-STEALER"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SA-12",
@@ -1413,7 +1414,9 @@
       "sector-federal-government",
       "supply-chain-integrity"
     ],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "MAL-2026-NODE-IPC-STEALER"
+    ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SA-12",
       "ISO-27001-2022-A.8.30"
@@ -1652,7 +1655,9 @@
       "sector-federal-government",
       "supply-chain-integrity"
     ],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "MAL-2026-NODE-IPC-STEALER"
+    ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SA-12",
       "ISO-27001-2022-A.5.21",

package/data/d3fend-catalog.json

@@ -1043,5 +1043,51 @@
     "ai_pipeline_applicability": "Self-managed AI hosts: standard FIM applies to MCP server configs, ~/.claude, ~/.cursor settings. Serverless: equivalent is image-immutability + read-only rootfs (modifications outside writable tmpfs are structurally impossible).",
     "lag_notes": "SI-7 covers software/firmware integrity; user-space configuration FIM is implicit not explicit. Framework audits accept 'FIM is deployed' without sampling whether the rule set covers AI-assistant config paths that have become high-value targets.",
     "last_verified": "2026-05-13"
+  },
+  "D3-EFA": {
+    "id": "D3-EFA",
+    "name": "Executable File Analysis",
+    "tactic": "Detect",
+    "subtactic": "File Analysis",
+    "description": "Analyzing the format, contents, or static characteristics of an executable file to determine whether it warrants further investigation. Covers PE/ELF/Mach-O header inspection, embedded-string + import-table review, entropy + packer detection, and YARA-rule matching against known malicious patterns. Distinct from D3-DA (Dynamic Analysis): no execution occurs.",
+    "counters_attack_techniques": [
+      "T1027",
+      "T1027.002",
+      "T1059",
+      "T1078",
+      "T1195.002",
+      "T1204",
+      "T1505.003",
+      "T1546.014",
+      "AML.T0010",
+      "AML.T0019"
+    ],
+    "digital_artifacts_addressed": [
+      "Executable Binary",
+      "Executable Script",
+      "Firmware",
+      "OS Image"
+    ],
+    "skills_referencing": [],
+    "implementation_examples": [
+      "YARA",
+      "PEStudio / PEiD",
+      "radare2 / Cutter / Ghidra (static-only mode)",
+      "ssdeep + sdhash fuzzy-hash matching",
+      "Mandiant CAPA capability detection",
+      "Sigstore cosign verify on container image manifests",
+      "OEM firmware-image signature verification at provisioning time"
+    ],
+    "framework_controls_partially_mapped": [
+      "NIST-800-53-SI-3",
+      "NIST-800-53-SI-7",
+      "NIST-800-53-SI-7(6)",
+      "ISO-27001-2022-A.8.7",
+      "PCI-DSS-v4-5.2.3",
+      "CIS-Controls-v8-10.5"
+    ],
+    "ai_pipeline_applicability": "Directly applicable to model-artifact ingestion paths (pickle/safetensors/ONNX): static analysis of serialized weights can surface malicious __reduce__ payloads (D3-EFA on the pickle stream) before any deserialization occurs. For MCP-server binaries shipped via npm/PyPI, D3-EFA pairs with D3-EAL — analyze first to gate the allowlist decision rather than allow-by-publisher.",
+    "lag_notes": "NIST SI-3 prescribes \"malicious code protection\" without binding the control to static-file-analysis specifically; auditors routinely accept signature-AV deployment as the entire SI-3 implementation, missing the analyze-before-load posture that catches packed / encoder-obfuscated payloads. Distinct from D3-EAL: allowlisting blocks a binary at execute-time; D3-EFA inspects the bytes at file-write / image-pull / artifact-fetch time and gates the allowlist itself.",
+    "last_verified": "2026-05-15"
   }
 }

package/data/playbooks/cloud-iam-incident.json

@@ -347,7 +347,6 @@
       },
       "skill_preload": [
         "cloud-security",
-        "cred-stores",
         "incident-response-playbook",
         "identity-assurance",
         "framework-gap-analysis",
@@ -368,11 +367,6 @@
           "purpose": "Cloud-provider-specific IAM construct inventory and trust-policy hygiene assessment (AWS IAM + STS, GCP IAM + Workload Identity Federation, Azure AD + managed identities).",
           "required": true
         },
-        {
-          "skill": "cred-stores",
-          "purpose": "Cloud-provider key-store posture (KMS / Cloud KMS / Key Vault) and access-key rotation hygiene; cross-walk with credential-store playbook for any compromised principal whose blast radius >= 4.",
-          "required": true
-        },
         {
           "skill": "identity-assurance",
           "purpose": "AAL/IAL/FAL assessment of human-principal MFA posture, federated-identity assurance levels, and step-up authentication coverage on cloud admin actions.",

package/data/playbooks/idp-incident.json

@@ -314,8 +314,7 @@
       },
       "skill_preload": [
         "idp-incident-response",
-        "identity-assurance",
-        "cred-stores"
+        "identity-assurance"
       ]
     },
     "direct": {
@@ -337,11 +336,6 @@
           "purpose": "AAL / IAL / FAL assurance constructs, FIDO2 / WebAuthn / phishing-resistant factor enrolment validation, federated-trust signing-key posture.",
           "required": true
         },
-        {
-          "skill": "cred-stores",
-          "purpose": "Downstream containment — rotate management-API tokens, downstream service-account credentials, session tokens; audit Vault / Secrets Manager for IdP-derived credentials.",
-          "required": true
-        },
         {
           "skill": "framework-gap-analysis",
           "purpose": "Per-framework reconciliation of IdP-tenant control-plane coverage gaps.",