@blamejs/exceptd-skills 0.12.40 → 0.13.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +17 -0
- package/ARCHITECTURE.md +7 -4
- package/CHANGELOG.md +215 -248
- package/CONTEXT.md +2 -2
- package/README.md +2 -8
- package/agents/threat-researcher.md +2 -2
- package/bin/exceptd.js +179 -81
- package/data/_indexes/_meta.json +50 -50
- package/data/_indexes/activity-feed.json +1 -1
- package/data/_indexes/catalog-summaries.json +1 -1
- package/data/_indexes/chains.json +485 -13
- package/data/_indexes/frequency.json +4 -0
- package/data/_indexes/jurisdiction-map.json +15 -4
- package/data/_indexes/section-offsets.json +1224 -1224
- package/data/_indexes/token-budget.json +170 -170
- package/data/atlas-ttps.json +54 -11
- package/data/attack-techniques.json +113 -17
- package/data/cve-catalog.json +38 -52
- package/data/cwe-catalog.json +8 -2
- package/data/exploit-availability.json +1 -0
- package/data/framework-control-gaps.json +149 -6
- package/data/global-frameworks.json +1 -0
- package/data/playbooks/ai-api.json +5 -0
- package/data/playbooks/cicd-pipeline-compromise.json +970 -0
- package/data/playbooks/cloud-iam-incident.json +4 -1
- package/data/playbooks/cred-stores.json +10 -0
- package/data/playbooks/crypto-codebase.json +13 -0
- package/data/playbooks/framework.json +16 -0
- package/data/playbooks/hardening.json +4 -0
- package/data/playbooks/identity-sso-compromise.json +951 -0
- package/data/playbooks/idp-incident.json +3 -0
- package/data/playbooks/kernel.json +6 -0
- package/data/playbooks/llm-tool-use-exfil.json +963 -0
- package/data/playbooks/mcp.json +6 -0
- package/data/playbooks/runtime.json +4 -0
- package/data/playbooks/sbom.json +13 -0
- package/data/playbooks/secrets.json +6 -0
- package/data/playbooks/webhook-callback-abuse.json +916 -0
- package/data/zeroday-lessons.json +1 -0
- package/lib/cross-ref-api.js +33 -13
- package/lib/cve-curation.js +12 -1
- package/lib/exit-codes.js +29 -0
- package/lib/lint-skills.js +25 -3
- package/lib/playbook-runner.js +8 -4
- package/lib/refresh-external.js +10 -1
- package/lib/scoring.js +64 -1
- package/lib/sign.js +40 -7
- package/lib/verify.js +5 -5
- package/manifest.json +83 -83
- package/orchestrator/README.md +7 -7
- package/orchestrator/index.js +46 -25
- package/orchestrator/scheduler.js +2 -2
- package/package.json +1 -1
- package/sbom.cdx.json +135 -91
- package/scripts/check-test-coverage.js +6 -6
- package/scripts/predeploy.js +7 -13
- package/scripts/refresh-reverse-refs.js +107 -20
- package/scripts/refresh-sbom.js +21 -4
- package/skills/age-gates-child-safety/skill.md +1 -5
- package/skills/ai-attack-surface/skill.md +11 -4
- package/skills/ai-c2-detection/skill.md +11 -2
- package/skills/ai-risk-management/skill.md +4 -2
- package/skills/api-security/skill.md +7 -8
- package/skills/attack-surface-pentest/skill.md +2 -2
- package/skills/cloud-iam-incident/skill.md +1 -5
- package/skills/cloud-security/skill.md +0 -4
- package/skills/compliance-theater/skill.md +10 -2
- package/skills/container-runtime-security/skill.md +1 -3
- package/skills/dlp-gap-analysis/skill.md +3 -4
- package/skills/email-security-anti-phishing/skill.md +1 -8
- package/skills/exploit-scoring/skill.md +7 -2
- package/skills/framework-gap-analysis/skill.md +1 -1
- package/skills/fuzz-testing-strategy/skill.md +1 -2
- package/skills/global-grc/skill.md +3 -2
- package/skills/identity-assurance/skill.md +1 -3
- package/skills/idp-incident-response/skill.md +1 -4
- package/skills/incident-response-playbook/skill.md +1 -5
- package/skills/kernel-lpe-triage/skill.md +2 -2
- package/skills/mcp-agent-trust/skill.md +13 -3
- package/skills/mlops-security/skill.md +3 -4
- package/skills/ot-ics-security/skill.md +0 -3
- package/skills/policy-exception-gen/skill.md +11 -3
- package/skills/pqc-first/skill.md +4 -2
- package/skills/rag-pipeline-security/skill.md +2 -0
- package/skills/ransomware-response/skill.md +1 -5
- package/skills/researcher/skill.md +4 -3
- package/skills/sector-energy/skill.md +0 -4
- package/skills/sector-federal-government/skill.md +2 -3
- package/skills/sector-financial/skill.md +1 -4
- package/skills/sector-healthcare/skill.md +0 -5
- package/skills/sector-telecom/skill.md +0 -4
- package/skills/security-maturity-tiers/skill.md +1 -2
- package/skills/skill-update-loop/skill.md +4 -3
- package/skills/supply-chain-integrity/skill.md +4 -3
- package/skills/threat-model-currency/skill.md +1 -1
- package/skills/threat-modeling-methodology/skill.md +2 -1
- package/skills/webapp-security/skill.md +0 -5
package/data/atlas-ttps.json
CHANGED
|
@@ -83,7 +83,10 @@
|
|
|
83
83
|
],
|
|
84
84
|
"secure_ai_v2_layer": true,
|
|
85
85
|
"maturity": "high",
|
|
86
|
-
"last_verified": "2026-05-15"
|
|
86
|
+
"last_verified": "2026-05-15",
|
|
87
|
+
"cve_refs": [
|
|
88
|
+
"CVE-2026-42945"
|
|
89
|
+
]
|
|
87
90
|
},
|
|
88
91
|
"AML.T0010": {
|
|
89
92
|
"id": "AML.T0010",
|
|
@@ -121,7 +124,15 @@
|
|
|
121
124
|
],
|
|
122
125
|
"secure_ai_v2_layer": true,
|
|
123
126
|
"maturity": "high",
|
|
124
|
-
"last_verified": "2026-05-15"
|
|
127
|
+
"last_verified": "2026-05-15",
|
|
128
|
+
"cve_refs": [
|
|
129
|
+
"CVE-2026-30615",
|
|
130
|
+
"CVE-2026-39987",
|
|
131
|
+
"CVE-2026-45321",
|
|
132
|
+
"MAL-2026-3083",
|
|
133
|
+
"MAL-2026-NODE-IPC-STEALER",
|
|
134
|
+
"MAL-2026-TANSTACK-MINI"
|
|
135
|
+
]
|
|
125
136
|
},
|
|
126
137
|
"AML.T0016": {
|
|
127
138
|
"id": "AML.T0016",
|
|
@@ -149,7 +160,10 @@
|
|
|
149
160
|
],
|
|
150
161
|
"secure_ai_v2_layer": true,
|
|
151
162
|
"maturity": "moderate",
|
|
152
|
-
"last_verified": "2026-05-15"
|
|
163
|
+
"last_verified": "2026-05-15",
|
|
164
|
+
"cve_refs": [
|
|
165
|
+
"CVE-2026-30615"
|
|
166
|
+
]
|
|
153
167
|
},
|
|
154
168
|
"AML.T0017": {
|
|
155
169
|
"id": "AML.T0017",
|
|
@@ -220,7 +234,11 @@
|
|
|
220
234
|
],
|
|
221
235
|
"secure_ai_v2_layer": true,
|
|
222
236
|
"maturity": "moderate",
|
|
223
|
-
"last_verified": "2026-05-15"
|
|
237
|
+
"last_verified": "2026-05-15",
|
|
238
|
+
"cve_refs": [
|
|
239
|
+
"CVE-2026-45321",
|
|
240
|
+
"MAL-2026-3083"
|
|
241
|
+
]
|
|
224
242
|
},
|
|
225
243
|
"AML.T0020": {
|
|
226
244
|
"id": "AML.T0020",
|
|
@@ -252,7 +270,10 @@
|
|
|
252
270
|
],
|
|
253
271
|
"secure_ai_v2_layer": true,
|
|
254
272
|
"maturity": "high",
|
|
255
|
-
"last_verified": "2026-05-15"
|
|
273
|
+
"last_verified": "2026-05-15",
|
|
274
|
+
"cve_refs": [
|
|
275
|
+
"MAL-2026-NODE-IPC-STEALER"
|
|
276
|
+
]
|
|
256
277
|
},
|
|
257
278
|
"AML.T0024": {
|
|
258
279
|
"id": "AML.T0024",
|
|
@@ -379,7 +400,10 @@
|
|
|
379
400
|
"exceptd_skills": [],
|
|
380
401
|
"secure_ai_v2_layer": true,
|
|
381
402
|
"maturity": "moderate",
|
|
382
|
-
"last_verified": "2026-05-15"
|
|
403
|
+
"last_verified": "2026-05-15",
|
|
404
|
+
"cve_refs": [
|
|
405
|
+
"CVE-2026-45321"
|
|
406
|
+
]
|
|
383
407
|
},
|
|
384
408
|
"AML.T0051": {
|
|
385
409
|
"id": "AML.T0051",
|
|
@@ -420,7 +444,13 @@
|
|
|
420
444
|
],
|
|
421
445
|
"secure_ai_v2_layer": true,
|
|
422
446
|
"maturity": "high",
|
|
423
|
-
"last_verified": "2026-05-15"
|
|
447
|
+
"last_verified": "2026-05-15",
|
|
448
|
+
"cve_refs": [
|
|
449
|
+
"CVE-2025-53773",
|
|
450
|
+
"CVE-2026-30615",
|
|
451
|
+
"CVE-2026-39884",
|
|
452
|
+
"CVE-2026-39987"
|
|
453
|
+
]
|
|
424
454
|
},
|
|
425
455
|
"AML.T0053": {
|
|
426
456
|
"id": "AML.T0053",
|
|
@@ -450,7 +480,10 @@
|
|
|
450
480
|
"exceptd_skills": [],
|
|
451
481
|
"secure_ai_v2_layer": true,
|
|
452
482
|
"maturity": "high",
|
|
453
|
-
"last_verified": "2026-05-15"
|
|
483
|
+
"last_verified": "2026-05-15",
|
|
484
|
+
"cve_refs": [
|
|
485
|
+
"CVE-2026-39884"
|
|
486
|
+
]
|
|
454
487
|
},
|
|
455
488
|
"AML.T0054": {
|
|
456
489
|
"id": "AML.T0054",
|
|
@@ -481,7 +514,10 @@
|
|
|
481
514
|
],
|
|
482
515
|
"secure_ai_v2_layer": true,
|
|
483
516
|
"maturity": "high",
|
|
484
|
-
"last_verified": "2026-05-15"
|
|
517
|
+
"last_verified": "2026-05-15",
|
|
518
|
+
"cve_refs": [
|
|
519
|
+
"CVE-2025-53773"
|
|
520
|
+
]
|
|
485
521
|
},
|
|
486
522
|
"AML.T0055": {
|
|
487
523
|
"id": "AML.T0055",
|
|
@@ -511,7 +547,11 @@
|
|
|
511
547
|
"exceptd_skills": [],
|
|
512
548
|
"secure_ai_v2_layer": true,
|
|
513
549
|
"maturity": "moderate",
|
|
514
|
-
"last_verified": "2026-05-15"
|
|
550
|
+
"last_verified": "2026-05-15",
|
|
551
|
+
"cve_refs": [
|
|
552
|
+
"CVE-2026-42208",
|
|
553
|
+
"MAL-2026-3083"
|
|
554
|
+
]
|
|
515
555
|
},
|
|
516
556
|
"AML.T0057": {
|
|
517
557
|
"id": "AML.T0057",
|
|
@@ -582,7 +622,10 @@
|
|
|
582
622
|
],
|
|
583
623
|
"secure_ai_v2_layer": true,
|
|
584
624
|
"maturity": "high",
|
|
585
|
-
"last_verified": "2026-05-15"
|
|
625
|
+
"last_verified": "2026-05-15",
|
|
626
|
+
"cve_refs": [
|
|
627
|
+
"CVE-2026-30615"
|
|
628
|
+
]
|
|
586
629
|
},
|
|
587
630
|
"AML.T0097": {
|
|
588
631
|
"id": "AML.T0097",
|
|
@@ -66,6 +66,9 @@
|
|
|
66
66
|
"tactic_id": "TA0005",
|
|
67
67
|
"detection_strategies": [
|
|
68
68
|
"DS0009"
|
|
69
|
+
],
|
|
70
|
+
"cve_refs": [
|
|
71
|
+
"CVE-2026-32202"
|
|
69
72
|
]
|
|
70
73
|
},
|
|
71
74
|
"T1040": {
|
|
@@ -74,7 +77,10 @@
|
|
|
74
77
|
},
|
|
75
78
|
"T1041": {
|
|
76
79
|
"name": "Exfiltration Over C2 Channel",
|
|
77
|
-
"version": "v19"
|
|
80
|
+
"version": "v19",
|
|
81
|
+
"cve_refs": [
|
|
82
|
+
"CVE-2026-30615"
|
|
83
|
+
]
|
|
78
84
|
},
|
|
79
85
|
"T1053.003": {
|
|
80
86
|
"name": "Scheduled Task/Job: Cron",
|
|
@@ -91,23 +97,50 @@
|
|
|
91
97
|
"detection_strategies": [
|
|
92
98
|
"DS0009",
|
|
93
99
|
"DS0017"
|
|
100
|
+
],
|
|
101
|
+
"cve_refs": [
|
|
102
|
+
"CVE-2025-53773",
|
|
103
|
+
"CVE-2026-30615",
|
|
104
|
+
"CVE-2026-32202",
|
|
105
|
+
"CVE-2026-39884",
|
|
106
|
+
"CVE-2026-39987",
|
|
107
|
+
"CVE-2026-6973"
|
|
94
108
|
]
|
|
95
109
|
},
|
|
96
110
|
"T1059.001": {
|
|
97
111
|
"name": "Command and Scripting Interpreter: PowerShell",
|
|
98
|
-
"version": "v19"
|
|
112
|
+
"version": "v19",
|
|
113
|
+
"cve_refs": [
|
|
114
|
+
"CVE-2025-53773"
|
|
115
|
+
]
|
|
99
116
|
},
|
|
100
117
|
"T1059.006": {
|
|
101
118
|
"name": "Command and Scripting Interpreter: Python",
|
|
102
|
-
"version": "v19"
|
|
119
|
+
"version": "v19",
|
|
120
|
+
"cve_refs": [
|
|
121
|
+
"MAL-2026-3083"
|
|
122
|
+
]
|
|
103
123
|
},
|
|
104
124
|
"T1059.007": {
|
|
105
125
|
"name": "Command and Scripting Interpreter: JavaScript",
|
|
106
|
-
"version": "v19"
|
|
126
|
+
"version": "v19",
|
|
127
|
+
"cve_refs": [
|
|
128
|
+
"CVE-2026-45321",
|
|
129
|
+
"MAL-2026-NODE-IPC-STEALER"
|
|
130
|
+
]
|
|
107
131
|
},
|
|
108
132
|
"T1068": {
|
|
109
133
|
"name": "Exploitation for Privilege Escalation",
|
|
110
|
-
"version": "v19"
|
|
134
|
+
"version": "v19",
|
|
135
|
+
"cve_refs": [
|
|
136
|
+
"CVE-2026-0300",
|
|
137
|
+
"CVE-2026-31431",
|
|
138
|
+
"CVE-2026-33825",
|
|
139
|
+
"CVE-2026-43284",
|
|
140
|
+
"CVE-2026-43500",
|
|
141
|
+
"CVE-2026-46300",
|
|
142
|
+
"CVE-2026-6973"
|
|
143
|
+
]
|
|
111
144
|
},
|
|
112
145
|
"T1071": {
|
|
113
146
|
"name": "Application Layer Protocol",
|
|
@@ -115,11 +148,21 @@
|
|
|
115
148
|
},
|
|
116
149
|
"T1078": {
|
|
117
150
|
"name": "Valid Accounts",
|
|
118
|
-
"version": "v19"
|
|
151
|
+
"version": "v19",
|
|
152
|
+
"cve_refs": [
|
|
153
|
+
"CVE-2026-33825",
|
|
154
|
+
"CVE-2026-39884",
|
|
155
|
+
"CVE-2026-42897",
|
|
156
|
+
"CVE-2026-6973",
|
|
157
|
+
"MAL-2026-NODE-IPC-STEALER"
|
|
158
|
+
]
|
|
119
159
|
},
|
|
120
160
|
"T1078.001": {
|
|
121
161
|
"name": "Valid Accounts: Default Accounts",
|
|
122
|
-
"version": "v19"
|
|
162
|
+
"version": "v19",
|
|
163
|
+
"cve_refs": [
|
|
164
|
+
"CVE-2026-42208"
|
|
165
|
+
]
|
|
123
166
|
},
|
|
124
167
|
"T1078.002": {
|
|
125
168
|
"name": "Valid Accounts: Domain Accounts",
|
|
@@ -131,7 +174,11 @@
|
|
|
131
174
|
},
|
|
132
175
|
"T1078.004": {
|
|
133
176
|
"name": "Valid Accounts: Cloud Accounts",
|
|
134
|
-
"version": "v19"
|
|
177
|
+
"version": "v19",
|
|
178
|
+
"cve_refs": [
|
|
179
|
+
"CVE-2026-45321",
|
|
180
|
+
"MAL-2026-3083"
|
|
181
|
+
]
|
|
135
182
|
},
|
|
136
183
|
"T1098": {
|
|
137
184
|
"name": "Account Manipulation",
|
|
@@ -160,7 +207,11 @@
|
|
|
160
207
|
},
|
|
161
208
|
"T1133": {
|
|
162
209
|
"name": "External Remote Services",
|
|
163
|
-
"version": "v19"
|
|
210
|
+
"version": "v19",
|
|
211
|
+
"cve_refs": [
|
|
212
|
+
"CVE-2026-0300",
|
|
213
|
+
"CVE-2026-39987"
|
|
214
|
+
]
|
|
164
215
|
},
|
|
165
216
|
"T1136.001": {
|
|
166
217
|
"name": "Create Account: Local Account",
|
|
@@ -168,7 +219,17 @@
|
|
|
168
219
|
},
|
|
169
220
|
"T1190": {
|
|
170
221
|
"name": "Exploit Public-Facing Application",
|
|
171
|
-
"version": "v19"
|
|
222
|
+
"version": "v19",
|
|
223
|
+
"cve_refs": [
|
|
224
|
+
"CVE-2025-53773",
|
|
225
|
+
"CVE-2026-0300",
|
|
226
|
+
"CVE-2026-32202",
|
|
227
|
+
"CVE-2026-39987",
|
|
228
|
+
"CVE-2026-42208",
|
|
229
|
+
"CVE-2026-42897",
|
|
230
|
+
"CVE-2026-42945",
|
|
231
|
+
"CVE-2026-6973"
|
|
232
|
+
]
|
|
172
233
|
},
|
|
173
234
|
"T1195": {
|
|
174
235
|
"name": "Supply Chain Compromise",
|
|
@@ -176,11 +237,23 @@
|
|
|
176
237
|
},
|
|
177
238
|
"T1195.001": {
|
|
178
239
|
"name": "Supply Chain Compromise: Software Dependencies and Development Tools",
|
|
179
|
-
"version": "v19"
|
|
240
|
+
"version": "v19",
|
|
241
|
+
"cve_refs": [
|
|
242
|
+
"CVE-2026-30615",
|
|
243
|
+
"MAL-2026-3083",
|
|
244
|
+
"MAL-2026-NODE-IPC-STEALER",
|
|
245
|
+
"MAL-2026-TANSTACK-MINI"
|
|
246
|
+
]
|
|
180
247
|
},
|
|
181
248
|
"T1195.002": {
|
|
182
249
|
"name": "Supply Chain Compromise: Software Supply Chain",
|
|
183
|
-
"version": "v19"
|
|
250
|
+
"version": "v19",
|
|
251
|
+
"cve_refs": [
|
|
252
|
+
"CVE-2024-3094",
|
|
253
|
+
"CVE-2026-45321",
|
|
254
|
+
"MAL-2026-3083",
|
|
255
|
+
"MAL-2026-NODE-IPC-STEALER"
|
|
256
|
+
]
|
|
184
257
|
},
|
|
185
258
|
"T1199": {
|
|
186
259
|
"name": "Trusted Relationship",
|
|
@@ -245,7 +318,11 @@
|
|
|
245
318
|
},
|
|
246
319
|
"T1548.001": {
|
|
247
320
|
"name": "Abuse Elevation Control Mechanism: Setuid and Setgid",
|
|
248
|
-
"version": "v19"
|
|
321
|
+
"version": "v19",
|
|
322
|
+
"cve_refs": [
|
|
323
|
+
"CVE-2026-31431",
|
|
324
|
+
"CVE-2026-43284"
|
|
325
|
+
]
|
|
249
326
|
},
|
|
250
327
|
"T1548.003": {
|
|
251
328
|
"name": "Abuse Elevation Control Mechanism: Sudo and Sudo Caching",
|
|
@@ -257,7 +334,13 @@
|
|
|
257
334
|
},
|
|
258
335
|
"T1552.001": {
|
|
259
336
|
"name": "Unsecured Credentials: Credentials In Files",
|
|
260
|
-
"version": "v19"
|
|
337
|
+
"version": "v19",
|
|
338
|
+
"cve_refs": [
|
|
339
|
+
"CVE-2026-30615",
|
|
340
|
+
"MAL-2026-3083",
|
|
341
|
+
"MAL-2026-NODE-IPC-STEALER",
|
|
342
|
+
"MAL-2026-TANSTACK-MINI"
|
|
343
|
+
]
|
|
261
344
|
},
|
|
262
345
|
"T1552.004": {
|
|
263
346
|
"name": "Unsecured Credentials: Private Keys",
|
|
@@ -273,7 +356,10 @@
|
|
|
273
356
|
},
|
|
274
357
|
"T1554": {
|
|
275
358
|
"name": "Compromise Host Software Binary",
|
|
276
|
-
"version": "v19"
|
|
359
|
+
"version": "v19",
|
|
360
|
+
"cve_refs": [
|
|
361
|
+
"CVE-2024-3094"
|
|
362
|
+
]
|
|
277
363
|
},
|
|
278
364
|
"T1555": {
|
|
279
365
|
"name": "Credentials from Password Stores",
|
|
@@ -318,7 +404,11 @@
|
|
|
318
404
|
},
|
|
319
405
|
"T1566": {
|
|
320
406
|
"name": "Phishing",
|
|
321
|
-
"version": "v19"
|
|
407
|
+
"version": "v19",
|
|
408
|
+
"cve_refs": [
|
|
409
|
+
"CVE-2026-32202",
|
|
410
|
+
"CVE-2026-42897"
|
|
411
|
+
]
|
|
322
412
|
},
|
|
323
413
|
"T1566.001": {
|
|
324
414
|
"name": "Phishing: Spearphishing Attachment",
|
|
@@ -351,7 +441,10 @@
|
|
|
351
441
|
},
|
|
352
442
|
"T1574": {
|
|
353
443
|
"name": "Hijack Execution Flow",
|
|
354
|
-
"version": "v19"
|
|
444
|
+
"version": "v19",
|
|
445
|
+
"cve_refs": [
|
|
446
|
+
"CVE-2026-45321"
|
|
447
|
+
]
|
|
355
448
|
},
|
|
356
449
|
"T1574.005": {
|
|
357
450
|
"name": "Hijack Execution Flow: Executable Installer File Permissions Weakness",
|
|
@@ -389,6 +482,9 @@
|
|
|
389
482
|
"detection_strategies": [
|
|
390
483
|
"DS0009",
|
|
391
484
|
"DS0029"
|
|
485
|
+
],
|
|
486
|
+
"cve_refs": [
|
|
487
|
+
"CVE-2024-21626"
|
|
392
488
|
]
|
|
393
489
|
},
|
|
394
490
|
"T1613": {
|