@blamejs/exceptd-skills 0.12.41 → 0.13.0

package/data/atlas-ttps.json

@@ -83,7 +83,10 @@
     ],
     "secure_ai_v2_layer": true,
     "maturity": "high",
-    "last_verified": "2026-05-15"
+    "last_verified": "2026-05-15",
+    "cve_refs": [
+      "CVE-2026-42945"
+    ]
   },
   "AML.T0010": {
     "id": "AML.T0010",
@@ -121,7 +124,15 @@
     ],
     "secure_ai_v2_layer": true,
     "maturity": "high",
-    "last_verified": "2026-05-15"
+    "last_verified": "2026-05-15",
+    "cve_refs": [
+      "CVE-2026-30615",
+      "CVE-2026-39987",
+      "CVE-2026-45321",
+      "MAL-2026-3083",
+      "MAL-2026-NODE-IPC-STEALER",
+      "MAL-2026-TANSTACK-MINI"
+    ]
   },
   "AML.T0016": {
     "id": "AML.T0016",
@@ -149,7 +160,10 @@
     ],
     "secure_ai_v2_layer": true,
     "maturity": "moderate",
-    "last_verified": "2026-05-15"
+    "last_verified": "2026-05-15",
+    "cve_refs": [
+      "CVE-2026-30615"
+    ]
   },
   "AML.T0017": {
     "id": "AML.T0017",
@@ -220,7 +234,11 @@
     ],
     "secure_ai_v2_layer": true,
     "maturity": "moderate",
-    "last_verified": "2026-05-15"
+    "last_verified": "2026-05-15",
+    "cve_refs": [
+      "CVE-2026-45321",
+      "MAL-2026-3083"
+    ]
   },
   "AML.T0020": {
     "id": "AML.T0020",
@@ -252,7 +270,10 @@
     ],
     "secure_ai_v2_layer": true,
     "maturity": "high",
-    "last_verified": "2026-05-15"
+    "last_verified": "2026-05-15",
+    "cve_refs": [
+      "MAL-2026-NODE-IPC-STEALER"
+    ]
   },
   "AML.T0024": {
     "id": "AML.T0024",
@@ -379,7 +400,10 @@
     "exceptd_skills": [],
     "secure_ai_v2_layer": true,
     "maturity": "moderate",
-    "last_verified": "2026-05-15"
+    "last_verified": "2026-05-15",
+    "cve_refs": [
+      "CVE-2026-45321"
+    ]
   },
   "AML.T0051": {
     "id": "AML.T0051",
@@ -420,7 +444,13 @@
     ],
     "secure_ai_v2_layer": true,
     "maturity": "high",
-    "last_verified": "2026-05-15"
+    "last_verified": "2026-05-15",
+    "cve_refs": [
+      "CVE-2025-53773",
+      "CVE-2026-30615",
+      "CVE-2026-39884",
+      "CVE-2026-39987"
+    ]
   },
   "AML.T0053": {
     "id": "AML.T0053",
@@ -450,7 +480,10 @@
     "exceptd_skills": [],
     "secure_ai_v2_layer": true,
     "maturity": "high",
-    "last_verified": "2026-05-15"
+    "last_verified": "2026-05-15",
+    "cve_refs": [
+      "CVE-2026-39884"
+    ]
   },
   "AML.T0054": {
     "id": "AML.T0054",
@@ -481,7 +514,10 @@
     ],
     "secure_ai_v2_layer": true,
     "maturity": "high",
-    "last_verified": "2026-05-15"
+    "last_verified": "2026-05-15",
+    "cve_refs": [
+      "CVE-2025-53773"
+    ]
   },
   "AML.T0055": {
     "id": "AML.T0055",
@@ -511,7 +547,11 @@
     "exceptd_skills": [],
     "secure_ai_v2_layer": true,
     "maturity": "moderate",
-    "last_verified": "2026-05-15"
+    "last_verified": "2026-05-15",
+    "cve_refs": [
+      "CVE-2026-42208",
+      "MAL-2026-3083"
+    ]
   },
   "AML.T0057": {
     "id": "AML.T0057",
@@ -582,7 +622,10 @@
     ],
     "secure_ai_v2_layer": true,
     "maturity": "high",
-    "last_verified": "2026-05-15"
+    "last_verified": "2026-05-15",
+    "cve_refs": [
+      "CVE-2026-30615"
+    ]
   },
   "AML.T0097": {
     "id": "AML.T0097",

package/data/attack-techniques.json

@@ -66,6 +66,9 @@
     "tactic_id": "TA0005",
     "detection_strategies": [
       "DS0009"
+    ],
+    "cve_refs": [
+      "CVE-2026-32202"
     ]
   },
   "T1040": {
@@ -74,7 +77,10 @@
   },
   "T1041": {
     "name": "Exfiltration Over C2 Channel",
-    "version": "v19"
+    "version": "v19",
+    "cve_refs": [
+      "CVE-2026-30615"
+    ]
   },
   "T1053.003": {
     "name": "Scheduled Task/Job: Cron",
@@ -91,23 +97,50 @@
     "detection_strategies": [
       "DS0009",
       "DS0017"
+    ],
+    "cve_refs": [
+      "CVE-2025-53773",
+      "CVE-2026-30615",
+      "CVE-2026-32202",
+      "CVE-2026-39884",
+      "CVE-2026-39987",
+      "CVE-2026-6973"
     ]
   },
   "T1059.001": {
     "name": "Command and Scripting Interpreter: PowerShell",
-    "version": "v19"
+    "version": "v19",
+    "cve_refs": [
+      "CVE-2025-53773"
+    ]
   },
   "T1059.006": {
     "name": "Command and Scripting Interpreter: Python",
-    "version": "v19"
+    "version": "v19",
+    "cve_refs": [
+      "MAL-2026-3083"
+    ]
   },
   "T1059.007": {
     "name": "Command and Scripting Interpreter: JavaScript",
-    "version": "v19"
+    "version": "v19",
+    "cve_refs": [
+      "CVE-2026-45321",
+      "MAL-2026-NODE-IPC-STEALER"
+    ]
   },
   "T1068": {
     "name": "Exploitation for Privilege Escalation",
-    "version": "v19"
+    "version": "v19",
+    "cve_refs": [
+      "CVE-2026-0300",
+      "CVE-2026-31431",
+      "CVE-2026-33825",
+      "CVE-2026-43284",
+      "CVE-2026-43500",
+      "CVE-2026-46300",
+      "CVE-2026-6973"
+    ]
   },
   "T1071": {
     "name": "Application Layer Protocol",
@@ -115,11 +148,21 @@
   },
   "T1078": {
     "name": "Valid Accounts",
-    "version": "v19"
+    "version": "v19",
+    "cve_refs": [
+      "CVE-2026-33825",
+      "CVE-2026-39884",
+      "CVE-2026-42897",
+      "CVE-2026-6973",
+      "MAL-2026-NODE-IPC-STEALER"
+    ]
   },
   "T1078.001": {
     "name": "Valid Accounts: Default Accounts",
-    "version": "v19"
+    "version": "v19",
+    "cve_refs": [
+      "CVE-2026-42208"
+    ]
   },
   "T1078.002": {
     "name": "Valid Accounts: Domain Accounts",
@@ -131,7 +174,11 @@
   },
   "T1078.004": {
     "name": "Valid Accounts: Cloud Accounts",
-    "version": "v19"
+    "version": "v19",
+    "cve_refs": [
+      "CVE-2026-45321",
+      "MAL-2026-3083"
+    ]
   },
   "T1098": {
     "name": "Account Manipulation",
@@ -160,7 +207,11 @@
   },
   "T1133": {
     "name": "External Remote Services",
-    "version": "v19"
+    "version": "v19",
+    "cve_refs": [
+      "CVE-2026-0300",
+      "CVE-2026-39987"
+    ]
   },
   "T1136.001": {
     "name": "Create Account: Local Account",
@@ -168,7 +219,17 @@
   },
   "T1190": {
     "name": "Exploit Public-Facing Application",
-    "version": "v19"
+    "version": "v19",
+    "cve_refs": [
+      "CVE-2025-53773",
+      "CVE-2026-0300",
+      "CVE-2026-32202",
+      "CVE-2026-39987",
+      "CVE-2026-42208",
+      "CVE-2026-42897",
+      "CVE-2026-42945",
+      "CVE-2026-6973"
+    ]
   },
   "T1195": {
     "name": "Supply Chain Compromise",
@@ -176,11 +237,23 @@
   },
   "T1195.001": {
     "name": "Supply Chain Compromise: Software Dependencies and Development Tools",
-    "version": "v19"
+    "version": "v19",
+    "cve_refs": [
+      "CVE-2026-30615",
+      "MAL-2026-3083",
+      "MAL-2026-NODE-IPC-STEALER",
+      "MAL-2026-TANSTACK-MINI"
+    ]
   },
   "T1195.002": {
     "name": "Supply Chain Compromise: Software Supply Chain",
-    "version": "v19"
+    "version": "v19",
+    "cve_refs": [
+      "CVE-2024-3094",
+      "CVE-2026-45321",
+      "MAL-2026-3083",
+      "MAL-2026-NODE-IPC-STEALER"
+    ]
   },
   "T1199": {
     "name": "Trusted Relationship",
@@ -245,7 +318,11 @@
   },
   "T1548.001": {
     "name": "Abuse Elevation Control Mechanism: Setuid and Setgid",
-    "version": "v19"
+    "version": "v19",
+    "cve_refs": [
+      "CVE-2026-31431",
+      "CVE-2026-43284"
+    ]
   },
   "T1548.003": {
     "name": "Abuse Elevation Control Mechanism: Sudo and Sudo Caching",
@@ -257,7 +334,13 @@
   },
   "T1552.001": {
     "name": "Unsecured Credentials: Credentials In Files",
-    "version": "v19"
+    "version": "v19",
+    "cve_refs": [
+      "CVE-2026-30615",
+      "MAL-2026-3083",
+      "MAL-2026-NODE-IPC-STEALER",
+      "MAL-2026-TANSTACK-MINI"
+    ]
   },
   "T1552.004": {
     "name": "Unsecured Credentials: Private Keys",
@@ -273,7 +356,10 @@
   },
   "T1554": {
     "name": "Compromise Host Software Binary",
-    "version": "v19"
+    "version": "v19",
+    "cve_refs": [
+      "CVE-2024-3094"
+    ]
   },
   "T1555": {
     "name": "Credentials from Password Stores",
@@ -318,7 +404,11 @@
   },
   "T1566": {
     "name": "Phishing",
-    "version": "v19"
+    "version": "v19",
+    "cve_refs": [
+      "CVE-2026-32202",
+      "CVE-2026-42897"
+    ]
   },
   "T1566.001": {
     "name": "Phishing: Spearphishing Attachment",
@@ -351,7 +441,10 @@
   },
   "T1574": {
     "name": "Hijack Execution Flow",
-    "version": "v19"
+    "version": "v19",
+    "cve_refs": [
+      "CVE-2026-45321"
+    ]
   },
   "T1574.005": {
     "name": "Hijack Execution Flow: Executable Installer File Permissions Weakness",
@@ -389,6 +482,9 @@
     "detection_strategies": [
       "DS0009",
       "DS0029"
+    ],
+    "cve_refs": [
+      "CVE-2024-21626"
     ]
   },
   "T1613": {

package/data/cve-catalog.json

@@ -1460,8 +1460,6 @@
     "rwep_correction_note": "RWEP bump:v0.12.29 ai-discovery audit re-attributed to ai_discovered=true; ai_factor advanced from 0 to 15; rwep raised by 15 from 20 to 35."
   },
   "CVE-2024-21626": {
-    "_draft": true,
-    "_auto_imported": true,
     "ai_assisted_weaponization": false,
     "name": "runc /proc/self/fd leak (Leaky Vessels)",
     "type": "container-escape",
@@ -1522,8 +1520,6 @@
     "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: +5 (75 -> 80)."
   },
   "CVE-2024-3094": {
-    "_draft": true,
-    "_auto_imported": true,
     "ai_assisted_weaponization": false,
     "name": "xz-utils liblzma backdoor",
     "type": "supply-chain-backdoor",
@@ -1595,7 +1591,7 @@
   },
   "CVE-2024-3154": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + Red Hat Bugzilla; CWE-20 and ATT&CK T1611 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "CRI-O arbitrary kernel-module load",
     "type": "container-escape",
@@ -1662,7 +1658,7 @@
   },
   "CVE-2023-43472": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + Protect AI Huntr advisory; ATLAS AML.T0016 and CWE-22 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "MLflow path-traversal arbitrary file read",
     "type": "path-traversal",
@@ -1723,7 +1719,7 @@
   },
   "CVE-2020-10148": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + CISA AA20-352A; CWE-287 and ATT&CK T1190/T1078 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "SolarWinds Orion API authentication bypass (SUNBURST chain)",
     "type": "auth-bypass",
@@ -1786,7 +1782,7 @@
   },
   "CVE-2023-3519": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + Citrix CTX561482 + CISA AA23-201A; CWE-787 and ATT&CK T1190 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "Citrix NetScaler ADC/Gateway unauth RCE (CitrixBleed precursor)",
     "type": "RCE",
@@ -1851,7 +1847,7 @@
   },
   "CVE-2024-1709": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + ConnectWise advisory; ATT&CK T1190/T1078 refs resolve (cwe_refs empty but ATT&CK satisfies the resolve-at-least-one requirement). Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "ConnectWise ScreenConnect auth-bypass",
     "type": "auth-bypass",
@@ -1910,7 +1906,7 @@
   },
   "CVE-2026-20182": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against CISA KEV + Rapid7 disclosure; CWE-287 and ATT&CK T1190/T1078 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "Cisco SD-WAN authentication bypass to admin",
     "type": "auth-bypass",
@@ -1974,7 +1970,7 @@
   },
   "CVE-2024-40635": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + Snyk SNYK-GOLANG-GITHUBCOMCONTAINERDCONTAINERDV2PKGOCI-9479987; ATT&CK T1525 ref resolves (cwe_refs empty but ATT&CK satisfies). Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "containerd integer overflow IP mask leak",
     "type": "information-disclosure",
@@ -2033,8 +2029,6 @@
     "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: 0."
   },
   "MAL-2026-TANSTACK-MINI": {
-    "_draft": true,
-    "_auto_imported": true,
     "ai_assisted_weaponization": false,
     "name": "Mini Shai-Hulud (TanStack worm)",
     "type": "supply-chain-worm",
@@ -2106,7 +2100,8 @@
   },
   "MAL-2026-ANTHROPIC-MCP-STDIO": {
     "_draft": true,
-    "_auto_imported": true,
+    "_quarantine": true,
+    "_quarantine_reason": "Duplicate of CVE-2026-30623 (Anthropic MCP SDK stdio command-injection). This entry was the pre-CVE-assignment embargoed placeholder for the OX Security MCP stdio command-injection disclosure (Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok); the embargo lifted with the April 2026 vendor advisory and the issue received CVE-2026-30623. Canonical id: CVE-2026-30623. Retained as _draft: true so the validator treats it as a non-failing draft warning; downstream tooling should filter on _quarantine: true and skip these entries.",
     "ai_assisted_weaponization": false,
     "name": "Anthropic SDK MCP STDIO command-injection (embargoed)",
     "type": "command-injection",
@@ -2175,7 +2170,7 @@
   },
   "CVE-2026-GTIG-AI-2FA": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Placeholder entry — affected product is unnamed under GTIG embargo and affected_versions is set to \"pending-disclosure\". The key itself is not a real CVE identifier (GTIG-tracked, no MITRE assignment yet). Hard Rule #1 fields cannot be verified against a vendor advisory until the embargo lifts and a real CVE id is assigned. Re-triage once GTIG/MITRE publishes the canonical id and affected-product list.",
     "name": "GTIG-tracked AI-built 2FA-bypass zero-day (placeholder)",
     "type": "auth-bypass",
     "cvss_score": 8.1,
@@ -2248,7 +2243,7 @@
   },
   "CVE-2026-30623": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + OX Security advisory (Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok); CWE-78/88, ATLAS AML.T0040 and ATT&CK T1059 refs resolve. This entry is the published successor of the quarantined MAL-2026-ANTHROPIC-MCP-STDIO placeholder. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "Anthropic MCP SDK stdio command-injection",
     "type": "command-injection",
@@ -2315,7 +2310,7 @@
   },
   "CVE-2025-12686": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + Synacktiv Pwn2Own writeup; CWE-78 and ATT&CK T1190 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "Synology BeeStation unauth RCE (Pwn2Own Ireland 2025)",
     "type": "RCE",
@@ -2375,7 +2370,7 @@
   },
   "CVE-2025-62847": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + ZDI Pwn2Own Ireland 2025 day-one results + DEVCORE Research Team attribution; CWE-78 and ATT&CK T1190 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "QNAP QTS/QuTS hero RCE (Pwn2Own Ireland 2025, chain 1/3)",
     "type": "RCE",
@@ -2437,7 +2432,7 @@
   },
   "CVE-2025-62848": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + ZDI Pwn2Own Ireland 2025 day-one results + DEVCORE Research Team attribution; CWE-94 and ATT&CK T1190 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "QNAP QTS/QuTS hero RCE (Pwn2Own Ireland 2025, chain 2/3)",
     "type": "RCE",
@@ -2499,7 +2494,7 @@
   },
   "CVE-2025-62849": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + ZDI Pwn2Own Ireland 2025 day-one results + DEVCORE Research Team attribution; CWE-269 and ATT&CK T1068 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "QNAP QTS/QuTS hero RCE (Pwn2Own Ireland 2025, chain 3/3)",
     "type": "RCE",
@@ -2561,7 +2556,7 @@
   },
   "CVE-2025-59389": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + QNAP QSA-25-48 + ZDI Pwn2Own attribution (Sina Kheirkhah, Summoning Team); CWE-78 and ATT&CK T1190 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "QNAP Hyper Data Protector critical RCE (Pwn2Own Ireland 2025)",
     "type": "RCE",
@@ -2622,7 +2617,7 @@
   },
   "CVE-2025-11837": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + QNAP QSA-25-47 + Pwn2Own attribution (Chumy Tsai, CyCraft Technology); CWE-94 and ATT&CK T1059/T1554 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "QNAP Malware Remover code-injection",
     "type": "code-injection",
@@ -2683,8 +2678,6 @@
     "discovery_attribution_note": "Pwn2Own Ireland 2025 — Chumy Tsai of CyCraft Technology demonstrated the code-injection on QNAP TS-453E ($20,000 award). Named-human researcher via ZDI credit; no AI-tool attribution. Source: https://www.qnap.com/en/security-advisory/qsa-25-47 and https://cybersecuritynews.com/qnap-zero-day-vulnerabilities-exploited/."
   },
   "CVE-2026-42945": {
-    "_draft": true,
-    "_auto_imported": true,
     "name": "NGINX Rift",
     "type": "RCE",
     "cvss_score": 9.2,

package/data/cwe-catalog.json

@@ -1127,8 +1127,10 @@
     ],
     "skills_referencing": [],
     "evidence_cves": [
+      "CVE-2024-3094",
       "MAL-2026-3083",
-      "MAL-2026-NODE-IPC-STEALER"
+      "MAL-2026-NODE-IPC-STEALER",
+      "MAL-2026-TANSTACK-MINI"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SA-12",
@@ -1349,6 +1351,7 @@
     ],
     "evidence_cves": [
       "CVE-2026-0300",
+      "CVE-2026-42945",
       "CVE-2026-43500",
       "CVE-2026-46300"
     ],
@@ -1656,6 +1659,7 @@
       "supply-chain-integrity"
     ],
     "evidence_cves": [
+      "CVE-2024-3094",
       "MAL-2026-NODE-IPC-STEALER"
     ],
     "framework_controls_partially_addressing": [
@@ -1688,7 +1692,9 @@
       "sector-federal-government",
       "supply-chain-integrity"
     ],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "MAL-2026-TANSTACK-MINI"
+    ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SA-12",
       "NIST-800-53-SI-2",

package/data/framework-control-gaps.json

@@ -724,10 +724,13 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
+      "CVE-2024-3094",
       "CVE-2026-42897",
+      "CVE-2026-42945",
       "CVE-2026-45321",
       "MAL-2026-3083",
-      "MAL-2026-NODE-IPC-STEALER"
+      "MAL-2026-NODE-IPC-STEALER",
+      "MAL-2026-TANSTACK-MINI"
     ],
     "atlas_refs": [
       "AML.T0010",
@@ -1099,6 +1102,7 @@
     "status": "open",
     "opened_date": "2026-04-01",
     "evidence_cves": [
+      "CVE-2024-3094",
       "CVE-2026-30615"
     ],
     "atlas_refs": [
@@ -1135,6 +1139,7 @@
     "evidence_cves": [
       "CVE-2026-0300",
       "CVE-2026-31431",
+      "CVE-2026-42945",
       "CVE-2026-46300"
     ],
     "atlas_refs": [],
@@ -1699,6 +1704,7 @@
       "CVE-2026-32202",
       "CVE-2026-33825",
       "CVE-2026-42897",
+      "CVE-2026-42945",
       "CVE-2026-43284",
       "CVE-2026-43500",
       "CVE-2026-46300",
@@ -2316,6 +2322,7 @@
     "status": "open",
     "opened_date": "2026-05-11",
     "evidence_cves": [
+      "CVE-2024-3094",
       "CVE-2026-45321",
       "MAL-2026-3083",
       "MAL-2026-NODE-IPC-STEALER"
@@ -3653,7 +3660,8 @@
     "status": "open",
     "opened_date": "2026-05-15",
     "evidence_cves": [
-      "CVE-2026-0300"
+      "CVE-2026-0300",
+      "CVE-2026-42945"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -3689,6 +3697,7 @@
     "evidence_cves": [
       "CVE-2026-0300",
       "CVE-2026-42897",
+      "CVE-2026-42945",
       "CVE-2026-46300"
     ],
     "atlas_refs": [],
@@ -4058,7 +4067,8 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
-      "MAL-2026-NODE-IPC-STEALER"
+      "MAL-2026-NODE-IPC-STEALER",
+      "MAL-2026-TANSTACK-MINI"
     ],
     "atlas_refs": [
       "AML.T0010",

package/data/playbooks/ai-api.json

@@ -51,6 +51,11 @@
         "playbook_id": "mcp",
         "condition": "finding.includes_mcp_server_credential_exposure == true"
       }
+    ],
+    "fed_by": [
+      "llm-tool-use-exfil",
+      "mcp",
+      "sbom"
     ]
   },
   "domain": {