@blamejs/exceptd-skills 0.12.41 → 0.13.1

package/data/cve-catalog.json

@@ -37,7 +37,13 @@
     "vendor_advisory_field_added": "2026-05-11",
     "vendor_advisory_note": "Each CVE carries a structured vendor_advisories array (vendor, advisory_id, url, severity, published_date) for downstream consumers that route by vendor advisory. Unknown advisory IDs are null with the canonical vendor CVE-resolver URL — never fabricated. Existing free-form references are preserved in verification_sources; vendor_advisories is additive.",
     "active_exploitation_vocabulary": {
-      "values": ["confirmed", "suspected", "theoretical", "none", "unknown"],
+      "values": [
+        "confirmed",
+        "suspected",
+        "theoretical",
+        "none",
+        "unknown"
+      ],
       "definitions": {
         "confirmed": "Active in-the-wild exploitation observed and attributed",
         "suspected": "Indicators consistent with exploitation; attribution incomplete",
@@ -49,7 +55,7 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.162,
+      "current_rate": 0.154,
       "current_floor_enforced_by_test": 0.15,
       "ladder_to_target": [
         0.15,
@@ -1460,8 +1466,6 @@
     "rwep_correction_note": "RWEP bump:v0.12.29 ai-discovery audit re-attributed to ai_discovered=true; ai_factor advanced from 0 to 15; rwep raised by 15 from 20 to 35."
   },
   "CVE-2024-21626": {
-    "_draft": true,
-    "_auto_imported": true,
     "ai_assisted_weaponization": false,
     "name": "runc /proc/self/fd leak (Leaky Vessels)",
     "type": "container-escape",
@@ -1522,8 +1526,6 @@
     "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: +5 (75 -> 80)."
   },
   "CVE-2024-3094": {
-    "_draft": true,
-    "_auto_imported": true,
     "ai_assisted_weaponization": false,
     "name": "xz-utils liblzma backdoor",
     "type": "supply-chain-backdoor",
@@ -1595,7 +1597,7 @@
   },
   "CVE-2024-3154": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + Red Hat Bugzilla; CWE-20 and ATT&CK T1611 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "CRI-O arbitrary kernel-module load",
     "type": "container-escape",
@@ -1662,7 +1664,7 @@
   },
   "CVE-2023-43472": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + Protect AI Huntr advisory; ATLAS AML.T0016 and CWE-22 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "MLflow path-traversal arbitrary file read",
     "type": "path-traversal",
@@ -1723,7 +1725,7 @@
   },
   "CVE-2020-10148": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + CISA AA20-352A; CWE-287 and ATT&CK T1190/T1078 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "SolarWinds Orion API authentication bypass (SUNBURST chain)",
     "type": "auth-bypass",
@@ -1786,7 +1788,7 @@
   },
   "CVE-2023-3519": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + Citrix CTX561482 + CISA AA23-201A; CWE-787 and ATT&CK T1190 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "Citrix NetScaler ADC/Gateway unauth RCE (CitrixBleed precursor)",
     "type": "RCE",
@@ -1851,7 +1853,7 @@
   },
   "CVE-2024-1709": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + ConnectWise advisory; ATT&CK T1190/T1078 refs resolve (cwe_refs empty but ATT&CK satisfies the resolve-at-least-one requirement). Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "ConnectWise ScreenConnect auth-bypass",
     "type": "auth-bypass",
@@ -1910,7 +1912,7 @@
   },
   "CVE-2026-20182": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against CISA KEV + Rapid7 disclosure; CWE-287 and ATT&CK T1190/T1078 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "Cisco SD-WAN authentication bypass to admin",
     "type": "auth-bypass",
@@ -1974,7 +1976,7 @@
   },
   "CVE-2024-40635": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + Snyk SNYK-GOLANG-GITHUBCOMCONTAINERDCONTAINERDV2PKGOCI-9479987; ATT&CK T1525 ref resolves (cwe_refs empty but ATT&CK satisfies). Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "containerd integer overflow IP mask leak",
     "type": "information-disclosure",
@@ -2033,8 +2035,6 @@
     "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: 0."
   },
   "MAL-2026-TANSTACK-MINI": {
-    "_draft": true,
-    "_auto_imported": true,
     "ai_assisted_weaponization": false,
     "name": "Mini Shai-Hulud (TanStack worm)",
     "type": "supply-chain-worm",
@@ -2102,11 +2102,16 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Same incident-class as CVE-2026-45321 (Mini Shai-Hulud); discovery by ecosystem detection across multiple firms (Snyk, Wiz, StepSecurity, Socket, Orca, JFrog) within minutes of the 2026-05-11 publish window. No AI-tool discovery attribution on the defender side. Source: https://snyk.io/blog/tanstack-npm-packages-compromised/.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields.",
+    "related_threats": [
+      "MAL-2026-SHAI-HULUD-OSS"
+    ],
+    "related_threats_note": "MAL-2026-TANSTACK-MINI is a Mini-Shai-Hulud-wave incident (Microsoft Security Research, 2026-05-11). The framework was open-sourced 2026-05-12 (MAL-2026-SHAI-HULUD-OSS) — TanStack predates the public release by ~24h. Same threat-actor authorship class; same registry-pivot tradecraft."
   },
   "MAL-2026-ANTHROPIC-MCP-STDIO": {
     "_draft": true,
-    "_auto_imported": true,
+    "_quarantine": true,
+    "_quarantine_reason": "Duplicate of CVE-2026-30623 (Anthropic MCP SDK stdio command-injection). This entry was the pre-CVE-assignment embargoed placeholder for the OX Security MCP stdio command-injection disclosure (Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok); the embargo lifted with the April 2026 vendor advisory and the issue received CVE-2026-30623. Canonical id: CVE-2026-30623. Retained as _draft: true so the validator treats it as a non-failing draft warning; downstream tooling should filter on _quarantine: true and skip these entries.",
     "ai_assisted_weaponization": false,
     "name": "Anthropic SDK MCP STDIO command-injection (embargoed)",
     "type": "command-injection",
@@ -2175,7 +2180,7 @@
   },
   "CVE-2026-GTIG-AI-2FA": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Placeholder entry — affected product is unnamed under GTIG embargo and affected_versions is set to \"pending-disclosure\". The key itself is not a real CVE identifier (GTIG-tracked, no MITRE assignment yet). Hard Rule #1 fields cannot be verified against a vendor advisory until the embargo lifts and a real CVE id is assigned. Re-triage once GTIG/MITRE publishes the canonical id and affected-product list.",
     "name": "GTIG-tracked AI-built 2FA-bypass zero-day (placeholder)",
     "type": "auth-bypass",
     "cvss_score": 8.1,
@@ -2248,7 +2253,7 @@
   },
   "CVE-2026-30623": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + OX Security advisory (Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok); CWE-78/88, ATLAS AML.T0040 and ATT&CK T1059 refs resolve. This entry is the published successor of the quarantined MAL-2026-ANTHROPIC-MCP-STDIO placeholder. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "Anthropic MCP SDK stdio command-injection",
     "type": "command-injection",
@@ -2315,7 +2320,7 @@
   },
   "CVE-2025-12686": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + Synacktiv Pwn2Own writeup; CWE-78 and ATT&CK T1190 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "Synology BeeStation unauth RCE (Pwn2Own Ireland 2025)",
     "type": "RCE",
@@ -2375,7 +2380,7 @@
   },
   "CVE-2025-62847": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + ZDI Pwn2Own Ireland 2025 day-one results + DEVCORE Research Team attribution; CWE-78 and ATT&CK T1190 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "QNAP QTS/QuTS hero RCE (Pwn2Own Ireland 2025, chain 1/3)",
     "type": "RCE",
@@ -2437,7 +2442,7 @@
   },
   "CVE-2025-62848": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + ZDI Pwn2Own Ireland 2025 day-one results + DEVCORE Research Team attribution; CWE-94 and ATT&CK T1190 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "QNAP QTS/QuTS hero RCE (Pwn2Own Ireland 2025, chain 2/3)",
     "type": "RCE",
@@ -2499,7 +2504,7 @@
   },
   "CVE-2025-62849": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + ZDI Pwn2Own Ireland 2025 day-one results + DEVCORE Research Team attribution; CWE-269 and ATT&CK T1068 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "QNAP QTS/QuTS hero RCE (Pwn2Own Ireland 2025, chain 3/3)",
     "type": "RCE",
@@ -2561,7 +2566,7 @@
   },
   "CVE-2025-59389": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + QNAP QSA-25-48 + ZDI Pwn2Own attribution (Sina Kheirkhah, Summoning Team); CWE-78 and ATT&CK T1190 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "QNAP Hyper Data Protector critical RCE (Pwn2Own Ireland 2025)",
     "type": "RCE",
@@ -2622,7 +2627,7 @@
   },
   "CVE-2025-11837": {
     "_draft": true,
-    "_auto_imported": true,
+    "_draft_reason": "Hard Rule #1 fields all present and verified against NVD + QNAP QSA-25-47 + Pwn2Own attribution (Chumy Tsai, CyCraft Technology); CWE-94 and ATT&CK T1059/T1554 refs resolve. Blocked from verification by missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live). Add the lesson entry, then flip _draft to false.",
     "ai_assisted_weaponization": false,
     "name": "QNAP Malware Remover code-injection",
     "type": "code-injection",
@@ -2683,8 +2688,6 @@
     "discovery_attribution_note": "Pwn2Own Ireland 2025 — Chumy Tsai of CyCraft Technology demonstrated the code-injection on QNAP TS-453E ($20,000 award). Named-human researcher via ZDI credit; no AI-tool attribution. Source: https://www.qnap.com/en/security-advisory/qsa-25-47 and https://cybersecuritynews.com/qnap-zero-day-vulnerabilities-exploited/."
   },
   "CVE-2026-42945": {
-    "_draft": true,
-    "_auto_imported": true,
     "name": "NGINX Rift",
     "type": "RCE",
     "cvss_score": 9.2,
@@ -3565,5 +3568,169 @@
     "remediation_status": "removed_from_registry",
     "remediation_note": "npm removed all 3 malicious versions (9.1.6, 9.2.3, 12.0.1) within ~2 hours of publication on 2026-05-14. Publisher account atiertant was deactivated. The expired-domain TTP (atlantis-software.net re-registered via Namecheap on 2026-05-07 after Jan 2025 expiry) remains the novel attack class to defend against — see zeroday-lessons NEW-CTRL-047 (PACKAGE-MAINTAINER-DOMAIN-EXPIRY-MONITORING).",
     "remediation_status_verified_at": "2026-05-16"
+  },
+  "CVE-2026-46333": {
+    "name": "ssh-keysign-pwn",
+    "type": "LPE-via-info-disclosure",
+    "cvss_score": 7,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "Operator estimate pending NVD enrichment. Local + low privilege + no UI + root file read + chained privesc via /etc/shadow → AC:H reflects the ~100-2000-attempt race window which lowers practical exploitation but does not gate it.",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "cisa_kev_due_date": null,
+    "poc_available": true,
+    "poc_description": "_SiCk published two working exploits within hours of the Qualys disclosure on 2026-05-14: one that reads /etc/ssh/ssh_host_*_key via ssh-keysign exit-race, one that reads /etc/shadow via chage -l exit-race. Both target the same kernel pidfd_getfd race; the setuid binary is the carrier, not the bug. ~100-2000 attempts succeed in practice — deterministic enough for adversary tradecraft.",
+    "ai_discovered": false,
+    "ai_discovery_notes": "Qualys Threat Research Unit human research. The underlying logic flaw was originally surfaced in a 2020 patch proposal by Jann Horn that was never merged; Qualys identified the exploitable consequence six years later.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "none",
+    "active_exploitation_notes": "No in-the-wild observations as of T+3 days post-disclosure. Two public PoCs (_SiCk). Expectation: KEV listing within weeks once exploitation observed; until then, theoretical-with-deterministic-PoC class.",
+    "affected": "Linux kernel — all distributions shipping a kernel built without the 2020 Jann Horn patch proposal (effectively every distribution for ~6 years until 2026-05-14). Confirmed affected: RHEL 7-10, AlmaLinux 8/9/10, CloudLinux 7h/8/9/10, Rocky Linux 8/9, Ubuntu 20.04-24.04 LTS (pre-USN), Debian 11-12 (pre-DSA), Amazon Linux 2/2023, SUSE 15. The setuid carrier binaries (ssh-keysign + chage) ship on every Linux system with OpenSSH and shadow-utils installed.",
+    "affected_versions": [
+      "linux-kernel < 7.0.8",
+      "linux-kernel < 6.18.31 (6.18.x branch)",
+      "linux-kernel < 6.12.89 (6.12.x branch)",
+      "linux-kernel < 6.6.139 (6.6.x branch)",
+      "linux-kernel < 6.1.173 (6.1.x branch)",
+      "linux-kernel < 5.15.207 (5.15.x branch)",
+      "linux-kernel < 5.10.256 (5.10.x branch)"
+    ],
+    "vector": "ptrace exit-race. exit_mm() runs before exit_files() during privileged-process shutdown. In the microsecond window between the two, task->mm == NULL while the fd table still holds the privileged file handles. The pre-fix __ptrace_may_access() skipped its get_dumpable() check when mm == NULL and silently authorized UID-matched access. An unprivileged attacker races ssh-keysign or chage exit, calls pidfd_getfd(2) to duplicate the still-open file descriptors, and reads /etc/ssh/ssh_host_*_key or /etc/shadow as if it were root. Yama ptrace_scope does NOT mitigate because the bypass is at the kernel access-check layer, not the LSM layer.",
+    "complexity": "race-condition",
+    "complexity_notes": "Race window is microseconds wide but the exploit loops automatically; 100-2000 attempts typically succeed. Once the fd is captured, the read is deterministic. Class similar to Dirty COW but file-read rather than file-write primitive.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "live_patch_tools": [
+      "KernelCare (in active build as of 2026-05-15; release ETA pending)"
+    ],
+    "live_patch_notes": "Upstream commit 31e62c2ebbfd (ptrace: slightly saner get_dumpable() logic) merged 2026-05-14. Kernel point releases 7.0.8 / 6.18.31 / 6.12.89 / 6.6.139 / 6.1.173 / 5.15.207 / 5.10.256 published 2026-05-15. Distribution backports: AlmaLinux 8/9/10 ALSA-2026:A008/A009/A010 (2026-05-16 production), CloudLinux 7h/8/9/10 (2026-05-15 beta / 2026-05-17 production). KernelCare livepatch in build; Canonical Livepatch / kpatch status not yet documented at T+3 days. RHEL backport not yet observed in primary sources; check access.redhat.com/security/cve.",
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "30-day critical patch SLA is an exploitation window for a Linux kernel LPE with two public PoCs. Reboot-required mitigation breaks the maintenance-window assumption built into SI-2 implementations.",
+      "ISO-27001-2022-A.8.8": "'Appropriate timescales' undefined; standard 30-day interpretation is unsafe for a kernel info-disclosure with public PoC. No requirement to track sysctl-based mitigation (kernel.user_ptrace=0) as a compensating control.",
+      "NIS2-Art21-patch-management": "Art. 21(2)(c) patch-management measures undefined for fast-cycle kernel LPEs with public PoC. No guidance on sysctl or SUID-removal as interim measures.",
+      "DORA-Art-9": "ICT incident management presumes vendor-patch cadence; reboot-required class breaks the standard SLA.",
+      "UK-CAF-B4": "System security principle silent on sysctl-based mitigation OR SUID-removal as compensating controls.",
+      "AU-ISM-1546": "Essential 8 patch-applications maturity ML3 = 48h is still long for a deterministic-with-loop kernel LPE; reboot-required nature compounds the maintenance-window cost.",
+      "ISO-27001-2022-A.5.7": "Threat-intelligence control collects feeds but does not require the operational pivot (sysctl kernel.user_ptrace=0) when intel shows a same-family CVE with public PoC."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1068"
+    ],
+    "rwep_score": 30,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "RWEP 30 today (T+3). Score will jump to 50 (+25 KEV) on CISA KEV listing — expected within weeks once exploitation observed. Reboot-required nature adds operator friction not captured in RWEP — practical exposure window is longer than the math suggests because reboot scheduling lags kernel-package availability. blast_radius 25 reflects every Linux host running setuid ssh-keysign or chage (every default OpenSSH + shadow-utils install). Live-patch credit deferred until KernelCare ships.",
+    "cwe_refs": [
+      "CWE-672",
+      "CWE-362"
+    ],
+    "source_verified": "2026-05-17",
+    "verification_sources": [
+      "https://cybersecuritynews.com/linux-kernel-vulnerability-ssh-keysign-pwn/",
+      "https://www.gotekky.com/guides/security/cve-2026-46333-ssh-keysign-pwn-linux-kernel/",
+      "https://blog.cloudlinux.com/ptrace-exit-race-cve-2026-46333-mitigation-and-kernel-update",
+      "https://almalinux.org/blog/2026-05-15-ssh-keysign-pwn-cve-2026-46333/",
+      "https://9to5linux.com/six-year-old-linux-kernel-flaw-lets-unprivileged-users-read-root-owned-files",
+      "https://www.phoronix.com/news/Linux-ssh-keysign-pwn",
+      "https://needhelp.icu/blogs/ssh-keysign-pwn",
+      "https://hackingpassion.com/ssh-keysign-pwn-cve-2026-46333/"
+    ],
+    "_draft": false,
+    "last_updated": "2026-05-17",
+    "discovery_attribution_note": "Qualys Threat Research Unit human research, publicly disclosed 2026-05-14. The underlying logic flaw was originally surfaced in a 2020 patch proposal by Jann Horn that was never merged; Qualys identified the exploitable consequence six years later. No AI involvement on either the discovery or weaponization side."
+  },
+  "MAL-2026-SHAI-HULUD-OSS": {
+    "name": "Shai-Hulud worm framework (TeamPCP open-source release)",
+    "type": "malicious-framework-release",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
+    "cvss_note": "CVSS scored as a malicious package family: AV:N (npm registry), PR:N (no auth required to install), UI:R (user runs npm install), S:C (developer workstation → cloud/registry/AI-assistant credential blast radius). Same severity profile as MAL-2026-TANSTACK-MINI and MAL-2026-NODE-IPC-STEALER. RWEP scoring captures the operational risk more accurately than CVSS for the framework class.",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "cisa_kev_due_date": null,
+    "poc_available": true,
+    "poc_description": "The framework IS the PoC — TeamPCP open-sourced the complete Shai-Hulud worm to GitHub on 2026-05-12 under MIT license, with deployment instructions. Repository naming pattern: \"A Gift From TeamPCP\". Associated accounts observed: agwagwagwa, headdirt, tmechen. Commit timestamps falsified to 2099-01-01 as an obfuscation marker. Modular TypeScript / Bun toolkit for credential harvesting + supply-chain poisoning + encrypted exfil; targets CI/CD pipelines and developer workstations. Within hours of release, Ox Security observed third-party copycat modifications already in deployment.",
+    "ai_discovered": false,
+    "ai_discovery_notes": "Threat-actor framework, not a discovery. TeamPCP describes the framework as \"vibe coded\" — operator-generated rather than AI-generated. Adoption-side: AI-coding-assistant config files (Claude Code, Cursor, Codeium, Anthropic CLI) are explicit exfil targets — the framework reads ~/.cursor/mcp.json, ~/.codeium/windsurf/mcp_config.json, ~/.claude/settings.json, and adds Claude Code startup hooks to execute the malware when Claude starts. AI-assistant-installed-but-not-AI-discovered.",
+    "ai_assisted_weaponization": true,
+    "ai_assist_weaponization_notes": "TeamPCP self-describes the codebase as \"vibe coded\" — AI-coding-assistant-mediated authoring. BreachForums + TeamPCP launched a $1,000 USD (Monero) bounty contest concurrent with the release, judged on downstream supply-chain impact, accelerating copycat weaponization.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Copycat modifications observed by Ox Security within hours of the 2026-05-12 release. Mini Shai-Hulud wave (Microsoft Security Research, 2026-05-11) compromised 170+ npm packages + 2 PyPI packages across 404 malicious versions. MAL-2026-TANSTACK-MINI in this catalog is an in-the-wild Shai-Hulud-class incident. Continuous active exploitation expected through 2026.",
+    "affected": "npm registry (170+ confirmed packages in May 2026 wave), PyPI (2 confirmed), GitHub Actions runners, developer workstations with credentials staged in ~/.aws, ~/.config/gcloud, ~/.kube, ~/.ssh, ~/.cursor, ~/.codeium, ~/.claude, ~/.npmrc. Any package-registry account whose maintainer workstation runs the framework. Any AI-assistant config file with API tokens or MCP server credentials.",
+    "affected_versions": [
+      "shai-hulud-framework all forks post-2026-05-12"
+    ],
+    "vector": "Self-replicating npm worm with maintainer-account-pivot. Phase 1: credential harvest via package post-install OR require-time activation (variant-dependent) reads cloud + AI-assistant + version-control configs from operator HOME. Phase 2: stolen npm token authenticates to registry as compromised maintainer; enumerates other packages owned by same maintainer; injects malware; publishes new compromised versions. Phase 3: encrypted exfil to attacker-controlled GitHub repos matching the \"A Gift From TeamPCP\" naming pattern + secondary C2 channels. Phase 4 (variant-dependent): local-environment wipe — destructive opt-in by attacker.",
+    "complexity": "turnkey post-source-release",
+    "complexity_notes": "Pre-2026-05-12 the framework required reverse-engineering effort by would-be operators. Post-release ships with deployment instructions; the BreachForums contest provides operational support. Barrier-to-entry collapsed from high (custom-tradecraft research) to low (clone + deploy).",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Patching does not apply — this is a malicious framework, not a vulnerability. Defensive posture is detection + ingestion-side blocking + maintainer credential rotation. npm tool-trust controls (--ignore-scripts, Verdaccio proxy, install-time hash pinning) reduce blast radius for consumers; do NOT protect maintainer-side compromise.",
+    "framework_control_gaps": {
+      "NIST-800-218-SSDF-PW.4": "PW.4 secure-development tooling assumes the maintainer workstation is trusted; Shai-Hulud invalidates by exfiltrating maintainer credentials BEFORE the malicious publish. SSDF has no compensating control for compromised-maintainer-republish.",
+      "NIST-800-53-SR-3": "SR-3 supply-chain risk management treats package-registry compromise as upstream risk; Shai-Hulud is maintainer-side compromise that LOOKS LIKE legitimate publish. SR-3 controls catch tampered upstream but not legitimately-authenticated malicious upstream.",
+      "EU-CRA-Art13": "CRA Article 13 vulnerability-handling treats malicious upgrades as outside scope; the framework explicitly targets the legitimate update channel.",
+      "NIS2-Art21-supply-chain": "Art. 21(2)(d) supply-chain risk measures undefined for self-replicating worm distribution. No guidance on maintainer-credential isolation or registry-side authentication monitoring.",
+      "DORA-Art28": "ICT third-party risk management presumes vendor due-diligence; OSS maintainer compromise is outside the vendor-contract framing.",
+      "UK-CAF-B4": "System security principle silent on registry-side authentication monitoring for downstream consumers.",
+      "AU-ISM-1808": "Software-supply-chain controls assume vendor-side SBOM truth; Shai-Hulud invalidates by publishing under legitimate maintainer identity.",
+      "SLSA-v1.0-Build-L3": "SLSA L3 build provenance is technically valid for Shai-Hulud-poisoned packages — the malicious build IS provenance-attested under the compromised maintainer's legitimate identity. L3 catches tampered upstream; it does NOT catch legitimately-authenticated malicious upstream."
+    },
+    "atlas_refs": [
+      "AML.T0010"
+    ],
+    "attack_refs": [
+      "T1195.002",
+      "T1078",
+      "T1567",
+      "T1485"
+    ],
+    "rwep_score": 70,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 15,
+      "active_exploitation": 20,
+      "blast_radius": 15,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "RWEP 70 — high. cisa_kev not applicable (KEV is CVE-only). poc_available: the framework IS the PoC. ai_factor: AI-coding-assistant-mediated authoring + AI-assistant config files as exfil target. active_exploitation: confirmed via Mini Shai-Hulud wave + TanStack-class incidents. blast_radius: every npm-using engineering org + every AI-assistant-using developer workstation. No patch direction — defensive posture is detection + maintainer credential rotation + ingest-side controls.",
+    "cwe_refs": [
+      "CWE-506",
+      "CWE-829"
+    ],
+    "source_verified": "2026-05-17",
+    "verification_sources": [
+      "https://www.theregister.com/security/2026/05/13/malware-crew-teampcp-open-sources-its-shai-hulud-worm-on-github/5239319",
+      "https://www.ox.security/blog/shai-hulud-open-source-malware-github/",
+      "https://www.securityweek.com/teampcp-ups-the-game-releases-shai-hulud-worms-source-code/",
+      "https://www.reversinglabs.com/blog/the-shai-hulud-code-drop",
+      "https://socket.dev/blog/teampcp-supply-chain-attack-contest",
+      "https://industrialcyber.co/ransomware/vect-formalizes-breachforums-and-teampcp-alliance-to-push-model-for-industrialized-ransomware-scale-raas-operations/",
+      "https://www.scworld.com/news/teampcp-releases-vibe-coded-shai-hulud-source-code-issues-challenge",
+      "https://securitylabs.datadoghq.com/articles/shai-hulud-open-source-framework-static-analysis/",
+      "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/",
+      "https://unit42.paloaltonetworks.com/npm-supply-chain-attack/",
+      "https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/",
+      "https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem",
+      "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
+      "https://snyk.io/blog/tanstack-npm-packages-compromised/"
+    ],
+    "last_updated": "2026-05-17",
+    "discovery_attribution_note": "TeamPCP threat-actor framework, not a vulnerability discovery. The framework was open-sourced 2026-05-12 on GitHub under MIT license by the same actor group responsible for the September 2025 / November 2025 / May 2026 Shai-Hulud npm-worm waves. TeamPCP self-describes the framework as \"vibe coded\" — AI-coding-assistant-mediated authoring. Adoption-side weaponization is accelerated by AI coding assistants + the BreachForums-hosted $1,000 USD bounty contest."
   }
 }

package/data/cwe-catalog.json

@@ -949,7 +949,8 @@
       "kernel-lpe-triage"
     ],
     "evidence_cves": [
-      "CVE-2026-33825"
+      "CVE-2026-33825",
+      "CVE-2026-46333"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-16",
@@ -1127,8 +1128,11 @@
     ],
     "skills_referencing": [],
     "evidence_cves": [
+      "CVE-2024-3094",
       "MAL-2026-3083",
-      "MAL-2026-NODE-IPC-STEALER"
+      "MAL-2026-NODE-IPC-STEALER",
+      "MAL-2026-SHAI-HULUD-OSS",
+      "MAL-2026-TANSTACK-MINI"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SA-12",
@@ -1222,7 +1226,8 @@
       "kernel-lpe-triage"
     ],
     "evidence_cves": [
-      "CVE-2026-46300"
+      "CVE-2026-46300",
+      "CVE-2026-46333"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-16",
@@ -1349,6 +1354,7 @@
     ],
     "evidence_cves": [
       "CVE-2026-0300",
+      "CVE-2026-42945",
       "CVE-2026-43500",
       "CVE-2026-46300"
     ],
@@ -1415,7 +1421,8 @@
       "supply-chain-integrity"
     ],
     "evidence_cves": [
-      "MAL-2026-NODE-IPC-STEALER"
+      "MAL-2026-NODE-IPC-STEALER",
+      "MAL-2026-SHAI-HULUD-OSS"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SA-12",
@@ -1656,6 +1663,7 @@
       "supply-chain-integrity"
     ],
     "evidence_cves": [
+      "CVE-2024-3094",
       "MAL-2026-NODE-IPC-STEALER"
     ],
     "framework_controls_partially_addressing": [
@@ -1688,7 +1696,9 @@
       "sector-federal-government",
       "supply-chain-integrity"
     ],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "MAL-2026-TANSTACK-MINI"
+    ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SA-12",
       "NIST-800-53-SI-2",

package/data/framework-control-gaps.json

@@ -388,7 +388,8 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
-      "CVE-2026-45321"
+      "CVE-2026-45321",
+      "MAL-2026-SHAI-HULUD-OSS"
     ],
     "atlas_refs": [
       "AML.T0010",
@@ -724,10 +725,14 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
+      "CVE-2024-3094",
       "CVE-2026-42897",
+      "CVE-2026-42945",
       "CVE-2026-45321",
       "MAL-2026-3083",
-      "MAL-2026-NODE-IPC-STEALER"
+      "MAL-2026-NODE-IPC-STEALER",
+      "MAL-2026-SHAI-HULUD-OSS",
+      "MAL-2026-TANSTACK-MINI"
     ],
     "atlas_refs": [
       "AML.T0010",
@@ -1099,6 +1104,7 @@
     "status": "open",
     "opened_date": "2026-04-01",
     "evidence_cves": [
+      "CVE-2024-3094",
       "CVE-2026-30615"
     ],
     "atlas_refs": [
@@ -1135,7 +1141,9 @@
     "evidence_cves": [
       "CVE-2026-0300",
       "CVE-2026-31431",
-      "CVE-2026-46300"
+      "CVE-2026-42945",
+      "CVE-2026-46300",
+      "CVE-2026-46333"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -1314,6 +1322,7 @@
       "CVE-2026-39884",
       "CVE-2026-45321",
       "CVE-2026-46300",
+      "CVE-2026-46333",
       "MAL-2026-3083"
     ],
     "atlas_refs": [],
@@ -1699,9 +1708,11 @@
       "CVE-2026-32202",
       "CVE-2026-33825",
       "CVE-2026-42897",
+      "CVE-2026-42945",
       "CVE-2026-43284",
       "CVE-2026-43500",
       "CVE-2026-46300",
+      "CVE-2026-46333",
       "CVE-2026-6973"
     ],
     "atlas_refs": [],
@@ -2316,9 +2327,11 @@
     "status": "open",
     "opened_date": "2026-05-11",
     "evidence_cves": [
+      "CVE-2024-3094",
       "CVE-2026-45321",
       "MAL-2026-3083",
-      "MAL-2026-NODE-IPC-STEALER"
+      "MAL-2026-NODE-IPC-STEALER",
+      "MAL-2026-SHAI-HULUD-OSS"
     ],
     "atlas_refs": [
       "AML.T0010",
@@ -3653,7 +3666,8 @@
     "status": "open",
     "opened_date": "2026-05-15",
     "evidence_cves": [
-      "CVE-2026-0300"
+      "CVE-2026-0300",
+      "CVE-2026-42945"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -3689,7 +3703,9 @@
     "evidence_cves": [
       "CVE-2026-0300",
       "CVE-2026-42897",
-      "CVE-2026-46300"
+      "CVE-2026-42945",
+      "CVE-2026-46300",
+      "CVE-2026-46333"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -3963,7 +3979,9 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
-      "CVE-2026-46300"
+      "CVE-2026-46300",
+      "CVE-2026-46333",
+      "MAL-2026-SHAI-HULUD-OSS"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -3994,7 +4012,8 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
-      "CVE-2026-46300"
+      "CVE-2026-46300",
+      "CVE-2026-46333"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -4025,7 +4044,8 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
-      "CVE-2026-46300"
+      "CVE-2026-46300",
+      "CVE-2026-46333"
     ],
     "atlas_refs": [
       "AML.T0010"
@@ -4058,7 +4078,9 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
-      "MAL-2026-NODE-IPC-STEALER"
+      "MAL-2026-NODE-IPC-STEALER",
+      "MAL-2026-SHAI-HULUD-OSS",
+      "MAL-2026-TANSTACK-MINI"
     ],
     "atlas_refs": [
       "AML.T0010",

package/data/playbooks/ai-api.json

@@ -51,6 +51,11 @@
         "playbook_id": "mcp",
         "condition": "finding.includes_mcp_server_credential_exposure == true"
       }
+    ],
+    "fed_by": [
+      "llm-tool-use-exfil",
+      "mcp",
+      "sbom"
     ]
   },
   "domain": {