@blamejs/exceptd-skills 0.12.9 → 0.12.10

package/data/cwe-catalog.json

@@ -1302,5 +1302,39 @@
     "real_requirement": "Argon2id (memory-hard, RFC 9106) with tuned m/t/p; scrypt as fallback; bcrypt with work factor ≥ 12 acceptable for legacy. PBKDF2 only with iteration count ≥ 600,000 (NIST SP 800-63B 2022 update).",
     "lag_notes": "SP 800-63B updated iteration guidance in 2022; many compliance attestations still cite the 2017 numbers. Argon2id is RFC-9106 (2021) but absent from FIPS-approved lists, creating policy friction in federal contexts.",
     "last_verified": "2026-05-13"
+  },
+  "CWE-506": {
+    "id": "CWE-506",
+    "name": "Embedded Malicious Code",
+    "abstraction": "Class",
+    "category": "Supply Chain",
+    "description": "The application contains code that appears to perform a legitimate function but actually contains a payload that performs an additional, attacker-controlled action — typically credential theft, persistence, or remote loader logic. The class covers package-registry malware (PyPI / npm / RubyGems / Cargo / Maven typosquats, compromised maintainer accounts, forged-release-via-CI vectors).",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000"],
+    "related_attack_patterns_capec": ["CAPEC-442", "CAPEC-446", "CAPEC-538"],
+    "skills_referencing": ["library-author", "supply-chain-integrity"],
+    "evidence_cves": ["CVE-2026-45321", "MAL-2026-3083"],
+    "framework_controls_partially_addressing": ["NIST-800-53-SA-12", "NIST-800-218-PS.1", "ISO-27001-2022-A.8.30", "SLSA-Level-3"],
+    "real_requirement": "Provenance attestation at install time (Sigstore, in-toto, SLSA L3+); registry-side malware scanning on every uploaded artifact; install-time .pth / postinstall / preinstall hook auditing; differential analysis between consecutive releases of the same package (added files, new network egress, new file reads); cooldown periods on new releases of high-download packages so registry scanners and community detection have time to fire before mass install.",
+    "lag_notes": "SA-12 contemplates the traditional supply chain but does not require differential-analysis between adjacent releases. The elementary-data 0.23.3 attack (April 2026) added exactly one file (a `.pth` install-time payload) versus 0.23.2 — a difference any naive diff would catch but no registry-side scanner currently runs at upload time by default.",
+    "last_verified": "2026-05-13"
+  },
+  "CWE-88": {
+    "id": "CWE-88",
+    "name": "Improper Neutralization of Argument Delimiters in a Command",
+    "abstraction": "Base",
+    "category": "Injection",
+    "description": "The product constructs a string for a downstream command (typically by concatenating user input into a shell command line, then splitting on whitespace to argv) without escaping argument-delimiter characters. Distinguished from CWE-77 (Command Injection) by the narrower attack surface: the attacker cannot run arbitrary commands but CAN inject additional flags / arguments to a command the application already invokes, which is often sufficient to break the security model (redirect kubectl to attacker-control, change kubectl namespace, etc.).",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000", "CWE-1003"],
+    "related_attack_patterns_capec": ["CAPEC-460"],
+    "skills_referencing": ["mcp-agent-trust", "container-runtime-security"],
+    "evidence_cves": ["CVE-2026-39884"],
+    "framework_controls_partially_addressing": ["NIST-800-53-SI-10"],
+    "real_requirement": "Pass arguments to spawned processes as an array, not a string. When a string-form command is unavoidable, use the runtime's argument-list API (Node `child_process.spawn(cmd, argsArray)`, Python `subprocess.run([cmd, ...args])`) or a vetted escape function. Linter rule that flags any `.split(' ')` followed by `spawn`/`exec` on user-tainted input.",
+    "lag_notes": "SI-10 addresses input validation categorically but does not specify the argv-vs-string boundary that argument injection exploits. Many MCP servers and CI runners string-concatenate user input into shell commands without registering this as a code-review failure mode.",
+    "last_verified": "2026-05-13"
   }
 }

package/data/playbooks/library-author.json

@@ -757,6 +757,20 @@
           "deterministic": true,
           "attack_ref": "T1195.002"
         },
+        {
+          "id": "gha-workflow-script-injection-sink",
+          "type": "file_path",
+          "value": "Within the release-workflows artifact (any file under .github/workflows/*.yml): a `run:` shell script body directly interpolates an attacker-controllable github.event field — ${{ github.event.comment.body }}, ${{ github.event.issue.body }}, ${{ github.event.issue.title }}, ${{ github.event.pull_request.body }}, ${{ github.event.pull_request.title }}, ${{ github.event.review.body }}, ${{ github.event.head_commit.message }}, ${{ github.head_ref }}, ${{ github.event.discussion.body }}, ${{ github.event.discussion.title }} — without first capturing the value into an env: variable. Grep regex (multi-line YAML aware): `run:\\s*\\|[\\s\\S]*?\\$\\{\\{\\s*github\\.(event\\.(comment|issue|pull_request|review|head_commit|discussion)\\.|head_ref)`. Corroborate via the branch-tag-protection artifact: if any workflow with this sink also triggers on `pull_request_target` / `issue_comment` / `pull_request_review_comment` AND its job has `permissions: contents: write` (or unrestricted GITHUB_TOKEN), the sink is exploitable by any GitHub user who can comment on the repo.",
+          "description": "GitHub Actions script-injection sink. Elementary-data 0.23.3 (April 2026) was forged via this exact pattern — `${{ github.event.comment.body }}` interpolated into a `run:` block in update_pylon_issue.yml, escalated via the workflow's GITHUB_TOKEN to publish a malicious release. Without this indicator, a publisher account compromise via attacker-controlled comments looks identical to a clean release at the consumer side.",
+          "confidence": "deterministic",
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "If the run: block reads the github.event field via an `env:` variable first (env: COMMENT_BODY: ${{ github.event.comment.body }}) and then references $COMMENT_BODY in the shell — that is the documented-safe pattern; demote to miss.",
+            "If the workflow only runs in a sandboxed `pull_request` event (not `pull_request_target`) AND has default `permissions: contents: read` AND does not use secrets.* — the sink is not exploitable; demote to miss."
+          ],
+          "attack_ref": "T1195.001",
+          "cve_ref": "MAL-2026-3083"
+        },
         {
           "id": "publish-workflow-no-id-token-write",
           "type": "file_path",

package/data/zeroday-lessons.json

@@ -1,7 +1,7 @@
 {
   "_meta": {
     "schema_version": "1.0.0",
-    "last_updated": "2026-05-01",
+    "last_updated": "2026-05-13",
     "purpose": "Zero-day learning loop output. Each entry maps a CVE to: attack vector, defense chain analysis, framework coverage, new control requirements generated, and exposure scoring.",
     "note": "Never delete entries. Closed gaps are marked status: closed. History is data.",
     "tlp": "CLEAR",
@@ -466,5 +466,227 @@
       "basis": "SLSA L3 + provenance + signing all pass on the malicious package. Standard supply-chain audits (SBOM check, provenance verify, signature verify) all give green. The architectural pre-condition (pull_request_target + id-token:write + shared actions/cache) is not in any compliance framework's control catalog. Combined ~150M+ weekly downloads across 42 packages = extremely broad exposure.",
       "theater_pattern": "provenance_signed_therefore_safe"
     }
+  },
+  "MAL-2026-3083": {
+    "name": "Elementary-Data PyPI Worm (Forged Release via GitHub Actions Script Injection)",
+    "lesson_date": "2026-05-13",
+    "attack_vector": {
+      "description": "GitHub Actions script-injection sink in `.github/workflows/update_pylon_issue.yml`. The workflow interpolated `${{ github.event.comment.body }}` directly into a `run:` block — any commenter could execute attacker-controlled shell with the workflow's elevated GITHUB_TOKEN. The attacker forged an orphan commit (b1e4b1f3...) and tagged v0.23.3, causing the project's legitimate publishing pipeline to emit a properly-signed PyPI release of code the maintainers never saw. The wheel differed from 0.23.2 by exactly one file: an `elementary.pth` Python startup hook that auto-executed on every interpreter invocation and harvested cloud + dbt + git credentials, exfiltrating to a single subdomain on skyhanni.cloud during an 8-hour in-the-wild window (2026-04-24 22:20Z → 2026-04-25 ~06:30Z).",
+      "privileges_required": "Any GitHub account that can comment on a public PR or issue in the target repo.",
+      "complexity": "low — comment-driven; no maintainer access required",
+      "ai_factor": "None observed. Conventional GitHub Actions script-injection tradecraft. The compounding factor is workflow-shaped: `${{ github.event.* }}` interpolated directly into `run:` is a documented anti-pattern, but it remains widespread."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Treat `${{ github.event.* }}` as untrusted; pass it via env: into the script body rather than interpolating directly. Forbid workflows triggered by issue_comment / pull_request_target from holding `contents: write` permissions. Block release tags whose target is not an ancestor of the default branch (orphan-commit-driven release detection).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Architectural — eliminates the primitive entirely. Auditing every workflow file for the anti-pattern is the hard part; this is what the library-author playbook's `gha-workflow-script-injection-sink` indicator looks for."
+      },
+      "detection": {
+        "what_would_have_worked": "Consumer-side fresh-publish cooldown (PyPI's pip --require-hashes against a known-good lockfile, or registry-mirror cooldown windows). Comparison-by-content: any pip install of a major-version-pinned package returning a wheel whose extracted contents differ from the previous patch version by an added .pth file should fail loud.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Defense in depth — the malicious 0.23.3 was caught within hours. A 24-72h cooldown would have shielded most consumers."
+      },
+      "response": {
+        "what_would_have_worked": "Rotate every credential under the credential_paths_scanned list for any host that pip-installed elementary-data during the 8h window — dbt warehouse creds especially. The package was yanked, but extracted .pth files persist on disk until the affected venv is wiped.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Reduces blast radius post-exploitation. Upgrading to 0.23.4 does NOT remove the planted elementary.pth from the existing site-packages — a venv recreate is required."
+      }
+    },
+    "framework_coverage": {
+      "SLSA-L3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Provenance valid, payload malicious — same shape as CVE-2026-45321. SLSA-L3 attests WHICH pipeline built the artifact, not that the pipeline was driven by trusted inputs."
+      },
+      "NIST-800-53-SA-12": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Supply chain protection treats signed release as the trust anchor. The signature was valid; the input to the signing pipeline was attacker-controlled."
+      },
+      "NIST-800-218-PO.4": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Define and use secure development security checks. Direct interpolation of github.event.* into run: scripts is a documented anti-pattern but is not framework-enforced."
+      },
+      "EU-CRA-Art13": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Vulnerability handling provisions don't address the case where the maintainer was an unwitting publisher."
+      },
+      "NIS2-Art21-2d": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Supply chain risk management presumes detectable signal at consumption. Valid signature neutralizes consumer-side checks."
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-011",
+        "name": "GHA-WORKFLOW-SCRIPT-INJECTION-SINK-BAN",
+        "description": "Forbid direct interpolation of `${{ github.event.* }}` (comment.body, issue.body, review.body, pull_request.title, head_ref, etc.) into any `run:` block. Pass via `env:` so the shell sees a quoted variable, not an interpolated string. Enforced via repository linter / required CI check.",
+        "evidence": "MAL-2026-3083 — the entire compromise hinges on this single primitive; no other infrastructure was breached.",
+        "gap_closes": [
+          "NIST-800-218-PO.4",
+          "SLSA-L3"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-012",
+        "name": "ORPHAN-COMMIT-RELEASE-DETECTION",
+        "description": "Reject release tags whose target commit is not reachable from the default branch (`git merge-base --is-ancestor`). Forged orphan-commit releases are a signature of the maintainer-impersonation supply chain pattern.",
+        "evidence": "MAL-2026-3083 — the malicious release pointed at orphan commit b1e4b1f3aad0d489ab0e9208031c67402bbb8480, never on main.",
+        "gap_closes": [
+          "NIST-800-53-SA-12",
+          "EU-CRA-Art13"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 92,
+      "basis": "PyPI signature + maintainer trust + provenance all pass on the malicious package. Audit programs measure SBOM presence, package-signing posture, and dependency-pin discipline — none of which catch a maintainer's own pipeline being weaponized via a comment. ~1.1M monthly downloads broaden the consumer footprint.",
+      "theater_pattern": "signed_release_therefore_safe"
+    }
+  },
+  "CVE-2026-42208": {
+    "name": "BerriAI LiteLLM Proxy Auth SQL Injection",
+    "lesson_date": "2026-05-13",
+    "attack_vector": {
+      "description": "Authorization header value passed directly into a SQL query in the LiteLLM proxy's auth path. Crafted bearer-token-shape strings reach an error-logging pathway that executes SQL with the attacker-controlled value as a string-concatenated parameter — full pre-auth read/modify of the managed-credentials database. CISA KEV-listed 2026-05-08; in-wild exploitation evidence is the listing criterion.",
+      "privileges_required": "Network reachability to the LiteLLM proxy endpoint. No prior authentication.",
+      "complexity": "low — curl-able. POST /chat/completions with a SQLi payload in Authorization.",
+      "ai_factor": "Conventional human-security-research SQLi tradecraft. AI-stack relevance is downstream: LiteLLM IS the gateway in front of the model-provider keys that operators DO NOT want exfiltrated. The vulnerability is conventional; the impact class is AI-infrastructure."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Parameterised queries throughout the auth path — no caller-supplied string ever string-concatenated into SQL. The 1.83.7 patch is exactly this: caller-supplied value becomes a SQL parameter, not part of the statement.",
+        "was_this_required": false,
+        "framework_requiring_it": "NIST-800-53-SI-10",
+        "adequacy": "Eliminates the class. SI-10's text requirement is satisfied by 'we validate inputs' regardless of whether the validation runs before the parameter binding — the framework gap is operational, not conceptual."
+      },
+      "detection": {
+        "what_would_have_worked": "WAF rule on Authorization headers containing SQL metacharacters or exceeding 100 bytes of non-base64-shape characters. LiteLLM error logs surface the injection string verbatim pre-1.83.7 — a log-pattern alert would have fired on the first probe.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Detection layer. Operators running LiteLLM behind a default-deny WAF would not have been compromised."
+      },
+      "response": {
+        "what_would_have_worked": "Rotate every virtual key minted on the proxy since the patch ship date. Rotate every model-provider key the proxy held (openai, anthropic, etc.). Rotate LITELLM_MASTER_KEY and DATABASE_URL credentials. Audit LiteLLM_VerificationToken / LiteLLM_UserTable for admin-event-less inserts.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Reduces blast radius post-exploitation. The DB primitive is read+write — assume tampering, not just disclosure."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation control doesn't address argument-vs-statement distinction in SQL libraries."
+      },
+      "OWASP-LLM01": {
+        "covered": false,
+        "adequate": false,
+        "gap": "Prompt-injection control set doesn't address the AI-PROXY backend SQL surface — LiteLLM is the substrate that gates LLM API access, not the LLM itself."
+      },
+      "EU-AI-Act-Art-15": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Robustness + cybersecurity requirement is undefined operationally for AI gateway infrastructure."
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-013",
+        "name": "AI-GATEWAY-CREDENTIAL-STORE-ISOLATION",
+        "description": "AI-API gateway substrates (LiteLLM, Portkey, Helicone, similar) must isolate the managed-credentials DB on a network segment unreachable from the API plane. The auth path may read but the API plane MUST NOT have raw-SQL connectivity to the credential store.",
+        "evidence": "CVE-2026-42208 — a single SQLi reaches the entire model-provider credential vault because the API plane and credential store share a process.",
+        "gap_closes": [
+          "OWASP-LLM01",
+          "EU-AI-Act-Art-15"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 75,
+      "basis": "SI-10 audits accept 'we validate inputs' as compliance. Most operators run LiteLLM internet-reachable behind a thin proxy without a SQL-injection-aware WAF. KEV listing imposes a 21-day patch SLA on federal orgs; private-sector adoption lags.",
+      "theater_pattern": "input_validation_checkbox_without_parameterised_queries"
+    }
+  },
+  "CVE-2026-39884": {
+    "name": "Flux159 mcp-server-kubernetes Argument Injection via port_forward",
+    "lesson_date": "2026-05-13",
+    "attack_vector": {
+      "description": "AI assistant invokes the mcp-server-kubernetes `port_forward` MCP tool with a tainted resourceName (e.g. 'pod-name --address=0.0.0.0'). The server builds a string-form kubectl command and uses `.split(' ')` instead of an argv array, so the attacker-controlled flag lands as a distinct argv entry to kubectl. `--address=0.0.0.0` binds the port-forward to all interfaces; `-n kube-system` redirects to attacker-chosen namespaces. Exploitation is mediated by the AI assistant — adversarial input via prompt injection in retrieved docs / commit messages / upstream MCP tool responses is the upstream gate.",
+      "privileges_required": "AI assistant with mcp-server-kubernetes installed and port_forward enabled. Attacker needs only to influence the AI's input (PR comment, doc, retrieved RAG chunk).",
+      "complexity": "low — once the tainted string is in the AI's context, the tool call propagates it unchanged.",
+      "ai_factor": "AI-assistant-mediated argument injection. The vuln is conventional argv-injection; the AI is the channel that converts adversarial document content into infrastructure-tool flags."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "argv-array spawn — `execFile('kubectl', ['port-forward', resourceName, ...])` with no `.split(' ')` and no shell interpretation. The 3.5.0 patch does exactly this.",
+        "was_this_required": false,
+        "framework_requiring_it": "NIST-800-53-SI-10",
+        "adequacy": "Architectural fix — the class disappears."
+      },
+      "detection": {
+        "what_would_have_worked": "MCP audit log alerting on port_forward tool calls where resourceName contains whitespace or kubectl flag prefixes (`--`, `-n`). Process-level alerting on kubectl port-forward processes with --address=0.0.0.0 on hosts that should only port-forward to localhost.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Detection layer — catches the exploit attempt before the listener binds externally."
+      },
+      "response": {
+        "what_would_have_worked": "Disable the port_forward tool in the MCP allowlist until upgraded to 3.5.0+. Most operator deployments don't rely on port_forward for routine work.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Effective tool-disable mitigation; low operator cost."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation control doesn't address the argv-vs-string boundary that argument injection exploits."
+      },
+      "OWASP-LLM01": {
+        "covered": false,
+        "adequate": false,
+        "gap": "Prompt-injection control set doesn't model the AI-assistant-as-channel pattern — the attacker doesn't compromise the MCP server, they feed adversarial input that the AI dutifully passes through."
+      },
+      "NIS2-Art21-2g": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Patch management presumes traditional CVE timelines; MCP plugin ecosystem patch awareness lags."
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-014",
+        "name": "MCP-SERVER-ARGV-NOT-SHELLSTRING",
+        "description": "MCP servers spawning subprocesses MUST use argv-array spawn primitives (execFile / spawn with array args / posix_spawn) — never .split(' ') or shell concatenation of caller-supplied input. Treats every MCP tool argument as untrusted by default.",
+        "evidence": "CVE-2026-39884 — the entire vulnerability is .split(' ') on a caller-supplied string. The 3.5.0 patch is the argv-array refactor.",
+        "gap_closes": [
+          "NIST-800-53-SI-10",
+          "OWASP-LLM01"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-015",
+        "name": "MCP-TOOL-ALLOWLIST-ENFORCEMENT",
+        "description": "AI agent stacks must enforce an explicit allowlist of MCP tools — tools default to denied. High-risk tools (port_forward, exec, write_file, shell, kubectl) require operator consent per session.",
+        "evidence": "CVE-2026-39884 — temporary mitigation is exactly 'disable port_forward in the allowlist'. The control closes the class across future MCP plugins.",
+        "gap_closes": [
+          "OWASP-LLM01",
+          "NIS2-Art21-2g"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 88,
+      "basis": "MCP ecosystem patch hygiene lags traditional CVE timelines. Most AI-agent operators do not maintain an explicit MCP tool allowlist; SI-10 audits accept the MCP plugin as a vendored dependency without auditing its argv handling.",
+      "theater_pattern": "vendored_mcp_plugin_inherits_vendor_trust"
+    }
   }
 }

package/lib/refresh-external.js

@@ -118,21 +118,25 @@ Modes:
   --from-cache [<p>] read from prefetch cache (default .cache/upstream).
                      Combine with --apply to upsert against cached data
                      entirely offline. Cache must be pre-populated via --prefetch.
-  --source kev,epss  scope to a comma-separated list (kev|epss|nvd|rfc|pins)
+  --source kev,epss  scope to a comma-separated list (kev|epss|nvd|rfc|pins|ghsa|osv)
   --from-fixture <p> use frozen fixture payloads (tests use this path)
   --indexes-only     rebuild data/_indexes/ only; no network. Equivalent to
                      \`exceptd refresh --indexes-only\`.
   --swarm            fan out sources across worker threads. Best with --from-cache.
-  --advisory <id>    (v0.12.0) seed a single catalog entry from a CVE or GHSA ID.
-                     Fetches from GitHub Advisory Database (covers npm + PyPI +
-                     Maven + Go + ...) and writes a DRAFT to data/cve-catalog.json
-                     marked with _auto_imported: true. Editorial fields
-                     (framework_control_gaps, iocs, atlas_refs, attack_refs)
-                     remain null pending review via:
+  --advisory <id>    (v0.12.0) seed a single catalog entry from an advisory ID.
+                     CVE-* and GHSA-* route through the GitHub Advisory
+                     Database. MAL-*, SNYK-*, RUSTSEC-*, USN-*, UVI-*, GO-*,
+                     MGASA-*, PYSEC-*, and other OSV-native namespaces route
+                     through OSV.dev (v0.12.10). Writes a DRAFT to
+                     data/cve-catalog.json marked with _auto_imported: true.
+                     Editorial fields (framework_control_gaps, iocs,
+                     atlas_refs, attack_refs) remain null pending review via:
                        exceptd run cve-curation --advisory <id>
                      Examples:
                        exceptd refresh --advisory CVE-2026-45321
                        exceptd refresh --advisory GHSA-xxxx-xxxx-xxxx --apply
+                       exceptd refresh --advisory MAL-2026-3083
+                       exceptd refresh --advisory RUSTSEC-2025-0001
 
 Sources (default = all):
   kev   CISA Known Exploited Vulnerabilities
@@ -143,6 +147,10 @@ Sources (default = all):
   ghsa  (v0.12.0) GitHub Advisory Database — npm/PyPI/Maven/etc. Lands new CVE
         IDs as DRAFTS (_auto_imported: true); catalog validator treats drafts
         as warnings, not errors. Editorial review still required.
+  osv   (v0.12.10) OSV.dev aggregator — OSSF Malicious Packages (MAL-*) + Snyk
+        + GHSA + RustSec + Mageia + Go Vuln DB + Ubuntu USN. Unauthenticated.
+        Use --advisory MAL-* / RUSTSEC-* / SNYK-* / USN-* to seed a single
+        draft. Bulk import via package watchlist is a v0.13 follow-up.
 
 Air-gap workflow:
   1. On a connected host:   \`exceptd refresh --prefetch\`
@@ -526,6 +534,48 @@ const GHSA_SOURCE = {
   },
 };
 
+/**
+ * v0.12.10: OSV.dev source. Aggregates OSSF Malicious Packages (MAL-*) +
+ * Snyk (SNYK-*) + GitHub Advisory Database + RustSec (RUSTSEC-*) + Mageia
+ * + Go Vuln DB + Ubuntu USN into one unauthenticated API. Slot in for the
+ * package-compromise class that doesn't have a CVE yet — the MAL-*
+ * namespace is the canonical key for those (e.g. MAL-2026-3083, the
+ * elementary-data PyPI worm).
+ *
+ * Apply path mirrors GHSA: new entries land in data/cve-catalog.json as
+ * drafts (`_auto_imported: true` + `_draft: true`). Catalog key is either
+ * the CVE alias (when present) or the OSV id verbatim — preserving the
+ * existing CVE-keyed convention while accepting OSV's broader identifier
+ * shapes.
+ */
+const OSV_SOURCE = {
+  name: "osv",
+  description: "OSV.dev — OSSF Malicious Packages (MAL-*) + Snyk + GHSA + RustSec + Mageia + Go Vuln DB + Ubuntu USN. Unauthenticated. Slot in for the broader supply-chain-class disclosure space — covers package compromises that don't have CVEs yet.",
+  applies_to: "data/cve-catalog.json",
+  async fetchDiff(ctx) {
+    if (ctx.fixtures?.osv) return synthesizeFromFixture(ctx, "osv");
+    const osv = require("./source-osv");
+    return osv.buildDiff(ctx);
+  },
+  async applyDiff(ctx, diffs) {
+    // Same shape as GHSA applyDiff — skip overwrites, surface conflicts.
+    let updated = 0;
+    const errors = [];
+    for (const d of diffs) {
+      if (d.field !== "_new_entry") continue;
+      if (!d.after || !d.id) continue;
+      if (ctx.cveCatalog[d.id]) continue; // never overwrite existing entries
+      try {
+        ctx.cveCatalog[d.id] = d.after;
+        updated++;
+      } catch (e) {
+        errors.push(`${d.id}: ${e.message}`);
+      }
+    }
+    return { updated, errors };
+  },
+};
+
 const ALL_SOURCES = {
   kev: KEV_SOURCE,
   epss: EPSS_SOURCE,
@@ -533,6 +583,7 @@ const ALL_SOURCES = {
   rfc: RFC_SOURCE,
   pins: PINS_SOURCE,
   ghsa: GHSA_SOURCE,
+  osv: OSV_SOURCE,
 };
 
 // --- Cache-mode helpers ------------------------------------------------
@@ -746,7 +797,7 @@ function loadCtx(opts) {
     cacheDir: null,
   };
   if (opts.fromFixture) {
-    ctx.fixtures = { dir: path.resolve(opts.fromFixture), kev: true, epss: true, nvd: true, rfc: true, pins: true, ghsa: true };
+    ctx.fixtures = { dir: path.resolve(opts.fromFixture), kev: true, epss: true, nvd: true, rfc: true, pins: true, ghsa: true, osv: true };
   } else if (opts.fromCache) {
     const abs = path.resolve(opts.fromCache);
     ctx.cacheDir = abs;
@@ -799,11 +850,20 @@ function chosenSources(opts) {
  * when a draft is produced, signaling that editorial review is needed.
  */
 async function seedSingleAdvisory(opts) {
-  const ghsa = require("./source-ghsa");
   const id = opts.advisory;
-  const result = await ghsa.fetchAdvisoryById(id, {});
+  // v0.12.10: route OSV-native ids (MAL-*, SNYK-*, RUSTSEC-*, USN-*, etc.)
+  // through source-osv. CVE-* and GHSA-* keep routing through GHSA because
+  // GHSA carries richer field coverage for those identifier shapes.
+  const osvMod = require("./source-osv");
+  const useOsv = osvMod.isOsvId(id) && !/^GHSA-/i.test(id);
+  const ghsa = require("./source-ghsa");
+  const sourceMod = useOsv ? osvMod : ghsa;
+  const sourceName = useOsv ? "osv" : "ghsa";
+  const fixtureEnv = useOsv ? "EXCEPTD_OSV_FIXTURE" : "EXCEPTD_GHSA_FIXTURE";
+
+  const result = await sourceMod.fetchAdvisoryById(id, {});
   if (!result.ok) {
-    const err = { ok: false, verb: "refresh", error: `--advisory ${id}: ${result.error}`, source: result.source, hint: "Verify the ID format (CVE-YYYY-NNNN or GHSA-*) and network reachability. Set EXCEPTD_GHSA_FIXTURE for offline testing." };
+    const err = { ok: false, verb: "refresh", error: `--advisory ${id}: ${result.error}`, source: result.source, routed_to: sourceName, hint: `Verify the ID format (CVE-YYYY-NNNN, GHSA-*, MAL-*, SNYK-*, RUSTSEC-*, USN-*, etc.) and network reachability. Set ${fixtureEnv} for offline testing.` };
     if (opts.json) process.stdout.write(JSON.stringify(err) + "\n");
     else process.stderr.write(`[refresh --advisory] ${err.error}\n  hint: ${err.hint}\n`);
     process.exitCode = 2;
@@ -811,15 +871,15 @@ async function seedSingleAdvisory(opts) {
   }
   const advisory = result.advisories[0];
   if (!advisory) {
-    const err = { ok: false, verb: "refresh", error: `--advisory ${id}: no matching advisory found`, source: result.source };
+    const err = { ok: false, verb: "refresh", error: `--advisory ${id}: no matching advisory found`, source: result.source, routed_to: sourceName };
     if (opts.json) process.stdout.write(JSON.stringify(err) + "\n");
     else process.stderr.write(`[refresh --advisory] ${err.error}\n`);
     process.exitCode = 2;
     return;
   }
-  const normalized = ghsa.normalizeAdvisory(advisory);
+  const normalized = sourceMod.normalizeAdvisory(advisory);
   if (!normalized) {
-    const err = { ok: false, verb: "refresh", error: `--advisory ${id}: advisory has no CVE ID (GHSA-only entries are not imported into the CVE catalog in v0.12)`, ghsa_id: advisory.ghsa_id || null };
+    const err = { ok: false, verb: "refresh", error: `--advisory ${id}: advisory could not be normalized (missing required fields)`, routed_to: sourceName, source_id: advisory.ghsa_id || advisory.id || null };
     if (opts.json) process.stdout.write(JSON.stringify(err) + "\n");
     else process.stderr.write(`[refresh --advisory] ${err.error}\n`);
     process.exitCode = 2;