@blamejs/exceptd-skills 0.13.0 → 0.13.1

package/data/attack-techniques.json

@@ -139,6 +139,7 @@
       "CVE-2026-43284",
       "CVE-2026-43500",
       "CVE-2026-46300",
+      "CVE-2026-46333",
       "CVE-2026-6973"
     ]
   },
@@ -154,7 +155,8 @@
       "CVE-2026-39884",
       "CVE-2026-42897",
       "CVE-2026-6973",
-      "MAL-2026-NODE-IPC-STEALER"
+      "MAL-2026-NODE-IPC-STEALER",
+      "MAL-2026-SHAI-HULUD-OSS"
     ]
   },
   "T1078.001": {
@@ -252,7 +254,8 @@
       "CVE-2024-3094",
       "CVE-2026-45321",
       "MAL-2026-3083",
-      "MAL-2026-NODE-IPC-STEALER"
+      "MAL-2026-NODE-IPC-STEALER",
+      "MAL-2026-SHAI-HULUD-OSS"
     ]
   },
   "T1199": {
@@ -273,7 +276,10 @@
   },
   "T1485": {
     "name": "Data Destruction",
-    "version": "v19"
+    "version": "v19",
+    "cve_refs": [
+      "MAL-2026-SHAI-HULUD-OSS"
+    ]
   },
   "T1486": {
     "name": "Data Encrypted for Impact",
@@ -424,7 +430,10 @@
   },
   "T1567": {
     "name": "Exfiltration Over Web Service",
-    "version": "v19"
+    "version": "v19",
+    "cve_refs": [
+      "MAL-2026-SHAI-HULUD-OSS"
+    ]
   },
   "T1568": {
     "name": "Dynamic Resolution",

package/data/cve-catalog.json

@@ -37,7 +37,13 @@
     "vendor_advisory_field_added": "2026-05-11",
     "vendor_advisory_note": "Each CVE carries a structured vendor_advisories array (vendor, advisory_id, url, severity, published_date) for downstream consumers that route by vendor advisory. Unknown advisory IDs are null with the canonical vendor CVE-resolver URL — never fabricated. Existing free-form references are preserved in verification_sources; vendor_advisories is additive.",
     "active_exploitation_vocabulary": {
-      "values": ["confirmed", "suspected", "theoretical", "none", "unknown"],
+      "values": [
+        "confirmed",
+        "suspected",
+        "theoretical",
+        "none",
+        "unknown"
+      ],
       "definitions": {
         "confirmed": "Active in-the-wild exploitation observed and attributed",
         "suspected": "Indicators consistent with exploitation; attribution incomplete",
@@ -49,7 +55,7 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.162,
+      "current_rate": 0.154,
       "current_floor_enforced_by_test": 0.15,
       "ladder_to_target": [
         0.15,
@@ -2096,7 +2102,11 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Same incident-class as CVE-2026-45321 (Mini Shai-Hulud); discovery by ecosystem detection across multiple firms (Snyk, Wiz, StepSecurity, Socket, Orca, JFrog) within minutes of the 2026-05-11 publish window. No AI-tool discovery attribution on the defender side. Source: https://snyk.io/blog/tanstack-npm-packages-compromised/.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields.",
+    "related_threats": [
+      "MAL-2026-SHAI-HULUD-OSS"
+    ],
+    "related_threats_note": "MAL-2026-TANSTACK-MINI is a Mini-Shai-Hulud-wave incident (Microsoft Security Research, 2026-05-11). The framework was open-sourced 2026-05-12 (MAL-2026-SHAI-HULUD-OSS) — TanStack predates the public release by ~24h. Same threat-actor authorship class; same registry-pivot tradecraft."
   },
   "MAL-2026-ANTHROPIC-MCP-STDIO": {
     "_draft": true,
@@ -3558,5 +3568,169 @@
     "remediation_status": "removed_from_registry",
     "remediation_note": "npm removed all 3 malicious versions (9.1.6, 9.2.3, 12.0.1) within ~2 hours of publication on 2026-05-14. Publisher account atiertant was deactivated. The expired-domain TTP (atlantis-software.net re-registered via Namecheap on 2026-05-07 after Jan 2025 expiry) remains the novel attack class to defend against — see zeroday-lessons NEW-CTRL-047 (PACKAGE-MAINTAINER-DOMAIN-EXPIRY-MONITORING).",
     "remediation_status_verified_at": "2026-05-16"
+  },
+  "CVE-2026-46333": {
+    "name": "ssh-keysign-pwn",
+    "type": "LPE-via-info-disclosure",
+    "cvss_score": 7,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "Operator estimate pending NVD enrichment. Local + low privilege + no UI + root file read + chained privesc via /etc/shadow → AC:H reflects the ~100-2000-attempt race window which lowers practical exploitation but does not gate it.",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "cisa_kev_due_date": null,
+    "poc_available": true,
+    "poc_description": "_SiCk published two working exploits within hours of the Qualys disclosure on 2026-05-14: one that reads /etc/ssh/ssh_host_*_key via ssh-keysign exit-race, one that reads /etc/shadow via chage -l exit-race. Both target the same kernel pidfd_getfd race; the setuid binary is the carrier, not the bug. ~100-2000 attempts succeed in practice — deterministic enough for adversary tradecraft.",
+    "ai_discovered": false,
+    "ai_discovery_notes": "Qualys Threat Research Unit human research. The underlying logic flaw was originally surfaced in a 2020 patch proposal by Jann Horn that was never merged; Qualys identified the exploitable consequence six years later.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "none",
+    "active_exploitation_notes": "No in-the-wild observations as of T+3 days post-disclosure. Two public PoCs (_SiCk). Expectation: KEV listing within weeks once exploitation observed; until then, theoretical-with-deterministic-PoC class.",
+    "affected": "Linux kernel — all distributions shipping a kernel built without the 2020 Jann Horn patch proposal (effectively every distribution for ~6 years until 2026-05-14). Confirmed affected: RHEL 7-10, AlmaLinux 8/9/10, CloudLinux 7h/8/9/10, Rocky Linux 8/9, Ubuntu 20.04-24.04 LTS (pre-USN), Debian 11-12 (pre-DSA), Amazon Linux 2/2023, SUSE 15. The setuid carrier binaries (ssh-keysign + chage) ship on every Linux system with OpenSSH and shadow-utils installed.",
+    "affected_versions": [
+      "linux-kernel < 7.0.8",
+      "linux-kernel < 6.18.31 (6.18.x branch)",
+      "linux-kernel < 6.12.89 (6.12.x branch)",
+      "linux-kernel < 6.6.139 (6.6.x branch)",
+      "linux-kernel < 6.1.173 (6.1.x branch)",
+      "linux-kernel < 5.15.207 (5.15.x branch)",
+      "linux-kernel < 5.10.256 (5.10.x branch)"
+    ],
+    "vector": "ptrace exit-race. exit_mm() runs before exit_files() during privileged-process shutdown. In the microsecond window between the two, task->mm == NULL while the fd table still holds the privileged file handles. The pre-fix __ptrace_may_access() skipped its get_dumpable() check when mm == NULL and silently authorized UID-matched access. An unprivileged attacker races ssh-keysign or chage exit, calls pidfd_getfd(2) to duplicate the still-open file descriptors, and reads /etc/ssh/ssh_host_*_key or /etc/shadow as if it were root. Yama ptrace_scope does NOT mitigate because the bypass is at the kernel access-check layer, not the LSM layer.",
+    "complexity": "race-condition",
+    "complexity_notes": "Race window is microseconds wide but the exploit loops automatically; 100-2000 attempts typically succeed. Once the fd is captured, the read is deterministic. Class similar to Dirty COW but file-read rather than file-write primitive.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "live_patch_tools": [
+      "KernelCare (in active build as of 2026-05-15; release ETA pending)"
+    ],
+    "live_patch_notes": "Upstream commit 31e62c2ebbfd (ptrace: slightly saner get_dumpable() logic) merged 2026-05-14. Kernel point releases 7.0.8 / 6.18.31 / 6.12.89 / 6.6.139 / 6.1.173 / 5.15.207 / 5.10.256 published 2026-05-15. Distribution backports: AlmaLinux 8/9/10 ALSA-2026:A008/A009/A010 (2026-05-16 production), CloudLinux 7h/8/9/10 (2026-05-15 beta / 2026-05-17 production). KernelCare livepatch in build; Canonical Livepatch / kpatch status not yet documented at T+3 days. RHEL backport not yet observed in primary sources; check access.redhat.com/security/cve.",
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "30-day critical patch SLA is an exploitation window for a Linux kernel LPE with two public PoCs. Reboot-required mitigation breaks the maintenance-window assumption built into SI-2 implementations.",
+      "ISO-27001-2022-A.8.8": "'Appropriate timescales' undefined; standard 30-day interpretation is unsafe for a kernel info-disclosure with public PoC. No requirement to track sysctl-based mitigation (kernel.user_ptrace=0) as a compensating control.",
+      "NIS2-Art21-patch-management": "Art. 21(2)(c) patch-management measures undefined for fast-cycle kernel LPEs with public PoC. No guidance on sysctl or SUID-removal as interim measures.",
+      "DORA-Art-9": "ICT incident management presumes vendor-patch cadence; reboot-required class breaks the standard SLA.",
+      "UK-CAF-B4": "System security principle silent on sysctl-based mitigation OR SUID-removal as compensating controls.",
+      "AU-ISM-1546": "Essential 8 patch-applications maturity ML3 = 48h is still long for a deterministic-with-loop kernel LPE; reboot-required nature compounds the maintenance-window cost.",
+      "ISO-27001-2022-A.5.7": "Threat-intelligence control collects feeds but does not require the operational pivot (sysctl kernel.user_ptrace=0) when intel shows a same-family CVE with public PoC."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1068"
+    ],
+    "rwep_score": 30,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "RWEP 30 today (T+3). Score will jump to 50 (+25 KEV) on CISA KEV listing — expected within weeks once exploitation observed. Reboot-required nature adds operator friction not captured in RWEP — practical exposure window is longer than the math suggests because reboot scheduling lags kernel-package availability. blast_radius 25 reflects every Linux host running setuid ssh-keysign or chage (every default OpenSSH + shadow-utils install). Live-patch credit deferred until KernelCare ships.",
+    "cwe_refs": [
+      "CWE-672",
+      "CWE-362"
+    ],
+    "source_verified": "2026-05-17",
+    "verification_sources": [
+      "https://cybersecuritynews.com/linux-kernel-vulnerability-ssh-keysign-pwn/",
+      "https://www.gotekky.com/guides/security/cve-2026-46333-ssh-keysign-pwn-linux-kernel/",
+      "https://blog.cloudlinux.com/ptrace-exit-race-cve-2026-46333-mitigation-and-kernel-update",
+      "https://almalinux.org/blog/2026-05-15-ssh-keysign-pwn-cve-2026-46333/",
+      "https://9to5linux.com/six-year-old-linux-kernel-flaw-lets-unprivileged-users-read-root-owned-files",
+      "https://www.phoronix.com/news/Linux-ssh-keysign-pwn",
+      "https://needhelp.icu/blogs/ssh-keysign-pwn",
+      "https://hackingpassion.com/ssh-keysign-pwn-cve-2026-46333/"
+    ],
+    "_draft": false,
+    "last_updated": "2026-05-17",
+    "discovery_attribution_note": "Qualys Threat Research Unit human research, publicly disclosed 2026-05-14. The underlying logic flaw was originally surfaced in a 2020 patch proposal by Jann Horn that was never merged; Qualys identified the exploitable consequence six years later. No AI involvement on either the discovery or weaponization side."
+  },
+  "MAL-2026-SHAI-HULUD-OSS": {
+    "name": "Shai-Hulud worm framework (TeamPCP open-source release)",
+    "type": "malicious-framework-release",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
+    "cvss_note": "CVSS scored as a malicious package family: AV:N (npm registry), PR:N (no auth required to install), UI:R (user runs npm install), S:C (developer workstation → cloud/registry/AI-assistant credential blast radius). Same severity profile as MAL-2026-TANSTACK-MINI and MAL-2026-NODE-IPC-STEALER. RWEP scoring captures the operational risk more accurately than CVSS for the framework class.",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "cisa_kev_due_date": null,
+    "poc_available": true,
+    "poc_description": "The framework IS the PoC — TeamPCP open-sourced the complete Shai-Hulud worm to GitHub on 2026-05-12 under MIT license, with deployment instructions. Repository naming pattern: \"A Gift From TeamPCP\". Associated accounts observed: agwagwagwa, headdirt, tmechen. Commit timestamps falsified to 2099-01-01 as an obfuscation marker. Modular TypeScript / Bun toolkit for credential harvesting + supply-chain poisoning + encrypted exfil; targets CI/CD pipelines and developer workstations. Within hours of release, Ox Security observed third-party copycat modifications already in deployment.",
+    "ai_discovered": false,
+    "ai_discovery_notes": "Threat-actor framework, not a discovery. TeamPCP describes the framework as \"vibe coded\" — operator-generated rather than AI-generated. Adoption-side: AI-coding-assistant config files (Claude Code, Cursor, Codeium, Anthropic CLI) are explicit exfil targets — the framework reads ~/.cursor/mcp.json, ~/.codeium/windsurf/mcp_config.json, ~/.claude/settings.json, and adds Claude Code startup hooks to execute the malware when Claude starts. AI-assistant-installed-but-not-AI-discovered.",
+    "ai_assisted_weaponization": true,
+    "ai_assist_weaponization_notes": "TeamPCP self-describes the codebase as \"vibe coded\" — AI-coding-assistant-mediated authoring. BreachForums + TeamPCP launched a $1,000 USD (Monero) bounty contest concurrent with the release, judged on downstream supply-chain impact, accelerating copycat weaponization.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Copycat modifications observed by Ox Security within hours of the 2026-05-12 release. Mini Shai-Hulud wave (Microsoft Security Research, 2026-05-11) compromised 170+ npm packages + 2 PyPI packages across 404 malicious versions. MAL-2026-TANSTACK-MINI in this catalog is an in-the-wild Shai-Hulud-class incident. Continuous active exploitation expected through 2026.",
+    "affected": "npm registry (170+ confirmed packages in May 2026 wave), PyPI (2 confirmed), GitHub Actions runners, developer workstations with credentials staged in ~/.aws, ~/.config/gcloud, ~/.kube, ~/.ssh, ~/.cursor, ~/.codeium, ~/.claude, ~/.npmrc. Any package-registry account whose maintainer workstation runs the framework. Any AI-assistant config file with API tokens or MCP server credentials.",
+    "affected_versions": [
+      "shai-hulud-framework all forks post-2026-05-12"
+    ],
+    "vector": "Self-replicating npm worm with maintainer-account-pivot. Phase 1: credential harvest via package post-install OR require-time activation (variant-dependent) reads cloud + AI-assistant + version-control configs from operator HOME. Phase 2: stolen npm token authenticates to registry as compromised maintainer; enumerates other packages owned by same maintainer; injects malware; publishes new compromised versions. Phase 3: encrypted exfil to attacker-controlled GitHub repos matching the \"A Gift From TeamPCP\" naming pattern + secondary C2 channels. Phase 4 (variant-dependent): local-environment wipe — destructive opt-in by attacker.",
+    "complexity": "turnkey post-source-release",
+    "complexity_notes": "Pre-2026-05-12 the framework required reverse-engineering effort by would-be operators. Post-release ships with deployment instructions; the BreachForums contest provides operational support. Barrier-to-entry collapsed from high (custom-tradecraft research) to low (clone + deploy).",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Patching does not apply — this is a malicious framework, not a vulnerability. Defensive posture is detection + ingestion-side blocking + maintainer credential rotation. npm tool-trust controls (--ignore-scripts, Verdaccio proxy, install-time hash pinning) reduce blast radius for consumers; do NOT protect maintainer-side compromise.",
+    "framework_control_gaps": {
+      "NIST-800-218-SSDF-PW.4": "PW.4 secure-development tooling assumes the maintainer workstation is trusted; Shai-Hulud invalidates by exfiltrating maintainer credentials BEFORE the malicious publish. SSDF has no compensating control for compromised-maintainer-republish.",
+      "NIST-800-53-SR-3": "SR-3 supply-chain risk management treats package-registry compromise as upstream risk; Shai-Hulud is maintainer-side compromise that LOOKS LIKE legitimate publish. SR-3 controls catch tampered upstream but not legitimately-authenticated malicious upstream.",
+      "EU-CRA-Art13": "CRA Article 13 vulnerability-handling treats malicious upgrades as outside scope; the framework explicitly targets the legitimate update channel.",
+      "NIS2-Art21-supply-chain": "Art. 21(2)(d) supply-chain risk measures undefined for self-replicating worm distribution. No guidance on maintainer-credential isolation or registry-side authentication monitoring.",
+      "DORA-Art28": "ICT third-party risk management presumes vendor due-diligence; OSS maintainer compromise is outside the vendor-contract framing.",
+      "UK-CAF-B4": "System security principle silent on registry-side authentication monitoring for downstream consumers.",
+      "AU-ISM-1808": "Software-supply-chain controls assume vendor-side SBOM truth; Shai-Hulud invalidates by publishing under legitimate maintainer identity.",
+      "SLSA-v1.0-Build-L3": "SLSA L3 build provenance is technically valid for Shai-Hulud-poisoned packages — the malicious build IS provenance-attested under the compromised maintainer's legitimate identity. L3 catches tampered upstream; it does NOT catch legitimately-authenticated malicious upstream."
+    },
+    "atlas_refs": [
+      "AML.T0010"
+    ],
+    "attack_refs": [
+      "T1195.002",
+      "T1078",
+      "T1567",
+      "T1485"
+    ],
+    "rwep_score": 70,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 15,
+      "active_exploitation": 20,
+      "blast_radius": 15,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "RWEP 70 — high. cisa_kev not applicable (KEV is CVE-only). poc_available: the framework IS the PoC. ai_factor: AI-coding-assistant-mediated authoring + AI-assistant config files as exfil target. active_exploitation: confirmed via Mini Shai-Hulud wave + TanStack-class incidents. blast_radius: every npm-using engineering org + every AI-assistant-using developer workstation. No patch direction — defensive posture is detection + maintainer credential rotation + ingest-side controls.",
+    "cwe_refs": [
+      "CWE-506",
+      "CWE-829"
+    ],
+    "source_verified": "2026-05-17",
+    "verification_sources": [
+      "https://www.theregister.com/security/2026/05/13/malware-crew-teampcp-open-sources-its-shai-hulud-worm-on-github/5239319",
+      "https://www.ox.security/blog/shai-hulud-open-source-malware-github/",
+      "https://www.securityweek.com/teampcp-ups-the-game-releases-shai-hulud-worms-source-code/",
+      "https://www.reversinglabs.com/blog/the-shai-hulud-code-drop",
+      "https://socket.dev/blog/teampcp-supply-chain-attack-contest",
+      "https://industrialcyber.co/ransomware/vect-formalizes-breachforums-and-teampcp-alliance-to-push-model-for-industrialized-ransomware-scale-raas-operations/",
+      "https://www.scworld.com/news/teampcp-releases-vibe-coded-shai-hulud-source-code-issues-challenge",
+      "https://securitylabs.datadoghq.com/articles/shai-hulud-open-source-framework-static-analysis/",
+      "https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/",
+      "https://unit42.paloaltonetworks.com/npm-supply-chain-attack/",
+      "https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/",
+      "https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem",
+      "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
+      "https://snyk.io/blog/tanstack-npm-packages-compromised/"
+    ],
+    "last_updated": "2026-05-17",
+    "discovery_attribution_note": "TeamPCP threat-actor framework, not a vulnerability discovery. The framework was open-sourced 2026-05-12 on GitHub under MIT license by the same actor group responsible for the September 2025 / November 2025 / May 2026 Shai-Hulud npm-worm waves. TeamPCP self-describes the framework as \"vibe coded\" — AI-coding-assistant-mediated authoring. Adoption-side weaponization is accelerated by AI coding assistants + the BreachForums-hosted $1,000 USD bounty contest."
   }
 }

package/data/cwe-catalog.json

@@ -949,7 +949,8 @@
       "kernel-lpe-triage"
     ],
     "evidence_cves": [
-      "CVE-2026-33825"
+      "CVE-2026-33825",
+      "CVE-2026-46333"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-16",
@@ -1130,6 +1131,7 @@
       "CVE-2024-3094",
       "MAL-2026-3083",
       "MAL-2026-NODE-IPC-STEALER",
+      "MAL-2026-SHAI-HULUD-OSS",
       "MAL-2026-TANSTACK-MINI"
     ],
     "framework_controls_partially_addressing": [
@@ -1224,7 +1226,8 @@
       "kernel-lpe-triage"
     ],
     "evidence_cves": [
-      "CVE-2026-46300"
+      "CVE-2026-46300",
+      "CVE-2026-46333"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-16",
@@ -1418,7 +1421,8 @@
       "supply-chain-integrity"
     ],
     "evidence_cves": [
-      "MAL-2026-NODE-IPC-STEALER"
+      "MAL-2026-NODE-IPC-STEALER",
+      "MAL-2026-SHAI-HULUD-OSS"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SA-12",

package/data/framework-control-gaps.json

@@ -388,7 +388,8 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
-      "CVE-2026-45321"
+      "CVE-2026-45321",
+      "MAL-2026-SHAI-HULUD-OSS"
     ],
     "atlas_refs": [
       "AML.T0010",
@@ -730,6 +731,7 @@
       "CVE-2026-45321",
       "MAL-2026-3083",
       "MAL-2026-NODE-IPC-STEALER",
+      "MAL-2026-SHAI-HULUD-OSS",
       "MAL-2026-TANSTACK-MINI"
     ],
     "atlas_refs": [
@@ -1140,7 +1142,8 @@
       "CVE-2026-0300",
       "CVE-2026-31431",
       "CVE-2026-42945",
-      "CVE-2026-46300"
+      "CVE-2026-46300",
+      "CVE-2026-46333"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -1319,6 +1322,7 @@
       "CVE-2026-39884",
       "CVE-2026-45321",
       "CVE-2026-46300",
+      "CVE-2026-46333",
       "MAL-2026-3083"
     ],
     "atlas_refs": [],
@@ -1708,6 +1712,7 @@
       "CVE-2026-43284",
       "CVE-2026-43500",
       "CVE-2026-46300",
+      "CVE-2026-46333",
       "CVE-2026-6973"
     ],
     "atlas_refs": [],
@@ -2325,7 +2330,8 @@
       "CVE-2024-3094",
       "CVE-2026-45321",
       "MAL-2026-3083",
-      "MAL-2026-NODE-IPC-STEALER"
+      "MAL-2026-NODE-IPC-STEALER",
+      "MAL-2026-SHAI-HULUD-OSS"
     ],
     "atlas_refs": [
       "AML.T0010",
@@ -3698,7 +3704,8 @@
       "CVE-2026-0300",
       "CVE-2026-42897",
       "CVE-2026-42945",
-      "CVE-2026-46300"
+      "CVE-2026-46300",
+      "CVE-2026-46333"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -3972,7 +3979,9 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
-      "CVE-2026-46300"
+      "CVE-2026-46300",
+      "CVE-2026-46333",
+      "MAL-2026-SHAI-HULUD-OSS"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -4003,7 +4012,8 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
-      "CVE-2026-46300"
+      "CVE-2026-46300",
+      "CVE-2026-46333"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -4034,7 +4044,8 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
-      "CVE-2026-46300"
+      "CVE-2026-46300",
+      "CVE-2026-46333"
     ],
     "atlas_refs": [
       "AML.T0010"
@@ -4068,6 +4079,7 @@
     "opened_date": "2026-05-17",
     "evidence_cves": [
       "MAL-2026-NODE-IPC-STEALER",
+      "MAL-2026-SHAI-HULUD-OSS",
       "MAL-2026-TANSTACK-MINI"
     ],
     "atlas_refs": [

package/data/zeroday-lessons.json

@@ -1941,5 +1941,183 @@
     "ai_discovery_source": "vendor_research",
     "ai_discovery_date": "2026-05-14",
     "ai_assist_factor": "low"
+  },
+  "CVE-2026-46333": {
+    "name": "ssh-keysign-pwn (Linux kernel ptrace exit-race)",
+    "lesson_date": "2026-05-17",
+    "attack_vector": {
+      "description": "Linux kernel ptrace exit-race: exit_mm() runs before exit_files() during privileged-process shutdown, leaving a microsecond window where task->mm == NULL but the fd table still holds privileged file handles. Pre-fix __ptrace_may_access() skipped its get_dumpable() check when mm == NULL, silently authorizing UID-matched access. Unprivileged attacker races ssh-keysign or chage exit, calls pidfd_getfd(2) to duplicate still-open fds, reads /etc/ssh/ssh_host_*_key or /etc/shadow as root.",
+      "privileges_required": "unprivileged local user with shell access",
+      "complexity": "race-condition with deterministic-on-loop primitive — 100-2000 attempts typically succeed",
+      "ai_factor": "Not AI-discovered. Qualys TRU human research. The underlying flaw was originally proposed in a 2020 Jann Horn patch that was never merged; 6-year dormant logic bug."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Merging the 2020 Jann Horn patch proposal. seccomp profiles blocking pidfd_getfd for unprivileged users. SUID removal from ssh-keysign + chage on hosts where host-based SSH auth + age-warn UX are not required. sysctl kernel.user_ptrace=0 to block unprivileged ptrace system-wide.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Yama ptrace_scope is NOT a compensating control — the bypass is at the kernel access-check layer, not the LSM layer. The 2020 Horn patch would have closed the class entirely."
+      },
+      "detection": {
+        "what_would_have_worked": "auditd rule on pidfd_getfd with auid>=1000 fires on unprivileged invocation. eBPF on tracepoint:syscalls:sys_enter_pidfd_getfd correlated with ssh-keysign / chage execution bursts surfaces the 100-2000-attempt race loop loudly.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Detection only; race is running by the time auditd fires. Mitigates post-exploitation cleanup, not exfil itself."
+      },
+      "response": {
+        "what_would_have_worked": "Rotate SSH host keys + /etc/shadow on hosts with observed pidfd_getfd anomalies in disclosure window. Patch + reboot (kernel point releases 7.0.8 / 6.18.31 / 6.12.89 / 6.6.139 / 6.1.173 / 5.15.207 / 5.10.256). KernelCare livepatch when released.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Host-key rotation is non-trivial in fleet ops — SSH known_hosts trust graph fragments. Most operators patch + accept residual window between disclosure and reboot scheduling."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "30-day critical patch SLA is an exploitation window for a kernel LPE with two public PoCs. Reboot-required nature breaks standard SI-2 maintenance assumptions."
+      },
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access enforcement compliance assumes file-permission integrity. ssh-keysign-pwn defeats file permissions via kernel-level access-check skip — AC-3 mode-bit checks are not compensating controls."
+      },
+      "NIST-800-53-AU-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Audit event selection should include pidfd_getfd post-disclosure; pre-disclosure the syscall was rarely on default audit rule sets."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Appropriate timescales undefined; same problem as CVE-2026-43284 / CVE-2026-46300 / CVE-2026-31431."
+      },
+      "NIS2-Art21-patch-management": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Art. 21(2)(c) measures undefined for fast-cycle kernel LPEs. No guidance on sysctl or SUID-removal as interim measures."
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-048",
+        "name": "KERNEL-EXIT-RACE-CVE-CLASS-MONITORING",
+        "description": "When a CVE is disclosed in the kernel ptrace / pidfd / fd-table lifecycle class, audit rules SHOULD enable pidfd_getfd / pidfd_open / pidfd_send_signal tracking for auid>=1000 within 24h. The syscall is rare in normal operation; spike volume after a same-class disclosure is high-confidence exploitation signal.",
+        "evidence": "CVE-2026-46333: the 100-2000-attempt exploit loop is loud in audit but most default rule sets do not monitor pidfd_getfd.",
+        "gap_closes": [
+          "NIST-800-53-AU-2",
+          "NIST-800-53-SI-4"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-049",
+        "name": "SUID-MINIMIZATION-FOR-KERNEL-LPE-CARRIER-BINARIES",
+        "description": "Hosts that do not use SSH host-based authentication SHOULD have ssh-keysign de-suid-ed. Hosts that do not use age-warn login UX SHOULD have chage de-suid-ed. Removes the privileged-process carrier even before the kernel patch lands.",
+        "evidence": "CVE-2026-46333: ssh-keysign + chage are the canonical carriers; SUID-removal blocks the exploit at the carrier layer regardless of kernel patch state.",
+        "gap_closes": [
+          "NIST-800-53-CM-6",
+          "NIST-800-53-AC-3"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 95,
+      "basis": "Every Linux fleet running OpenSSH + shadow-utils — every default install for the last 6 years. Audit-passing orgs are exposed because the bug is in default-shipped kernels.",
+      "theater_pattern": "patch_management"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "low"
+  },
+  "MAL-2026-SHAI-HULUD-OSS": {
+    "name": "Shai-Hulud worm framework open-source release (TeamPCP)",
+    "lesson_date": "2026-05-17",
+    "attack_vector": {
+      "description": "Threat-actor open-source release of an operational supply-chain worm under MIT license, paired with a BreachForums-hosted cash-bounty contest for downstream impact. Lowers barrier-to-entry from custom-tradecraft to clone-and-deploy. Framework targets AI-coding-assistant config files (~/.cursor, ~/.codeium, ~/.claude) alongside cloud + registry credentials; adds Claude Code startup hooks for persistence. Self-replicates via maintainer-token-pivot — stolen npm token authenticates as compromised maintainer, publishes malicious versions of other packages owned by the same maintainer.",
+      "privileges_required": "opportunistic — any developer workstation where the package is installed and post-install or require-time activation fires",
+      "complexity": "post-release: low. Pre-release: high (custom tradecraft).",
+      "ai_factor": "TeamPCP self-describes as \"vibe coded\" — AI-coding-assistant-mediated authoring. Defenders should expect rapid variant proliferation accelerated by AI coding assistants."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Maintainer-side: hardware-key-bound npm publish + MFA-required republish + npm-token isolation (publish tokens NOT on developer workstations). Consumer-side: package-pin hash verification, --ignore-scripts for postinstall, internal Verdaccio proxy with manual gating on version-bump risk-scoring. AI-assistant-side: file-permission restriction on ~/.claude/settings.json, ~/.cursor/mcp.json, ~/.codeium/windsurf/mcp_config.json (0600 on POSIX, ACL-restricted on Windows) so unprivileged processes cannot read.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "No single control prevents the attack class. Defense-in-depth across maintainer + registry + consumer + AI-config layers reduces blast radius but does not eliminate."
+      },
+      "detection": {
+        "what_would_have_worked": "Anomaly detection on npm publish events from new IPs, unusual cadence, or unusual package selection per maintainer. Monitor GitHub for repos matching \"A Gift From TeamPCP\" naming pattern OR with commit timestamps in year 2099 OR with agwagwagwa / headdirt / tmechen account contributors. eBPF on file-read events for ~/.aws, ~/.ssh, ~/.cursor, ~/.codeium, ~/.claude from processes spawned by node / npm / yarn / pnpm.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Detection-side is operator-feasible but reactive. By the time anomaly fires, credentials may already be in the attacker-controlled GitHub repo."
+      },
+      "response": {
+        "what_would_have_worked": "Immediate npm token rotation across all developer workstations + maintainer accounts. Audit all published package versions in the disclosure window for any unauthorized publish under compromised credentials. Roll back malicious versions via npm registry security-team channel. Rotate all secrets referenced by AI-assistant config files (MCP server tokens, Anthropic API keys, OpenAI keys).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Response is unbounded — once credentials leak, blast radius is the union of every API the credential can reach."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-218-SSDF-PW.4": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Tooling-trust assumption invalid when maintainer workstation is compromised."
+      },
+      "NIST-800-53-SR-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Supply-chain-tampering controls do not address legitimately-authenticated malicious upstream."
+      },
+      "EU-CRA-Art13": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Vulnerability-handling treats malicious upgrades as outside scope."
+      },
+      "SLSA-v1.0-Build-L3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "L3 provenance is valid for Shai-Hulud-poisoned packages — the build IS provenance-attested under the compromised maintainer identity."
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-050",
+        "name": "AI-ASSISTANT-CONFIG-FILE-PERMISSION-LOCKDOWN",
+        "description": "AI-assistant configuration files (~/.claude/, ~/.cursor/, ~/.codeium/, ~/.aider/, ~/.continue/) that carry MCP server tokens or LLM API keys MUST be mode 0600 on POSIX and ACL-restricted to the workstation user on Windows. Default mode on these files is typically 0644; Shai-Hulud reads them at unprivileged process scope. exceptd v0.12.41 hardened attestation sidecars to 0o600 for the same reason; the workstation-config category needs the same defensive posture.",
+        "evidence": "MAL-2026-SHAI-HULUD-OSS framework explicitly reads ~/.cursor/mcp.json + ~/.codeium/windsurf/mcp_config.json + ~/.claude/settings.json as exfil targets.",
+        "gap_closes": [
+          "NIST-800-53-AC-3",
+          "NIST-800-53-CM-6"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-051",
+        "name": "NPM-PUBLISH-TOKEN-WORKSTATION-ISOLATION",
+        "description": "npm publish tokens MUST NOT reside on developer workstations. Publish should require a hardware-key-bound CI/CD pipeline gate (GitHub Actions with OIDC + npm provisioning, or equivalent). Workstation tokens scope to read-only registry pulls.",
+        "evidence": "MAL-2026-SHAI-HULUD-OSS pivot mechanism requires a write-scope npm token on the maintainer workstation.",
+        "gap_closes": [
+          "NIST-800-53-IA-5",
+          "NIST-800-218-SSDF-PW.4"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-052",
+        "name": "GITHUB-REPO-PATTERN-MONITORING-FOR-EXFIL-CHANNELS",
+        "description": "Organizations SHOULD monitor GitHub for repository creation matching known threat-actor naming patterns (\"A Gift From TeamPCP\", \"Shai-Hulud\", future variants). The attacker uses GitHub itself as the exfil channel; the GitHub Search API + Code Search API are sufficient.",
+        "evidence": "MAL-2026-SHAI-HULUD-OSS pattern; pre-2026-05-12 Shai-Hulud waves used \"Shai-Hulud-*\" repo naming.",
+        "gap_closes": [
+          "NIST-800-53-SI-4"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "Every npm-consuming engineering org. SLSA + SSDF + SR-3 compliance does not protect against legitimately-authenticated malicious-maintainer publishes.",
+      "theater_pattern": "sbom_and_provenance"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "threat_actor_release",
+    "ai_assist_factor": "high"
   }
 }

package/lib/refresh-external.js

@@ -637,6 +637,12 @@ const OSV_SOURCE = {
   },
 };
 
+// v0.13.1: ADVISORIES_SOURCE polls Qualys TRU + RHSA + USN + ZDI primary
+// feeds and surfaces CVE IDs not yet in the catalog. Report-only — no
+// auto-catalog mutation. Closes the post-mortem gap on CVE-2026-46333
+// (ssh-keysign-pwn) where the existing NVD-based pollers lagged by 3+ days.
+const { ADVISORIES_SOURCE } = require('./source-advisories');
+
 const ALL_SOURCES = {
   kev: KEV_SOURCE,
   epss: EPSS_SOURCE,
@@ -645,6 +651,7 @@ const ALL_SOURCES = {
   pins: PINS_SOURCE,
   ghsa: GHSA_SOURCE,
   osv: OSV_SOURCE,
+  advisories: ADVISORIES_SOURCE,
 };
 
 // --- Cache-mode helpers ------------------------------------------------