@blamejs/exceptd-skills 0.13.2 → 0.13.3

package/lib/source-advisories.js

@@ -79,6 +79,32 @@ const FEEDS = [
     kind: 'rss',
     description: 'Zero Day Initiative — vendor-acknowledged advisories from ZDI + Pwn2Own pipeline',
   },
+  // v0.13.3 additions — extend coverage to 4 more primary-source venues
+  // identified in the v0.13.1 post-mortem follow-up:
+  {
+    name: 'kernel-org',
+    url: 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/atom?h=master',
+    kind: 'rss',
+    description: 'kernel.org torvalds/linux master commits — first-hop after a kernel CVE fix lands upstream (where ssh-keysign-pwn appeared at T+0 as commit 31e62c2ebbfd before any advisory)',
+  },
+  {
+    name: 'oss-security',
+    url: 'https://www.openwall.com/lists/oss-security/feeds/atom.xml',
+    kind: 'rss',
+    description: 'oss-security mailing list — coordinated disclosure venue; many distros announce CVEs here before NVD',
+  },
+  {
+    name: 'jfrog',
+    url: 'https://jfrog.com/blog/category/security-research/feed/',
+    kind: 'rss',
+    description: 'JFrog SecOps research blog — npm/PyPI/Maven supply-chain disclosures with CVE assignments (TanStack / Mini Shai-Hulud class)',
+  },
+  {
+    name: 'cisa-current',
+    url: 'https://www.cisa.gov/cybersecurity-advisories/all.xml',
+    kind: 'rss',
+    description: 'CISA cybersecurity advisories feed — federal-vendor coordinated disclosures (separate from KEV which captures only exploited-in-the-wild items)',
+  },
 ];
 
 // Permissive CVE-ID matcher. The official format is CVE-YYYY-NNNN+ but

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.13.2",
+  "version": "0.13.3",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ZS8UdA+c6vWovG2EsBP2X2xd43uSC33/LPq6SZtYEEQto4zuzLNH+pcL74oE2V5mie03r+5YdisQYtV5g+ANCQ==",
-      "signed_at": "2026-05-18T02:19:03.449Z",
+      "signed_at": "2026-05-18T03:03:42.897Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -117,7 +117,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "l5PS3EMYS5+e4EBeYOaWTeKLcmeWDuqxRjDQFD4m7n1uRdCPziTEkHkEAVxSuBp1aKhbOvShTFpXXtTgZ0nhBg==",
-      "signed_at": "2026-05-18T02:19:03.451Z",
+      "signed_at": "2026-05-18T03:03:42.899Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -180,7 +180,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "KXUDBx+nPn+85iFh7+zMIllAdkjUWbhgXpaot5/yliZwKzVmFFPjQF/xZm8gdZLFkskyO5M0MS/MqjowPvAHBw==",
-      "signed_at": "2026-05-18T02:19:03.451Z",
+      "signed_at": "2026-05-18T03:03:42.899Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -226,7 +226,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "Jn4HdauaKGzLGB4lmqgS7ntrrkKykfHrths/mlJegHgjoRsauVK/+S3VN82YxRcnTa1gOYd08hMUV7FnKRs6Cg==",
-      "signed_at": "2026-05-18T02:19:03.452Z"
+      "signed_at": "2026-05-18T03:03:42.900Z"
     },
     {
       "name": "compliance-theater",
@@ -257,7 +257,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "byFyQfZFeQ9mhH4+DxNWyM2lBVDcZiEx+vDPSJpjmblb61T3KIK70PWb9KhUKO//9RBwnb7Bz9KbltruhaB3DA==",
-      "signed_at": "2026-05-18T02:19:03.452Z"
+      "signed_at": "2026-05-18T03:03:42.900Z"
     },
     {
       "name": "exploit-scoring",
@@ -286,7 +286,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "6nar8a3phaFK55Xpgw0XEBz3k4WrtRfW79JfKjgeKRc1FqljMaqmNxb3ftOCFy0CgMEu/lULuubGXFqp0DpcDA==",
-      "signed_at": "2026-05-18T02:19:03.452Z"
+      "signed_at": "2026-05-18T03:03:42.900Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -323,7 +323,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "8BOfZgS2fm9KeEYZwwUc4JUSVxnLAgQ3UrViUcGlrA1NMcJz92mw7QGGhTx+PUn4yoPTGelxGz6MF5mEqpfDAQ==",
-      "signed_at": "2026-05-18T02:19:03.453Z",
+      "signed_at": "2026-05-18T03:03:42.901Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -380,7 +380,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "o5CamxRHrwbM+R7lQzEoKxHBTFbo76C3Uf8/Qx3cbLlrXczvI6K9a1KfWIoOq/8UoTuQy7dB6lZge0H+94gbBw==",
-      "signed_at": "2026-05-18T02:19:03.454Z",
+      "signed_at": "2026-05-18T03:03:42.901Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -415,7 +415,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "02UBMUa3Wox2vXhKVr+2m0Lq5+sY3azliVeAyNSM2p8tw7Fj/HzKQwsgBVAfTM+5yqDzaIMCmup9UAgn4FYbAw==",
-      "signed_at": "2026-05-18T02:19:03.454Z",
+      "signed_at": "2026-05-18T03:03:42.902Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -443,7 +443,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "IVCHD1LCPV8l+kc7i0EuTFkI91l3X9bQnxb8esfs0oJ+C2tCADickTyzlwhpSDdv3icGya9rOk984vBXxLjtDA==",
-      "signed_at": "2026-05-18T02:19:03.454Z"
+      "signed_at": "2026-05-18T03:03:42.902Z"
     },
     {
       "name": "global-grc",
@@ -475,7 +475,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "VcWZd1hN1fxw3BmLqcNP1giz9yiAQEDI928Y9ECOV1bPQvt/zZpONoLg4K7f13HyfoO192mssEcAOTQgnGxQDA==",
-      "signed_at": "2026-05-18T02:19:03.455Z"
+      "signed_at": "2026-05-18T03:03:42.902Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -502,7 +502,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "LOg96wT5l+hjplhMcO/pwZKvQCsTXbjjXVSGBnt6I++8yx9Y/yqqewXNoM2SiqBK20WtXlcR/pPheWBCv++fDQ==",
-      "signed_at": "2026-05-18T02:19:03.455Z"
+      "signed_at": "2026-05-18T03:03:42.903Z"
     },
     {
       "name": "pqc-first",
@@ -554,7 +554,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "BoFVxwiopgnmDY8AJ0j5KzRkwQQOzdizisTsZOLHBE2BUixr/B6FV8S3AIN3rvS9YixL48rbt8rdAz0j0HDCAw==",
-      "signed_at": "2026-05-18T02:19:03.455Z",
+      "signed_at": "2026-05-18T03:03:42.903Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -601,7 +601,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "LvwHc4LPAo3u1D94umZ6AFr6IaEkAMqAVJVoq4oiIKwT0qdOSfYRcACp+5AU18S5hIwiM0QgMiSnTwtPOUmyCw==",
-      "signed_at": "2026-05-18T02:19:03.456Z"
+      "signed_at": "2026-05-18T03:03:42.903Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -638,7 +638,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "nZNIznYPxcs2mAjruwejfH2HrlW0SVDQ2Q2Ethh35uJBZkK7twgCDSJKVPbvR5ftaVdslDrq5o6Xhcwf7rWJDw==",
-      "signed_at": "2026-05-18T02:19:03.456Z",
+      "signed_at": "2026-05-18T03:03:42.904Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -673,7 +673,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "49BxLraoRRpTRaZV7maw4/e8TOZzRNZgfM1wPuG8elb6dpG98LooRqV1WDLuKAP/7ShqicjNTpr1wyBGTFJ7CQ==",
-      "signed_at": "2026-05-18T02:19:03.456Z"
+      "signed_at": "2026-05-18T03:03:42.904Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -744,7 +744,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "/p8RImZYTSneXWjgwqMbuJN4XKROGWxzVzz3fwldev/qEhUZi3ptW/nZ/OZF0hgrO/04Xbm9p5fHzOshNYCODQ==",
-      "signed_at": "2026-05-18T02:19:03.456Z"
+      "signed_at": "2026-05-18T03:03:42.904Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -804,7 +804,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "mMZmXMzXPTZHmfK/j8jd32U1wio5NoGHosJ8yy2aYY8mHCVOS1zhKYvCXSzfAe9GAjeJf+zNZCe239tWDBnNBQ==",
-      "signed_at": "2026-05-18T02:19:03.457Z"
+      "signed_at": "2026-05-18T03:03:42.904Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -879,7 +879,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "lXBKwsA1ouEI8CLFW9AQMwTaR2HTtz/tZC3qEs13XL8IOBpl6OwZj6GkDCWuT1SK4enOgpmKHypaNGJ/vtGQBg==",
-      "signed_at": "2026-05-18T02:19:03.457Z"
+      "signed_at": "2026-05-18T03:03:42.905Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -956,7 +956,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "6r0zv9/tNfZd/NKSc8z1+4p/6R80EwbelY+mr5zLrwEc/ViD0E8G9SbE2dLuWg4V0EoIMLrWJ/b9RQGSaOYvBQ==",
-      "signed_at": "2026-05-18T02:19:03.457Z"
+      "signed_at": "2026-05-18T03:03:42.905Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1013,7 +1013,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "dNw1zQ61gvG7y0WlF7n4heuMgDBfe59Yr2Kr/HfOb9jkc5grPipDXEeGko0xcJuZ3WVeu/OjRnPVDJkorBIHAg==",
-      "signed_at": "2026-05-18T02:19:03.458Z"
+      "signed_at": "2026-05-18T03:03:42.905Z"
     },
     {
       "name": "identity-assurance",
@@ -1080,7 +1080,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "zx3uucOcICwlEUJytEMnHsfqTpOSK+Zsv4/Z3hX6AUtUvh5Bi6pgAQYkX45Y6fk5K+QEGR5Vkiecv/9R+UakCw==",
-      "signed_at": "2026-05-18T02:19:03.458Z"
+      "signed_at": "2026-05-18T03:03:42.906Z"
     },
     {
       "name": "ot-ics-security",
@@ -1136,7 +1136,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "Lsn7F3sOedjUvUH7/EmGFVUrhpwW6Bkx/EtTCEU69EPHFV6kMCMlqFyRuHKV8vjZpp1x6o2RZgD0oW54T2ufCw==",
-      "signed_at": "2026-05-18T02:19:03.458Z"
+      "signed_at": "2026-05-18T03:03:42.906Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1188,7 +1188,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "f1w8AOT3bw+IeaAkg+vubUf7+Gx+/zTuQyIKOxQTbF9m1HGIE/SJQlWZST9ALtlH1BN4gJK5WPRmloX6LzQYBw==",
-      "signed_at": "2026-05-18T02:19:03.459Z"
+      "signed_at": "2026-05-18T03:03:42.906Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1238,7 +1238,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "nA1GtYV23HnOWNtsSp4kLsIMyszAWdLntkgcT7hwVddHybgTKb/Scj+WyVv7vfM6l9n2+2rk3GgptZKaRF/aBg==",
-      "signed_at": "2026-05-18T02:19:03.459Z"
+      "signed_at": "2026-05-18T03:03:42.907Z"
     },
     {
       "name": "webapp-security",
@@ -1312,7 +1312,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "oEBU+4xdW24VOlpsD+Gi8hMDDZK/Z4S8dWqnNRioth7rNwll42LWvfUyrgrxi5U0ucZtLHLRZGJHcMPkPC5bDQ==",
-      "signed_at": "2026-05-18T02:19:03.459Z"
+      "signed_at": "2026-05-18T03:03:42.907Z"
     },
     {
       "name": "ai-risk-management",
@@ -1362,7 +1362,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "AqZYnDlvr5EUu/WVFa0ffW77/QYSF7JDzi8jV/+7EynQ7vFPnJbaQQ93aVw91mXQHF5DEqRgeLb30yr++KcVBg==",
-      "signed_at": "2026-05-18T02:19:03.459Z"
+      "signed_at": "2026-05-18T03:03:42.907Z"
     },
     {
       "name": "sector-healthcare",
@@ -1422,7 +1422,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "53kKCGnBk6b88Q0Mf34CkowBH1osOYTpUf0wkMK70CAOCna2qYaBTTnYVHamV2+DsE6IC9W+JIzmPWcl3jC5BA==",
-      "signed_at": "2026-05-18T02:19:03.460Z"
+      "signed_at": "2026-05-18T03:03:42.908Z"
     },
     {
       "name": "sector-financial",
@@ -1503,7 +1503,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "64PrvGD26sxvxzfmMBsCGpocascDDurGSNMJrdJJ5IS4rj5aXS6oQCBw0pDDasJvwaQdkrOiQ/RoEQoEQnRkDg==",
-      "signed_at": "2026-05-18T02:19:03.460Z"
+      "signed_at": "2026-05-18T03:03:42.908Z"
     },
     {
       "name": "sector-federal-government",
@@ -1572,7 +1572,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "6BEcpzMRaY7yuQvZuz/Y52xq3EO690jZq8q0ABBT8ujCuBBmBGqAz4Ml1F6hlMVCZ3Jjl2AFHP5tnNNRmkD3Dg==",
-      "signed_at": "2026-05-18T02:19:03.461Z"
+      "signed_at": "2026-05-18T03:03:42.909Z"
     },
     {
       "name": "sector-energy",
@@ -1637,7 +1637,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "RhKFw5oVfDljrAe7bzY9d/IfmF3oyT85WVaqpHAHbNcrWpxNrX1sIE4+Sf4Uj3njI8/2fMgk4HN3oZv9aA6nCQ==",
-      "signed_at": "2026-05-18T02:19:03.461Z"
+      "signed_at": "2026-05-18T03:03:42.909Z"
     },
     {
       "name": "sector-telecom",
@@ -1723,7 +1723,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "JWVxKFoKrbX4d+Tko1d4OBdwyg25MfFFKn4CT6E/CzH+YwnU3T6Y76uBQIKg3+gIGTvPduqyvQwQQ5FxKDuPBw==",
-      "signed_at": "2026-05-18T02:19:03.462Z"
+      "signed_at": "2026-05-18T03:03:42.909Z"
     },
     {
       "name": "api-security",
@@ -1791,8 +1791,8 @@
       ],
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
-      "signature": "ACPV5cQskL0TR4SK9eKev6jCNEWj+d6zE+BOB7QHXAcungz3K5qugDTkz3NjEHefebiFi8GW8VPuchA8vRYODg==",
-      "signed_at": "2026-05-18T02:19:03.462Z"
+      "signature": "8u34Sx9A6z7jpB4KVwxMPF8u3DV6NNnvcn5iGBREKRxYcOrTFjk1eRYI7wX/UU9XeLSstsmhgFsWKbogC2sLDg==",
+      "signed_at": "2026-05-18T03:03:42.910Z"
     },
     {
       "name": "cloud-security",
@@ -1873,7 +1873,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "9eHXut2agJm6+Z7r6zRD8Rbokj1yTeSeFh9BIoZCE9KrntlnAVU0Y0jl+JRBHOptWh4z04bOW1eAhy0vjl+lAQ==",
-      "signed_at": "2026-05-18T02:19:03.462Z"
+      "signed_at": "2026-05-18T03:03:42.910Z"
     },
     {
       "name": "container-runtime-security",
@@ -1935,7 +1935,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "gTi2joMM9bqqXQ+R7oqL0MUtz1sOettl0mOXrQS5jTnZ9TDwrg3E/PbuanQjPDC8aLRFRgPdi/EN2Rtp5Zj+Dg==",
-      "signed_at": "2026-05-18T02:19:03.462Z"
+      "signed_at": "2026-05-18T03:03:42.910Z"
     },
     {
       "name": "mlops-security",
@@ -2006,7 +2006,7 @@
         "MITRE ATLAS v5.4.0 (released February 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: ATLAS v5.5 / v6.0 — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "ZNk3SKNnmFy8DHYJd0PMGWg9Aj8yOyh96p6rNdYllojEIO5G+Lj6fdCPOOopAEu4ta3pO9+EAfYuw3QUbpfVAg==",
-      "signed_at": "2026-05-18T02:19:03.463Z"
+      "signed_at": "2026-05-18T03:03:42.911Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2068,7 +2068,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "6/9Ehyx49Rr/o5Tp9oQ3cfHa2WhKYtLXJp0akoDbRC1RSCxZVbkKaW7/5/IkdgCQMiJivI/Q0g0Bq/5q/UUZAA==",
-      "signed_at": "2026-05-18T02:19:03.463Z"
+      "signed_at": "2026-05-18T03:03:42.911Z"
     },
     {
       "name": "ransomware-response",
@@ -2148,7 +2148,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "+5FiwJFRq08x2oXejTO1Nw6Cd+EzOcrwAG2xNrngJ8vHPDXqFgGAjTAJuXrNl7QblTfSLQ+xvoAziBly56/eDg==",
-      "signed_at": "2026-05-18T02:19:03.463Z"
+      "signed_at": "2026-05-18T03:03:42.911Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2200,8 +2200,8 @@
       "cwe_refs": [],
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
-      "signature": "x0FNJsYCoKz73KUaCUxl1jdps0W1x3pfb/oFrljgUxdr48d0HuHLWmsZz7ZtiK4AC8Kc9CB+TB16IRjlCzsxAA==",
-      "signed_at": "2026-05-18T02:19:03.464Z"
+      "signature": "rK+WnuS+9tqEABmwc0jO/PEmxcLjG1/tmUb897HsClQeKzf+TQOlwBE+OsbtuKxpjYNwur62Xxs3TxObkwm8Cw==",
+      "signed_at": "2026-05-18T03:03:42.912Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2269,7 +2269,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "OaxxkpowZXLeaBKUr3iNbGSEE2zyCYZ32cHLOumEOmBwLYN8LMsqqPUmM32XxVBOeopCbMM7ayZRF7geRQHhAg==",
-      "signed_at": "2026-05-18T02:19:03.464Z"
+      "signed_at": "2026-05-18T03:03:42.912Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2348,8 +2348,8 @@
         "D3-CAA"
       ],
       "last_threat_review": "2026-05-15",
-      "signature": "6O5peFBKz4XFasajnzMIF8Zjdb84bd361WHRGx6WiddKNfu687Q9qAanvzujxPmzYA1qiGGJJkujT+6y8T/WCQ==",
-      "signed_at": "2026-05-18T02:19:03.464Z"
+      "signature": "e/kij7GtKaytROyIj7V5RH+FC9WtmVFzrmG2kIlNDNn29ep/CRNlIQKwXLpzo/81AIf634pmdr1qy/+vwIuUDA==",
+      "signed_at": "2026-05-18T03:03:42.912Z"
     },
     {
       "name": "idp-incident-response",
@@ -2430,11 +2430,11 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "ew9Kglc9fAZzbn0ZIfGP7WSK/j4eV2VhSvpy+s5bEfNEVYIMa2kZjnGBapgUsyGDLes9H9K2ovjQyX17+GKiBw==",
-      "signed_at": "2026-05-18T02:19:03.465Z"
+      "signed_at": "2026-05-18T03:03:42.913Z"
     }
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "N5sCZtaEC7UPJ07A2594/LJlkpKporgiAFW95RrGZRwXTo3AWexPbxf1XQILLGHu634DML0ke+WAeUyrgYIkCQ=="
+    "signature_base64": "m/guw9FcxUf1OgSdM00b9uuZLyGlUUYfiNUzoVwh8JQz+a7VMnLUntdDP4bt2nxV8kyvfJEO6pny1er5B9JHBw=="
   }
 }

package/orchestrator/index.js

@@ -1093,6 +1093,7 @@ function runWatchlist(rawArgs = []) {
 
   const byskill = rawArgs.includes('--by-skill');
   const alertsMode = rawArgs.includes('--alerts');
+  const orgScanMode = rawArgs.includes('--org-scan');
   const manifestPath = path.join(__dirname, '..', 'manifest.json');
   const repoRoot = path.join(__dirname, '..');
 
@@ -1100,12 +1101,22 @@ function runWatchlist(rawArgs = []) {
   // "CVE-class alert patterns" — surfaces catalog entries matching
   // high-priority shape rules (kernel-LPE-with-PoC, supply-chain-family,
   // AI-discovered-KEV, recently-disclosed-with-active-exploitation).
-  // The two modes are mutually exclusive; --alerts short-circuits the
-  // forward-watch aggregation.
+  // The modes are mutually exclusive; the first matching flag wins.
   if (alertsMode) {
     return runWatchlistAlerts(rawArgs);
   }
 
+  // v0.13.3: --org-scan probes GitHub for repository naming patterns
+  // associated with known threat actors (per NEW-CTRL-052 from the
+  // MAL-2026-SHAI-HULUD-OSS zeroday-lessons entry). The Shai-Hulud
+  // worm uses GitHub itself as the exfil channel — repos named
+  // "A Gift From TeamPCP", "Shai-Hulud-*", or with future variants
+  // hold the stolen credentials. Operators can run this against
+  // their own GitHub org to surface exfil staging in their tenant.
+  if (orgScanMode) {
+    return runWatchlistOrgScan(rawArgs);
+  }
+
   let manifest;
   try {
     manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
@@ -1589,6 +1600,140 @@ Examples:
 `);
 }
 
+/**
+ * v0.13.3 — runWatchlistOrgScan: GitHub repo-pattern monitoring per
+ * NEW-CTRL-052 (MAL-2026-SHAI-HULUD-OSS zeroday-lessons). The Shai-Hulud
+ * worm uses GitHub itself as the exfil channel; the canonical naming
+ * pattern is "A Gift From TeamPCP", commit-timestamps falsified to
+ * 2099-01-01, and contributor accounts agwagwagwa / headdirt / tmechen.
+ *
+ * Operators run this against their GitHub org (--org <login> or
+ * GITHUB_ORG env var) to surface exfil staging within their tenant.
+ * Uses the GitHub Search API (unauthenticated for public-repo search;
+ * GITHUB_TOKEN env var lifts the rate limit + enables private-repo
+ * coverage). Report-only — never modifies repos.
+ *
+ * Flags / env:
+ *   --org <login>              GitHub org / user to scope the search to (required)
+ *   --pattern <s> (repeatable) additional naming-pattern strings (defaults below)
+ *   --json                     structured JSON output
+ *   GITHUB_TOKEN env var       lifts rate limit + private-repo search coverage
+ */
+async function runWatchlistOrgScan(rawArgs = []) {
+  const jsonOut = rawArgs.includes('--json');
+  // Extract --org <login>. Accept --org=foo too.
+  let org = null;
+  for (let i = 0; i < rawArgs.length; i++) {
+    if (rawArgs[i] === '--org' && rawArgs[i + 1]) { org = rawArgs[i + 1]; break; }
+    if (rawArgs[i].startsWith('--org=')) { org = rawArgs[i].slice('--org='.length); break; }
+  }
+  if (!org) org = process.env.GITHUB_ORG || null;
+  if (!org) {
+    process.stdout.write(JSON.stringify({
+      ok: false,
+      verb: 'watchlist',
+      mode: 'org-scan',
+      error: 'watchlist --org-scan requires --org <login> (or GITHUB_ORG env var). Example: exceptd watchlist --org-scan --org blamejs',
+    }) + '\n');
+    safeExit(EXIT_CODES.GENERIC_FAILURE);
+    return;
+  }
+  // Custom patterns via --pattern <s> (repeatable). Default set from
+  // the MAL-2026-SHAI-HULUD-OSS catalog entry + NEW-CTRL-052 evidence.
+  const customPatterns = [];
+  for (let i = 0; i < rawArgs.length; i++) {
+    if (rawArgs[i] === '--pattern' && rawArgs[i + 1]) customPatterns.push(rawArgs[i + 1]);
+    if (rawArgs[i].startsWith('--pattern=')) customPatterns.push(rawArgs[i].slice('--pattern='.length));
+  }
+  const DEFAULT_PATTERNS = [
+    { id: 'shai-hulud-classic', q: 'Shai-Hulud', severity: 'critical', source: 'MAL-2026-SHAI-HULUD-OSS (pre-source-release naming)' },
+    { id: 'teampcp-gift', q: 'A Gift From TeamPCP', severity: 'critical', source: 'MAL-2026-SHAI-HULUD-OSS (post-2026-05-12 release naming)' },
+    { id: 'teampcp-bare', q: 'TeamPCP', severity: 'high', source: 'MAL-2026-SHAI-HULUD-OSS threat actor reference' },
+  ];
+  const patterns = [
+    ...DEFAULT_PATTERNS,
+    ...customPatterns.map((q, i) => ({ id: `custom-${i + 1}`, q, severity: 'medium', source: 'operator --pattern' })),
+  ];
+
+  // GitHub Search API: GET /search/code?q=<query>+org:<login>
+  // and GET /search/repositories?q=<query>+org:<login>. Both return
+  // the same shape (items[] with name, html_url, owner, created_at).
+  const token = process.env.GITHUB_TOKEN || '';
+  const matches = [];
+  let rateLimited = false;
+  let unauth = !token;
+  if (typeof fetch !== 'function') {
+    process.stdout.write(JSON.stringify({
+      ok: false,
+      verb: 'watchlist',
+      mode: 'org-scan',
+      error: 'fetch() not available — Node 18+ required.',
+    }) + '\n');
+    safeExit(EXIT_CODES.GENERIC_FAILURE);
+    return;
+  }
+  for (const p of patterns) {
+    const url = `https://api.github.com/search/repositories?q=${encodeURIComponent(p.q + ' org:' + org)}&per_page=100`;
+    const headers = { 'User-Agent': 'exceptd-watchlist-org-scan/0.13.3 (+https://exceptd.com)', 'Accept': 'application/vnd.github+json' };
+    if (token) headers.Authorization = `Bearer ${token}`;
+    try {
+      const ac = new AbortController();
+      const timer = setTimeout(() => ac.abort(), 10000);
+      const r = await fetch(url, { headers, signal: ac.signal });
+      clearTimeout(timer);
+      if (r.status === 403 || r.status === 429) {
+        rateLimited = true;
+        continue;
+      }
+      if (!r.ok) continue;
+      const body = await r.json();
+      for (const item of body.items || []) {
+        matches.push({
+          pattern_id: p.id,
+          severity: p.severity,
+          source: p.source,
+          repo: item.full_name,
+          url: item.html_url,
+          private: item.private,
+          created_at: item.created_at,
+          updated_at: item.updated_at,
+          stars: item.stargazers_count || 0,
+        });
+      }
+    } catch { /* network failure — best effort */ }
+  }
+  const generated_at = new Date().toISOString();
+  if (jsonOut) {
+    process.stdout.write(JSON.stringify({
+      ok: !rateLimited,
+      verb: 'watchlist',
+      mode: 'org-scan',
+      generated_at,
+      org,
+      patterns_evaluated: patterns.length,
+      match_count: matches.length,
+      matches,
+      rate_limited: rateLimited,
+      unauthenticated: unauth,
+      control_reference: 'NEW-CTRL-052 (MAL-2026-SHAI-HULUD-OSS lesson)',
+    }) + '\n');
+    return;
+  }
+  console.log(`\nGitHub Org-Scan — ${generated_at}`);
+  console.log(`Org: ${org}  patterns: ${patterns.length}  matches: ${matches.length}`);
+  if (unauth) console.log('(unauthenticated — set GITHUB_TOKEN for private-repo coverage + higher rate limit)');
+  if (rateLimited) console.log('WARNING: GitHub rate limit hit on at least one query. Re-run with GITHUB_TOKEN set.');
+  if (matches.length === 0) {
+    console.log('No threat-actor-pattern repos found.');
+    return;
+  }
+  for (const m of matches) {
+    console.log(`[${m.severity}] ${m.repo}  ${m.private ? '(private)' : ''} created ${m.created_at}`);
+    console.log(`    pattern: ${m.pattern_id} (${m.source})`);
+    console.log(`    ${m.url}`);
+  }
+}
+
 // Only run the CLI when this file is executed directly. Earlier versions
 // invoked main() at import time too, which meant `require('./orchestrator')`
 // would trigger a full CLI dispatch (and printHelp) inside the importing

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.13.2",
+  "version": "0.13.3",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
   "keywords": [
     "ai-security",