@blamejs/exceptd-skills 0.13.2 → 0.13.4

package/data/zeroday-lessons.json

@@ -916,95 +916,6 @@
     "ai_discovery_date": "2024-03-29",
     "ai_assist_factor": "low"
   },
-  "CVE-2026-GTIG-AI-2FA": {
-    "name": "GTIG-tracked AI-built 2FA-bypass zero-day",
-    "lesson_date": "2026-05-15",
-    "attack_vector": {
-      "description": "Authentication state-machine confusion in an unnamed enterprise 2FA service. Exploit payload bypasses the second-factor challenge by manipulating session token at the post-primary-auth / pre-2FA-challenge boundary. Notable as the first documented AI-BUILT (not just AI-discovered) zero-day observed in-the-wild — threat actor used a frontier LLM to construct the exploit payload.",
-      "privileges_required": "remote unauthenticated, requires valid primary-auth credentials (assumed phished or credential-stuffed)",
-      "complexity": "moderate to develop, low to use",
-      "ai_factor": "First documented AI-BUILT ITW zero-day per GTIG 2026-05-11. Threat actor lacked the engineering capacity to construct the payload independently; LLM-generated exploit code shows characteristic structure, comments, and idiomatic patterns. Compresses time-to-weaponize by approximately 20x relative to human-only development for this class."
-    },
-    "defense_chain": {
-      "prevention": {
-        "what_would_have_worked": "Out-of-band MFA (FIDO2 / passkey / push-with-number-match) that does not share a session-token boundary with the bypass surface. Hardware-anchored binding of primary-auth and 2FA challenge into a single signed assertion.",
-        "was_this_required": false,
-        "framework_requiring_it": null,
-        "adequacy": "Phishing-resistant MFA (NIST AAL3) would have blocked this class. Most organizations still operate at AAL2 with SMS or TOTP."
-      },
-      "detection": {
-        "what_would_have_worked": "Session-token mutation anomaly detection between auth phases — alert when the session-state machine receives an unexpected transition.",
-        "was_this_required": false,
-        "framework_requiring_it": null,
-        "adequacy": "Anomaly detection on auth-state transitions is not a standard control category in any framework. Most identity providers don't expose the necessary telemetry."
-      },
-      "response": {
-        "what_would_have_worked": "Vendor-side rate-limiting on the 2FA challenge endpoint + temporary global rollback of the 2FA flow to require fresh primary-auth.",
-        "was_this_required": false,
-        "framework_requiring_it": null,
-        "adequacy": "Embargoed CVE — public response capability constrained by disclosure timing."
-      }
-    },
-    "framework_coverage": {
-      "NIST-AI-RMF-MEASURE-2.7": {
-        "covered": false,
-        "adequate": false,
-        "gap": "AI-discovered + AI-built exploit class not anchored in any framework — neither NIST AI RMF nor ISO 42001 require AI-attack-development monitoring as a control category."
-      },
-      "NIS2-Art21-incident-handling": {
-        "covered": true,
-        "adequate": false,
-        "gap": "EU NIS2 incident-handling SLA does not differentiate AI-built vs human-built exploit class — but the AI-built class compresses time-to-weaponize by ~20x and time-to-mass-deployment by ~50x."
-      },
-      "FedRAMP-IA-2": {
-        "covered": true,
-        "adequate": false,
-        "gap": "MFA requirement satisfied on paper; AI-built bypass operates at a layer below the MFA control surface."
-      },
-      "EU-AI-Act-Art-15": {
-        "covered": false,
-        "adequate": false,
-        "gap": "AI Act robustness requirement applies to AI SYSTEMS not to defending against AI-built attacks on non-AI systems."
-      },
-      "ALL-FRAMEWORKS": {
-        "covered": false,
-        "adequate": false,
-        "gap": "No framework anchors on AI-attack-development as an operational threat that requires distinct controls. ATLAS documents the techniques but compliance frameworks haven't picked them up."
-      }
-    },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-022",
-        "name": "AI-ATTACK-DEVELOPMENT-MONITORING",
-        "description": "Threat intelligence functions must subscribe to AI-attack-development feeds (GTIG, MITRE ATLAS, anthropic-internal threat reports). Treat AI-built exploit class as compressing the standard 30-day CISA KEV response window to 24 hours.",
-        "evidence": "CVE-2026-GTIG-AI-2FA — first documented AI-built ITW zero-day per GTIG 2026-05-11. Time from disclosure to mass-exploitation observed at ~10x faster than comparable non-AI-built cases.",
-        "gap_closes": [
-          "NIST-AI-RMF-MEASURE-2.7",
-          "ISO-27001-2022-A.5.7",
-          "NIS2-Art21-incident-handling"
-        ]
-      },
-      {
-        "id": "NEW-CTRL-023",
-        "name": "PHISHING-RESISTANT-MFA-MANDATE",
-        "description": "AAL3 phishing-resistant MFA (FIDO2 / passkey / hardware-anchored push-with-number-match) required for all administrative and privileged access. SMS, TOTP, and push-to-approve are insufficient against AI-built session-confusion attacks.",
-        "evidence": "CVE-2026-GTIG-AI-2FA — bypass operates at the session-state-machine layer; AAL3 anchors the second factor to the primary-auth assertion cryptographically.",
-        "gap_closes": [
-          "FedRAMP-IA-2",
-          "NIST-800-63-AAL3"
-        ]
-      }
-    ],
-    "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 92,
-      "basis": "Most organizations operate at AAL2 with TOTP or SMS. AI-built attack class compresses development time by 20x — defenders have not yet caught up.",
-      "theater_pattern": "mfa_aal2_satisfies_paper_aal3"
-    },
-    "ai_discovered_zeroday": true,
-    "ai_discovery_source": "threat_actor_ai_built",
-    "ai_discovery_date": "2026-05-11",
-    "ai_assist_factor": "very_high"
-  },
   "CVE-2026-42945": {
     "name": "NGINX Rift",
     "lesson_date": "2026-05-15",
@@ -2937,5 +2848,76 @@
     "ai_discovered_zeroday": false,
     "ai_discovery_source": "human_researcher",
     "ai_assist_factor": "low"
+  },
+  "CVE-2024-21762": {
+    "name": "Fortinet FortiOS / FortiProxy SSL-VPN out-of-bounds write (sslvpnd preauth RCE)",
+    "lesson_date": "2026-05-17",
+    "attack_vector": {
+      "description": "Out-of-bounds write in the sslvpnd daemon's HTTP request handling on FortiOS and FortiProxy. An unauthenticated attacker sends a specially crafted HTTP request to the SSL-VPN web surface and executes code on the appliance. Mass-scanning began within hours of the 2024-02-08 vendor disclosure; CISA KEV-listed the next day with a 7-day federal remediation deadline. Fortinet's 2025-04-11 follow-up advisory documented a post-exploitation technique where attackers who compromised the device before patching leave behind read-only symlinks in the SSL-VPN language-file directory that grant persistent filesystem read access on fully patched firmware — patch alone is insufficient.",
+      "privileges_required": "none (unauth network reach to the SSL-VPN web surface; SSL-VPN must be enabled on the FortiGate)",
+      "complexity": "low — single-request preauth RCE; public PoCs available within days",
+      "ai_factor": "Not AI-discovered — vendor-internal discovery by Fortinet PSIRT. No AI involvement on either the discovery or weaponization side."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Upgrade to FortiOS 7.6.2 / 7.4.7 / 7.2.11 / 7.0.17 / 6.4.16 or FortiProxy 7.4.3 / 7.2.9 / 7.0.15 / 2.0.14. Pre-patch interim mitigation: disable SSL-VPN entirely (Fortinet's stated workaround). Front the SSL-VPN web surface with network ACLs restricting access to known operator IP ranges where the SSL-VPN tenancy model permits it.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation — added 2024-02-09 with 7-day deadline)",
+        "adequacy": "Patch is definitive for the OOB-write itself but does not remediate post-exploitation persistence (symlink-based filesystem read access seeded before the patch). Operators who patched after compromise must additionally apply the FortiGuard 2025-04 cleanup steps to remove attacker-installed symlinks."
+      },
+      "detection": {
+        "what_would_have_worked": "Alerting on sslvpnd process crashes (OOB-write often triggers segfaults during exploit development); webserver log alerts on unusual HTTP request patterns to /remote/* SSL-VPN endpoints; outbound connection alerts from FortiGate appliances to non-management destinations; filesystem-state baselining on the SSL-VPN language-file directory to detect symlink-persistence artifacts.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Detection without prevention; in the case of a confirmed-in-wild preauth RCE with a 7-day KEV deadline, patching is the operative control. Filesystem-state detection is necessary to catch the post-exploitation symlink persistence on devices patched after compromise."
+      },
+      "response": {
+        "what_would_have_worked": "Treat any internet-facing FortiGate with SSL-VPN enabled before 2024-02-08 as potentially compromised; capture device configuration and audit logs for forensic review; rotate every credential reachable from the device (admin credentials, VPN-user credentials, RADIUS shared secrets, LDAP bind credentials); reimage or factory-reset rather than upgrade-in-place where the compromise window is uncertain; apply the FortiGuard 2025-04 cleanup steps to remove attacker-installed symlinks even on devices that appear to be on current firmware.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Operationally expensive but necessary for any device with uncertain compromise status; many operators upgraded in place and missed the post-exploitation persistence."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "30-day patch SLA is multiple orders of magnitude longer than the observed exploitation window (hours from disclosure to mass-scanning). Reboot-required nature breaks the standard maintenance-window assumption; many operators delayed patching until the next scheduled window, extending exposure."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Appropriate timescales undefined; standard 30-day interpretation is unsafe for an unauthenticated preauth RCE on an internet-facing security appliance with public PoCs and confirmed in-wild exploitation."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "EU NIS2 treats VPN concentrators as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA. Operators in NIS2 sectors typically discovered the vulnerability via vendor advisory, not via the regulatory channel."
+      },
+      "DORA-Art-9": {
+        "covered": true,
+        "adequate": false,
+        "gap": "ICT incident management presumes vendor-patch cadence; the appliance-reboot requirement breaks the standard SLA assumption for financial-entity SSL-VPN concentrators."
+      },
+      "UK-CAF-B4": {
+        "covered": true,
+        "adequate": false,
+        "gap": "System security principle is silent on the operational reality that fully patched FortiGates can carry attacker persistence (symlink-based filesystem read access) seeded before the patch was applied. Patch alone is insufficient; cleanup verification is required."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": "closest",
+        "gap": "Essential 8 patch-applications ML3 (48h) is closer to the operational reality than NIST SI-2 but still misses the mass-scanning window."
+      }
+    },
+    "new_control_requirements": [],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 60,
+      "basis": "Internet-facing SSL-VPN concentrators are routinely deployed by SOC 2 / ISO 27001 / PCI-audited organisations without a documented compressed-SLA patching procedure for the appliance class; the standard 30-day patch SLA was active exposure for this CVE. Post-exploitation symlink cleanup is essentially never tested in compliance audits — operators who patched in place after compromise frequently retained attacker persistence.",
+      "theater_pattern": "patch_management"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "low"
   }
 }

package/lib/lint-skills.js

@@ -573,18 +573,22 @@ function lintSkill(entry, ctx) {
     }
   }
 
-  // v0.13.2 — Hard Rule #1 enforcement at the skill-body layer. Every
-  // CVE-* / MAL-* mentioned in skill prose SHOULD resolve to an entry
-  // in data/cve-catalog.json. Hard Rule #1 ("no stale threat intel")
-  // is enforced for catalog ENTRIES by lib/validate-cve-catalog.js —
-  // but a skill body that cites a CVE not in the catalog is the
-  // stale-intel surface Hard Rule #1 calls out at the prose layer.
+  // Hard Rule #1 enforcement at the skill-body layer. Every CVE-* /
+  // MAL-* mentioned in skill prose MUST resolve to an entry in
+  // data/cve-catalog.json. Hard Rule #1 ("no stale threat intel") is
+  // enforced for catalog ENTRIES by lib/validate-cve-catalog.js — and
+  // this body-scan extends it to the skill prose layer.
   //
-  // v0.13.2 ships these as WARNINGS so the forcing function lands
-  // without breaking existing skill content (2 pre-existing violations:
-  // ransomware-response cites CVE-2024-21762, cloud-iam-incident cites
-  // CVE-2026-21370). v0.14.0 will flip body-cites-unknown-CVE to a
-  // hard error once those two have been triaged.
+  // v0.13.2 introduced this as a warning while the 2 pre-existing
+  // violations (ransomware-response cited CVE-2024-21762,
+  // cloud-iam-incident cited CVE-2026-21370) were triaged. v0.13.3
+  // flips to hard error now that both have been resolved (the
+  // Fortinet CVE landed in the catalog; the placeholder CVE was
+  // removed from the cloud-iam-incident body).
+  //
+  // Draft references stay as warnings — operators promote drafts
+  // on their own cadence and the catalog frequently carries
+  // auto-imported drafts that skills can legitimately cite.
   if (ctx.cveCatalog && body && typeof body === 'string') {
     const cveRefRe = /\b(CVE-(?:19|20)\d{2}-\d{4,7}|MAL-\d{4}-[A-Z0-9-]+)\b/g;
     const seen = new Set();
@@ -595,8 +599,8 @@ function lintSkill(entry, ctx) {
       seen.add(id);
       const entry = ctx.cveCatalog[id];
       if (!entry) {
-        skillWarnings.push(
-          `body cites "${id}" but no such entry in data/cve-catalog.json (Hard Rule #1 — no stale threat intel; will hard-fail in v0.14.0)`,
+        skillErrors.push(
+          `body cites "${id}" but no such entry in data/cve-catalog.json (Hard Rule #1 — no stale threat intel)`,
         );
       } else if (entry._draft === true) {
         skillWarnings.push(

package/lib/schemas/playbook.schema.json

@@ -119,6 +119,11 @@
               "condition": { "type": "string", "examples": ["finding.severity == 'critical'", "theater_score < 60", "always"] }
             }
           }
+        },
+        "fed_by": {
+          "type": "array",
+          "description": "v0.13.0: reverse direction of feeds_into. Auto-populated by scripts/refresh-reverse-refs.js — operators reading this playbook see what chains INTO it without grepping every other playbook. Plain array of playbook ids; condition is recorded on the SOURCE playbook's feeds_into entry, not duplicated here.",
+          "items": { "type": "string" }
         }
       }
     },

package/lib/source-advisories.js

@@ -79,6 +79,32 @@ const FEEDS = [
     kind: 'rss',
     description: 'Zero Day Initiative — vendor-acknowledged advisories from ZDI + Pwn2Own pipeline',
   },
+  // v0.13.3 additions — extend coverage to 4 more primary-source venues
+  // identified in the v0.13.1 post-mortem follow-up:
+  {
+    name: 'kernel-org',
+    url: 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/atom?h=master',
+    kind: 'rss',
+    description: 'kernel.org torvalds/linux master commits — first-hop after a kernel CVE fix lands upstream (where ssh-keysign-pwn appeared at T+0 as commit 31e62c2ebbfd before any advisory)',
+  },
+  {
+    name: 'oss-security',
+    url: 'https://www.openwall.com/lists/oss-security/feeds/atom.xml',
+    kind: 'rss',
+    description: 'oss-security mailing list — coordinated disclosure venue; many distros announce CVEs here before NVD',
+  },
+  {
+    name: 'jfrog',
+    url: 'https://jfrog.com/blog/category/security-research/feed/',
+    kind: 'rss',
+    description: 'JFrog SecOps research blog — npm/PyPI/Maven supply-chain disclosures with CVE assignments (TanStack / Mini Shai-Hulud class)',
+  },
+  {
+    name: 'cisa-current',
+    url: 'https://www.cisa.gov/cybersecurity-advisories/all.xml',
+    kind: 'rss',
+    description: 'CISA cybersecurity advisories feed — federal-vendor coordinated disclosures (separate from KEV which captures only exploited-in-the-wild items)',
+  },
 ];
 
 // Permissive CVE-ID matcher. The official format is CVE-YYYY-NNNN+ but