@blamejs/exceptd-skills 0.14.26 → 0.14.27

package/data/_indexes/frequency.json

@@ -3290,11 +3290,13 @@
       "NIST-800-53-SC-5",
       "NIST-800-53-SI-10",
       "NIST-800-53-SI-4",
+      "NIST-800-53-SR-11",
       "NIST-800-53-SR-3",
       "NIST-AI-RMF-MAP-3.4",
       "NIST-AI-RMF-MEASURE-2.7",
       "OWASP-API-Security-Top-10-API4:2023",
       "OWASP-API-Security-Top-10-API8:2023",
+      "OWASP-CICD-SEC-3",
       "OWASP-LLM-Top-10-2025-LLM05",
       "OWASP-LLM-Top-10-LLM01",
       "OWASP-LLM-Top-10-LLM02",

package/data/atlas-ttps.json

@@ -94,6 +94,7 @@
     "last_verified": "2026-05-19",
     "cve_refs": [
       "CVE-2025-68664",
+      "CVE-2025-68665",
       "CVE-2026-30623",
       "CVE-2026-42945"
     ],
@@ -154,24 +155,24 @@
       "CVE-2024-37032",
       "CVE-2024-37052",
       "CVE-2024-37060",
+      "CVE-2025-10164",
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
+      "CVE-2025-51480",
       "CVE-2025-8747",
       "CVE-2026-22778",
       "CVE-2026-30615",
       "CVE-2026-31229",
       "CVE-2026-39987",
       "CVE-2026-45321",
+      "CVE-2026-5760",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
       "MAL-2026-3083",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
       "MAL-2026-SHAI-HULUD-OSS",
-      "MAL-2026-TANSTACK-MINI",
-      "CVE-2025-51480",
-      "CVE-2025-10164",
-      "CVE-2026-5760"
+      "MAL-2026-TANSTACK-MINI"
     ],
     "description_full": "Adversaries may gain initial access to a system by compromising the unique portions of the AI supply chain. This could include [Hardware](/techniques/AML.T0010.000), [Data](/techniques/AML.T0010.002) and its annotations, parts of the AI [AI Software](/techniques/AML.T0010.001) stack, or the [Model](/techniques/AML.T0010.003) itself. In some instances the attacker will need secondary access to fully carry out an attack using compromised components of the supply chain.",
     "platforms": [
@@ -564,6 +565,7 @@
       "CVE-2025-53773",
       "CVE-2025-55319",
       "CVE-2025-68664",
+      "CVE-2025-68665",
       "CVE-2026-25592",
       "CVE-2026-30615",
       "CVE-2026-39884",
@@ -1296,15 +1298,15 @@
       "CVE-2024-24590",
       "CVE-2024-37052",
       "CVE-2024-37060",
+      "CVE-2025-10164",
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
+      "CVE-2025-51480",
       "CVE-2025-8747",
       "CVE-2026-31229",
-      "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
-      "CVE-2025-51480",
-      "CVE-2025-10164",
-      "CVE-2026-5760"
+      "CVE-2026-5760",
+      "MAL-2024-PYPI-ULTRALYTICS-XMRIG"
     ],
     "description_full": "An adversary may rely upon specific actions by a user in order to gain execution. Users may inadvertently execute unsafe code introduced via [AI Supply Chain Compromise](/techniques/AML.T0010). Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link.",
     "platforms": [
@@ -1754,6 +1756,7 @@
       "CVE-2023-6021",
       "CVE-2023-6038",
       "CVE-2023-6571",
+      "CVE-2024-12450",
       "CVE-2024-12776",
       "CVE-2024-13059",
       "CVE-2024-1561",
@@ -1762,41 +1765,50 @@
       "CVE-2024-24591",
       "CVE-2024-27132",
       "CVE-2024-2912",
+      "CVE-2024-31462",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-4889",
+      "CVE-2024-50050",
       "CVE-2024-6587",
       "CVE-2024-9526",
       "CVE-2025-1796",
+      "CVE-2025-23254",
       "CVE-2025-25297",
       "CVE-2025-27520",
+      "CVE-2025-30165",
       "CVE-2025-30202",
       "CVE-2025-32444",
       "CVE-2025-3248",
       "CVE-2025-3466",
       "CVE-2025-56520",
+      "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-64513",
       "CVE-2025-67818",
+      "CVE-2025-68668",
+      "CVE-2025-69286",
       "CVE-2026-0766",
+      "CVE-2026-21858",
+      "CVE-2026-21877",
+      "CVE-2026-22218",
+      "CVE-2026-22219",
+      "CVE-2026-24206",
+      "CVE-2026-24207",
       "CVE-2026-24213",
       "CVE-2026-24214",
       "CVE-2026-24215",
       "CVE-2026-26190",
+      "CVE-2026-3059",
+      "CVE-2026-3060",
       "CVE-2026-31230",
       "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-41947",
       "CVE-2026-41950",
-      "CVE-2026-45829",
-      "CVE-2026-21858",
-      "CVE-2025-68668",
-      "CVE-2024-31462",
-      "CVE-2026-3059",
-      "CVE-2026-3060",
-      "CVE-2026-21877"
+      "CVE-2026-45829"
     ]
   },
   "AML.T0050": {
@@ -2895,10 +2907,10 @@
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
+      "CVE-2025-51480",
       "CVE-2025-8747",
       "CVE-2026-31229",
-      "CVE-2026-45829",
-      "CVE-2025-51480"
+      "CVE-2026-45829"
     ]
   },
   "AML.T0011.001": {

package/data/attack-techniques.json

@@ -296,6 +296,7 @@
       "CVE-2024-4889",
       "CVE-2024-50050",
       "CVE-2024-5565",
+      "CVE-2025-10164",
       "CVE-2025-1094",
       "CVE-2025-11837",
       "CVE-2025-1550",
@@ -310,14 +311,19 @@
       "CVE-2025-34291",
       "CVE-2025-3466",
       "CVE-2025-49596",
+      "CVE-2025-51480",
       "CVE-2025-53773",
       "CVE-2025-54136",
       "CVE-2025-55319",
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-68664",
+      "CVE-2025-68665",
+      "CVE-2025-68668",
       "CVE-2025-8747",
       "CVE-2026-0766",
+      "CVE-2026-21858",
+      "CVE-2026-21877",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-22778",
@@ -326,6 +332,8 @@
       "CVE-2026-25592",
       "CVE-2026-26015",
       "CVE-2026-26190",
+      "CVE-2026-3059",
+      "CVE-2026-3060",
       "CVE-2026-30615",
       "CVE-2026-30616",
       "CVE-2026-30617",
@@ -341,16 +349,8 @@
       "CVE-2026-39987",
       "CVE-2026-40933",
       "CVE-2026-45829",
-      "CVE-2026-6973",
-      "CVE-2025-68665",
-      "CVE-2025-51480",
-      "CVE-2025-10164",
       "CVE-2026-5760",
-      "CVE-2025-68668",
-      "CVE-2026-21858",
-      "CVE-2026-3059",
-      "CVE-2026-3060",
-      "CVE-2026-21877"
+      "CVE-2026-6973"
     ],
     "description_full": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005). Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)",
     "platforms": [
@@ -551,9 +551,11 @@
       "CVE-2025-49706",
       "CVE-2025-61757",
       "CVE-2025-64513",
+      "CVE-2025-69286",
       "CVE-2026-1603",
       "CVE-2026-20127",
       "CVE-2026-20182",
+      "CVE-2026-21858",
       "CVE-2026-24061",
       "CVE-2026-24423",
       "CVE-2026-24858",
@@ -565,9 +567,7 @@
       "CVE-2026-42897",
       "CVE-2026-6973",
       "MAL-2026-NODE-IPC-STEALER",
-      "MAL-2026-SHAI-HULUD-OSS",
-      "CVE-2025-69286",
-      "CVE-2026-21858"
+      "MAL-2026-SHAI-HULUD-OSS"
     ],
     "description_full": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.(Citation: CISA MFA PrintNightmare) The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.(Citation: TechNet Credential Theft)",
     "platforms": [
@@ -911,6 +911,7 @@
       "CVE-2023-6019",
       "CVE-2023-6021",
       "CVE-2023-6038",
+      "CVE-2024-12450",
       "CVE-2024-12776",
       "CVE-2024-12987",
       "CVE-2024-13059",
@@ -920,6 +921,7 @@
       "CVE-2024-21576",
       "CVE-2024-21762",
       "CVE-2024-2912",
+      "CVE-2024-31462",
       "CVE-2024-37032",
       "CVE-2024-37079",
       "CVE-2024-39722",
@@ -1041,6 +1043,8 @@
       "CVE-2025-67818",
       "CVE-2025-68613",
       "CVE-2025-68645",
+      "CVE-2025-68668",
+      "CVE-2025-69286",
       "CVE-2025-6965",
       "CVE-2025-7775",
       "CVE-2025-8875",
@@ -1068,6 +1072,10 @@
       "CVE-2026-21525",
       "CVE-2026-21533",
       "CVE-2026-21643",
+      "CVE-2026-21858",
+      "CVE-2026-21877",
+      "CVE-2026-22218",
+      "CVE-2026-22219",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-22719",
@@ -1082,6 +1090,8 @@
       "CVE-2026-25108",
       "CVE-2026-26015",
       "CVE-2026-26190",
+      "CVE-2026-3059",
+      "CVE-2026-3060",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -1105,21 +1115,11 @@
       "CVE-2026-42897",
       "CVE-2026-42945",
       "CVE-2026-45829",
+      "CVE-2026-5760",
       "CVE-2026-6973",
       "CVE-2026-7482",
       "CVE-2026-9082",
-      "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP",
-      "CVE-2024-12450",
-      "CVE-2025-69286",
-      "CVE-2026-22218",
-      "CVE-2026-22219",
-      "CVE-2026-5760",
-      "CVE-2026-21858",
-      "CVE-2025-68668",
-      "CVE-2024-31462",
-      "CVE-2026-3059",
-      "CVE-2026-3060",
-      "CVE-2026-21877"
+      "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP"
     ],
     "description_full": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers.(Citation: Recorded Future ESXiArgs Ransomware 2023)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Depending on the flaw being exploited, this may also involve [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies. Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar) For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)",
     "platforms": [
@@ -1166,7 +1166,10 @@
     "name": "Supply Chain Compromise: Software Dependencies and Development Tools",
     "version": "v19",
     "cve_refs": [
+      "CVE-2025-30066",
+      "CVE-2025-30154",
       "CVE-2026-30615",
+      "CVE-2026-48027",
       "MAL-2026-3083",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-TANSTACK-MINI"
@@ -1198,21 +1201,21 @@
       "CVE-2024-3094",
       "CVE-2024-37052",
       "CVE-2024-37060",
+      "CVE-2025-10164",
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
+      "CVE-2025-51480",
       "CVE-2025-8747",
       "CVE-2026-31229",
       "CVE-2026-45321",
+      "CVE-2026-5760",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
       "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER",
       "MAL-2026-3083",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
-      "MAL-2026-SHAI-HULUD-OSS",
-      "CVE-2025-51480",
-      "CVE-2025-10164",
-      "CVE-2026-5760"
+      "MAL-2026-SHAI-HULUD-OSS"
     ],
     "description_full": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011)",
     "platforms": [
@@ -1344,10 +1347,10 @@
       "Collection"
     ],
     "cve_refs": [
-      "CVE-2026-41950",
       "CVE-2024-12450",
+      "CVE-2026-21858",
       "CVE-2026-22218",
-      "CVE-2026-21858"
+      "CVE-2026-41950"
     ]
   },
   "T1485": {
@@ -1603,12 +1606,15 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2023-47117",
-      "CVE-2025-68664",
-      "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER",
-      "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
       "CVE-2024-12450",
+      "CVE-2025-30066",
+      "CVE-2025-30154",
+      "CVE-2025-68664",
+      "CVE-2025-68665",
       "CVE-2026-22219",
-      "CVE-2025-68665"
+      "CVE-2026-48027",
+      "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER",
+      "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER"
     ],
     "description_full": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).(Citation: Brining MimiKatz to Unix)",
     "platforms": [
@@ -1954,6 +1960,7 @@
     "name": "Exfiltration Over Web Service",
     "version": "v19",
     "cve_refs": [
+      "CVE-2026-48027",
       "MAL-2026-SHAI-HULUD-OSS"
     ],
     "description_full": "Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services. Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.",
@@ -4427,9 +4434,9 @@
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
+      "CVE-2025-51480",
       "CVE-2025-8747",
-      "CVE-2026-31229",
-      "CVE-2025-51480"
+      "CVE-2026-31229"
     ]
   },
   "T1205": {