@blamejs/exceptd-skills 0.14.26 → 0.14.28
- package/CHANGELOG.md +21 -0
- package/data/_indexes/_meta.json +10 -10
- package/data/_indexes/activity-feed.json +4 -4
- package/data/_indexes/catalog-summaries.json +9 -9
- package/data/_indexes/chains.json +1639 -0
- package/data/_indexes/frequency.json +3 -0
- package/data/atlas-ttps.json +29 -17
- package/data/attack-techniques.json +54 -37
- package/data/cve-catalog.json +742 -2
- package/data/cwe-catalog.json +53 -19
- package/data/framework-control-gaps.json +225 -116
- package/data/playbooks/framework.json +1 -0
- package/data/playbooks/sbom.json +1 -0
- package/data/zeroday-lessons.json +491 -0
- package/manifest.json +44 -44
- package/package.json +1 -1
- package/sbom.cdx.json +28 -28
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,26 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 0.14.28 — 2026-05-28
|
|
4
|
+
|
|
5
|
+
Catalog expansion — 2025 actively-exploited perimeter and file-transfer RCE cluster. Four CISA KEV-listed, ransomware-associated entries are now fully curated with RWEP scoring, IOCs, zero-day lessons, and reverse-referenced CWE/ATT&CK/framework mappings:
|
|
6
|
+
|
|
7
|
+
- **CVE-2025-0282** — Ivanti Connect Secure stack-overflow preauth RCE, exploited as a zero-day with the SPAWN malware ecosystem (RWEP 85). Patch alone is insufficient on compromised appliances — factory reset is required.
|
|
8
|
+
- **CVE-2025-22457** — Ivanti Connect Secure stack-overflow RCE, initially mis-triaged as a low-risk DoS and patched as such, then weaponized to RCE (RWEP 83). Demonstrates the severity-mis-triage failure mode for perimeter preauth flaws.
|
|
9
|
+
- **CVE-2025-31324** — SAP NetWeaver Visual Composer Metadata Uploader, unauthenticated file upload to RCE via JSP web shell, CVSS 10.0 (RWEP 78). Complements the existing NetWeaver deserialization entry it was chained with.
|
|
10
|
+
- **CVE-2025-31161** — CrushFTP HTTP authorization-header authentication bypass to crushadmin takeover (RWEP 76).
|
|
11
|
+
|
|
12
|
+
Adds CWE-305 (Authentication Bypass by Primary Weakness) to the CWE catalog as the authoritative mapping for the CrushFTP entry.
|
|
13
|
+
|
|
14
|
+
## 0.14.27 — 2026-05-28
|
|
15
|
+
|
|
16
|
+
Catalog expansion — CI/CD and IDE-extension supply-chain compromise cluster. Three CISA KEV-listed, actively-exploited CWE-506 (embedded malicious code) entries are now curated with full RWEP scoring, IOCs, zero-day lessons, and reverse-referenced technique/CWE/framework mappings:
|
|
17
|
+
|
|
18
|
+
- **CVE-2025-30066** — tj-actions/changed-files GitHub Action: mutable release tags repointed to code that dumped CI/CD secrets to public workflow logs (~23,000 dependent repositories).
|
|
19
|
+
- **CVE-2025-30154** — reviewdog/action-setup GitHub Action: trojanized and reached consumers transitively through five dependent reviewdog actions, defeating consumer-side commit-SHA pinning of the outer action.
|
|
20
|
+
- **CVE-2026-48027** — Nx Console IDE extension: a malicious marketplace version (18.95.0) harvested developer credentials on install; clean at 18.100.0.
|
|
21
|
+
|
|
22
|
+
Two framework-control-gap entries the cluster exposes are added with compliance-theater tests: **NIST 800-53 SR-11 (Component Authenticity)** — authenticity by publisher identity does not detect an authentic-publisher malicious artifact — and **OWASP CICD-SEC-3 (Dependency Chain Abuse)** — action pinning must extend to transitively-included actions and to developer-endpoint IDE extensions.
|
|
23
|
+
|
|
3
24
|
## 0.14.26 — 2026-05-28
|
|
4
25
|
|
|
5
26
|
`citation-hygiene` `rfc-number-title-mismatch` now fires only on an explicitly quoted title that conflicts with the registry title (`RFC 9404 "Sieve Email Filtering Language"` when 9404 is the JMAP Blob extension). The previous whole-line token-overlap heuristic flagged the ordinary ways developers cite RFCs — a mechanism description (`CRLF line endings per RFC 5322 §2.3`), a section pointer, a well-known short name (`RFC 9051 (IMAP4rev2)`), and even an RFC-number-shaped token inside code (`envelope.rfc822` → "RFC 822") — because that surrounding prose or code never shares vocabulary with the formal registry title. Those forms state no title and are no longer flagged; a genuinely conflicting quoted title still fires. The deterministic catalog-backed checks (`fabricated-cve-id`, `rejected-or-disputed-cve`, RFC-not-in-index) are unchanged.
|
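Review bot: the 0.14.28 and 0.14.27 entries say nothing about the new `data/_indexes/chains.json` (+1639 lines) and `data/_indexes/frequency.json` indexes that the file summary at the top of this diff lists, nor about the `chains_cve_entries` / `chains_cwe_entries` counters that `_meta.json` now carries, so a consumer reading only the changelog would not learn that a new index shape shipped in this release. Suggest a line under 0.14.28 naming the two indexes and stating how the chain counters relate to the catalog `entry_count` values. A smaller point: all three entries carry the date 2026-05-28, so the date cannot be used to order them and the version number has to be relied on; that is acceptable but worth keeping in mind when a consumer pins on date.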
package/data/_indexes/_meta.json
CHANGED
|
@@ -1,21 +1,21 @@
|
|
|
1
1
|
{
|
|
2
2
|
"schema_version": "1.1.0",
|
|
3
|
-
"generated_at": "2026-05-
|
|
3
|
+
"generated_at": "2026-05-28T22:39:58.047Z",
|
|
4
4
|
"generator": "scripts/build-indexes.js",
|
|
5
5
|
"source_count": 54,
|
|
6
6
|
"source_hashes": {
|
|
7
|
-
"manifest.json": "
|
|
8
|
-
"data/atlas-ttps.json": "
|
|
9
|
-
"data/attack-techniques.json": "
|
|
10
|
-
"data/cve-catalog.json": "
|
|
11
|
-
"data/cwe-catalog.json": "
|
|
7
|
+
"manifest.json": "1497a0bf6249faeabaa1e797ff2e7cec028351ddd4c27bda6721c95ff1e57d9c",
|
|
8
|
+
"data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
|
|
9
|
+
"data/attack-techniques.json": "57b8a1b4e1c3f524a76b4bded09b3082b36b783db3df116f863892072e0f65e9",
|
|
10
|
+
"data/cve-catalog.json": "5849b48dd5489ba6d10cbd3b0b25c9d8412e3932e0ae2304364ec95cf254ec97",
|
|
11
|
+
"data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
|
|
12
12
|
"data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
|
|
13
13
|
"data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
|
|
14
14
|
"data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
|
|
15
|
-
"data/framework-control-gaps.json": "
|
|
15
|
+
"data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
|
|
16
16
|
"data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
|
|
17
17
|
"data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
|
|
18
|
-
"data/zeroday-lessons.json": "
|
|
18
|
+
"data/zeroday-lessons.json": "f12a823e8546785833a06ae69089d87640480f6d28dcff1265ed43d38ebec0ed",
|
|
19
19
|
"skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
|
|
20
20
|
"skills/ai-attack-surface/skill.md": "c4c1eb22a38ca7a959b5725222bab8fbd4f4044a548a93f3e288e6f698334b72",
|
|
21
21
|
"skills/mcp-agent-trust/skill.md": "89ac89084391d2341b6513fefb1be2d36b93de1c130f057696219c1c59440f13",
|
|
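Review bot: the removed-side values of `generated_at` and of every changed `source_hashes` entry are truncated in this rendering (`"manifest.json": "`), so the before/after hash change cannot be compared on this page; only the new-side values are complete. Since `source_hashes` is the one place a consumer can check the shipped data files against the index, it would help to state in the package (or the changelog) which digest the 64-hex-digit values are computed with and over what input, and to note that the three `skills/*/skill.md` hashes and `source_count: 54` are unchanged, which is consistent with the new `chains.json` and `frequency.json` being generated indexes rather than hashed sources.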
@@ -72,8 +72,8 @@
|
|
|
72
72
|
"dlp_refs": 0
|
|
73
73
|
},
|
|
74
74
|
"trigger_table_entries": 538,
|
|
75
|
-
"chains_cve_entries":
|
|
76
|
-
"chains_cwe_entries":
|
|
75
|
+
"chains_cve_entries": 416,
|
|
76
|
+
"chains_cwe_entries": 173,
|
|
77
77
|
"jurisdictions_indexed": 29,
|
|
78
78
|
"handoff_dag_nodes": 42,
|
|
79
79
|
"summary_cards": 42,
|
|
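Review bot: `chains_cve_entries` is 416 while the cve-catalog `entry_count` elsewhere in this diff is 427, so 11 CVE entries have no chain data; `chains_cwe_entries` (173) matches the CWE catalog count exactly. If the gap is expected (entries with no mapped chain), document that next to the counter; otherwise the index build in `scripts/build-indexes.js` should report the unmapped entries rather than silently leaving them out.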
@@ -98,7 +98,7 @@
|
|
|
98
98
|
"artifact": "data/cwe-catalog.json",
|
|
99
99
|
"path": "data/cwe-catalog.json",
|
|
100
100
|
"schema_version": "1.0.0",
|
|
101
|
-
"entry_count":
|
|
101
|
+
"entry_count": 173
|
|
102
102
|
},
|
|
103
103
|
{
|
|
104
104
|
"date": "2026-05-19",
|
|
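Review bot: this hunk and the three that follow (`@@ -149`, `@@ -157`, `@@ -165`) each change one `entry_count` inside an `artifact` / `path` / `date` record, which adds up to +4 -4; that matches `package/data/_indexes/activity-feed.json +4 -4` in the file summary, whereas `_meta.json` (+10 -10) is already fully accounted for by the two hunks above. The activity-feed.json file header appears to have been dropped in this rendering, so the counts in these four hunks should be read as activity-feed records, not as `_meta.json` fields.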
@@ -149,7 +149,7 @@
|
|
|
149
149
|
"artifact": "data/cve-catalog.json",
|
|
150
150
|
"path": "data/cve-catalog.json",
|
|
151
151
|
"schema_version": "1.0.0",
|
|
152
|
-
"entry_count":
|
|
152
|
+
"entry_count": 427
|
|
153
153
|
},
|
|
154
154
|
{
|
|
155
155
|
"date": "2026-05-18",
|
|
@@ -157,7 +157,7 @@
|
|
|
157
157
|
"artifact": "data/framework-control-gaps.json",
|
|
158
158
|
"path": "data/framework-control-gaps.json",
|
|
159
159
|
"schema_version": "1.0.0",
|
|
160
|
-
"entry_count":
|
|
160
|
+
"entry_count": 194
|
|
161
161
|
},
|
|
162
162
|
{
|
|
163
163
|
"date": "2026-05-18",
|
|
@@ -165,7 +165,7 @@
|
|
|
165
165
|
"artifact": "data/zeroday-lessons.json",
|
|
166
166
|
"path": "data/zeroday-lessons.json",
|
|
167
167
|
"schema_version": "1.1.0",
|
|
168
|
-
"entry_count":
|
|
168
|
+
"entry_count": 422
|
|
169
169
|
},
|
|
170
170
|
{
|
|
171
171
|
"date": "2026-05-17",
|
|
@@ -62,13 +62,13 @@
|
|
|
62
62
|
"rebuild_after_days": 365,
|
|
63
63
|
"note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
|
|
64
64
|
},
|
|
65
|
-
"entry_count":
|
|
65
|
+
"entry_count": 427,
|
|
66
66
|
"sample_keys": [
|
|
67
|
-
"CVE-2025-
|
|
68
|
-
"CVE-
|
|
69
|
-
"CVE-
|
|
70
|
-
"CVE-
|
|
71
|
-
"CVE-
|
|
67
|
+
"CVE-2025-0282",
|
|
68
|
+
"CVE-2025-22457",
|
|
69
|
+
"CVE-2025-31324",
|
|
70
|
+
"CVE-2025-31161",
|
|
71
|
+
"CVE-2025-30066"
|
|
72
72
|
]
|
|
73
73
|
},
|
|
74
74
|
"cwe-catalog.json": {
|
|
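Review bot: `sample_keys` for cve-catalog.json is rewritten wholesale to the four 0.14.28 CVEs plus CVE-2025-30066; the removed side is truncated to `"CVE-` here, so the page cannot show what was replaced. If `sample_keys` is meant as a fixture that consumers smoke-test lookups against, rotating it to the newest entries on every release makes it unstable, so document whether it is "most recent N" or a fixed set. The order also follows the changelog bullets rather than any numeric rule (31324 before 31161 before 30066), which is worth stating if anything depends on it. Note too that this hunk and the three after it sum to +9 -9, matching `catalog-summaries.json +9 -9` in the file summary, so its file header was likely lost in the rendering as well.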
@@ -84,7 +84,7 @@
|
|
|
84
84
|
"rebuild_after_days": 365,
|
|
85
85
|
"note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
|
|
86
86
|
},
|
|
87
|
-
"entry_count":
|
|
87
|
+
"entry_count": 173,
|
|
88
88
|
"sample_keys": [
|
|
89
89
|
"CWE-20",
|
|
90
90
|
"CWE-22",
|
|
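Review bot: the CWE catalog keeps its `sample_keys` (`CWE-20`, `CWE-22`) even though the changelog says CWE-305 was added as the authoritative mapping for the CrushFTP entry, while the CVE catalog's `sample_keys` in the hunk above were rotated to the newest entries. The two catalogs are following different sample-key policies; the build script should apply one rule and the summary schema should say which.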
@@ -172,7 +172,7 @@
|
|
|
172
172
|
"rebuild_after_days": 365,
|
|
173
173
|
"note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
|
|
174
174
|
},
|
|
175
|
-
"entry_count":
|
|
175
|
+
"entry_count": 194,
|
|
176
176
|
"sample_keys": [
|
|
177
177
|
"ALL-AI-PIPELINE-INTEGRITY",
|
|
178
178
|
"ALL-MCP-TOOL-TRUST",
|
|
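Review bot: `entry_count` for framework-control-gaps moves to 194, but the file summary shows `framework-control-gaps.json +225 -116`, i.e. a sizeable rewrite of existing entries beyond the two new entries (SR-11, CICD-SEC-3) that the 0.14.27 changelog names. The 116 removed lines are covered only by the generic phrase "reverse-referenced CWE/ATT&CK/framework mappings" in 0.14.28; suggest the changelog list which control-gap entries were modified so consumers relying on a specific gap entry know to re-check it.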
@@ -238,7 +238,7 @@
|
|
|
238
238
|
"rebuild_after_days": 365,
|
|
239
239
|
"note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
|
|
240
240
|
},
|
|
241
|
-
"entry_count":
|
|
241
|
+
"entry_count": 422,
|
|
242
242
|
"sample_keys": [
|
|
243
243
|
"CVE-2026-31431",
|
|
244
244
|
"CVE-2025-53773",
|