@blamejs/exceptd-skills 0.15.15 → 0.15.17

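--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,13 @@
  # Changelog
 
+ ## 0.15.17 — 2026-05-29
+
+ Draft-curation pass 15 — Chromium browser zero-days. Five CISA KEV-listed Google Chromium client-side CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: V8 JavaScript engine flaws (CVE-2025-13223 and CVE-2025-6554 type confusion, CVE-2025-5419 out-of-bounds read/write), a CSS use-after-free (CVE-2026-2441), and an ANGLE/GPU sandbox escape (CVE-2025-6558). All map T1203 (Exploitation for Client Execution); the sandbox-escape entry also maps T1068. The lessons stress same-day Chrome component-updater rollout — not gating browser updates behind a managed change window — as the load-bearing control, since these are weaponized within days in targeted-spyware and watering-hole chains.
+
+ ## 0.15.16 — 2026-05-29
+
+ Draft-curation pass 14 — web-application server-side RCE. Eight CISA KEV-listed unauthenticated web-app CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Kentico Xperience CMS (CVE-2025-2749 path-traversal + file upload, CVE-2025-2746 and CVE-2025-2747 alternate-channel authentication bypasses), Craft CMS code injection (CVE-2025-32432 and the related CVE-2024-56145), Roundcube Webmail deserialization (CVE-2025-49113), and SolarWinds Web Help Desk deserialization (CVE-2025-26399, CVE-2025-40551). All map T1190, with per-class T1059 (code injection / deserialization), T1078 (auth bypass), or T1505.003 (upload → web shell). The lessons stress web-shell hunting and application-secret rotation as required cleanup beyond the patch.
+
  ## 0.15.15 — 2026-05-29
 
  Draft-curation pass 13 — Windows kernel/driver LPE. Seven CISA KEV-listed Windows local-privilege-escalation CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: a Common Log File System (CLFS) driver use-after-free (CVE-2025-32701 — CLFS is a recurring kernel-LPE target), a race condition (CVE-2025-62215), an untrusted-pointer dereference (CVE-2025-24990), link-following (CVE-2025-60710), a kernel out-of-bounds read primitive (CVE-2023-36424), an information-disclosure primitive (CVE-2026-20805), and improper privilege management (CVE-2021-43226). All map T1068 (Exploitation for Privilege Escalation). The lessons frame these as the second half of the ransomware chain (initial access → unpatched LPE → SYSTEM within hours) and stress hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist as load-bearing endpoint controls beyond the patch.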
@@ -1,13 +1,13 @@
1
1
  {
2
2
  "schema_version": "1.1.0",
3
- "generated_at": "2026-05-29T21:03:43.254Z",
3
+ "generated_at": "2026-05-29T21:56:30.516Z",
4
4
  "generator": "scripts/build-indexes.js",
5
5
  "source_count": 54,
6
6
  "source_hashes": {
7
- "manifest.json": "4583ef83386e42795c8990101aaad4526d7965db5c29cabb4899d8b4d807a3ca",
7
+ "manifest.json": "ba250dd43d47c33983c364d62fb14e3e02b7ab9f693bac3fee7999aa532ff0cb",
8
8
  "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
9
- "data/attack-techniques.json": "8a593b6a67125e0eb4e5d167654b5fc24531ca2f95be4362a1c4d80e3df2d3a3",
10
- "data/cve-catalog.json": "a97c16dbf941e68e2e0fda7a82d821e64952eb224170e48dfbd2c5a2af61999d",
9
+ "data/attack-techniques.json": "f3827a7bef7ec2241a50822490c1cfc68228be63e526389219d14416a6be3c0c",
10
+ "data/cve-catalog.json": "093c774e39e93dc597350df97c556a9204dec1cedce0c22f28fd1bf4506b6fc2",
11
11
  "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
12
12
  "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
13
13
  "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
15
15
  "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
16
16
  "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
17
17
  "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
18
- "data/zeroday-lessons.json": "23155c21ee4dd4e7a6402cd4215f266dae559892b3f317e43fac9f64f4a10ef2",
18
+ "data/zeroday-lessons.json": "da860282700942b7766778ec499a56011c822206758bc42cd4c20ae12e285d74",
19
19
  "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
20
20
  "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
21
21
  "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",
@@ -298,6 +298,7 @@
298
298
  "CVE-2024-4889",
299
299
  "CVE-2024-50050",
300
300
  "CVE-2024-5565",
301
+ "CVE-2024-56145",
301
302
  "CVE-2024-8069",
302
303
  "CVE-2025-10164",
303
304
  "CVE-2025-1094",
@@ -307,16 +308,20 @@
307
308
  "CVE-2025-20281",
308
309
  "CVE-2025-20337",
309
310
  "CVE-2025-23254",
311
+ "CVE-2025-26399",
310
312
  "CVE-2025-27520",
311
313
  "CVE-2025-29635",
312
314
  "CVE-2025-30165",
315
+ "CVE-2025-32432",
313
316
  "CVE-2025-32434",
314
317
  "CVE-2025-32444",
315
318
  "CVE-2025-3248",
316
319
  "CVE-2025-33236",
317
320
  "CVE-2025-34291",
318
321
  "CVE-2025-3466",
322
+ "CVE-2025-40551",
319
323
  "CVE-2025-4428",
324
+ "CVE-2025-49113",
320
325
  "CVE-2025-49596",
321
326
  "CVE-2025-49704",
322
327
  "CVE-2025-51480",
@@ -500,6 +505,7 @@
500
505
  "CVE-2025-60710",
501
506
  "CVE-2025-62215",
502
507
  "CVE-2025-62849",
508
+ "CVE-2025-6558",
503
509
  "CVE-2026-0300",
504
510
  "CVE-2026-20122",
505
511
  "CVE-2026-20805",
@@ -971,7 +977,6 @@
971
977
  "CVE-2025-11953",
972
978
  "CVE-2025-12480",
973
979
  "CVE-2025-12686",
974
- "CVE-2025-13223",
975
980
  "CVE-2025-14611",
976
981
  "CVE-2025-14733",
977
982
  "CVE-2025-14847",
@@ -991,6 +996,9 @@
991
996
  "CVE-2025-25257",
992
997
  "CVE-2025-25297",
993
998
  "CVE-2025-26399",
999
+ "CVE-2025-2746",
1000
+ "CVE-2025-2747",
1001
+ "CVE-2025-2749",
994
1002
  "CVE-2025-27520",
995
1003
  "CVE-2025-2775",
996
1004
  "CVE-2025-2776",
@@ -1073,8 +1081,6 @@
1073
1081
  "CVE-2025-64496",
1074
1082
  "CVE-2025-64513",
1075
1083
  "CVE-2025-6543",
1076
- "CVE-2025-6554",
1077
- "CVE-2025-6558",
1078
1084
  "CVE-2025-66376",
1079
1085
  "CVE-2025-66644",
1080
1086
  "CVE-2025-67818",
@@ -1316,6 +1322,7 @@
1316
1322
  "CVE-2023-41974",
1317
1323
  "CVE-2023-43000",
1318
1324
  "CVE-2025-10585",
1325
+ "CVE-2025-13223",
1319
1326
  "CVE-2025-14174",
1320
1327
  "CVE-2025-21479",
1321
1328
  "CVE-2025-21480",
@@ -1329,6 +1336,9 @@
1329
1336
  "CVE-2025-43520",
1330
1337
  "CVE-2025-43529",
1331
1338
  "CVE-2025-4919",
1339
+ "CVE-2025-5419",
1340
+ "CVE-2025-6554",
1341
+ "CVE-2025-6558",
1332
1342
  "CVE-2026-20700",
1333
1343
  "CVE-2026-21385",
1334
1344
  "CVE-2026-2441",
@@ -12071,6 +12081,7 @@
12071
12081
  "_auto_imported": true,
12072
12082
  "_intake_method": "mitre-attack-stix",
12073
12083
  "cve_refs": [
12084
+ "CVE-2025-2749",
12074
12085
  "CVE-2025-31324",
12075
12086
  "CVE-2025-49704",
12076
12087
  "CVE-2025-53770"