npm - @blamejs/exceptd-skills - Versions diffs - 0.15.21 → 0.15.23 - Mend

@blamejs/exceptd-skills 0.15.21 → 0.15.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +5 -5
package/data/_indexes/activity-feed.json +1 -1
package/data/_indexes/catalog-summaries.json +1 -1
package/data/attack-techniques.json +23 -15
package/data/cve-catalog.json +209 -77
package/data/zeroday-lessons.json +503 -172
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,13 @@
 # Changelog
+## 0.15.23 — 2026-05-29
+Draft-curation pass 21 — Microsoft client-side document/web exploitation and protection bypass. Eight CISA KEV-listed CVEs that all begin with a victim opening attacker-controlled content are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons. They are mapped by technique class: memory-corruption code execution (CVE-2025-30397 Scripting Engine type confusion, CVE-2026-21519 type confusion, CVE-2009-1537 DirectShow media parsing) maps T1203; Mark-of-the-Web / SmartScreen protection bypass (CVE-2026-21513 MSHTML, CVE-2026-21510 Windows Shell) maps T1211 with T1553.005; Office security-feature bypass (CVE-2026-21514 Word Protected View, CVE-2026-21509 Office) maps T1211; and VBA insecure library loading (CVE-2012-1854) maps T1574.001. The lessons stress that the protection-bypass flaws prove a single control (SmartScreen, Protected View, Mark-of-the-Web) cannot be the only barrier — layered defenses (ASR rules, application control, content filtering) are required.
+## 0.15.22 — 2026-05-29
+Draft-curation pass 20 — Windows kernel/driver LPE. Five CISA KEV-listed Windows local-privilege-escalation CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: an Ancillary Function Driver for WinSock use-after-free (CVE-2025-32709), a Common Log File System driver heap overflow (CVE-2025-32706), a kernel use-after-free (CVE-2025-62221), an improper-privilege-management flaw (CVE-2026-21533), and an improper-access-control elevation in a privileged service (CVE-2025-59230). All map T1068 (Exploitation for Privilege Escalation). The lessons frame these as the escalation half of the ransomware chain (initial access → unpatched LPE → SYSTEM within hours) and name hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist as load-bearing endpoint controls beyond the patch.
 ## 0.15.21 — 2026-05-29
 Draft-curation pass 19 — legacy browser/reader client-side RCEs. Six CISA KEV-listed client-side memory-corruption CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Adobe Acrobat/Reader (CVE-2020-9715 use-after-free, CVE-2009-3459 heap overflow), Internet Explorer (CVE-2010-0249 the Operation Aurora zero-day, CVE-2010-0806 iepeers, CVE-2013-3893 the SetMouseCapture watering-hole flaw), and Mozilla Firefox (CVE-2010-3765). All map T1203 (Exploitation for Client Execution). The lessons frame these as long-tail KEV re-listings — the fixes shipped years ago, but unpatched and end-of-life estates (notably the unsupported Internet Explorer) remain exposed; retiring end-of-life browsers and application hardening (Protected Mode/View, ASR rules) are the load-bearing controls.

package/data/_indexes/_meta.json CHANGED Viewed

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-29T23:31:13.024Z",
+  "generated_at": "2026-05-29T23:58:57.226Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "5bb0e383ababb4b8232b7bc77737fb09f11f0aebf8fd3f6b06949aa13603fcbc",
+    "manifest.json": "a95058451e83c41c22dc01658efc17d675dc82d520408702a13b39e606c3208b",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "10d21befa5e9e9f56594d93227d4c8621dcbf6deebe2a10018b8d054aaf51fa3",
-    "data/cve-catalog.json": "c336e8c05685ae3a32c6760d559bc03949c0d1a0a2d8465c0a4cfe5b0dabee5b",
+    "data/attack-techniques.json": "1736dc39e90b994ef3f89ab4ef48f5bdce14fd2d7c068f3d915abf3cbf810687",
+    "data/cve-catalog.json": "f92a1da261e5eeb69148b71c0e572ca52f81c7f65db9fb257db8b427c191e25b",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "d76a7223bc4d9d613a397120ae1f3edb7c6640adfdac69100d34c2d5fa18a4fe",
+    "data/zeroday-lessons.json": "24da511043e4cd3fd9a36f32b45d55abd97e2994608ed700533980338b3f8ce4",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/_indexes/activity-feed.json CHANGED Viewed

@@ -165,7 +165,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.1.0",
-      "entry_count": 425
+      "entry_count": 426
     },
     {
       "date": "2026-05-17",

package/data/_indexes/catalog-summaries.json CHANGED Viewed

@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 425,
+      "entry_count": 426,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",

package/data/attack-techniques.json CHANGED Viewed

@@ -509,19 +509,24 @@
       "CVE-2025-27038",
       "CVE-2025-31277",
       "CVE-2025-32701",
+      "CVE-2025-32706",
+      "CVE-2025-32709",
       "CVE-2025-38352",
       "CVE-2025-40602",
       "CVE-2025-43300",
       "CVE-2025-48543",
       "CVE-2025-48572",
+      "CVE-2025-59230",
       "CVE-2025-60710",
       "CVE-2025-62215",
+      "CVE-2025-62221",
       "CVE-2025-62849",
       "CVE-2025-6558",
       "CVE-2026-0300",
       "CVE-2026-20122",
       "CVE-2026-20805",
       "CVE-2026-21385",
+      "CVE-2026-21533",
       "CVE-2026-31431",
       "CVE-2026-31635",
       "CVE-2026-33825",
@@ -924,7 +929,6 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2008-0015",
-      "CVE-2012-1854",
       "CVE-2014-6278",
       "CVE-2016-10033",
       "CVE-2016-7836",
@@ -1022,7 +1026,6 @@
       "CVE-2025-29635",
       "CVE-2025-30165",
       "CVE-2025-30202",
-      "CVE-2025-30397",
       "CVE-2025-31125",
       "CVE-2025-31161",
       "CVE-2025-31324",
@@ -1031,7 +1034,6 @@
       "CVE-2025-32444",
       "CVE-2025-32463",
       "CVE-2025-3248",
-      "CVE-2025-32706",
       "CVE-2025-32756",
       "CVE-2025-33053",
       "CVE-2025-33073",
@@ -1079,7 +1081,6 @@
       "CVE-2025-57819",
       "CVE-2025-58034",
       "CVE-2025-58360",
-      "CVE-2025-59230",
       "CVE-2025-59287",
       "CVE-2025-59374",
       "CVE-2025-59389",
@@ -1089,7 +1090,6 @@
       "CVE-2025-61932",
       "CVE-2025-6204",
       "CVE-2025-6205",
-      "CVE-2025-62221",
       "CVE-2025-62847",
       "CVE-2025-62848",
       "CVE-2025-64328",
@@ -1124,13 +1124,7 @@
       "CVE-2026-20133",
       "CVE-2026-20182",
       "CVE-2026-20963",
-      "CVE-2026-21509",
-      "CVE-2026-21510",
-      "CVE-2026-21513",
-      "CVE-2026-21514",
-      "CVE-2026-21519",
       "CVE-2026-21525",
-      "CVE-2026-21533",
       "CVE-2026-21643",
       "CVE-2026-21858",
       "CVE-2026-21877",
@@ -1341,8 +1335,8 @@
       "CVE-2025-13223",
       "CVE-2025-14174",
       "CVE-2025-24201",
+      "CVE-2025-30397",
       "CVE-2025-31277",
-      "CVE-2025-32709",
       "CVE-2025-43200",
       "CVE-2025-43300",
       "CVE-2025-43510",
@@ -1353,6 +1347,7 @@
       "CVE-2025-6554",
       "CVE-2025-6558",
       "CVE-2026-20700",
+      "CVE-2026-21519",
       "CVE-2026-2441",
       "CVE-2026-25592",
       "CVE-2026-34621",
@@ -4610,7 +4605,13 @@
       "IaaS"
     ],
     "stix_id": "attack-pattern--fe926152-f431-4baf-956c-4ad3cb0bf23b",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2026-21509",
+      "CVE-2026-21510",
+      "CVE-2026-21513",
+      "CVE-2026-21514"
+    ]
   },
   "T1216": {
     "id": "T1216",
@@ -13772,7 +13773,11 @@
     "stix_id": "attack-pattern--7e7c2fba-7cca-486c-9582-4c1bb2851961",
     "last_verified": "2026-05-19",
     "_auto_imported": true,
-    "_intake_method": "mitre-attack-stix"
+    "_intake_method": "mitre-attack-stix",
+    "cve_refs": [
+      "CVE-2026-21510",
+      "CVE-2026-21513"
+    ]
   },
   "T1553.006": {
     "id": "T1553.006",
@@ -15514,7 +15519,10 @@
     "stix_id": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34",
     "last_verified": "2026-05-19",
     "_auto_imported": true,
-    "_intake_method": "mitre-attack-stix"
+    "_intake_method": "mitre-attack-stix",
+    "cve_refs": [
+      "CVE-2012-1854"
+    ]
   },
   "T1574.004": {
     "id": "T1574.004",