npm - @blamejs/exceptd-skills - Versions diffs - 0.15.22 → 0.15.24 - Mend

@blamejs/exceptd-skills 0.15.22 → 0.15.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +5 -5
package/data/_indexes/activity-feed.json +1 -1
package/data/_indexes/catalog-summaries.json +1 -1
package/data/attack-techniques.json +24 -10
package/data/cve-catalog.json +261 -93
package/data/zeroday-lessons.json +638 -198
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,13 @@
 # Changelog
+## 0.15.24 — 2026-05-29
+Draft-curation pass 22 — IT-management and enterprise platforms. Eight CISA KEV-listed unauthenticated server-side CVEs on platforms whose compromise reaches the managed estate are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: N-able N-Central RMM (CVE-2025-8876 command injection, CVE-2025-8875 insecure deserialization), SysAid On-Prem ITSM XXE (CVE-2025-2775, CVE-2025-2776), SimpleHelp remote support (CVE-2024-57728 path traversal, CVE-2024-57726 missing authorization), Quest KACE Systems Management Appliance authentication bypass (CVE-2025-32975), and Oracle E-Business Suite remote code execution (CVE-2025-61882). All map T1190, with per-class T1059 (code injection/deserialization) or T1078 (auth bypass). The lessons stress that management-platform compromise is fleet-wide — response must rotate credentials and audit every action pushed to downstream managed systems during the exposure window, not just patch the server.
+## 0.15.23 — 2026-05-29
+Draft-curation pass 21 — Microsoft client-side document/web exploitation and protection bypass. Eight CISA KEV-listed CVEs that all begin with a victim opening attacker-controlled content are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons. They are mapped by technique class: memory-corruption code execution (CVE-2025-30397 Scripting Engine type confusion, CVE-2026-21519 type confusion, CVE-2009-1537 DirectShow media parsing) maps T1203; Mark-of-the-Web / SmartScreen protection bypass (CVE-2026-21513 MSHTML, CVE-2026-21510 Windows Shell) maps T1211 with T1553.005; Office security-feature bypass (CVE-2026-21514 Word Protected View, CVE-2026-21509 Office) maps T1211; and VBA insecure library loading (CVE-2012-1854) maps T1574.001. The lessons stress that the protection-bypass flaws prove a single control (SmartScreen, Protected View, Mark-of-the-Web) cannot be the only barrier — layered defenses (ASR rules, application control, content filtering) are required.
 ## 0.15.22 — 2026-05-29
 Draft-curation pass 20 — Windows kernel/driver LPE. Five CISA KEV-listed Windows local-privilege-escalation CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: an Ancillary Function Driver for WinSock use-after-free (CVE-2025-32709), a Common Log File System driver heap overflow (CVE-2025-32706), a kernel use-after-free (CVE-2025-62221), an improper-privilege-management flaw (CVE-2026-21533), and an improper-access-control elevation in a privileged service (CVE-2025-59230). All map T1068 (Exploitation for Privilege Escalation). The lessons frame these as the escalation half of the ransomware chain (initial access → unpatched LPE → SYSTEM within hours) and name hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist as load-bearing endpoint controls beyond the patch.

package/data/_indexes/_meta.json CHANGED Viewed

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-29T23:44:49.444Z",
+  "generated_at": "2026-05-30T00:14:30.380Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "e5726822ecbdc05881e4d1145cdce3bfbf2e13d872acfbfbef6601ac5fc9084b",
+    "manifest.json": "bdfa62ec546c293e03f8ed60adb72c09d72413efe313e20407ca7f19bd607d28",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "bfa065774b88d45c3fca7b69ecd267b0bd36a117a7c2da8178ce0783679d41c9",
-    "data/cve-catalog.json": "44bbe46dd3cbcf8fe836ee3ffb59850a1e63a31afb98ae3557978658cf67c247",
+    "data/attack-techniques.json": "c882080eff805eb5a2b35940d85c60919605ef9754cbf448291be053498040c3",
+    "data/cve-catalog.json": "177f37585b11bb848b62c4598f3fcb565003a1e3289ac8144932d57d7e45bc39",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "c9a28986c40ca19b8a54444a6c680c96a4dbdce17119a0e50dd8937035dff07a",
+    "data/zeroday-lessons.json": "895bdef8ae63d68a8497df0b374b846d34fee139a7b84d11d5bc719e4f6af66e",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/_indexes/activity-feed.json CHANGED Viewed

@@ -165,7 +165,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.1.0",
-      "entry_count": 425
+      "entry_count": 426
     },
     {
       "date": "2026-05-17",

package/data/_indexes/catalog-summaries.json CHANGED Viewed

@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 425,
+      "entry_count": 426,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",

package/data/attack-techniques.json CHANGED Viewed

@@ -333,6 +333,7 @@
       "CVE-2025-55319",
       "CVE-2025-58034",
       "CVE-2025-60455",
+      "CVE-2025-61882",
       "CVE-2025-6204",
       "CVE-2025-64328",
       "CVE-2025-64496",
@@ -341,6 +342,8 @@
       "CVE-2025-68665",
       "CVE-2025-68668",
       "CVE-2025-8747",
+      "CVE-2025-8875",
+      "CVE-2025-8876",
       "CVE-2025-9377",
       "CVE-2026-0766",
       "CVE-2026-1281",
@@ -591,6 +594,7 @@
       "CVE-2024-12776",
       "CVE-2024-1709",
       "CVE-2024-54085",
+      "CVE-2024-57726",
       "CVE-2025-12480",
       "CVE-2025-1796",
       "CVE-2025-21085",
@@ -929,7 +933,6 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2008-0015",
-      "CVE-2012-1854",
       "CVE-2014-6278",
       "CVE-2016-10033",
       "CVE-2016-7836",
@@ -987,6 +990,7 @@
       "CVE-2024-50050",
       "CVE-2024-56145",
       "CVE-2024-57726",
+      "CVE-2024-57728",
       "CVE-2024-6587",
       "CVE-2024-7694",
       "CVE-2024-8068",
@@ -1027,7 +1031,6 @@
       "CVE-2025-29635",
       "CVE-2025-30165",
       "CVE-2025-30202",
-      "CVE-2025-30397",
       "CVE-2025-31125",
       "CVE-2025-31161",
       "CVE-2025-31324",
@@ -1037,6 +1040,7 @@
       "CVE-2025-32463",
       "CVE-2025-3248",
       "CVE-2025-32756",
+      "CVE-2025-32975",
       "CVE-2025-33053",
       "CVE-2025-33073",
       "CVE-2025-34291",
@@ -1126,11 +1130,6 @@
       "CVE-2026-20133",
       "CVE-2026-20182",
       "CVE-2026-20963",
-      "CVE-2026-21509",
-      "CVE-2026-21510",
-      "CVE-2026-21513",
-      "CVE-2026-21514",
-      "CVE-2026-21519",
       "CVE-2026-21525",
       "CVE-2026-21643",
       "CVE-2026-21858",
@@ -1342,6 +1341,7 @@
       "CVE-2025-13223",
       "CVE-2025-14174",
       "CVE-2025-24201",
+      "CVE-2025-30397",
       "CVE-2025-31277",
       "CVE-2025-43200",
       "CVE-2025-43300",
@@ -1353,6 +1353,7 @@
       "CVE-2025-6554",
       "CVE-2025-6558",
       "CVE-2026-20700",
+      "CVE-2026-21519",
       "CVE-2026-2441",
       "CVE-2026-25592",
       "CVE-2026-34621",
@@ -4610,7 +4611,13 @@
       "IaaS"
     ],
     "stix_id": "attack-pattern--fe926152-f431-4baf-956c-4ad3cb0bf23b",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2026-21509",
+      "CVE-2026-21510",
+      "CVE-2026-21513",
+      "CVE-2026-21514"
+    ]
   },
   "T1216": {
     "id": "T1216",
@@ -13772,7 +13779,11 @@
     "stix_id": "attack-pattern--7e7c2fba-7cca-486c-9582-4c1bb2851961",
     "last_verified": "2026-05-19",
     "_auto_imported": true,
-    "_intake_method": "mitre-attack-stix"
+    "_intake_method": "mitre-attack-stix",
+    "cve_refs": [
+      "CVE-2026-21510",
+      "CVE-2026-21513"
+    ]
   },
   "T1553.006": {
     "id": "T1553.006",
@@ -15514,7 +15525,10 @@
     "stix_id": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34",
     "last_verified": "2026-05-19",
     "_auto_imported": true,
-    "_intake_method": "mitre-attack-stix"
+    "_intake_method": "mitre-attack-stix",
+    "cve_refs": [
+      "CVE-2012-1854"
+    ]
   },
   "T1574.004": {
     "id": "T1574.004",