@blamejs/exceptd-skills 0.15.28 → 0.15.29

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.15.29 — 2026-05-29
+
+Draft-curation pass 26 — ICS/OT devices. Four CISA KEV-listed industrial-control and operational-technology CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: OpenPLC ScadaBR SCADA/HMI (CVE-2021-26828 unrestricted file upload, CVE-2021-26829 cross-site scripting), Hikvision IP camera authentication bypass (CVE-2017-7921), and the Rockwell Automation Logix protected-credential weakness (CVE-2021-22681). All map T1190, with per-class T1505.003, T1078, or T1552. The lessons carry an OT-specific framing: these devices frequently cannot be patched on an IT cadence, so the load-bearing controls are IEC 62443 zones-and-conduits segmentation, removal of IT/internet reachability, and OT-network monitoring — and response must validate process/control-logic integrity, not just perform IT cleanup, because compromise can have physical and safety consequences.
+
 ## 0.15.28 — 2026-05-29
 
 Draft-curation pass 25 — web applications and developer tooling. Six CISA KEV-listed unauthenticated server-side CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Laravel Livewire code injection (CVE-2025-54068), n8n dynamic-code execution (CVE-2025-68613), JetBrains TeamCity authentication bypass via path traversal (CVE-2024-27199), and arbitrary file-read path traversals in Grafana (CVE-2021-43798), Gogs (CVE-2025-8110), and the Vite dev server (CVE-2025-31125). All map T1190, with per-class T1059 (code injection), T1078 (auth bypass), or T1552 (file reads that leak configuration/source secrets). The lessons stress that file-disclosure flaws demand rotation of every exposed secret, and that CI/developer-tool compromise (TeamCity) carries software-supply-chain risk to build artifacts beyond the server itself.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-30T01:16:22.729Z",
+  "generated_at": "2026-05-30T01:46:06.048Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "3be5985b09e4e142de03abbce27588bc8606a489918b8d7b5a84d457908707c1",
+    "manifest.json": "0f5212a60d6b8f8f0b5861b3a9d7e37c9ed816a218bcf1ae7eb1e0d0c33633e5",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "85d09671bb4f6f3be0d7cbe70c405b9ebf8a680f1c9c5de8261461c2c4036a76",
-    "data/cve-catalog.json": "9626cd5f0c24b365ae96d39ebc584b41aa63124337f319f7bdd7d22e2052a651",
+    "data/attack-techniques.json": "5a7f8b7bd744fc05397c9e61925f620cc1edb4d52a39ccc991be044adfe80fc3",
+    "data/cve-catalog.json": "119c5540c49ab7999be6dbaf750281321cca7a86ab0d8379f1e03d21c3fe3177",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "4b9b2e9080ba9f723461b12e1bff989cb4ad5f794568ec8ae387e2a9a34c1f17",
+    "data/zeroday-lessons.json": "e8ea9a0126b278a0ecd012e8f23af44c9ccc631f75787919e96023ad8bee5c9a",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json

@@ -943,6 +943,7 @@
       "CVE-2016-10033",
       "CVE-2016-7836",
       "CVE-2017-1000353",
+      "CVE-2017-7921",
       "CVE-2018-4063",
       "CVE-2019-6693",
       "CVE-2019-9621",
@@ -952,6 +953,7 @@
       "CVE-2020-7796",
       "CVE-2021-22681",
       "CVE-2021-26828",
+      "CVE-2021-26829",
       "CVE-2021-43798",
       "CVE-2022-1471",
       "CVE-2022-20775",
@@ -1693,6 +1695,7 @@
     "name": "Unsecured Credentials",
     "version": "v19",
     "cve_refs": [
+      "CVE-2021-22681",
       "CVE-2021-43798",
       "CVE-2023-47117",
       "CVE-2024-12450",
@@ -12115,6 +12118,7 @@
     "_auto_imported": true,
     "_intake_method": "mitre-attack-stix",
     "cve_refs": [
+      "CVE-2021-26828",
       "CVE-2024-1708",
       "CVE-2024-7399",
       "CVE-2025-2749",

package/data/cve-catalog.json

@@ -22374,7 +22374,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -22395,7 +22396,7 @@
     "cwe_refs": [
       "CWE-287"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.hikvision.com/us-en/support/document-center/special-notices/privilege-escalating-vulnerability-in-certain-hikvision-ip-cameras/",
@@ -22424,11 +22425,21 @@
         "published_date": "2026-03-05"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-05; due date 2026-03-26. Notes reference: https://www.hikvision.com/us-en/support/document-center/special-notices/privilege-escalating-vulnerability-in-certain-hikvision-ip-cameras/ ; https://nvd.nist.gov/vuln/detail/CVE-2017-7921",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain access to sensitive information."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain access to sensitive information.",
+    "iocs": {
+      "behavioral": [
+        "Hikvision IP cameras reachable on the network (especially from IT or the internet) at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Hikvision camera consistent with improper-authentication flaw.",
+        "Unexpected configuration, logic, or account changes on the Hikvision camera, or access to the device from outside its intended OT zone, with no corresponding operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2017-7921, CISA KEV (added 2026-03-05), and the vendor / CISA ICS advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-22681": {
     "name": "Rockwell Multiple Products Insufficient Protected Credentials Vulnerability",
@@ -22470,7 +22481,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -22491,7 +22503,7 @@
     "cwe_refs": [
       "CWE-522"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.rockwellautomation.com/app/answers/answer_view/a_id/1130301/~/cve-2021-22681%3A-authentication-bypass-vulnerability-found-in-logix-controllers-",
@@ -22521,11 +22533,21 @@
         "published_date": "2026-03-05"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-05; due date 2026-03-26. Notes reference: https://support.rockwellautomation.com/app/answers/answer_view/a_id/1130301/~/cve-2021-22681%3A-authentication-bypass-vulnerability-found-in-logix-controllers- ; https://www.cisa.gov/news-events/ics-a",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Rockwell products contain an insufficient protected credentials vulnerability. Studio 5000 Logix Designer software may allow a key to be discovered. This key is used to verify Logix controllers are communicating with Rockwell Automation design software. If successfully exploited, this vulnerability could allow an unauthorized application to connect with Logix controllers. To leverage this vulnerability, an unauthorized user would require network access to the controller."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Multiple Rockwell products contain an insufficient protected credentials vulnerability. Studio 5000 Logix Designer software may allow a key to be discovered. This key is used to verify Logix controllers are communicating with Rockwell Automation design software. If successfully exploited, this vulnerability could allow an unauthorized application to connect with Logix controllers. To leverage this vulnerability, an unauthorized user would require network access to the controller.",
+    "iocs": {
+      "behavioral": [
+        "Rockwell Automation Logix controllers reachable on the network (especially from IT or the internet) at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Rockwell Logix PLC consistent with insufficiently-protected-credentials flaw.",
+        "Unexpected configuration, logic, or account changes on the Rockwell Logix PLC, or access to the device from outside its intended OT zone, with no corresponding operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2021-22681, CISA KEV (added 2026-03-05), and the vendor / CISA ICS advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2023-43000": {
     "name": "Apple Multiple products Use-After-Free Vulnerability",
@@ -29188,7 +29210,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1505.003"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -29209,7 +29232,7 @@
     "cwe_refs": [
       "CWE-434"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/SCADA-LTS/Scada-LTS/pull/2174",
@@ -29238,11 +29261,21 @@
         "published_date": "2025-12-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-03; due date 2025-12-24. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.",
+    "iocs": {
+      "behavioral": [
+        "OpenPLC ScadaBR reachable on the network (especially from IT or the internet) at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the ScadaBR HMI consistent with unrestricted file-upload flaw.",
+        "Unexpected configuration, logic, or account changes on the ScadaBR HMI, or access to the device from outside its intended OT zone, with no corresponding operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2021-26828, CISA KEV (added 2025-12-03), and the vendor / CISA ICS advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-48633": {
     "name": "Android Framework Information Disclosure Vulnerability",
@@ -29494,7 +29527,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1059.007"
+      "T1059.007",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -29515,7 +29549,7 @@
     "cwe_refs": [
       "CWE-79"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/SCADA-LTS/Scada-LTS/pull/3211",
@@ -29544,11 +29578,21 @@
         "published_date": "2025-11-28"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-28; due date 2025-12-19. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm.",
+    "iocs": {
+      "behavioral": [
+        "OpenPLC ScadaBR reachable on the network (especially from IT or the internet) at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the ScadaBR HMI consistent with cross-site scripting flaw.",
+        "Unexpected configuration, logic, or account changes on the ScadaBR HMI, or access to the device from outside its intended OT zone, with no corresponding operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2021-26829, CISA KEV (added 2025-11-28), and the vendor / CISA ICS advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-61757": {
     "name": "Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability",

package/data/zeroday-lessons.json

@@ -11923,67 +11923,123 @@
   },
   "CVE-2017-7921": {
     "name": "Hikvision Multiple Products Improper Authentication Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain access to sensitive information.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an improper-authentication flaw (CWE-287) on Hikvision IP cameras, letting an unauthenticated attacker escalate to administrator and access the device and its video feed. CISA KEV-listed 2026-03-05 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the device is reachable by an unauthenticated attacker; exposure is amplified when the OT zone is not segmented)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor firmware/update where one exists; where the device cannot be patched, isolate it in a segmented OT zone (zones-and-conduits / Purdue model), block all IT and internet reachability, and restrict access to authenticated engineering workstations.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation) + IEC 62443-3-3",
+        "adequacy": "Patching is often impossible on OT; segmentation and access restriction are the real controls, and a flat or internet-exposed OT network defeats them."
+      },
+      "detection": {
+        "what_would_have_worked": "OT-network monitoring for unauthorized connections to the Hikvision camera, unexpected configuration/logic changes, and access from outside the device's intended zone.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because unpatched OT devices may stay exploitable indefinitely; behavioral detection is the backstop."
+      },
+      "response": {
+        "what_would_have_worked": "Isolate the device, validate and restore its configuration/logic from a known-good baseline, rotate any credentials/keys it held, and investigate for safety-impacting manipulation; engage OT/safety engineering before any change.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-82r3 + NIST 800-53 IR-4",
+        "adequacy": "Mandatory; OT compromise can have physical/safety consequences, so response must include process-integrity validation, not just IT cleanup."
+      }
     },
     "framework_coverage": {
-      "NIST-800-53-SI-2": {
+      "NIST-800-82r3-ICS": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "OT/ICS devices often cannot be patched on an IT cadence (availability and safety constraints, vendor re-certification), so the exposure window for a KEV-listed flaw is months-to-years; the standard treats patching as primary but for OT the load-bearing control is network segmentation and access restriction."
+      },
+      "IEC-62443-3-3-zones-conduits": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Zones-and-conduits segmentation is required, but it is frequently unimplemented or bypassed (flat OT networks, internet-exposed HMIs/cameras/PLCs); the device itself is exploitable whenever it is reachable, and the standard does not force a compromised-device response plan."
+      },
+      "NIS2-Art21-OT": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats OT/ICS as essential-function infrastructure but lacks a device-level compressed remediation expectation and does not address the reality that many OT devices are end-of-life or unpatchable and must be isolated rather than fixed."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined and ill-suited to OT, where patching may be impossible; compensating controls (segmentation, monitoring, restricted engineering-workstation access) carry the load and must be explicit."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "Hikvision IP cameras is OT/ICS equipment that frequently cannot be patched on an IT cadence and is often reachable on flat or internet-exposed networks; audited organizations that rely on a patch SLA rather than enforced segmentation remain exposed for this KEV-listed, actively-exploited flaw.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2021-22681": {
     "name": "Rockwell Multiple Products Insufficient Protected Credentials Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Multiple Rockwell products contain an insufficient protected credentials vulnerability. Studio 5000 Logix Designer software may allow a key to be discovered. This key is used to verify Logix controllers are communicating with Rockwell Automation design software. If successfully exploited, this vulnerability could allow an unauthorized application to connect with Logix controllers. To leverage this vulnerability, an unauthorized user would require network access to the controller.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an insufficiently-protected-credentials flaw (CWE-522) in the Studio 5000 / Logix secret-key handling, letting an unauthenticated attacker bypass authentication and connect to the PLC to alter its configuration or control logic. CISA KEV-listed 2026-03-05 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the device is reachable by an unauthenticated attacker; exposure is amplified when the OT zone is not segmented)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor firmware/update where one exists; where the device cannot be patched, isolate it in a segmented OT zone (zones-and-conduits / Purdue model), block all IT and internet reachability, and restrict access to authenticated engineering workstations.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation) + IEC 62443-3-3",
+        "adequacy": "Patching is often impossible on OT; segmentation and access restriction are the real controls, and a flat or internet-exposed OT network defeats them."
+      },
+      "detection": {
+        "what_would_have_worked": "OT-network monitoring for unauthorized connections to the Rockwell Logix PLC, unexpected configuration/logic changes, and access from outside the device's intended zone.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because unpatched OT devices may stay exploitable indefinitely; behavioral detection is the backstop."
+      },
+      "response": {
+        "what_would_have_worked": "Isolate the device, validate and restore its configuration/logic from a known-good baseline, rotate any credentials/keys it held, and investigate for safety-impacting manipulation; engage OT/safety engineering before any change.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-82r3 + NIST 800-53 IR-4",
+        "adequacy": "Mandatory; OT compromise can have physical/safety consequences, so response must include process-integrity validation, not just IT cleanup."
+      }
     },
     "framework_coverage": {
-      "NIST-800-53-SI-2": {
+      "NIST-800-82r3-ICS": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "OT/ICS devices often cannot be patched on an IT cadence (availability and safety constraints, vendor re-certification), so the exposure window for a KEV-listed flaw is months-to-years; the standard treats patching as primary but for OT the load-bearing control is network segmentation and access restriction."
+      },
+      "IEC-62443-3-3-zones-conduits": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Zones-and-conduits segmentation is required, but it is frequently unimplemented or bypassed (flat OT networks, internet-exposed HMIs/cameras/PLCs); the device itself is exploitable whenever it is reachable, and the standard does not force a compromised-device response plan."
+      },
+      "NIS2-Art21-OT": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats OT/ICS as essential-function infrastructure but lacks a device-level compressed remediation expectation and does not address the reality that many OT devices are end-of-life or unpatchable and must be isolated rather than fixed."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined and ill-suited to OT, where patching may be impossible; compensating controls (segmentation, monitoring, restricted engineering-workstation access) carry the load and must be explicit."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "Rockwell Automation Logix controllers is OT/ICS equipment that frequently cannot be patched on an IT cadence and is often reachable on flat or internet-exposed networks; audited organizations that rely on a patch SLA rather than enforced segmentation remain exposed for this KEV-listed, actively-exploited flaw.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2023-43000": {
     "name": "Apple Multiple products Use-After-Free Vulnerability",
@@ -15103,35 +15159,63 @@
   },
   "CVE-2021-26828": {
     "name": "OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an unrestricted file-upload flaw (CWE-434) on the ScadaBR SCADA/HMI web interface, letting an unauthenticated attacker upload a file (e.g. a web shell) for code execution on the HMI server. CISA KEV-listed 2025-12-03 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the device is reachable by an unauthenticated attacker; exposure is amplified when the OT zone is not segmented)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor firmware/update where one exists; where the device cannot be patched, isolate it in a segmented OT zone (zones-and-conduits / Purdue model), block all IT and internet reachability, and restrict access to authenticated engineering workstations.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation) + IEC 62443-3-3",
+        "adequacy": "Patching is often impossible on OT; segmentation and access restriction are the real controls, and a flat or internet-exposed OT network defeats them."
+      },
+      "detection": {
+        "what_would_have_worked": "OT-network monitoring for unauthorized connections to the ScadaBR HMI, unexpected configuration/logic changes, and access from outside the device's intended zone.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because unpatched OT devices may stay exploitable indefinitely; behavioral detection is the backstop."
+      },
+      "response": {
+        "what_would_have_worked": "Isolate the device, validate and restore its configuration/logic from a known-good baseline, rotate any credentials/keys it held, and investigate for safety-impacting manipulation; engage OT/safety engineering before any change.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-82r3 + NIST 800-53 IR-4",
+        "adequacy": "Mandatory; OT compromise can have physical/safety consequences, so response must include process-integrity validation, not just IT cleanup."
+      }
     },
     "framework_coverage": {
-      "NIST-800-53-SI-2": {
+      "NIST-800-82r3-ICS": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "OT/ICS devices often cannot be patched on an IT cadence (availability and safety constraints, vendor re-certification), so the exposure window for a KEV-listed flaw is months-to-years; the standard treats patching as primary but for OT the load-bearing control is network segmentation and access restriction."
+      },
+      "IEC-62443-3-3-zones-conduits": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Zones-and-conduits segmentation is required, but it is frequently unimplemented or bypassed (flat OT networks, internet-exposed HMIs/cameras/PLCs); the device itself is exploitable whenever it is reachable, and the standard does not force a compromised-device response plan."
+      },
+      "NIS2-Art21-OT": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats OT/ICS as essential-function infrastructure but lacks a device-level compressed remediation expectation and does not address the reality that many OT devices are end-of-life or unpatchable and must be isolated rather than fixed."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined and ill-suited to OT, where patching may be impossible; compensating controls (segmentation, monitoring, restricted engineering-workstation access) carry the load and must be explicit."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "OpenPLC ScadaBR is OT/ICS equipment that frequently cannot be patched on an IT cadence and is often reachable on flat or internet-exposed networks; audited organizations that rely on a patch SLA rather than enforced segmentation remain exposed for this KEV-listed, actively-exploited flaw.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-48633": {
     "name": "Android Framework Information Disclosure Vulnerability",
@@ -15245,35 +15329,63 @@
   },
   "CVE-2021-26829": {
     "name": "OpenPLC ScadaBR Cross-site Scripting Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a cross-site scripting flaw (CWE-79) on the ScadaBR SCADA/HMI web interface, letting an attacker run script in an operator's authenticated session. CISA KEV-listed 2025-11-28 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the device is reachable by an unauthenticated attacker; exposure is amplified when the OT zone is not segmented)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor firmware/update where one exists; where the device cannot be patched, isolate it in a segmented OT zone (zones-and-conduits / Purdue model), block all IT and internet reachability, and restrict access to authenticated engineering workstations.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation) + IEC 62443-3-3",
+        "adequacy": "Patching is often impossible on OT; segmentation and access restriction are the real controls, and a flat or internet-exposed OT network defeats them."
+      },
+      "detection": {
+        "what_would_have_worked": "OT-network monitoring for unauthorized connections to the ScadaBR HMI, unexpected configuration/logic changes, and access from outside the device's intended zone.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because unpatched OT devices may stay exploitable indefinitely; behavioral detection is the backstop."
+      },
+      "response": {
+        "what_would_have_worked": "Isolate the device, validate and restore its configuration/logic from a known-good baseline, rotate any credentials/keys it held, and investigate for safety-impacting manipulation; engage OT/safety engineering before any change.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-82r3 + NIST 800-53 IR-4",
+        "adequacy": "Mandatory; OT compromise can have physical/safety consequences, so response must include process-integrity validation, not just IT cleanup."
+      }
     },
     "framework_coverage": {
-      "NIST-800-53-SI-2": {
+      "NIST-800-82r3-ICS": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "OT/ICS devices often cannot be patched on an IT cadence (availability and safety constraints, vendor re-certification), so the exposure window for a KEV-listed flaw is months-to-years; the standard treats patching as primary but for OT the load-bearing control is network segmentation and access restriction."
+      },
+      "IEC-62443-3-3-zones-conduits": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Zones-and-conduits segmentation is required, but it is frequently unimplemented or bypassed (flat OT networks, internet-exposed HMIs/cameras/PLCs); the device itself is exploitable whenever it is reachable, and the standard does not force a compromised-device response plan."
+      },
+      "NIS2-Art21-OT": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats OT/ICS as essential-function infrastructure but lacks a device-level compressed remediation expectation and does not address the reality that many OT devices are end-of-life or unpatchable and must be isolated rather than fixed."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined and ill-suited to OT, where patching may be impossible; compensating controls (segmentation, monitoring, restricted engineering-workstation access) carry the load and must be explicit."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "OpenPLC ScadaBR is OT/ICS equipment that frequently cannot be patched on an IT cadence and is often reachable on flat or internet-exposed networks; audited organizations that rely on a patch SLA rather than enforced segmentation remain exposed for this KEV-listed, actively-exploited flaw.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-61757": {
     "name": "Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability",

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.15.28",
+  "version": "0.15.29",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "0H+JfyUVmo/pVFEi5rLENATHjlukPVUqnOWmNPEH77wm8svKGK0aNJ46k6QU5GdHb8c9X9pVJKiuhON6AxDjDw==",
-      "signed_at": "2026-05-30T01:13:00.646Z",
+      "signed_at": "2026-05-30T01:42:46.417Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -123,7 +123,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "PHwHEsoy7ctBYOtlAfAdCDVfsq2Bpk9+qESSF+5dVkDcez2zp2v9Ihsv2vqMEs3QxMndyQ+t7NVezyt5VamSCg==",
-      "signed_at": "2026-05-30T01:13:00.648Z",
+      "signed_at": "2026-05-30T01:42:46.419Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -196,7 +196,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "dD4p7lcRtMyfITOncqLkpOeMy6x6gM0V7UlWHgLEdcxqODb1s75ar1cBtTqDWPbMv6ZAzVo2HJLDK1hVjjU2AQ==",
-      "signed_at": "2026-05-30T01:13:00.648Z",
+      "signed_at": "2026-05-30T01:42:46.419Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -248,7 +248,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "wsw8Mlr/gyw6S7Iaao9BVHdU5LFPWl8WVymW17Lkq9J1Mui0+fCrTg6UbrsaeE3s7EW3TVgzBuK+8EFd1+H5AA==",
-      "signed_at": "2026-05-30T01:13:00.649Z"
+      "signed_at": "2026-05-30T01:42:46.419Z"
     },
     {
       "name": "compliance-theater",
@@ -279,7 +279,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "uVTc1QRKOKcIVDajBz+q2egjiEAyOQaDNsvVI2ghj5FD0VvquoUBBE5Naca2FkaZa790EHWCsVZ4hhdaSQs2DQ==",
-      "signed_at": "2026-05-30T01:13:00.649Z"
+      "signed_at": "2026-05-30T01:42:46.420Z"
     },
     {
       "name": "exploit-scoring",
@@ -308,7 +308,7 @@
       ],
       "last_threat_review": "2026-05-18",
       "signature": "QuNpwnZ6HkCEAXTPC/jLbXSmMIc1JnBczqZAAIZmZj8OcEMVnw9mJYAnU3CxaEI7rvbcMkN2uS5E8yUCm/NiAg==",
-      "signed_at": "2026-05-30T01:13:00.650Z"
+      "signed_at": "2026-05-30T01:42:46.420Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -345,7 +345,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "5rw2i39SxY2WphBbDLEP28wufnbPPE9+PWt54hmaGdwHXr9RLiVt5liL/5xp14sehlVgFsfpR/bg9vy//xV0DA==",
-      "signed_at": "2026-05-30T01:13:00.650Z",
+      "signed_at": "2026-05-30T01:42:46.421Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -405,7 +405,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "Vqu49nzntFWjn9A/QeJzm7q/2xk/cZJ6HFQKtiNi1zgcxzXKm+MlFdkaLgYHWj5/9HJohxyIDyBJQTvcJ20eDQ==",
-      "signed_at": "2026-05-30T01:13:00.650Z",
+      "signed_at": "2026-05-30T01:42:46.421Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -440,7 +440,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "W87VdyVdAxAdcRI6P/8StaV+MS8ZSPKM9HOCK9n/bBO6BM3ZSE3uImVoyJVpAXQlUpUGN+A3lCJZXv64LuxwDg==",
-      "signed_at": "2026-05-30T01:13:00.651Z",
+      "signed_at": "2026-05-30T01:42:46.421Z",
       "cwe_refs": [
         "CWE-1188"
       ],
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "wdVX+edeNekpaIldqkhvtraV6DquLvIsKAjuZVwPQYn3l1vS99HXuFxmNsD7UeMlO3qgC6Dysfsto9EnuH0RBg==",
-      "signed_at": "2026-05-30T01:13:00.651Z",
+      "signed_at": "2026-05-30T01:42:46.422Z",
       "forward_watch": [
         "New AI attack classes as ATLAS v6 publishes",
         "Post-quantum adversary capability timeline",
@@ -513,7 +513,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "b5miTiY0cnxETd2btxorfZBdJKt/fLnQx20sGYUb9zEqGqtm0LMLpghkW68j4/9k48KNyuGMtNWiKTSnodUGBw==",
-      "signed_at": "2026-05-30T01:13:00.651Z"
+      "signed_at": "2026-05-30T01:42:46.422Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -540,7 +540,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "xbkip0AQtWQKAu+O6r/gYECNjezS6O9k9xkkJsYbMlr+j8CdqH3p5/0l+GZmDidImRC/DL07GCnKrk9HRR/yDQ==",
-      "signed_at": "2026-05-30T01:13:00.652Z",
+      "signed_at": "2026-05-30T01:42:46.422Z",
       "forward_watch": [
         "New CISA KEV entries",
         "New ATLAS TTP additions in each ATLAS release",
@@ -604,7 +604,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "li2NnC1oeVIr22ComP5QbcQoh5xpWITuaKpza1s2SsUkH6kGnnt4wFfFAzaC1ORmH9x2cr8hN8kaNANG/eIMBQ==",
-      "signed_at": "2026-05-30T01:13:00.652Z",
+      "signed_at": "2026-05-30T01:42:46.423Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -652,7 +652,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "sZHlJ7ueHPdtzVbR+yXQ5+wKgNyjWsa1LKVg9aWTmg/Onl71DvEILMyJiLpPQjseT56Mnr1DMYJE8xOGlffBAw==",
-      "signed_at": "2026-05-30T01:13:00.652Z"
+      "signed_at": "2026-05-30T01:42:46.423Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -689,7 +689,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "3AwFnEJu6DukPPNep/3SnuPWEuV060fJEQIwThFm7ujmdbFk0/Ii0XwGv1dkvbbK7ymMdOQpp35l4aLONAucDA==",
-      "signed_at": "2026-05-30T01:13:00.653Z",
+      "signed_at": "2026-05-30T01:42:46.423Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -724,7 +724,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "iJWevUBurLvt2v8X+Ch2eHmZkPWpKeAtIpxTIP4MwbUHyco3igDeBywJCyaR2vURYRx8LkzzIMM8DxQM4LAXBQ==",
-      "signed_at": "2026-05-30T01:13:00.653Z"
+      "signed_at": "2026-05-30T01:42:46.424Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -796,7 +796,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add"
       ],
       "signature": "C7lv65/Ecm8JJgSKxrX5lxx0YFzKWtrIQSKp+vy50I5e8945s1JmifGUUrnQwRQhq/Pkv7EmfiH5XSO8h75bDg==",
-      "signed_at": "2026-05-30T01:13:00.653Z"
+      "signed_at": "2026-05-30T01:42:46.424Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -856,7 +856,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "dJB0iAstIUbyny+udl3OIkaLScEmqS97LNP73yQ8mxt+0bcqxZjpfXaWLzLuIQblGYvUvz75/H6rO2EJuGd4AQ==",
-      "signed_at": "2026-05-30T01:13:00.654Z"
+      "signed_at": "2026-05-30T01:42:46.424Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -931,7 +931,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "KEAoMji3VcPX/ZXXqVe6OStxSkTssfY9fIRPyPcDYqh50GzOFQ6koNOTBVAiWOvjDjQ38g12xun5srbqgmvRAw==",
-      "signed_at": "2026-05-30T01:13:00.654Z"
+      "signed_at": "2026-05-30T01:42:46.425Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -1010,7 +1010,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact"
       ],
       "signature": "UY3tBi0n1K/OtSrWPkHcOCSuHEwKuPmRqGIf3MyPVXGWS72elGTWGXt4AN/uStLmefeEody1LuhnJR9PWjr4Cg==",
-      "signed_at": "2026-05-30T01:13:00.654Z"
+      "signed_at": "2026-05-30T01:42:46.425Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1067,7 +1067,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "Qe0Hg9BrX3Zm5pj0n2z/oiHbAXWdA2Dq461zc4izkkUjEX2CZ02rODjCI2ELbrVOU3GC7edxqAxA+5U/ObnHDQ==",
-      "signed_at": "2026-05-30T01:13:00.655Z"
+      "signed_at": "2026-05-30T01:42:46.425Z"
     },
     {
       "name": "identity-assurance",
@@ -1134,7 +1134,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "UV3458QXSkEpenzrOmdlTTfPHUD4hNyKMDHoeZDq/kiFb4mAG0ghQGTTgI9Ru8cJbSmYM1++m9N5TFIJ6JJPBg==",
-      "signed_at": "2026-05-30T01:13:00.655Z"
+      "signed_at": "2026-05-30T01:42:46.426Z"
     },
     {
       "name": "ot-ics-security",
@@ -1190,7 +1190,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "kIVzsPsJ72PzzWQwTuvjoHHoVEDCday5I52M9ohjB3/Ak+zlA8oyWLO/BKb/XuYY4fOApjfxTErSWv5uHQ2zDw==",
-      "signed_at": "2026-05-30T01:13:00.655Z"
+      "signed_at": "2026-05-30T01:42:46.426Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1242,7 +1242,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "bWr27Q1uN9xCe1ib4QulszBa7YIDNkGqo72k5nm2cK98LyPblicD+sO9MnGckAyB22BTN/cIB+FwFMcI5IxvBw==",
-      "signed_at": "2026-05-30T01:13:00.656Z"
+      "signed_at": "2026-05-30T01:42:46.426Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1292,7 +1292,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "Q854yzLqXdOazc6EyQbZzgAlivuq2vGFDVUCrxSldSvx/HX/ZM/uzmJyP7aBG7ZsMHxj6Lmj/H82YQoo1e+NCQ==",
-      "signed_at": "2026-05-30T01:13:00.656Z"
+      "signed_at": "2026-05-30T01:42:46.426Z"
     },
     {
       "name": "webapp-security",
@@ -1366,7 +1366,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "4ccahkJpGJZtwD7EBpnGcN0sEGPMEw8eqV+tvePVS04YAkLgYVWtlkasI/8n0be9xB+77x+Sjj3kIi2j2Lf9CA==",
-      "signed_at": "2026-05-30T01:13:00.656Z",
+      "signed_at": "2026-05-30T01:42:46.427Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments"
       ]
@@ -1419,7 +1419,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "SBB7c3wNYfIdkyOp4g4nW0WP7xS+YokMzg32aaeJdbf14LTGQRzQUvSqb2TCj2HFUSHESOyKT1JpkAfyHLSQBQ==",
-      "signed_at": "2026-05-30T01:13:00.657Z"
+      "signed_at": "2026-05-30T01:42:46.427Z"
     },
     {
       "name": "sector-healthcare",
@@ -1479,7 +1479,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "U04GNLyRas1VmfEsB8khH4iqFZPwx96sPY0Kw9iVsSPU+KTeEFqwgtWK1X1pzgb+T16Pc7HSrCaXDOpTFvQEDw==",
-      "signed_at": "2026-05-30T01:13:00.657Z"
+      "signed_at": "2026-05-30T01:42:46.428Z"
     },
     {
       "name": "sector-financial",
@@ -1560,7 +1560,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "QFKM76TdR408niqvDmF95HmmQuVmu9bLjOoQ9ydoBNPVOfFmF3AcpCv7zNWlLdLa2ZLxFqiBcND2qt9VDUn2Dg==",
-      "signed_at": "2026-05-30T01:13:00.658Z"
+      "signed_at": "2026-05-30T01:42:46.428Z"
     },
     {
       "name": "sector-federal-government",
@@ -1629,7 +1629,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "C9c3JuBhUbwcb7uZpDdy+PNT8sYmYIxzD4uRHu421ePW1aSFJ8fkMvuTzSO8vD/F/jOOg5opM4kov/xSAn+qCg==",
-      "signed_at": "2026-05-30T01:13:00.658Z"
+      "signed_at": "2026-05-30T01:42:46.428Z"
     },
     {
       "name": "sector-energy",
@@ -1694,7 +1694,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "oz8Q5WVaY8au4IjbaZahx/DSaC00Q44ylSL3mDkTerCEpW/EyPUeiLeGxSrWxBCwVFEKSSJvnhJjhvX5lDPcCg==",
-      "signed_at": "2026-05-30T01:13:00.658Z"
+      "signed_at": "2026-05-30T01:42:46.429Z"
     },
     {
       "name": "sector-telecom",
@@ -1780,7 +1780,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "NAtyzfLPXlUuB78Snb9nWmbZalC1CNlIYN9rYhdEmtB/xQGC6vVnThgrEAHlm7v/jMCFuknvEpUHKdscUnUADw==",
-      "signed_at": "2026-05-30T01:13:00.659Z"
+      "signed_at": "2026-05-30T01:42:46.429Z"
     },
     {
       "name": "api-security",
@@ -1849,7 +1849,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "1UTjZNC5Lyrgw93LAizdXVeSmv3jS8YQNT1db5OKsldub50+o1FXmAH4+3MxZozaOGDCX3yXbdDJSJaaSmfuAA==",
-      "signed_at": "2026-05-30T01:13:00.659Z",
+      "signed_at": "2026-05-30T01:42:46.429Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments",
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments",
@@ -1935,7 +1935,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "EdsY4xe7YA8X8m+KZUbq49JwoCXgRKEz2eg3m86O37rvBmpm8ppvl9hrsekygvpBh2VmCHL2dEYiOD8OM2n7CA==",
-      "signed_at": "2026-05-30T01:13:00.659Z"
+      "signed_at": "2026-05-30T01:42:46.430Z"
     },
     {
       "name": "container-runtime-security",
@@ -1997,7 +1997,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "fnLKPLkjjRCJ/F9wdmZ1w1lXmqEJvTYkv6Uu+9OTd5vZTWKz3QMuxKOsas+ctCdOvTaeloqPUUprXx+ZZdDpCg==",
-      "signed_at": "2026-05-30T01:13:00.660Z",
+      "signed_at": "2026-05-30T01:42:46.430Z",
       "forward_watch": [
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo"
       ]
@@ -2071,7 +2071,7 @@
         "MITRE ATLAS v5.6.0 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "t3dkdpTX04zvjitEeOJThpgjurLd1UO9GOut4LXSZgY3ULhfknI4zT7G5+m2RSZZTo7yyeZrwpg+7vEg9K6mAw==",
-      "signed_at": "2026-05-30T01:13:00.660Z"
+      "signed_at": "2026-05-30T01:42:46.430Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2133,7 +2133,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "+1kmtA6rAvIyDjjy+cJHK6BcfylyVsa5cUjRFijlFR9GsQfB93JnmkEJOqML50pdlcxtJI3yUodHpL3/YJGtCA==",
-      "signed_at": "2026-05-30T01:13:00.661Z"
+      "signed_at": "2026-05-30T01:42:46.431Z"
     },
     {
       "name": "ransomware-response",
@@ -2213,7 +2213,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "h48ASCz63aBfHzLKxMVDADMuT4atriK0iE6bJeVzZTsx/e8+hyv4fLP7+zYxT9Oe0Gss3v/Xy+t+Wd9uwzV+Aw==",
-      "signed_at": "2026-05-30T01:13:00.661Z"
+      "signed_at": "2026-05-30T01:42:46.431Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2266,7 +2266,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "FVBn4ex2qPIo9SHMVJ6tntoz4tVwjbIq3m6wDjjZyv2JODlS+90GBYCOkNamxxkmw/6de6SMs0YHQiF/xjo/DQ==",
-      "signed_at": "2026-05-30T01:13:00.661Z"
+      "signed_at": "2026-05-30T01:42:46.431Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2334,7 +2334,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "ZHVdGWCcfG98tSVB0b9mwrsYwv71V3uUEl+6ss7omSQhmNvqV5s6MAZM5YladBt9MK/8T/zBrTYN4gAonOP+BQ==",
-      "signed_at": "2026-05-30T01:13:00.662Z"
+      "signed_at": "2026-05-30T01:42:46.432Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2414,7 +2414,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "e/kij7GtKaytROyIj7V5RH+FC9WtmVFzrmG2kIlNDNn29ep/CRNlIQKwXLpzo/81AIf634pmdr1qy/+vwIuUDA==",
-      "signed_at": "2026-05-30T01:13:00.662Z",
+      "signed_at": "2026-05-30T01:42:46.432Z",
       "forward_watch": [
         "AWS IAM Identity Center session-policy refresh and step-up-on-admin enforcement (anticipated 2026-H2 release)",
         "GCP Workload Identity Federation principal-set attribute mapping tightening (post-2026 Q3 Federation hardening guide)",
@@ -2508,7 +2508,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "9mfDtMApMAg9V/lmwpniNxo/6gNZoOEoYDfyFvyWvKrPMtc7H9F8uz06FVoARe/J49saAKTVXOurNE1D/KtpCQ==",
-      "signed_at": "2026-05-30T01:13:00.662Z",
+      "signed_at": "2026-05-30T01:42:46.432Z",
       "forward_watch": [
         "Entra ID conditional access evolution post-Midnight Blizzard — Microsoft's 2025-2026 commitments on legacy-tenant MFA enforcement and OAuth-app consent gating",
         "Okta IPSIE (Interoperability Profile for Secure Identity in the Enterprise) OpenID Foundation working-group output and adoption timeline",
@@ -2526,6 +2526,6 @@
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "V8hk2A7vdLZg8IMGOztrVdeNVuVNOABEz7xdcMAcY++eIl5iRCHFHFl2jgwZ0JGd+7SfkpZxdKgnrWRxfLs2Cw=="
+    "signature_base64": "3C/mulV8+L4of+unLhcOG2UWk7Nd2TFtHl8FfWU+0FInUGAK7Tpqxj+KgxNUm9p0JXJsGUF0w9MtgUcqj358Dg=="
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.15.28",
+  "version": "0.15.29",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (427 CVEs / 173 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:bfbebb45-62a2-4307-8980-621ae24d2717",
+  "serialNumber": "urn:uuid:d8b18aa4-7e1c-451a-9b73-5f2b88f84fc8",
   "version": 1,
   "metadata": {
-    "timestamp": "2127-12-11T04:40:37.000Z",
+    "timestamp": "2141-03-16T17:00:20.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.15.28"
+        "version": "0.15.29"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.15.28",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.15.29",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.15.28",
+      "version": "0.15.29",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (427 CVEs / 173 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.15.28",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.15.29",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "4f1ffdc626b0c669cb373cca89509d98a93bf3ece648812cd9571f7627481211"
+          "content": "02459c1ddd8d441b84aec934c6242aa145ef93d65480646f63fbda0d9abaaa07"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.15.28"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.15.29"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "6dd21f8795a400581874f2a3a40f125f6b7b5dfb398c4a8b85375cc8b39f986f"
+          "content": "5b4ddacb2573aee89925267d4944d626398b7c82fe3d5af31cc775c354377f57"
         },
         {
           "alg": "SHA3-512",
-          "content": "9d74283c6c6ceb69720f0738d305e32fd04152b857b40f412df70b962ecbcae757a0a9bd095c0d8770c5305ae1edbf8960aee8c9dc25b78ebc2fc08f7d2303bc"
+          "content": "8d7154c32410e8d3558d15f8082fa12d134997a24da8a410ca887a1152b0167f504647efa9646261a0aec1c2703a7407fb214e4d66ff95988aee6edbdea3faf9"
         }
       ]
     },
@@ -311,11 +311,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "85d09671bb4f6f3be0d7cbe70c405b9ebf8a680f1c9c5de8261461c2c4036a76"
+          "content": "5a7f8b7bd744fc05397c9e61925f620cc1edb4d52a39ccc991be044adfe80fc3"
         },
         {
           "alg": "SHA3-512",
-          "content": "5c995df1bad95595bef6f39cd335843855cc097da94a8dc745835fd37a2af031f211aea66216c5848b3de51b174fc47ccf0a3649e88d610784a038a270b97871"
+          "content": "6c8ebd712a13a7bf1b2444333995d3f8e7843666b3abbce984c469c429a1e589b50e46f2760a2bc7d02bdd9b13035660fe3560e8622ec3c0dd40a1a584582d80"
         }
       ]
     },
@@ -326,11 +326,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "9626cd5f0c24b365ae96d39ebc584b41aa63124337f319f7bdd7d22e2052a651"
+          "content": "119c5540c49ab7999be6dbaf750281321cca7a86ab0d8379f1e03d21c3fe3177"
         },
         {
           "alg": "SHA3-512",
-          "content": "b40076f225f1eaba9d9b41c35750392a27baf8e77b3da212d691e682349aa97dc2f4c0a116b0380770f52199e245f229ced49740eb4738e20281d6764a8f86d4"
+          "content": "64928c90017b3033c9a39e498086f7ff315c64da483e31f25ca351e49c2339f156e51ae9182daae012e52e14eaebcb9958d1a31f56face2c3b9cbafbe21dc4b0"
         }
       ]
     },
@@ -806,11 +806,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "4b9b2e9080ba9f723461b12e1bff989cb4ad5f794568ec8ae387e2a9a34c1f17"
+          "content": "e8ea9a0126b278a0ecd012e8f23af44c9ccc631f75787919e96023ad8bee5c9a"
         },
         {
           "alg": "SHA3-512",
-          "content": "c802cab9e7dbf464a34fd7572ee227585539676f71c8d6c00a48a988effd1171545315059f75a58cafd968fb54b7bf0f896db56735c6bbbaec49a304fcf37207"
+          "content": "f64eaaa74ae9355ae85fa31d8dc51d841efd9a679c05a541abd9b06f0bc63a8559e92b3d09a363389c8b2686c91ae41f66ccc074d6b0bc9ab98d0e13d4740eba"
         }
       ]
     },
@@ -1751,11 +1751,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "3be5985b09e4e142de03abbce27588bc8606a489918b8d7b5a84d457908707c1"
+          "content": "0f5212a60d6b8f8f0b5861b3a9d7e37c9ed816a218bcf1ae7eb1e0d0c33633e5"
         },
         {
           "alg": "SHA3-512",
-          "content": "471b9bc14f0586f09aa2f01a7faad605994074d7246ddfb4de866a4934b3c91c04c9ac3545785e5d9797b754a09674e16df7201b30fc8dd6e86d1de707520ce5"
+          "content": "0ac5c5c7bb0895a1c55122b768a77fed7710c187a1ad50e98ba9f9827b1757ea82c1ce7e6d7710083d1a5f6c592a07c7d7fbd91fa5993cb80ec1f5b8f3bc511a"
         }
       ]
     },