npm - @blamejs/exceptd-skills - Versions diffs - 0.15.38 → 0.15.39 - Mend

@blamejs/exceptd-skills 0.15.38 → 0.15.39

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +4 -0
package/data/_indexes/_meta.json +5 -5
package/data/attack-techniques.json +7 -1
package/data/cve-catalog.json +54 -18
package/data/zeroday-lessons.json +126 -42
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,9 @@
 # Changelog
+## 0.15.39 — 2026-05-29
+Draft-curation pass 36 — webmail cross-site scripting. Three CISA KEV-listed webmail XSS CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the MDaemon WorldClient webmail flaw (CVE-2024-11182) and two Roundcube Webmail flaws (CVE-2024-42009, CVE-2025-68461). Script runs in the victim's authenticated mail session the moment they view a crafted email, so they map T1190 alongside T1539 (steal web session cookie). The lessons stress that patching the specific bug is not enough — a strict Content-Security-Policy and HttpOnly+SameSite session cookies are the durable controls that stop the next XSS from exfiltrating a session — and that response must invalidate webmail sessions and review mailboxes for unauthorized access and forwarding rules, because this class is repeatedly used by espionage actors for silent mailbox theft.
 ## 0.15.38 — 2026-05-29
 Draft-curation pass 35 — path traversal file access. Four CISA KEV-listed unauthenticated path-traversal CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Ruby on Rails Action View arbitrary file read (CVE-2019-5418), Srimax Output Messenger directory traversal chained to code execution (CVE-2025-27920), ZKTeco BioTime arbitrary file read (CVE-2023-38950), and the end-of-life D-Link DIR-859 router configuration disclosure (CVE-2024-0769). All map T1190; the secret-leaking file-read variants also map T1552. The lessons stress that patching does not undo the disclosure — every secret a traversal read must be rotated — that file-write traversals require hunting for dropped payloads, and that an end-of-life device (DIR-859) can only be replaced, not patched.

package/data/_indexes/_meta.json CHANGED Viewed

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-30T05:05:33.943Z",
+  "generated_at": "2026-05-30T05:25:52.715Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "a98d7f6abe573e5ba73e7e1097cc30a1703fff81ccc9922b00630341b2ade670",
+    "manifest.json": "4308b0a5e326fe8fe860312fe2f462a0b7f9c507f1dc547ba19db01a7fca8dd5",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "b8799721fb6d455811f555410845423ec87f2c26f70fe1222ee19088aa6e43f5",
-    "data/cve-catalog.json": "0ca079ef9ae7f74755398ad434c2c0c5fe3ee7be488549af3a5ecf2394ae0ba8",
+    "data/attack-techniques.json": "0f8fe5c6ec54206645a8f5d4780bd820aa70df9c0256b4405256c9de45be2544",
+    "data/cve-catalog.json": "aafacd0b7fa88c145228b4e3fbf5167c158ecad4d8b5fb977621edfb6016ff9a",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "adf769626f304dd6cbd700f6f3bfe8359de02282929008e16599599470377c5c",
+    "data/zeroday-lessons.json": "821f5e2596ce5c4f1d42114ffe0c25a32f99dad1aee3f6d3beb32d78f75046ec",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json CHANGED Viewed

@@ -1011,6 +1011,7 @@
       "CVE-2023-6021",
       "CVE-2023-6038",
       "CVE-2024-0769",
+      "CVE-2024-11182",
       "CVE-2024-12450",
       "CVE-2024-12776",
       "CVE-2024-12987",
@@ -1028,6 +1029,7 @@
       "CVE-2024-37032",
       "CVE-2024-37079",
       "CVE-2024-39722",
+      "CVE-2024-42009",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-43468",
@@ -1151,6 +1153,7 @@
       "CVE-2025-66376",
       "CVE-2025-66644",
       "CVE-2025-67818",
+      "CVE-2025-68461",
       "CVE-2025-68613",
       "CVE-2025-68645",
       "CVE-2025-68668",
@@ -2871,9 +2874,12 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2023-6571",
+      "CVE-2024-11182",
+      "CVE-2024-42009",
       "CVE-2024-9526",
       "CVE-2025-0133",
-      "CVE-2025-34291"
+      "CVE-2025-34291",
+      "CVE-2025-68461"
     ],
     "description_full": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie) There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on [User Execution](https://attack.mitre.org/techniques/T1204) by tricking victims into running malicious JavaScript in their browser.(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (e.g., [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena) After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.",
     "platforms": [

package/data/cve-catalog.json CHANGED Viewed

@@ -23612,7 +23612,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1059.007"
+      "T1059.007",
+      "T1190",
+      "T1539"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -23633,7 +23635,7 @@
     "cwe_refs": [
       "CWE-79"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12",
@@ -23663,11 +23665,21 @@
         "published_date": "2026-02-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-20; due date 2026-03-13. Notes reference: https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12 ; https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb ; https://nvd.nist.gov/vuln/detail",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document.",
+    "iocs": {
+      "behavioral": [
+        "Roundcube Webmail reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Emails containing script payloads (HTML/SVG/style-based XSS vectors) that render in the Roundcube Webmail, and outbound requests from a victim's webmail session to attacker infrastructure carrying session tokens.",
+        "Mailbox access or session reuse from unexpected sources following a victim viewing a crafted email, with no matching legitimate login (KEV-confirmed in-the-wild exploitation; this class is used in espionage credential-theft campaigns)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-68461, CISA KEV (added 2026-02-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1539 steal web session cookie) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-22175": {
     "name": "GitLab Server-Side Request Forgery (SSRF) Vulnerability",
@@ -40211,7 +40223,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1059.007"
+      "T1059.007",
+      "T1190",
+      "T1539"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -40232,7 +40246,7 @@
     "cwe_refs": [
       "CWE-79"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8",
@@ -40261,11 +40275,21 @@
         "published_date": "2025-06-09"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-09; due date 2025-06-30. Notes reference: https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8 ; https://nvd.nist.gov/vuln/detail/CVE-2024-42009",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.",
+    "iocs": {
+      "behavioral": [
+        "Roundcube Webmail reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Emails containing script payloads (HTML/SVG/style-based XSS vectors) that render in the Roundcube Webmail, and outbound requests from a victim's webmail session to attacker infrastructure carrying session tokens.",
+        "Mailbox access or session reuse from unexpected sources following a victim viewing a crafted email, with no matching legitimate login (KEV-confirmed in-the-wild exploitation; this class is used in espionage credential-theft campaigns)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-42009, CISA KEV (added 2025-06-09), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1539 steal web session cookie) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-32433": {
     "name": "Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability",
@@ -41790,7 +41814,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1059.007"
+      "T1059.007",
+      "T1190",
+      "T1539"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -41811,7 +41837,7 @@
     "cwe_refs": [
       "CWE-79"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://files.mdaemon.com/mdaemon/beta/RelNotes_en.html",
@@ -41841,11 +41867,21 @@
         "published_date": "2025-05-19"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-19; due date 2025-06-09. Notes reference: https://files.mdaemon.com/mdaemon/beta/RelNotes_en.html ; https://mdaemon.com/pages/downloads-critical-updates ; https://nvd.nist.gov/vuln/detail/CVE-2024-11182",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "MDaemon Email Server contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to load arbitrary JavaScript code via an HTML e-mail message."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "MDaemon Email Server contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to load arbitrary JavaScript code via an HTML e-mail message.",
+    "iocs": {
+      "behavioral": [
+        "MDaemon Email Server reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Emails containing script payloads (HTML/SVG/style-based XSS vectors) that render in the MDaemon WorldClient webmail, and outbound requests from a victim's webmail session to attacker infrastructure carrying session tokens.",
+        "Mailbox access or session reuse from unexpected sources following a victim viewing a crafted email, with no matching legitimate login (KEV-confirmed in-the-wild exploitation; this class is used in espionage credential-theft campaigns)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-11182, CISA KEV (added 2025-05-19), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1539 steal web session cookie) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-4428": {
     "name": "Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability (variant: CVE-2025-4428)",

package/data/zeroday-lessons.json CHANGED Viewed

@@ -12703,35 +12703,63 @@
   },
   "CVE-2025-68461": {
     "name": "RoundCube Webmail Cross-site Scripting Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a cross-site scripting flaw (CWE-79) in Roundcube Webmail (a later variant), letting an attacker run script in a victim's authenticated session via a crafted email. CISA KEV-listed 2026-02-20 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the attacker sends an email; the victim's act of viewing it triggers the script in their authenticated session)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the webmail update; enforce a strict Content-Security-Policy, HttpOnly+SameSite session cookies, and robust output encoding so a stored/reflected XSS cannot exfiltrate the session — these flaws are favored by espionage actors for silent mailbox access.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch closes the specific bug; CSP and HttpOnly/SameSite cookies are the durable controls that keep the next XSS from stealing a session."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Roundcube Webmail: emails carrying XSS payloads, webmail sessions making outbound requests to unexpected hosts, and mailbox access from anomalous sources.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because the exploit fires silently when the victim opens the email; the anomaly is the session exfiltration and out-of-pattern mailbox access."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, invalidate all webmail sessions and force re-authentication, review mailboxes for unauthorized access and forwarding rules, and rotate credentials for affected users.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; a webmail-XSS compromise targets mailbox data and persistent access (forwarding rules), which a patch alone does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed webmail XSS; these are favored by espionage actors for silent mailbox access and weaponized within days of disclosure."
+      },
+      "NIST-800-53-SI-10-output-encoding": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Output encoding / input validation is named, but the durable compensating controls — a strict Content-Security-Policy and HttpOnly+SameSite session cookies that prevent a stored/reflected XSS from exfiltrating the session — are not mandated, leaving the session stealable even when an encoding bug slips through."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited, internet-facing webmail server holding high-value mailbox data."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing mail as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA and does not require the session-invalidation / mailbox-access review a webmail-XSS compromise needs."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Internet-facing webmail is run by audited organizations on a standard patch SLA and is repeatedly targeted by espionage actors; the durable controls (CSP, HttpOnly/SameSite cookies) and the session-invalidation / mailbox-review response are rarely part of the documented procedure.",
+      "theater_pattern": "secure_coding"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2021-22175": {
     "name": "GitLab Server-Side Request Forgery (SSRF) Vulnerability",
@@ -21358,35 +21386,63 @@
   },
   "CVE-2024-42009": {
     "name": "RoundCube Webmail Cross-Site Scripting Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a cross-site scripting flaw (CWE-79) in Roundcube Webmail, letting an attacker run script in a victim's authenticated session via a crafted email (exploited in espionage credential-theft campaigns). CISA KEV-listed 2025-06-09 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the attacker sends an email; the victim's act of viewing it triggers the script in their authenticated session)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the webmail update; enforce a strict Content-Security-Policy, HttpOnly+SameSite session cookies, and robust output encoding so a stored/reflected XSS cannot exfiltrate the session — these flaws are favored by espionage actors for silent mailbox access.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch closes the specific bug; CSP and HttpOnly/SameSite cookies are the durable controls that keep the next XSS from stealing a session."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Roundcube Webmail: emails carrying XSS payloads, webmail sessions making outbound requests to unexpected hosts, and mailbox access from anomalous sources.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because the exploit fires silently when the victim opens the email; the anomaly is the session exfiltration and out-of-pattern mailbox access."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, invalidate all webmail sessions and force re-authentication, review mailboxes for unauthorized access and forwarding rules, and rotate credentials for affected users.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; a webmail-XSS compromise targets mailbox data and persistent access (forwarding rules), which a patch alone does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed webmail XSS; these are favored by espionage actors for silent mailbox access and weaponized within days of disclosure."
+      },
+      "NIST-800-53-SI-10-output-encoding": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Output encoding / input validation is named, but the durable compensating controls — a strict Content-Security-Policy and HttpOnly+SameSite session cookies that prevent a stored/reflected XSS from exfiltrating the session — are not mandated, leaving the session stealable even when an encoding bug slips through."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited, internet-facing webmail server holding high-value mailbox data."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing mail as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA and does not require the session-invalidation / mailbox-access review a webmail-XSS compromise needs."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Internet-facing webmail is run by audited organizations on a standard patch SLA and is repeatedly targeted by espionage actors; the durable controls (CSP, HttpOnly/SameSite cookies) and the session-invalidation / mailbox-review response are rarely part of the documented procedure.",
+      "theater_pattern": "secure_coding"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-32433": {
     "name": "Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability",
@@ -22182,35 +22238,63 @@
   },
   "CVE-2024-11182": {
     "name": "MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "MDaemon Email Server contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to load arbitrary JavaScript code via an HTML e-mail message.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a cross-site scripting flaw (CWE-79) in the MDaemon webmail (WorldClient), letting an attacker run script in a victim's authenticated session when they view a crafted email — used to steal session credentials and access the mailbox. CISA KEV-listed 2025-05-19 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the attacker sends an email; the victim's act of viewing it triggers the script in their authenticated session)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the webmail update; enforce a strict Content-Security-Policy, HttpOnly+SameSite session cookies, and robust output encoding so a stored/reflected XSS cannot exfiltrate the session — these flaws are favored by espionage actors for silent mailbox access.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch closes the specific bug; CSP and HttpOnly/SameSite cookies are the durable controls that keep the next XSS from stealing a session."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the MDaemon WorldClient webmail: emails carrying XSS payloads, webmail sessions making outbound requests to unexpected hosts, and mailbox access from anomalous sources.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because the exploit fires silently when the victim opens the email; the anomaly is the session exfiltration and out-of-pattern mailbox access."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, invalidate all webmail sessions and force re-authentication, review mailboxes for unauthorized access and forwarding rules, and rotate credentials for affected users.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; a webmail-XSS compromise targets mailbox data and persistent access (forwarding rules), which a patch alone does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed webmail XSS; these are favored by espionage actors for silent mailbox access and weaponized within days of disclosure."
+      },
+      "NIST-800-53-SI-10-output-encoding": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Output encoding / input validation is named, but the durable compensating controls — a strict Content-Security-Policy and HttpOnly+SameSite session cookies that prevent a stored/reflected XSS from exfiltrating the session — are not mandated, leaving the session stealable even when an encoding bug slips through."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited, internet-facing webmail server holding high-value mailbox data."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing mail as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA and does not require the session-invalidation / mailbox-access review a webmail-XSS compromise needs."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Internet-facing webmail is run by audited organizations on a standard patch SLA and is repeatedly targeted by espionage actors; the durable controls (CSP, HttpOnly/SameSite cookies) and the session-invalidation / mailbox-review response are rarely part of the documented procedure.",
+      "theater_pattern": "secure_coding"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-4428": {
     "name": "Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability (variant: CVE-2025-4428)",

package/manifest.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.15.38",
+  "version": "0.15.39",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "0H+JfyUVmo/pVFEi5rLENATHjlukPVUqnOWmNPEH77wm8svKGK0aNJ46k6QU5GdHb8c9X9pVJKiuhON6AxDjDw==",
-      "signed_at": "2026-05-30T05:02:13.741Z",
+      "signed_at": "2026-05-30T05:22:00.145Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -123,7 +123,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "PHwHEsoy7ctBYOtlAfAdCDVfsq2Bpk9+qESSF+5dVkDcez2zp2v9Ihsv2vqMEs3QxMndyQ+t7NVezyt5VamSCg==",
-      "signed_at": "2026-05-30T05:02:13.743Z",
+      "signed_at": "2026-05-30T05:22:00.147Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -196,7 +196,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "dD4p7lcRtMyfITOncqLkpOeMy6x6gM0V7UlWHgLEdcxqODb1s75ar1cBtTqDWPbMv6ZAzVo2HJLDK1hVjjU2AQ==",
-      "signed_at": "2026-05-30T05:02:13.743Z",
+      "signed_at": "2026-05-30T05:22:00.147Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -248,7 +248,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "wsw8Mlr/gyw6S7Iaao9BVHdU5LFPWl8WVymW17Lkq9J1Mui0+fCrTg6UbrsaeE3s7EW3TVgzBuK+8EFd1+H5AA==",
-      "signed_at": "2026-05-30T05:02:13.744Z"
+      "signed_at": "2026-05-30T05:22:00.147Z"
     },
     {
       "name": "compliance-theater",
@@ -279,7 +279,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "uVTc1QRKOKcIVDajBz+q2egjiEAyOQaDNsvVI2ghj5FD0VvquoUBBE5Naca2FkaZa790EHWCsVZ4hhdaSQs2DQ==",
-      "signed_at": "2026-05-30T05:02:13.744Z"
+      "signed_at": "2026-05-30T05:22:00.148Z"
     },
     {
       "name": "exploit-scoring",
@@ -308,7 +308,7 @@
       ],
       "last_threat_review": "2026-05-18",
       "signature": "QuNpwnZ6HkCEAXTPC/jLbXSmMIc1JnBczqZAAIZmZj8OcEMVnw9mJYAnU3CxaEI7rvbcMkN2uS5E8yUCm/NiAg==",
-      "signed_at": "2026-05-30T05:02:13.745Z"
+      "signed_at": "2026-05-30T05:22:00.149Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -345,7 +345,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "5rw2i39SxY2WphBbDLEP28wufnbPPE9+PWt54hmaGdwHXr9RLiVt5liL/5xp14sehlVgFsfpR/bg9vy//xV0DA==",
-      "signed_at": "2026-05-30T05:02:13.745Z",
+      "signed_at": "2026-05-30T05:22:00.149Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -405,7 +405,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "Vqu49nzntFWjn9A/QeJzm7q/2xk/cZJ6HFQKtiNi1zgcxzXKm+MlFdkaLgYHWj5/9HJohxyIDyBJQTvcJ20eDQ==",
-      "signed_at": "2026-05-30T05:02:13.745Z",
+      "signed_at": "2026-05-30T05:22:00.149Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -440,7 +440,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "W87VdyVdAxAdcRI6P/8StaV+MS8ZSPKM9HOCK9n/bBO6BM3ZSE3uImVoyJVpAXQlUpUGN+A3lCJZXv64LuxwDg==",
-      "signed_at": "2026-05-30T05:02:13.746Z",
+      "signed_at": "2026-05-30T05:22:00.150Z",
       "cwe_refs": [
         "CWE-1188"
       ],
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "wdVX+edeNekpaIldqkhvtraV6DquLvIsKAjuZVwPQYn3l1vS99HXuFxmNsD7UeMlO3qgC6Dysfsto9EnuH0RBg==",
-      "signed_at": "2026-05-30T05:02:13.746Z",
+      "signed_at": "2026-05-30T05:22:00.150Z",
       "forward_watch": [
         "New AI attack classes as ATLAS v6 publishes",
         "Post-quantum adversary capability timeline",
@@ -513,7 +513,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "b5miTiY0cnxETd2btxorfZBdJKt/fLnQx20sGYUb9zEqGqtm0LMLpghkW68j4/9k48KNyuGMtNWiKTSnodUGBw==",
-      "signed_at": "2026-05-30T05:02:13.747Z"
+      "signed_at": "2026-05-30T05:22:00.150Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -540,7 +540,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "xbkip0AQtWQKAu+O6r/gYECNjezS6O9k9xkkJsYbMlr+j8CdqH3p5/0l+GZmDidImRC/DL07GCnKrk9HRR/yDQ==",
-      "signed_at": "2026-05-30T05:02:13.747Z",
+      "signed_at": "2026-05-30T05:22:00.151Z",
       "forward_watch": [
         "New CISA KEV entries",
         "New ATLAS TTP additions in each ATLAS release",
@@ -604,7 +604,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "li2NnC1oeVIr22ComP5QbcQoh5xpWITuaKpza1s2SsUkH6kGnnt4wFfFAzaC1ORmH9x2cr8hN8kaNANG/eIMBQ==",
-      "signed_at": "2026-05-30T05:02:13.747Z",
+      "signed_at": "2026-05-30T05:22:00.151Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -652,7 +652,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "sZHlJ7ueHPdtzVbR+yXQ5+wKgNyjWsa1LKVg9aWTmg/Onl71DvEILMyJiLpPQjseT56Mnr1DMYJE8xOGlffBAw==",
-      "signed_at": "2026-05-30T05:02:13.748Z"
+      "signed_at": "2026-05-30T05:22:00.151Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -689,7 +689,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "3AwFnEJu6DukPPNep/3SnuPWEuV060fJEQIwThFm7ujmdbFk0/Ii0XwGv1dkvbbK7ymMdOQpp35l4aLONAucDA==",
-      "signed_at": "2026-05-30T05:02:13.748Z",
+      "signed_at": "2026-05-30T05:22:00.152Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -724,7 +724,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "iJWevUBurLvt2v8X+Ch2eHmZkPWpKeAtIpxTIP4MwbUHyco3igDeBywJCyaR2vURYRx8LkzzIMM8DxQM4LAXBQ==",
-      "signed_at": "2026-05-30T05:02:13.748Z"
+      "signed_at": "2026-05-30T05:22:00.152Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -796,7 +796,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add"
       ],
       "signature": "C7lv65/Ecm8JJgSKxrX5lxx0YFzKWtrIQSKp+vy50I5e8945s1JmifGUUrnQwRQhq/Pkv7EmfiH5XSO8h75bDg==",
-      "signed_at": "2026-05-30T05:02:13.749Z"
+      "signed_at": "2026-05-30T05:22:00.152Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -856,7 +856,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "dJB0iAstIUbyny+udl3OIkaLScEmqS97LNP73yQ8mxt+0bcqxZjpfXaWLzLuIQblGYvUvz75/H6rO2EJuGd4AQ==",
-      "signed_at": "2026-05-30T05:02:13.749Z"
+      "signed_at": "2026-05-30T05:22:00.153Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -931,7 +931,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "KEAoMji3VcPX/ZXXqVe6OStxSkTssfY9fIRPyPcDYqh50GzOFQ6koNOTBVAiWOvjDjQ38g12xun5srbqgmvRAw==",
-      "signed_at": "2026-05-30T05:02:13.749Z"
+      "signed_at": "2026-05-30T05:22:00.153Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -1010,7 +1010,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact"
       ],
       "signature": "UY3tBi0n1K/OtSrWPkHcOCSuHEwKuPmRqGIf3MyPVXGWS72elGTWGXt4AN/uStLmefeEody1LuhnJR9PWjr4Cg==",
-      "signed_at": "2026-05-30T05:02:13.750Z"
+      "signed_at": "2026-05-30T05:22:00.153Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1067,7 +1067,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "Qe0Hg9BrX3Zm5pj0n2z/oiHbAXWdA2Dq461zc4izkkUjEX2CZ02rODjCI2ELbrVOU3GC7edxqAxA+5U/ObnHDQ==",
-      "signed_at": "2026-05-30T05:02:13.750Z"
+      "signed_at": "2026-05-30T05:22:00.153Z"
     },
     {
       "name": "identity-assurance",
@@ -1134,7 +1134,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "UV3458QXSkEpenzrOmdlTTfPHUD4hNyKMDHoeZDq/kiFb4mAG0ghQGTTgI9Ru8cJbSmYM1++m9N5TFIJ6JJPBg==",
-      "signed_at": "2026-05-30T05:02:13.750Z"
+      "signed_at": "2026-05-30T05:22:00.154Z"
     },
     {
       "name": "ot-ics-security",
@@ -1190,7 +1190,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "kIVzsPsJ72PzzWQwTuvjoHHoVEDCday5I52M9ohjB3/Ak+zlA8oyWLO/BKb/XuYY4fOApjfxTErSWv5uHQ2zDw==",
-      "signed_at": "2026-05-30T05:02:13.751Z"
+      "signed_at": "2026-05-30T05:22:00.154Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1242,7 +1242,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "bWr27Q1uN9xCe1ib4QulszBa7YIDNkGqo72k5nm2cK98LyPblicD+sO9MnGckAyB22BTN/cIB+FwFMcI5IxvBw==",
-      "signed_at": "2026-05-30T05:02:13.751Z"
+      "signed_at": "2026-05-30T05:22:00.154Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1292,7 +1292,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "Q854yzLqXdOazc6EyQbZzgAlivuq2vGFDVUCrxSldSvx/HX/ZM/uzmJyP7aBG7ZsMHxj6Lmj/H82YQoo1e+NCQ==",
-      "signed_at": "2026-05-30T05:02:13.751Z"
+      "signed_at": "2026-05-30T05:22:00.155Z"
     },
     {
       "name": "webapp-security",
@@ -1366,7 +1366,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "4ccahkJpGJZtwD7EBpnGcN0sEGPMEw8eqV+tvePVS04YAkLgYVWtlkasI/8n0be9xB+77x+Sjj3kIi2j2Lf9CA==",
-      "signed_at": "2026-05-30T05:02:13.752Z",
+      "signed_at": "2026-05-30T05:22:00.155Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments"
       ]
@@ -1419,7 +1419,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "SBB7c3wNYfIdkyOp4g4nW0WP7xS+YokMzg32aaeJdbf14LTGQRzQUvSqb2TCj2HFUSHESOyKT1JpkAfyHLSQBQ==",
-      "signed_at": "2026-05-30T05:02:13.752Z"
+      "signed_at": "2026-05-30T05:22:00.155Z"
     },
     {
       "name": "sector-healthcare",
@@ -1479,7 +1479,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "U04GNLyRas1VmfEsB8khH4iqFZPwx96sPY0Kw9iVsSPU+KTeEFqwgtWK1X1pzgb+T16Pc7HSrCaXDOpTFvQEDw==",
-      "signed_at": "2026-05-30T05:02:13.753Z"
+      "signed_at": "2026-05-30T05:22:00.156Z"
     },
     {
       "name": "sector-financial",
@@ -1560,7 +1560,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "QFKM76TdR408niqvDmF95HmmQuVmu9bLjOoQ9ydoBNPVOfFmF3AcpCv7zNWlLdLa2ZLxFqiBcND2qt9VDUn2Dg==",
-      "signed_at": "2026-05-30T05:02:13.753Z"
+      "signed_at": "2026-05-30T05:22:00.156Z"
     },
     {
       "name": "sector-federal-government",
@@ -1629,7 +1629,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "C9c3JuBhUbwcb7uZpDdy+PNT8sYmYIxzD4uRHu421ePW1aSFJ8fkMvuTzSO8vD/F/jOOg5opM4kov/xSAn+qCg==",
-      "signed_at": "2026-05-30T05:02:13.753Z"
+      "signed_at": "2026-05-30T05:22:00.157Z"
     },
     {
       "name": "sector-energy",
@@ -1694,7 +1694,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "oz8Q5WVaY8au4IjbaZahx/DSaC00Q44ylSL3mDkTerCEpW/EyPUeiLeGxSrWxBCwVFEKSSJvnhJjhvX5lDPcCg==",
-      "signed_at": "2026-05-30T05:02:13.754Z"
+      "signed_at": "2026-05-30T05:22:00.157Z"
     },
     {
       "name": "sector-telecom",
@@ -1780,7 +1780,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "NAtyzfLPXlUuB78Snb9nWmbZalC1CNlIYN9rYhdEmtB/xQGC6vVnThgrEAHlm7v/jMCFuknvEpUHKdscUnUADw==",
-      "signed_at": "2026-05-30T05:02:13.754Z"
+      "signed_at": "2026-05-30T05:22:00.157Z"
     },
     {
       "name": "api-security",
@@ -1849,7 +1849,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "1UTjZNC5Lyrgw93LAizdXVeSmv3jS8YQNT1db5OKsldub50+o1FXmAH4+3MxZozaOGDCX3yXbdDJSJaaSmfuAA==",
-      "signed_at": "2026-05-30T05:02:13.754Z",
+      "signed_at": "2026-05-30T05:22:00.158Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments",
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments",
@@ -1935,7 +1935,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "EdsY4xe7YA8X8m+KZUbq49JwoCXgRKEz2eg3m86O37rvBmpm8ppvl9hrsekygvpBh2VmCHL2dEYiOD8OM2n7CA==",
-      "signed_at": "2026-05-30T05:02:13.755Z"
+      "signed_at": "2026-05-30T05:22:00.158Z"
     },
     {
       "name": "container-runtime-security",
@@ -1997,7 +1997,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "fnLKPLkjjRCJ/F9wdmZ1w1lXmqEJvTYkv6Uu+9OTd5vZTWKz3QMuxKOsas+ctCdOvTaeloqPUUprXx+ZZdDpCg==",
-      "signed_at": "2026-05-30T05:02:13.755Z",
+      "signed_at": "2026-05-30T05:22:00.158Z",
       "forward_watch": [
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo"
       ]
@@ -2071,7 +2071,7 @@
         "MITRE ATLAS v5.6.0 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "t3dkdpTX04zvjitEeOJThpgjurLd1UO9GOut4LXSZgY3ULhfknI4zT7G5+m2RSZZTo7yyeZrwpg+7vEg9K6mAw==",
-      "signed_at": "2026-05-30T05:02:13.755Z"
+      "signed_at": "2026-05-30T05:22:00.159Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2133,7 +2133,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "+1kmtA6rAvIyDjjy+cJHK6BcfylyVsa5cUjRFijlFR9GsQfB93JnmkEJOqML50pdlcxtJI3yUodHpL3/YJGtCA==",
-      "signed_at": "2026-05-30T05:02:13.756Z"
+      "signed_at": "2026-05-30T05:22:00.159Z"
     },
     {
       "name": "ransomware-response",
@@ -2213,7 +2213,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "h48ASCz63aBfHzLKxMVDADMuT4atriK0iE6bJeVzZTsx/e8+hyv4fLP7+zYxT9Oe0Gss3v/Xy+t+Wd9uwzV+Aw==",
-      "signed_at": "2026-05-30T05:02:13.756Z"
+      "signed_at": "2026-05-30T05:22:00.159Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2266,7 +2266,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "FVBn4ex2qPIo9SHMVJ6tntoz4tVwjbIq3m6wDjjZyv2JODlS+90GBYCOkNamxxkmw/6de6SMs0YHQiF/xjo/DQ==",
-      "signed_at": "2026-05-30T05:02:13.756Z"
+      "signed_at": "2026-05-30T05:22:00.160Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2334,7 +2334,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "ZHVdGWCcfG98tSVB0b9mwrsYwv71V3uUEl+6ss7omSQhmNvqV5s6MAZM5YladBt9MK/8T/zBrTYN4gAonOP+BQ==",
-      "signed_at": "2026-05-30T05:02:13.757Z"
+      "signed_at": "2026-05-30T05:22:00.160Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2414,7 +2414,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "e/kij7GtKaytROyIj7V5RH+FC9WtmVFzrmG2kIlNDNn29ep/CRNlIQKwXLpzo/81AIf634pmdr1qy/+vwIuUDA==",
-      "signed_at": "2026-05-30T05:02:13.757Z",
+      "signed_at": "2026-05-30T05:22:00.160Z",
       "forward_watch": [
         "AWS IAM Identity Center session-policy refresh and step-up-on-admin enforcement (anticipated 2026-H2 release)",
         "GCP Workload Identity Federation principal-set attribute mapping tightening (post-2026 Q3 Federation hardening guide)",
@@ -2508,7 +2508,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "9mfDtMApMAg9V/lmwpniNxo/6gNZoOEoYDfyFvyWvKrPMtc7H9F8uz06FVoARe/J49saAKTVXOurNE1D/KtpCQ==",
-      "signed_at": "2026-05-30T05:02:13.758Z",
+      "signed_at": "2026-05-30T05:22:00.161Z",
       "forward_watch": [
         "Entra ID conditional access evolution post-Midnight Blizzard — Microsoft's 2025-2026 commitments on legacy-tenant MFA enforcement and OAuth-app consent gating",
         "Okta IPSIE (Interoperability Profile for Secure Identity in the Enterprise) OpenID Foundation working-group output and adoption timeline",
@@ -2526,6 +2526,6 @@
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "1cEfkwTIVieCZG9ReOh2UVf2r0nFePnP8D5qssFFFQ3FLRHmJ8h0iJl6qSY4W3LkCDWVQ1Qiuym4XXkYx2PkDQ=="
+    "signature_base64": "qKfkSa6UoLWnoUh+EAnfyeHbIfEg6myujRJgNJZwzmPqhDvuydX6NperjDB/xLinNRegt6HO+oUDgv35b+6iAQ=="
   }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.15.38",
+  "version": "0.15.39",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (427 CVEs / 173 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json CHANGED Viewed

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:b16a51db-551d-41d2-9329-c7fa3eb78e6e",
+  "serialNumber": "urn:uuid:5840103f-1b87-45bd-9075-c4a9f2513a76",
   "version": 1,
   "metadata": {
-    "timestamp": "2120-04-28T15:16:43.000Z",
+    "timestamp": "2072-12-01T11:57:51.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.15.38"
+        "version": "0.15.39"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.15.38",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.15.39",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.15.38",
+      "version": "0.15.39",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (427 CVEs / 173 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.15.38",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.15.39",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "714a135fd916d11a3f6eceef79ad71704425daa1727d14a905b72e5cb85f4040"
+          "content": "772d80234f76166dc186d7d5edad9b13f5ffbaf626552686e58505e97b8fa257"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.15.38"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.15.39"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "dab67d6205d3359c007931fe174db2a25353878766799036627e0b6eeda41ae2"
+          "content": "54cca398e304465436b3a09d2226fb1813884ea5e800b5624fee82e9ff1978ca"
         },
         {
           "alg": "SHA3-512",
-          "content": "2e7e1ef53d0656956c8faa6d4bf9535e08790d79bcdeced44ab18083dd7a2a7689404344fbd0e77e649c74940406f08d58a5bd1b55bc4eb94d9e058b4d7eba14"
+          "content": "e20d1f753a228925c8cde72e91bbe0b46dca7eb37962950f1efbb5b817e423831a2151cea2498aa38824dc2a31d40a65a5042ea9a263f2250228d6ffe883ceeb"
         }
       ]
     },
@@ -311,11 +311,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "b8799721fb6d455811f555410845423ec87f2c26f70fe1222ee19088aa6e43f5"
+          "content": "0f8fe5c6ec54206645a8f5d4780bd820aa70df9c0256b4405256c9de45be2544"
         },
         {
           "alg": "SHA3-512",
-          "content": "327ad1d5b88627cf030d5d95bbfb777e1f503f4f115ae29bfd4eadbc5c87398a984d00b9ab98dbf67e0b33e2513a5703bcbd799640a9ceec28884f7d46bd1ca7"
+          "content": "a3840d1718b42b9415a272a590a4a8d5866c95b82b9a01de22e055ce6305e2136e011e829e19b3671c8815307402cf95e3cb1b15e1ab1b7790122fd59c879320"
         }
       ]
     },
@@ -326,11 +326,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "0ca079ef9ae7f74755398ad434c2c0c5fe3ee7be488549af3a5ecf2394ae0ba8"
+          "content": "aafacd0b7fa88c145228b4e3fbf5167c158ecad4d8b5fb977621edfb6016ff9a"
         },
         {
           "alg": "SHA3-512",
-          "content": "05d07620864f02596125f32027bd0c7e6f7088a6a577c5253aaf7434084e416b98025880a783114acad1114d58a1d0260d7d02922e263f9a34f9990b92242afa"
+          "content": "b99fa6d95a9f573772544e4757f5ebe3e44b9c73bbbf7dd71aa1e1fa70d9ec889173087f6a2b17dd204ad1bf125343f3d7a2c404cd9472d9dede8d16ab1f06d6"
         }
       ]
     },
@@ -806,11 +806,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "adf769626f304dd6cbd700f6f3bfe8359de02282929008e16599599470377c5c"
+          "content": "821f5e2596ce5c4f1d42114ffe0c25a32f99dad1aee3f6d3beb32d78f75046ec"
         },
         {
           "alg": "SHA3-512",
-          "content": "e7517715aa5d66b332e7c1756d1714855c04d7159a2011730bce45e4889b08115ae7b9c10a02d48ea650f352adac6d547ce09a0fa0f2b1690e46b4161408a89d"
+          "content": "51a327da2de076a80e5a47e4af86ca6e83921ed58966dcbf82a229bf71faf497bcc57b586a82db6324ed3a05871e75588b53302d1458b85d068d85cfedcd3537"
         }
       ]
     },
@@ -1751,11 +1751,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "a98d7f6abe573e5ba73e7e1097cc30a1703fff81ccc9922b00630341b2ade670"
+          "content": "4308b0a5e326fe8fe860312fe2f462a0b7f9c507f1dc547ba19db01a7fca8dd5"
         },
         {
           "alg": "SHA3-512",
-          "content": "e621f955940c320845a6ee96caede41dc72fb11cb31eaab9caf1a70a717d029b2c3460de2751badfd532583bde5186d929eda7af706528af949437061b679595"
+          "content": "9d7c956058f102d6da5ebf5068eb2373fbad40a9dde7306744a0a1d942a8ccfbe5e206e89a8d05a251bcde360181d6489011f6899440367df146ea101131a470"
         }
       ]
     },