npm - @blamejs/exceptd-skills - Versions diffs - 0.15.41 → 0.15.43 - Mend

@blamejs/exceptd-skills 0.15.41 → 0.15.43

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +5 -5
package/data/attack-techniques.json +6 -2
package/data/cve-catalog.json +84 -30
package/data/zeroday-lessons.json +214 -74
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,13 @@
 # Changelog
+## 0.15.43 — 2026-05-30
+Draft-curation pass 40 — supply-chain embedded malicious code. Two CISA KEV-listed CVEs where malicious code shipped through a trusted distribution channel are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the ASUS Live Update updater (CVE-2025-59374), which executes attacker code in the trusted context of the vendor update utility, and the eslint-config-prettier npm package (CVE-2025-54313), where a maintainer-account compromise published versions carrying a malicious install-time payload that runs on developer and CI machines. Both map T1195.002 (Compromise Software Supply Chain). The lessons frame the defense as enforced signature and provenance verification (code signing, Sigstore/in-toto, SLSA), dependency pinning, and publishing-account protections — not patching — and note that response is environment-wide because the tainted code reaches every host that installed it.
+## 0.15.42 — 2026-05-29
+Draft-curation pass 39 — sensitive data exposure. Three CISA KEV-listed CVEs that leak credentials and plaintext data through diagnostic surfaces are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the two TeleMessage TM SGNL flaws — a core-dump file exposed to an unauthorized control sphere (CVE-2025-48928) and an insecure-default Spring Boot Actuator `/heapdump` endpoint (CVE-2025-48927), which together leaked plaintext messages and credentials from the Signal-clone server — and the Wing FTP error-message disclosure (CVE-2025-47813). All map T1190 and T1552. The lessons make the point that an encryption-in-transit posture is undermined when the server holds and leaks plaintext through memory dumps and diagnostic endpoints, that least-functionality (disabling Actuator and core-dump generation in production) is the durable control, and that response must rotate every exposed secret and treat the disclosed data's confidentiality as already breached — a patch cannot recall data the attacker has.
 ## 0.15.41 — 2026-05-29
 Draft-curation pass 38 — access-control and security-control bypass. Four CISA KEV-listed CVEs that defeat an access-enforcement mechanism are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the CrushFTP unprotected-alternate-channel admin bypass (CVE-2025-54309), the SonicWall SMA1000 missing-authorization flaw (CVE-2025-40602), the SolarWinds Web Help Desk security-control bypass (CVE-2025-40536), and the Craft CMS assumed-immutable-parameter tampering flaw (CVE-2025-35939). All map T1190; the authorization-bypass trio also maps T1078. The lessons make the point that the access-control posture (passwords, roles) is irrelevant when the enforcement mechanism itself is bypassed — restricting the management plane to a trusted network is the load-bearing compensating control — and that the parameter-tampering flaw is chained to code execution, so it requires web-shell hunting and key rotation beyond the patch.

package/data/_indexes/_meta.json CHANGED Viewed

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-30T06:05:46.422Z",
+  "generated_at": "2026-05-30T07:08:37.048Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "36a32308e02f7ab019a04684d57cb7391761d3a3ced05c0d9866244a538affe5",
+    "manifest.json": "970c197defcefa117bffcd713b167e14c90f36506e496794485d7bcb2e1789b0",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "95a196f3125417cb5a41c392f147d66d02c06f07aba5b05cb8f1a1ad39123c82",
-    "data/cve-catalog.json": "826b2174320f96b02ebe3a1c1c1f050931a3cd7703cb7b634c22d496d1babe3d",
+    "data/attack-techniques.json": "6255e929454291c9f2ab48b600bbedf68a1678c5eb04504e5323a2d6ff5f3e36",
+    "data/cve-catalog.json": "6a081bf58b2aafc37b7c297b63edb8bca7db6ee93ec69014d34ab9fc764cbb98",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "0d035b099f10ed055d23bc556ff74df0f72f07e25d147d20baca85c2db1f6315",
+    "data/zeroday-lessons.json": "5337ae234da930e89a31d185d739f081cd95086223006ae7b5121f1ab7674791",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json CHANGED Viewed

@@ -1110,6 +1110,7 @@
       "CVE-2025-4428",
       "CVE-2025-4632",
       "CVE-2025-47812",
+      "CVE-2025-47813",
       "CVE-2025-47827",
       "CVE-2025-48700",
       "CVE-2025-48703",
@@ -1131,7 +1132,6 @@
       "CVE-2025-54236",
       "CVE-2025-54253",
       "CVE-2025-54309",
-      "CVE-2025-54313",
       "CVE-2025-54948",
       "CVE-2025-55177",
       "CVE-2025-55182",
@@ -1141,7 +1141,6 @@
       "CVE-2025-58034",
       "CVE-2025-58360",
       "CVE-2025-59287",
-      "CVE-2025-59374",
       "CVE-2025-59389",
       "CVE-2025-59689",
       "CVE-2025-59718",
@@ -1324,6 +1323,8 @@
       "CVE-2025-32434",
       "CVE-2025-33236",
       "CVE-2025-51480",
+      "CVE-2025-54313",
+      "CVE-2025-59374",
       "CVE-2025-8747",
       "CVE-2026-31229",
       "CVE-2026-33634",
@@ -1758,6 +1759,9 @@
       "CVE-2025-30066",
       "CVE-2025-30154",
       "CVE-2025-31125",
+      "CVE-2025-47813",
+      "CVE-2025-48927",
+      "CVE-2025-48928",
       "CVE-2025-5777",
       "CVE-2025-68664",
       "CVE-2025-68665",

package/data/cve-catalog.json CHANGED Viewed

@@ -21690,7 +21690,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1005"
+      "T1005",
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -21711,7 +21713,7 @@
     "cwe_refs": [
       "CWE-209"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.wftpserver.com/serverhistory.htm",
@@ -21740,11 +21742,21 @@
         "published_date": "2026-03-16"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-16; due date 2026-03-30. Notes reference: https://www.wftpserver.com/serverhistory.htm ; https://nvd.nist.gov/vuln/detail/CVE-2025-47813",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie.",
+    "iocs": {
+      "behavioral": [
+        "Wing FTP Server reachable on the network at a version below the fixed release named in the vendor advisory; the web interface processes a client-supplied UID session cookie.",
+        "Requests to the Wing FTP web interface (e.g. loginok.html) carrying an oversized or malformed UID session cookie that triggers an error response.",
+        "Error responses from Wing FTP Server disclosing the installation / local file path, used to map the server for a follow-on attack (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-47813, CISA KEV (added 2026-03-16), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1552 unsecured credentials/data) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-3910": {
     "name": "Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer Vulnerability",
@@ -27362,7 +27374,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1195.002"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -27383,7 +27395,7 @@
     "cwe_refs": [
       "CWE-506"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-30",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.npmjs.com/package/eslint-config-prettier?activeTab=versions",
@@ -27413,11 +27425,21 @@
         "published_date": "2026-01-22"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-30",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-22; due date 2026-02-12. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Prettier eslint-config-prettier contains an embedded malicious code vulnerability. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Prettier eslint-config-prettier contains an embedded malicious code vulnerability. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.",
+    "iocs": {
+      "behavioral": [
+        "A tainted version of eslint-config-prettier (or a sibling package compromised in the same incident) present in a project's lockfile or node_modules.",
+        "The package's install/post-install step executing unexpected code (e.g. launching a Windows DLL/payload) during npm install on developer or CI machines.",
+        "Outbound connections or process execution from an npm install step with no legitimate cause (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-54313, CISA KEV (added 2026-01-22), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-30: ATT&CK enrichment (T1195.002 software supply-chain compromise) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-20045": {
     "name": "Cisco Unified Communications Products Code Injection Vulnerability",
@@ -28204,7 +28226,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1195.002"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -28225,7 +28247,7 @@
     "cwe_refs": [
       "CWE-506"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-30",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.asus.com/support/faq/1018727/",
@@ -28254,11 +28276,21 @@
         "published_date": "2025-12-17"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-30",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-17; due date 2026-01-07. Notes reference: https://www.asus.com/support/faq/1018727/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-59374",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "ASUS Live Update contains an embedded malicious code vulnerability client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ASUS Live Update contains an embedded malicious code vulnerability client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "ASUS Live Update installed at a version flagged in the ASUS advisory on an ASUS endpoint.",
+        "The ASUS Live Update process fetching or executing an unexpected/unsigned payload, or behaving anomalously (unexpected outbound connections, unexpected child processes).",
+        "Execution of attacker code in the trusted context of the update utility with no corresponding legitimate ASUS update (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-59374, CISA KEV (added 2025-12-17), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-30: ATT&CK enrichment (T1195.002 software supply-chain compromise) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-40602": {
     "name": "SonicWall SMA1000 Missing Authorization Vulnerability",
@@ -39187,7 +39219,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39208,7 +39241,7 @@
     "cwe_refs": [
       "CWE-528"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://nvd.nist.gov/vuln/detail/CVE-2025-48928"
@@ -39229,11 +39262,21 @@
         "published_date": "2025-07-01"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-01; due date 2025-07-22. Notes reference: It is recommended that mitigations be applied per vendor instructions if available. If these instructions cannot be located or if mitigations are unavailable, discontinue use of the product. ; https:/",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "TeleMessage TM SGNL contains an exposure of core dump file to an unauthorized control sphere Vulnerability. This vulnerability is based on a JSP application in which the heap content is roughly equivalent to a \"core dump\" in which a password previously sent over HTTP would be included in this dump."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "TeleMessage TM SGNL contains an exposure of core dump file to an unauthorized control sphere Vulnerability. This vulnerability is based on a JSP application in which the heap content is roughly equivalent to a \"core dump\" in which a password previously sent over HTTP would be included in this dump.",
+    "iocs": {
+      "behavioral": [
+        "TeleMessage TM SGNL reachable on the network at a version below the fixed release named in the vendor advisory, with a diagnostic/dump surface or verbose errors exposed.",
+        "Unauthenticated requests to the TeleMessage (Signal clone) targeting diagnostic endpoints (/heapdump, actuator), core-dump files, or error-triggering inputs.",
+        "Retrieval of memory dumps, core files, or error output disclosing credentials or plaintext data, followed by use of the disclosed material elsewhere (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-48928, CISA KEV (added 2025-07-01), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1552 unsecured credentials/data) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-48927": {
     "name": "TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability",
@@ -39275,7 +39318,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39296,7 +39340,7 @@
     "cwe_refs": [
       "CWE-1188"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://nvd.nist.gov/vuln/detail/CVE-2025-48927"
@@ -39317,11 +39361,21 @@
         "published_date": "2025-07-01"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-01; due date 2025-07-22. Notes reference: It is recommended that mitigations be applied per vendor instructions if available. If these instructions cannot be located or if mitigations are unavailable, discontinue use of the product. ; https:/",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "TeleMessage TM SGNL contains an initialization of a resource with an insecure default vulnerability. This vulnerability relies on how the Spring Boot Actuator is configured with an exposed heap dump endpoint at a /heapdump URI."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "TeleMessage TM SGNL contains an initialization of a resource with an insecure default vulnerability. This vulnerability relies on how the Spring Boot Actuator is configured with an exposed heap dump endpoint at a /heapdump URI.",
+    "iocs": {
+      "behavioral": [
+        "TeleMessage TM SGNL reachable on the network at a version below the fixed release named in the vendor advisory, with a diagnostic/dump surface or verbose errors exposed.",
+        "Unauthenticated requests to the TeleMessage (Signal clone) targeting diagnostic endpoints (/heapdump, actuator), core-dump files, or error-triggering inputs.",
+        "Retrieval of memory dumps, core files, or error output disclosing credentials or plaintext data, followed by use of the disclosed material elsewhere (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-48927, CISA KEV (added 2025-07-01), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1552 unsecured credentials/data) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-6543": {
     "name": "Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability",

package/data/zeroday-lessons.json CHANGED Viewed

@@ -11681,35 +11681,63 @@
   },
   "CVE-2025-47813": {
     "name": "Wing FTP Server Information Disclosure Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "Generation of an error message containing sensitive information (CWE-209) in Wing FTP Server: an oversized or malformed UID session cookie triggers an error (on loginok.html) that discloses the installation / local file path, aiding a follow-on attack. CISA KEV-listed 2026-03-16 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none-to-low (the data is exposed through an unauthenticated diagnostic surface or a low-privilege error path)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Wing FTP update; suppress verbose error output on the production surface and rotate any session/credential material the error disclosure could reveal.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — any credential or plaintext the exposure disclosed survives the patch and must be rotated/treated as breached; removing diagnostic surfaces from production is the durable control."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Wing FTP Server: requests carrying oversized or malformed UID session cookies (to loginok.html and the web interface) and error responses that disclose the installation / local file path.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch the disclosure and the downstream use of leaked secrets."
+      },
+      "response": {
+        "what_would_have_worked": "Patch, suppress verbose error output that reveals local paths, rotate any session/credential material the disclosure aided, and review for follow-on attacks that used the leaked path.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; a data-exposure flaw cannot be remediated by a patch alone because the disclosed data is already in the attacker's hands."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed sensitive-data-exposure flaw; diagnostic surfaces (heap/core dumps) and verbose errors leak credentials and plaintext data without the attacker breaking encryption, and are mass-exploited within days."
+      },
+      "NIST-800-53-SC-28-data-at-rest": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Encryption-in-transit claims do not protect data exposed in plaintext via memory dumps, diagnostic endpoints, or error messages; protecting information at rest and in memory — and not exposing it through diagnostic surfaces — is the unmet control, and a 'messages are encrypted' posture is undermined when the server holds and leaks plaintext."
+      },
+      "NIST-800-53-CM-7-least-functionality": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Diagnostic and management endpoints (Spring Boot Actuator, core-dump generation, verbose error output) left enabled in production are unnecessary functionality that should be disabled; these flaws exist because least-functionality was not enforced on the internet-facing surface."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited data-exposure flaw, and the disclosed plaintext/credentials remain compromised until rotated."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "Internet-facing Wing FTP Server can pass an audit while returning verbose errors that leak the local installation path to an attacker who manipulates the UID session cookie; the path disclosure aids follow-on attacks, and suppressing verbose errors plus rotating exposed material is rarely part of the patch procedure.",
+      "theater_pattern": "encryption_in_transit_masks_plaintext_at_rest"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2026-3910": {
     "name": "Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer Vulnerability",
@@ -14725,35 +14753,63 @@
   },
   "CVE-2025-54313": {
     "name": "Prettier eslint-config-prettier Embedded Malicious Code Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-30",
     "attack_vector": {
-      "description": "Prettier eslint-config-prettier contains an embedded malicious code vulnerability. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "embedded malicious code (CWE-506) published in compromised versions of the eslint-config-prettier npm package (maintainer-account compromise), executing on developer and CI machines that installed the tainted versions. CISA KEV-listed 2026-01-22 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the malicious code is delivered through a trusted update channel or package; no authentication to the victim is required)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Enforce cryptographic integrity and provenance verification on all installed/updated code (code signing with verification, Sigstore/in-toto, SLSA provenance), pin dependencies to verified versions, and require multi-factor and review gates on package-publishing/maintainer accounts.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 SR-11 / NIST SSDF 800-218 / SLSA",
+        "adequacy": "Signature and provenance verification is the definitive control; the compromise succeeded precisely because the trusted channel was trusted without independent verification."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring for unexpected install/post-install script execution and outbound connections during npm install on developer/CI machines, and version-pinning alerts on dependency changes.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because supply-chain compromise runs in a trusted context — the anomaly is the unexpected code execution alongside the legitimate tool."
+      },
+      "response": {
+        "what_would_have_worked": "Pin and upgrade to a clean eslint-config-prettier version, delete node_modules and reinstall from a verified lockfile, rotate any credentials reachable from developer/CI machines that installed the tainted version, and verify build artifacts produced during the exposure window.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; supply-chain compromise propagates through every host that installed the tainted code, so response is environment-wide and includes build-artifact verification."
+      }
     },
     "framework_coverage": {
-      "NIST-800-53-SI-2": {
+      "NIST-800-53-SR-11": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "Component authenticity / anti-counterfeit is named, but verification is not enforced at install/update time — the tainted code shipped through a trusted channel without consumer-side signature/provenance verification, so the control is paper unless signed-artifact verification (Sigstore/in-toto) is mandated."
       },
-      "ISO-27001-2022-A.8.8": {
+      "NIST-SSDF-800-218-PS.2": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "The SSDF calls for protecting release integrity and providing provenance, but downstream consumers had no enforced way to verify it; without signed releases plus provenance a consumer cannot detect maliciously-published or substituted code."
+      },
+      "SLSA-build-provenance": {
+        "covered": true,
+        "adequate": false,
+        "gap": "SLSA build provenance and signed releases would let a consumer detect a maliciously-published version; absent enforced verification at the install/update step, a compromised maintainer account or update channel propagates the malicious code unchecked."
+      },
+      "EU-CRA-secure-update": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The EU Cyber Resilience Act requires secure update mechanisms and shipping without known exploitable defects; an update channel or package registry that ships embedded malicious code violates the secure-update and integrity expectations."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 78,
+      "basis": "eslint-config-prettier (npm) is trusted by default; audited organizations that install vendor updates or npm dependencies without enforcing signature/provenance verification or pinning are exposed to maliciously-published code, and the compromise reaches every host that installed it.",
+      "theater_pattern": "maintainer_account_integrity_assumed_without_evidence"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2026-20045": {
     "name": "Cisco Unified Communications Products Code Injection Vulnerability",
@@ -15167,35 +15223,63 @@
   },
   "CVE-2025-59374": {
     "name": "ASUS Live Update Embedded Malicious Code Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-30",
     "attack_vector": {
-      "description": "ASUS Live Update contains an embedded malicious code vulnerability client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "embedded malicious code (CWE-506) in the ASUS Live Update software/update channel, executing on the ASUS endpoint in the trusted context of the vendor update utility. CISA KEV-listed 2025-12-17 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the malicious code is delivered through a trusted update channel or package; no authentication to the victim is required)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Enforce cryptographic integrity and provenance verification on all installed/updated code (code signing with verification, Sigstore/in-toto, SLSA provenance), pin dependencies to verified versions, and require multi-factor and review gates on package-publishing/maintainer accounts.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 SR-11 / NIST SSDF 800-218 / SLSA",
+        "adequacy": "Signature and provenance verification is the definitive control; the compromise succeeded precisely because the trusted channel was trusted without independent verification."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring for the update utility fetching/executing unsigned payloads and behaving anomalously, and version-pinning alerts on dependency changes.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because supply-chain compromise runs in a trusted context — the anomaly is the unexpected code execution alongside the legitimate tool."
+      },
+      "response": {
+        "what_would_have_worked": "Remove or upgrade ASUS Live Update to a known-good signed version, verify the update-channel integrity, and audit ASUS endpoints that ran the tainted updater for follow-on payloads and credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; supply-chain compromise propagates through every host that installed the tainted code, so response is environment-wide and includes build-artifact verification."
+      }
     },
     "framework_coverage": {
-      "NIST-800-53-SI-2": {
+      "NIST-800-53-SR-11": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "Component authenticity / anti-counterfeit is named, but verification is not enforced at install/update time — the tainted code shipped through a trusted channel without consumer-side signature/provenance verification, so the control is paper unless signed-artifact verification (Sigstore/in-toto) is mandated."
       },
-      "ISO-27001-2022-A.8.8": {
+      "NIST-SSDF-800-218-PS.2": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "The SSDF calls for protecting release integrity and providing provenance, but downstream consumers had no enforced way to verify it; without signed releases plus provenance a consumer cannot detect maliciously-published or substituted code."
+      },
+      "SLSA-build-provenance": {
+        "covered": true,
+        "adequate": false,
+        "gap": "SLSA build provenance and signed releases would let a consumer detect a maliciously-published version; absent enforced verification at the install/update step, a compromised maintainer account or update channel propagates the malicious code unchecked."
+      },
+      "EU-CRA-secure-update": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The EU Cyber Resilience Act requires secure update mechanisms and shipping without known exploitable defects; an update channel or package registry that ships embedded malicious code violates the secure-update and integrity expectations."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 78,
+      "basis": "ASUS Live Update is trusted by default; audited organizations that install vendor updates or npm dependencies without enforcing signature/provenance verification or pinning are exposed to maliciously-published code, and the compromise reaches every host that installed it.",
+      "theater_pattern": "update_channel_integrity_unverified"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-40602": {
     "name": "SonicWall SMA1000 Missing Authorization Vulnerability",
@@ -21072,67 +21156,123 @@
   },
   "CVE-2025-48928": {
     "name": "TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "TeleMessage TM SGNL contains an exposure of core dump file to an unauthorized control sphere Vulnerability. This vulnerability is based on a JSP application in which the heap content is roughly equivalent to a \"core dump\" in which a password previously sent over HTTP would be included in this dump.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "exposure of a core-dump file to an unauthorized control sphere (CWE-528), disclosing memory contents including plaintext messages and credentials from the TeleMessage server. CISA KEV-listed 2025-07-01 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none-to-low (the data is exposed through an unauthenticated diagnostic surface or a low-privilege error path)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the TeleMessage update; remove core-dump generation and diagnostic surfaces from the internet-facing server, rotate every credential and session secret that was in memory, and treat the confidentiality of all handled messages as breached — plaintext content was exposed.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — any credential or plaintext the exposure disclosed survives the patch and must be rotated/treated as breached; removing diagnostic surfaces from production is the durable control."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the TeleMessage (Signal clone): requests to diagnostic/dump endpoints, retrieval of large memory/core artifacts, and subsequent use of disclosed credentials.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch the disclosure and the downstream use of leaked secrets."
+      },
+      "response": {
+        "what_would_have_worked": "Patch, remove the diagnostic surface, rotate every credential and session secret that was in memory, and — where plaintext content was exposed — notify affected parties and treat that data's confidentiality as breached.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; a data-exposure flaw cannot be remediated by a patch alone because the disclosed data is already in the attacker's hands."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed sensitive-data-exposure flaw; diagnostic surfaces (heap/core dumps) and verbose errors leak credentials and plaintext data without the attacker breaking encryption, and are mass-exploited within days."
+      },
+      "NIST-800-53-SC-28-data-at-rest": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Encryption-in-transit claims do not protect data exposed in plaintext via memory dumps, diagnostic endpoints, or error messages; protecting information at rest and in memory — and not exposing it through diagnostic surfaces — is the unmet control, and a 'messages are encrypted' posture is undermined when the server holds and leaks plaintext."
+      },
+      "NIST-800-53-CM-7-least-functionality": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Diagnostic and management endpoints (Spring Boot Actuator, core-dump generation, verbose error output) left enabled in production are unnecessary functionality that should be disabled; these flaws exist because least-functionality was not enforced on the internet-facing surface."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited data-exposure flaw, and the disclosed plaintext/credentials remain compromised until rotated."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "Internet-facing TeleMessage TM SGNL can pass an audit while leaving diagnostic surfaces (Actuator, core dumps) or verbose errors exposed; an 'encrypted' posture is undermined when the server holds and leaks plaintext, and the required secret rotation / breach handling is rarely part of the patch procedure.",
+      "theater_pattern": "encryption_in_transit_masks_plaintext_at_rest"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-48927": {
     "name": "TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "TeleMessage TM SGNL contains an initialization of a resource with an insecure default vulnerability. This vulnerability relies on how the Spring Boot Actuator is configured with an exposed heap dump endpoint at a /heapdump URI.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an insecure-default initialization (CWE-1188) that leaves a Spring Boot Actuator diagnostic endpoint (/heapdump) exposed, letting an unauthenticated attacker retrieve a heap dump containing plaintext messages and credentials. CISA KEV-listed 2025-07-01 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none-to-low (the data is exposed through an unauthenticated diagnostic surface or a low-privilege error path)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the TeleMessage update; disable the exposed diagnostic endpoint (Spring Boot Actuator /heapdump) on the production surface, rotate all credentials and session secrets, and treat handled-message confidentiality as breached.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — any credential or plaintext the exposure disclosed survives the patch and must be rotated/treated as breached; removing diagnostic surfaces from production is the durable control."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the TeleMessage (Signal clone): requests to diagnostic/dump endpoints, retrieval of large memory/core artifacts, and subsequent use of disclosed credentials.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch the disclosure and the downstream use of leaked secrets."
+      },
+      "response": {
+        "what_would_have_worked": "Patch, remove the diagnostic surface, rotate every credential and session secret that was in memory, and — where plaintext content was exposed — notify affected parties and treat that data's confidentiality as breached.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; a data-exposure flaw cannot be remediated by a patch alone because the disclosed data is already in the attacker's hands."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed sensitive-data-exposure flaw; diagnostic surfaces (heap/core dumps) and verbose errors leak credentials and plaintext data without the attacker breaking encryption, and are mass-exploited within days."
+      },
+      "NIST-800-53-SC-28-data-at-rest": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Encryption-in-transit claims do not protect data exposed in plaintext via memory dumps, diagnostic endpoints, or error messages; protecting information at rest and in memory — and not exposing it through diagnostic surfaces — is the unmet control, and a 'messages are encrypted' posture is undermined when the server holds and leaks plaintext."
+      },
+      "NIST-800-53-CM-7-least-functionality": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Diagnostic and management endpoints (Spring Boot Actuator, core-dump generation, verbose error output) left enabled in production are unnecessary functionality that should be disabled; these flaws exist because least-functionality was not enforced on the internet-facing surface."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited data-exposure flaw, and the disclosed plaintext/credentials remain compromised until rotated."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "Internet-facing TeleMessage TM SGNL can pass an audit while leaving diagnostic surfaces (Actuator, core dumps) or verbose errors exposed; an 'encrypted' posture is undermined when the server holds and leaks plaintext, and the required secret rotation / breach handling is rarely part of the patch procedure.",
+      "theater_pattern": "encryption_in_transit_masks_plaintext_at_rest"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-6543": {
     "name": "Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability",

package/manifest.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.15.41",
+  "version": "0.15.43",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "0H+JfyUVmo/pVFEi5rLENATHjlukPVUqnOWmNPEH77wm8svKGK0aNJ46k6QU5GdHb8c9X9pVJKiuhON6AxDjDw==",
-      "signed_at": "2026-05-30T06:02:24.924Z",
+      "signed_at": "2026-05-30T07:05:14.670Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -123,7 +123,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "PHwHEsoy7ctBYOtlAfAdCDVfsq2Bpk9+qESSF+5dVkDcez2zp2v9Ihsv2vqMEs3QxMndyQ+t7NVezyt5VamSCg==",
-      "signed_at": "2026-05-30T06:02:24.926Z",
+      "signed_at": "2026-05-30T07:05:14.672Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -196,7 +196,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "dD4p7lcRtMyfITOncqLkpOeMy6x6gM0V7UlWHgLEdcxqODb1s75ar1cBtTqDWPbMv6ZAzVo2HJLDK1hVjjU2AQ==",
-      "signed_at": "2026-05-30T06:02:24.926Z",
+      "signed_at": "2026-05-30T07:05:14.672Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -248,7 +248,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "wsw8Mlr/gyw6S7Iaao9BVHdU5LFPWl8WVymW17Lkq9J1Mui0+fCrTg6UbrsaeE3s7EW3TVgzBuK+8EFd1+H5AA==",
-      "signed_at": "2026-05-30T06:02:24.927Z"
+      "signed_at": "2026-05-30T07:05:14.673Z"
     },
     {
       "name": "compliance-theater",
@@ -279,7 +279,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "uVTc1QRKOKcIVDajBz+q2egjiEAyOQaDNsvVI2ghj5FD0VvquoUBBE5Naca2FkaZa790EHWCsVZ4hhdaSQs2DQ==",
-      "signed_at": "2026-05-30T06:02:24.927Z"
+      "signed_at": "2026-05-30T07:05:14.673Z"
     },
     {
       "name": "exploit-scoring",
@@ -308,7 +308,7 @@
       ],
       "last_threat_review": "2026-05-18",
       "signature": "QuNpwnZ6HkCEAXTPC/jLbXSmMIc1JnBczqZAAIZmZj8OcEMVnw9mJYAnU3CxaEI7rvbcMkN2uS5E8yUCm/NiAg==",
-      "signed_at": "2026-05-30T06:02:24.928Z"
+      "signed_at": "2026-05-30T07:05:14.674Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -345,7 +345,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "5rw2i39SxY2WphBbDLEP28wufnbPPE9+PWt54hmaGdwHXr9RLiVt5liL/5xp14sehlVgFsfpR/bg9vy//xV0DA==",
-      "signed_at": "2026-05-30T06:02:24.928Z",
+      "signed_at": "2026-05-30T07:05:14.674Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -405,7 +405,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "Vqu49nzntFWjn9A/QeJzm7q/2xk/cZJ6HFQKtiNi1zgcxzXKm+MlFdkaLgYHWj5/9HJohxyIDyBJQTvcJ20eDQ==",
-      "signed_at": "2026-05-30T06:02:24.928Z",
+      "signed_at": "2026-05-30T07:05:14.674Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -440,7 +440,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "W87VdyVdAxAdcRI6P/8StaV+MS8ZSPKM9HOCK9n/bBO6BM3ZSE3uImVoyJVpAXQlUpUGN+A3lCJZXv64LuxwDg==",
-      "signed_at": "2026-05-30T06:02:24.929Z",
+      "signed_at": "2026-05-30T07:05:14.675Z",
       "cwe_refs": [
         "CWE-1188"
       ],
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "wdVX+edeNekpaIldqkhvtraV6DquLvIsKAjuZVwPQYn3l1vS99HXuFxmNsD7UeMlO3qgC6Dysfsto9EnuH0RBg==",
-      "signed_at": "2026-05-30T06:02:24.929Z",
+      "signed_at": "2026-05-30T07:05:14.675Z",
       "forward_watch": [
         "New AI attack classes as ATLAS v6 publishes",
         "Post-quantum adversary capability timeline",
@@ -513,7 +513,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "b5miTiY0cnxETd2btxorfZBdJKt/fLnQx20sGYUb9zEqGqtm0LMLpghkW68j4/9k48KNyuGMtNWiKTSnodUGBw==",
-      "signed_at": "2026-05-30T06:02:24.929Z"
+      "signed_at": "2026-05-30T07:05:14.675Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -540,7 +540,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "xbkip0AQtWQKAu+O6r/gYECNjezS6O9k9xkkJsYbMlr+j8CdqH3p5/0l+GZmDidImRC/DL07GCnKrk9HRR/yDQ==",
-      "signed_at": "2026-05-30T06:02:24.930Z",
+      "signed_at": "2026-05-30T07:05:14.676Z",
       "forward_watch": [
         "New CISA KEV entries",
         "New ATLAS TTP additions in each ATLAS release",
@@ -604,7 +604,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "li2NnC1oeVIr22ComP5QbcQoh5xpWITuaKpza1s2SsUkH6kGnnt4wFfFAzaC1ORmH9x2cr8hN8kaNANG/eIMBQ==",
-      "signed_at": "2026-05-30T06:02:24.930Z",
+      "signed_at": "2026-05-30T07:05:14.676Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -652,7 +652,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "sZHlJ7ueHPdtzVbR+yXQ5+wKgNyjWsa1LKVg9aWTmg/Onl71DvEILMyJiLpPQjseT56Mnr1DMYJE8xOGlffBAw==",
-      "signed_at": "2026-05-30T06:02:24.930Z"
+      "signed_at": "2026-05-30T07:05:14.676Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -689,7 +689,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "3AwFnEJu6DukPPNep/3SnuPWEuV060fJEQIwThFm7ujmdbFk0/Ii0XwGv1dkvbbK7ymMdOQpp35l4aLONAucDA==",
-      "signed_at": "2026-05-30T06:02:24.931Z",
+      "signed_at": "2026-05-30T07:05:14.677Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -724,7 +724,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "iJWevUBurLvt2v8X+Ch2eHmZkPWpKeAtIpxTIP4MwbUHyco3igDeBywJCyaR2vURYRx8LkzzIMM8DxQM4LAXBQ==",
-      "signed_at": "2026-05-30T06:02:24.931Z"
+      "signed_at": "2026-05-30T07:05:14.677Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -796,7 +796,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add"
       ],
       "signature": "C7lv65/Ecm8JJgSKxrX5lxx0YFzKWtrIQSKp+vy50I5e8945s1JmifGUUrnQwRQhq/Pkv7EmfiH5XSO8h75bDg==",
-      "signed_at": "2026-05-30T06:02:24.931Z"
+      "signed_at": "2026-05-30T07:05:14.677Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -856,7 +856,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "dJB0iAstIUbyny+udl3OIkaLScEmqS97LNP73yQ8mxt+0bcqxZjpfXaWLzLuIQblGYvUvz75/H6rO2EJuGd4AQ==",
-      "signed_at": "2026-05-30T06:02:24.932Z"
+      "signed_at": "2026-05-30T07:05:14.678Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -931,7 +931,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "KEAoMji3VcPX/ZXXqVe6OStxSkTssfY9fIRPyPcDYqh50GzOFQ6koNOTBVAiWOvjDjQ38g12xun5srbqgmvRAw==",
-      "signed_at": "2026-05-30T06:02:24.932Z"
+      "signed_at": "2026-05-30T07:05:14.678Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -1010,7 +1010,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact"
       ],
       "signature": "UY3tBi0n1K/OtSrWPkHcOCSuHEwKuPmRqGIf3MyPVXGWS72elGTWGXt4AN/uStLmefeEody1LuhnJR9PWjr4Cg==",
-      "signed_at": "2026-05-30T06:02:24.932Z"
+      "signed_at": "2026-05-30T07:05:14.678Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1067,7 +1067,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "Qe0Hg9BrX3Zm5pj0n2z/oiHbAXWdA2Dq461zc4izkkUjEX2CZ02rODjCI2ELbrVOU3GC7edxqAxA+5U/ObnHDQ==",
-      "signed_at": "2026-05-30T06:02:24.933Z"
+      "signed_at": "2026-05-30T07:05:14.678Z"
     },
     {
       "name": "identity-assurance",
@@ -1134,7 +1134,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "UV3458QXSkEpenzrOmdlTTfPHUD4hNyKMDHoeZDq/kiFb4mAG0ghQGTTgI9Ru8cJbSmYM1++m9N5TFIJ6JJPBg==",
-      "signed_at": "2026-05-30T06:02:24.933Z"
+      "signed_at": "2026-05-30T07:05:14.679Z"
     },
     {
       "name": "ot-ics-security",
@@ -1190,7 +1190,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "kIVzsPsJ72PzzWQwTuvjoHHoVEDCday5I52M9ohjB3/Ak+zlA8oyWLO/BKb/XuYY4fOApjfxTErSWv5uHQ2zDw==",
-      "signed_at": "2026-05-30T06:02:24.933Z"
+      "signed_at": "2026-05-30T07:05:14.679Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1242,7 +1242,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "bWr27Q1uN9xCe1ib4QulszBa7YIDNkGqo72k5nm2cK98LyPblicD+sO9MnGckAyB22BTN/cIB+FwFMcI5IxvBw==",
-      "signed_at": "2026-05-30T06:02:24.933Z"
+      "signed_at": "2026-05-30T07:05:14.679Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1292,7 +1292,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "Q854yzLqXdOazc6EyQbZzgAlivuq2vGFDVUCrxSldSvx/HX/ZM/uzmJyP7aBG7ZsMHxj6Lmj/H82YQoo1e+NCQ==",
-      "signed_at": "2026-05-30T06:02:24.934Z"
+      "signed_at": "2026-05-30T07:05:14.680Z"
     },
     {
       "name": "webapp-security",
@@ -1366,7 +1366,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "4ccahkJpGJZtwD7EBpnGcN0sEGPMEw8eqV+tvePVS04YAkLgYVWtlkasI/8n0be9xB+77x+Sjj3kIi2j2Lf9CA==",
-      "signed_at": "2026-05-30T06:02:24.934Z",
+      "signed_at": "2026-05-30T07:05:14.680Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments"
       ]
@@ -1419,7 +1419,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "SBB7c3wNYfIdkyOp4g4nW0WP7xS+YokMzg32aaeJdbf14LTGQRzQUvSqb2TCj2HFUSHESOyKT1JpkAfyHLSQBQ==",
-      "signed_at": "2026-05-30T06:02:24.934Z"
+      "signed_at": "2026-05-30T07:05:14.680Z"
     },
     {
       "name": "sector-healthcare",
@@ -1479,7 +1479,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "U04GNLyRas1VmfEsB8khH4iqFZPwx96sPY0Kw9iVsSPU+KTeEFqwgtWK1X1pzgb+T16Pc7HSrCaXDOpTFvQEDw==",
-      "signed_at": "2026-05-30T06:02:24.935Z"
+      "signed_at": "2026-05-30T07:05:14.681Z"
     },
     {
       "name": "sector-financial",
@@ -1560,7 +1560,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "QFKM76TdR408niqvDmF95HmmQuVmu9bLjOoQ9ydoBNPVOfFmF3AcpCv7zNWlLdLa2ZLxFqiBcND2qt9VDUn2Dg==",
-      "signed_at": "2026-05-30T06:02:24.935Z"
+      "signed_at": "2026-05-30T07:05:14.681Z"
     },
     {
       "name": "sector-federal-government",
@@ -1629,7 +1629,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "C9c3JuBhUbwcb7uZpDdy+PNT8sYmYIxzD4uRHu421ePW1aSFJ8fkMvuTzSO8vD/F/jOOg5opM4kov/xSAn+qCg==",
-      "signed_at": "2026-05-30T06:02:24.936Z"
+      "signed_at": "2026-05-30T07:05:14.682Z"
     },
     {
       "name": "sector-energy",
@@ -1694,7 +1694,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "oz8Q5WVaY8au4IjbaZahx/DSaC00Q44ylSL3mDkTerCEpW/EyPUeiLeGxSrWxBCwVFEKSSJvnhJjhvX5lDPcCg==",
-      "signed_at": "2026-05-30T06:02:24.936Z"
+      "signed_at": "2026-05-30T07:05:14.682Z"
     },
     {
       "name": "sector-telecom",
@@ -1780,7 +1780,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "NAtyzfLPXlUuB78Snb9nWmbZalC1CNlIYN9rYhdEmtB/xQGC6vVnThgrEAHlm7v/jMCFuknvEpUHKdscUnUADw==",
-      "signed_at": "2026-05-30T06:02:24.936Z"
+      "signed_at": "2026-05-30T07:05:14.682Z"
     },
     {
       "name": "api-security",
@@ -1849,7 +1849,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "1UTjZNC5Lyrgw93LAizdXVeSmv3jS8YQNT1db5OKsldub50+o1FXmAH4+3MxZozaOGDCX3yXbdDJSJaaSmfuAA==",
-      "signed_at": "2026-05-30T06:02:24.937Z",
+      "signed_at": "2026-05-30T07:05:14.683Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments",
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments",
@@ -1935,7 +1935,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "EdsY4xe7YA8X8m+KZUbq49JwoCXgRKEz2eg3m86O37rvBmpm8ppvl9hrsekygvpBh2VmCHL2dEYiOD8OM2n7CA==",
-      "signed_at": "2026-05-30T06:02:24.937Z"
+      "signed_at": "2026-05-30T07:05:14.683Z"
     },
     {
       "name": "container-runtime-security",
@@ -1997,7 +1997,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "fnLKPLkjjRCJ/F9wdmZ1w1lXmqEJvTYkv6Uu+9OTd5vZTWKz3QMuxKOsas+ctCdOvTaeloqPUUprXx+ZZdDpCg==",
-      "signed_at": "2026-05-30T06:02:24.937Z",
+      "signed_at": "2026-05-30T07:05:14.683Z",
       "forward_watch": [
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo"
       ]
@@ -2071,7 +2071,7 @@
         "MITRE ATLAS v5.6.0 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "t3dkdpTX04zvjitEeOJThpgjurLd1UO9GOut4LXSZgY3ULhfknI4zT7G5+m2RSZZTo7yyeZrwpg+7vEg9K6mAw==",
-      "signed_at": "2026-05-30T06:02:24.938Z"
+      "signed_at": "2026-05-30T07:05:14.684Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2133,7 +2133,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "+1kmtA6rAvIyDjjy+cJHK6BcfylyVsa5cUjRFijlFR9GsQfB93JnmkEJOqML50pdlcxtJI3yUodHpL3/YJGtCA==",
-      "signed_at": "2026-05-30T06:02:24.938Z"
+      "signed_at": "2026-05-30T07:05:14.684Z"
     },
     {
       "name": "ransomware-response",
@@ -2213,7 +2213,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "h48ASCz63aBfHzLKxMVDADMuT4atriK0iE6bJeVzZTsx/e8+hyv4fLP7+zYxT9Oe0Gss3v/Xy+t+Wd9uwzV+Aw==",
-      "signed_at": "2026-05-30T06:02:24.938Z"
+      "signed_at": "2026-05-30T07:05:14.684Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2266,7 +2266,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "FVBn4ex2qPIo9SHMVJ6tntoz4tVwjbIq3m6wDjjZyv2JODlS+90GBYCOkNamxxkmw/6de6SMs0YHQiF/xjo/DQ==",
-      "signed_at": "2026-05-30T06:02:24.939Z"
+      "signed_at": "2026-05-30T07:05:14.685Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2334,7 +2334,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "ZHVdGWCcfG98tSVB0b9mwrsYwv71V3uUEl+6ss7omSQhmNvqV5s6MAZM5YladBt9MK/8T/zBrTYN4gAonOP+BQ==",
-      "signed_at": "2026-05-30T06:02:24.939Z"
+      "signed_at": "2026-05-30T07:05:14.685Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2414,7 +2414,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "e/kij7GtKaytROyIj7V5RH+FC9WtmVFzrmG2kIlNDNn29ep/CRNlIQKwXLpzo/81AIf634pmdr1qy/+vwIuUDA==",
-      "signed_at": "2026-05-30T06:02:24.939Z",
+      "signed_at": "2026-05-30T07:05:14.685Z",
       "forward_watch": [
         "AWS IAM Identity Center session-policy refresh and step-up-on-admin enforcement (anticipated 2026-H2 release)",
         "GCP Workload Identity Federation principal-set attribute mapping tightening (post-2026 Q3 Federation hardening guide)",
@@ -2508,7 +2508,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "9mfDtMApMAg9V/lmwpniNxo/6gNZoOEoYDfyFvyWvKrPMtc7H9F8uz06FVoARe/J49saAKTVXOurNE1D/KtpCQ==",
-      "signed_at": "2026-05-30T06:02:24.940Z",
+      "signed_at": "2026-05-30T07:05:14.686Z",
       "forward_watch": [
         "Entra ID conditional access evolution post-Midnight Blizzard — Microsoft's 2025-2026 commitments on legacy-tenant MFA enforcement and OAuth-app consent gating",
         "Okta IPSIE (Interoperability Profile for Secure Identity in the Enterprise) OpenID Foundation working-group output and adoption timeline",
@@ -2526,6 +2526,6 @@
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "j7BL3rxW3U9a43kDLOofSi61gkCkVUK93BlhkZs4w0yrTQUrweJfrAmdFnx0ZYsY5XJGmVTLoTq/EanHXeI5CA=="
+    "signature_base64": "/jogeZGNJrOwDQSqjhiRxTgipHyD5dKGMLC8R7jn5yH5KOhyU08ngwCfG79LZnAJ6sw7Cx8pihl3Exk8RaHzAg=="
   }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.15.41",
+  "version": "0.15.43",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (427 CVEs / 173 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json CHANGED Viewed

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:24500e8b-b64c-4860-bbe6-96d8719fa622",
+  "serialNumber": "urn:uuid:f5bb0fdc-9421-4e40-a1a9-0d43b119c40d",
   "version": 1,
   "metadata": {
-    "timestamp": "2045-04-22T05:32:59.000Z",
+    "timestamp": "2156-08-23T04:06:52.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.15.41"
+        "version": "0.15.43"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.15.41",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.15.43",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.15.41",
+      "version": "0.15.43",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (427 CVEs / 173 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.15.41",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.15.43",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "1153939d923eda7514240207432aa522d22d25925529ff262363b3be6b912a7b"
+          "content": "6b34970deebc7e8329ba28443ce5adb1c3ebb7ad13262e27449ef67a7c5d0c88"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.15.41"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.15.43"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "9451fab5d673cf8dd8b9fde8612508de5fe7fdc1e0b573c924e7fb426d9d55a1"
+          "content": "72bb63e47aab4d3fa469984cf47438ec8ec411a4d34f2b2a3f27ade296da70b8"
         },
         {
           "alg": "SHA3-512",
-          "content": "cbb8dacad1538bf1f8dd00c404225f9b248fb825bbde2e9c31bd4a7b2567ce806078a77f7684416c9837216c153457d8f140c1e6fc1038dc3c10f9f4be1e0f87"
+          "content": "fea95bfaa603f1f4a4a3659afc20dee6edea7187c46982a50fc2ef385adf3157a65a6302fd56207e3e3960bdcd8cb3058ce137dce80af57a3a0277903ab1867d"
         }
       ]
     },
@@ -311,11 +311,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "95a196f3125417cb5a41c392f147d66d02c06f07aba5b05cb8f1a1ad39123c82"
+          "content": "6255e929454291c9f2ab48b600bbedf68a1678c5eb04504e5323a2d6ff5f3e36"
         },
         {
           "alg": "SHA3-512",
-          "content": "fa1dc9572ae6335ec87f80cb2b778a1a88f87b4eb74a4216fd34643f873340ab8bb87ffbd8ed0828fdcae889305d66858f90673efff59539519c1117e085f9de"
+          "content": "3bc61a0597c460b77b58a06f8158e0c3713b7b2f25d56c01103e147813d74e1fd5d985e7944c297b30973053c2e83ab5337ebd2c492af197989148ffd6884aba"
         }
       ]
     },
@@ -326,11 +326,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "826b2174320f96b02ebe3a1c1c1f050931a3cd7703cb7b634c22d496d1babe3d"
+          "content": "6a081bf58b2aafc37b7c297b63edb8bca7db6ee93ec69014d34ab9fc764cbb98"
         },
         {
           "alg": "SHA3-512",
-          "content": "935e51e8fc75a14806936693a0e14e871f0c349183c8ab41b50b128fbdbcb51fef4e8df2d5cefdcbdcd63160329ab14937afcc2e5b5ffb6f99789434519d112b"
+          "content": "67c46b09e3aab8a772e148f16094b29b435156012c390c91be1649a17250aa9ff6933716514f5662cdb3e7cd3ac5a8deae874377b66257259df07750a3c10ca6"
         }
       ]
     },
@@ -806,11 +806,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "0d035b099f10ed055d23bc556ff74df0f72f07e25d147d20baca85c2db1f6315"
+          "content": "5337ae234da930e89a31d185d739f081cd95086223006ae7b5121f1ab7674791"
         },
         {
           "alg": "SHA3-512",
-          "content": "af82b3caa545044e14cc8479ce0a146c5280c2624809f220d707355b13e9b4dd1c40fb0c146090d5103078e15d20d09a70f4cbdb19182841c5b08edd6fccf183"
+          "content": "64bd92f7027966cce31da50524a641f76ef4f04b714f2c8eb311d330924f96ef70534429fb4a0f205790775095b6aa86ac863613e2560da79e09bbda47ee7342"
         }
       ]
     },
@@ -1751,11 +1751,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "36a32308e02f7ab019a04684d57cb7391761d3a3ced05c0d9866244a538affe5"
+          "content": "970c197defcefa117bffcd713b167e14c90f36506e496794485d7bcb2e1789b0"
         },
         {
           "alg": "SHA3-512",
-          "content": "cc4e4712f36eb4050373bbf0c28526ad9cb772a92a2d193a2487158a93865a3ae29f21ddbf014ccca391530813805c49745eaf2a686d5237eea29dc80b8078fb"
+          "content": "9763760a19aba6737d68b677997036a9adbe11283ddcb38c20aa0f7ae0940403bb74b75406147b993b0ee27df29196700645e54a7e405ff05280ffb1c123127d"
         }
       ]
     },