@blamejs/exceptd-skills 0.15.43 → 0.15.45

package/data/_indexes/token-budget.json

@@ -3,8 +3,8 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1673904,
-    "total_approx_tokens": 418479,
+    "total_chars": 1673692,
+    "total_approx_tokens": 418426,
     "skill_count": 42
   },
   "skills": {
@@ -1080,10 +1080,10 @@
     },
     "attack-surface-pentest": {
       "path": "skills/attack-surface-pentest/skill.md",
-      "bytes": 33291,
-      "chars": 33148,
+      "bytes": 33158,
+      "chars": 33017,
       "lines": 388,
-      "approx_tokens": 8287,
+      "approx_tokens": 8254,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
@@ -1092,14 +1092,14 @@
           "approx_tokens": 1173
         },
         "framework-lag-declaration": {
-          "bytes": 4563,
-          "chars": 4553,
-          "approx_tokens": 1138
+          "bytes": 4543,
+          "chars": 4533,
+          "approx_tokens": 1133
         },
         "ttp-mapping": {
-          "bytes": 2235,
-          "chars": 2214,
-          "approx_tokens": 554
+          "bytes": 2209,
+          "chars": 2188,
+          "approx_tokens": 547
         },
         "exploit-availability-matrix": {
           "bytes": 2455,
@@ -1107,9 +1107,9 @@
           "approx_tokens": 610
         },
         "analysis-procedure": {
-          "bytes": 9703,
-          "chars": 9651,
-          "approx_tokens": 2413
+          "bytes": 9656,
+          "chars": 9606,
+          "approx_tokens": 2402
         },
         "output-format": {
           "bytes": 3997,
@@ -1122,9 +1122,9 @@
           "approx_tokens": 576
         },
         "defensive-countermeasure-mapping": {
-          "bytes": 1612,
-          "chars": 1610,
-          "approx_tokens": 403
+          "bytes": 1572,
+          "chars": 1570,
+          "approx_tokens": 393
         }
       }
     },
@@ -1735,10 +1735,10 @@
     },
     "sector-financial": {
       "path": "skills/sector-financial/skill.md",
-      "bytes": 50325,
-      "chars": 50160,
+      "bytes": 50285,
+      "chars": 50120,
       "lines": 401,
-      "approx_tokens": 12540,
+      "approx_tokens": 12530,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
@@ -1762,9 +1762,9 @@
           "approx_tokens": 724
         },
         "analysis-procedure": {
-          "bytes": 8756,
-          "chars": 8726,
-          "approx_tokens": 2182
+          "bytes": 8716,
+          "chars": 8686,
+          "approx_tokens": 2172
         },
         "output-format": {
           "bytes": 3407,
@@ -2395,10 +2395,10 @@
     },
     "cloud-iam-incident": {
       "path": "skills/cloud-iam-incident/skill.md",
-      "bytes": 44474,
-      "chars": 44316,
+      "bytes": 44433,
+      "chars": 44275,
       "lines": 416,
-      "approx_tokens": 11079,
+      "approx_tokens": 11069,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
@@ -2422,9 +2422,9 @@
           "approx_tokens": 842
         },
         "analysis-procedure": {
-          "bytes": 7625,
-          "chars": 7601,
-          "approx_tokens": 1900
+          "bytes": 7620,
+          "chars": 7596,
+          "approx_tokens": 1899
         },
         "output-format": {
           "bytes": 2198,
@@ -2437,9 +2437,9 @@
           "approx_tokens": 1146
         },
         "defensive-countermeasure-mapping": {
-          "bytes": 4076,
-          "chars": 4068,
-          "approx_tokens": 1017
+          "bytes": 4040,
+          "chars": 4032,
+          "approx_tokens": 1008
         },
         "hand-off": {
           "bytes": 3173,

package/data/attack-techniques.json

@@ -272,6 +272,7 @@
       "DS0017"
     ],
     "cve_refs": [
+      "CVE-2014-3931",
       "CVE-2014-6278",
       "CVE-2016-10033",
       "CVE-2017-1000353",
@@ -969,6 +970,7 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2008-4250",
+      "CVE-2014-3931",
       "CVE-2014-6278",
       "CVE-2015-7755",
       "CVE-2016-10033",
@@ -1094,7 +1096,6 @@
       "CVE-2025-3248",
       "CVE-2025-32756",
       "CVE-2025-32975",
-      "CVE-2025-33053",
       "CVE-2025-34026",
       "CVE-2025-34291",
       "CVE-2025-3466",
@@ -1111,7 +1112,6 @@
       "CVE-2025-4632",
       "CVE-2025-47812",
       "CVE-2025-47813",
-      "CVE-2025-47827",
       "CVE-2025-48700",
       "CVE-2025-48703",
       "CVE-2025-48927",
@@ -1392,7 +1392,6 @@
       "CVE-2011-3402",
       "CVE-2013-3893",
       "CVE-2013-3918",
-      "CVE-2014-3931",
       "CVE-2020-9715",
       "CVE-2021-30952",
       "CVE-2022-48503",
@@ -1406,6 +1405,7 @@
       "CVE-2025-24201",
       "CVE-2025-30397",
       "CVE-2025-31277",
+      "CVE-2025-33053",
       "CVE-2025-43200",
       "CVE-2025-43300",
       "CVE-2025-43510",
@@ -5242,7 +5242,10 @@
       "Windows"
     ],
     "stix_id": "attack-pattern--b83e166d-13d7-4b52-8677-dff90c548fd7",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2025-47827"
+    ]
   },
   "T1558": {
     "id": "T1558",
@@ -10805,6 +10808,7 @@
     "_auto_imported": true,
     "_intake_method": "mitre-attack-stix",
     "cve_refs": [
+      "CVE-2025-33053",
       "CVE-2025-48384"
     ]
   },

package/data/cve-catalog.json

@@ -1,7 +1,7 @@
 {
   "_meta": {
     "schema_version": "1.0.0",
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-30",
     "source": "NVD + CISA KEV + vendor advisories — see sources/index.json",
     "required_fields": [
       "type",
@@ -90,7 +90,7 @@
       ],
       "note": "Catalog keys are CVE-* by default. For pre-CVE-assignment advisories under active operational impact, the project accepts OSV-native identifier shapes as the canonical key, with cross-references retained in `aliases`: MAL-* (OSSF Malicious Packages dataset — published into OSV.dev; primary key for malicious-package compromises), GHSA-* (GitHub Advisory Database; primary key when the package is on GitHub and no CVE has issued yet), and SNYK-* (Snyk advisory dataset; primary key for advisories Snyk catalogued before OSV/GHSA ingested them). When MITRE issues a CVE, the entry is renamed in lockstep with the matching zeroday-lessons key; the previous identifier is retained in `aliases` so historical references continue to resolve. Precedent: MAL-2026-3083 added 2026-05-13 (the elementary-data PyPI worm, 1.1M monthly downloads, OSV/OSSF-cataloged before any CVE issued). EPSS coverage does not extend to non-CVE identifiers; epss_score is null with a documenting epss_note on such entries. Upstream pull from OSV.dev: `exceptd refresh --source osv` (added v0.12.10)."
     },
-    "last_threat_review": "2026-05-15"
+    "last_threat_review": "2026-05-30"
   },
   "CVE-2025-0282": {
     "ai_assisted_weaponization": false,
@@ -25041,7 +25041,7 @@
     "cwe_refs": [
       "CWE-476"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-30",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21525",
@@ -25070,11 +25070,21 @@
         "published_date": "2026-02-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-30",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-10; due date 2026-03-03. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21525 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21525",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Remote Access Connection Manager contains a NULL pointer dereference that could allow an unauthorized attacker to deny service locally."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Remote Access Connection Manager contains a NULL pointer dereference that could allow an unauthorized attacker to deny service locally.",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory, reachable on the affected network service.",
+        "Crashes or service restarts consistent with a NULL pointer dereference on the affected Windows component following crafted network input.",
+        "Unauthenticated network requests that trigger the fault, with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-21525, CISA KEV (added 2026-02-10), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-30: ATT&CK enrichment (T1190) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-21510": {
     "name": "Microsoft Windows Shell Protection Mechanism Failure Vulnerability",
@@ -32396,7 +32406,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1553"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -32417,7 +32427,7 @@
     "cwe_refs": [
       "CWE-324"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-30",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-47827",
@@ -32446,11 +32456,21 @@
         "published_date": "2025-10-14"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-30",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-14; due date 2025-11-04. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-47827 ; https://nvd.nist.gov/vuln/detail/CVE-2025-47827",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "IGEL OS contains a use of a key past its expiration date vulnerability that allows for Secure Boot bypass. The igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "IGEL OS contains a use of a key past its expiration date vulnerability that allows for Secure Boot bypass. The igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image.",
+    "iocs": {
+      "behavioral": [
+        "IGEL OS at a version below the fixed release named in the advisory on thin-client endpoints.",
+        "Booting of a modified or unsigned IGEL OS image, or Secure Boot reporting verification against an expired key.",
+        "Persistence or configuration changes on IGEL thin clients that survive a normal re-image, consistent with a tampered boot chain (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-47827, CISA KEV (added 2025-10-14), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-30: ATT&CK enrichment (T1553) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-24990": {
     "name": "Microsoft Windows Untrusted Pointer Dereference Vulnerability",
@@ -35727,7 +35747,7 @@
     "cwe_refs": [
       "CWE-863"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-30",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.whatsapp.com/security/advisories/2025/",
@@ -35756,11 +35776,21 @@
         "published_date": "2025-09-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-30",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-02; due date 2025-09-23. Notes reference: https://www.whatsapp.com/security/advisories/2025/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-55177",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Meta Platforms WhatsApp contains an incorrect authorization vulnerability due to an incomplete authorization of linked device synchronization messages. This vulnerability could allow an unrelated user to trigger processing of content from an arbitrary URL on a target’s device."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Meta Platforms WhatsApp contains an incorrect authorization vulnerability due to an incomplete authorization of linked device synchronization messages. This vulnerability could allow an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.",
+    "iocs": {
+      "behavioral": [
+        "WhatsApp at a version below the fixed build named in the Meta advisory on a device, especially a high-risk-user device.",
+        "Linked-device synchronization messages from an unrelated party that cause the device to fetch or process content from an unexpected URL with no user interaction.",
+        "Indicators of a zero-click spyware chain following inbound WhatsApp content (paired Apple ImageIO exploitation, anomalous process/network activity) on a targeted device (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-55177, CISA KEV (added 2025-09-02), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-30: ATT&CK enrichment (T1190) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-57819": {
     "name": "Sangoma FreePBX Authentication Bypass Vulnerability",
@@ -37323,7 +37353,7 @@
     "cwe_refs": [
       "CWE-352"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-30",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.papercut.com/kb/Main/SecurityBulletinJune2023",
@@ -37352,11 +37382,21 @@
         "published_date": "2025-07-28"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-30",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-28; due date 2025-08-18. Notes reference: https://www.papercut.com/kb/Main/SecurityBulletinJune2023 ; https://nvd.nist.gov/vuln/detail/CVE-2023-2533",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "PaperCut NG/MF contains a cross-site request forgery (CSRF) vulnerability, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. "
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "PaperCut NG/MF contains a cross-site request forgery (CSRF) vulnerability, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. ",
+    "iocs": {
+      "behavioral": [
+        "PaperCut NG/MF at a version below the fixed release named in the advisory with an internet-reachable admin interface.",
+        "Administrative setting changes (e.g. enabling print/device scripting or other code-execution-enabling options) that correlate with an administrator viewing external content, rather than a deliberate console action.",
+        "Configuration changes on the PaperCut server with no matching deliberate admin workflow (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2023-2533, CISA KEV (added 2025-07-28), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-30: ATT&CK enrichment (T1190) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-20337": {
     "name": "Cisco Identity Services Engine Injection Vulnerability",
@@ -39017,7 +39057,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39038,7 +39079,7 @@
     "cwe_refs": [
       "CWE-119"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-30",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://mrlg.op-sec.us/",
@@ -39067,11 +39108,21 @@
         "published_date": "2025-07-07"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-30",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-07; due date 2025-07-28. Notes reference: https://mrlg.op-sec.us/ ; https://nvd.nist.gov/vuln/detail/CVE-2014-3931",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multi-Router Looking Glass (MRLG) contains a buffer overflow vulnerability that could allow remote attackers to cause an arbitrary memory write and memory corruption."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Multi-Router Looking Glass (MRLG) contains a buffer overflow vulnerability that could allow remote attackers to cause an arbitrary memory write and memory corruption.",
+    "iocs": {
+      "behavioral": [
+        "Multi-Router Looking Glass (MRLG) at a version below the fixed release on an internet-facing looking-glass / route server.",
+        "Requests to the looking-glass CGI with oversized or malformed parameters consistent with a buffer overflow.",
+        "Unexpected process execution from the looking-glass CGI / web server, with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2014-3931, CISA KEV (added 2025-07-07), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-30: ATT&CK enrichment (T1190 + T1059) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-6554": {
     "name": "Google Chromium V8 Type Confusion Vulnerability (variant: CVE-2025-6554)",
@@ -40175,7 +40226,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203",
+      "T1204.002"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -40196,7 +40248,7 @@
     "cwe_refs": [
       "CWE-73"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-30",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053",
@@ -40225,11 +40277,21 @@
         "published_date": "2025-06-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-30",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-10; due date 2025-07-01. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053 ; https://nvd.nist.gov/vuln/detail/CVE-2025-33053",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows contains an external control of file name or path vulnerability that could allow an attacker to execute code from a remote WebDAV location specified by the WorkingDirectory attribute of Internet Shortcut files."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows contains an external control of file name or path vulnerability that could allow an attacker to execute code from a remote WebDAV location specified by the WorkingDirectory attribute of Internet Shortcut files.",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory on an endpoint that opens attacker-supplied shortcuts.",
+        "Internet Shortcut (.url) or LNK files that reference a remote WebDAV (file://, \\\\server@SSL\\) path, delivered by email or download.",
+        "Execution of binaries from a remote WebDAV share by Explorer or trusted utilities, and outbound WebDAV/SMB connections following the open of a shortcut (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-33053, CISA KEV (added 2025-06-10), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-30: ATT&CK enrichment (T1203 + T1204.002) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-24016": {
     "name": "Wazuh Server Deserialization of Untrusted Data Vulnerability",