@blamejs/exceptd-skills 0.15.9 → 0.15.11

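--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.15.11 — 2026-05-29
+
+Draft-curation pass 9 — Apple client-side zero-days. Nine CISA KEV-listed Apple memory-corruption CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons. They map T1203 (Exploitation for Client Execution) — and T1068 for the sandbox-escape steps that act as privilege links in a multi-stage chain — rather than the network-service T1190: improper locking (CVE-2025-43510), buffer overflows (CVE-2025-43520, CVE-2025-31277, CVE-2026-20700), use-after-frees (CVE-2023-43000, CVE-2023-41974), an integer overflow (CVE-2021-30952), and two code-execution flaws (CVE-2022-48503, CVE-2025-43200). The lessons frame these as targeted-spyware-chain components and stress same-day OS update vs. MDM change windows, with Lockdown Mode for high-risk users.
+
+## 0.15.10 — 2026-05-29
+
+Draft-curation pass 8 — Microsoft server-side RCE. Six CISA KEV-listed CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Exchange Server deserialization (CVE-2023-21529), Configuration Manager SQL injection (CVE-2024-43468), Windows Server Update Services deserialization (CVE-2025-59287), and the SharePoint Server "ToolShell" chain — improper authentication (CVE-2025-49706), code injection (CVE-2025-49704), and deserialization (CVE-2025-53770). The lessons stress that for these deserialization RCEs patching alone is insufficient: stolen machine keys and dropped web shells survive the patch and require explicit key rotation and web-shell hunting.
+
 ## 0.15.9 — 2026-05-29
 
 Draft-curation pass 7 — network devices and the Ivanti EPMM chain. Seven CISA KEV-listed unauthenticated CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: D-Link DIR-823X command injection (CVE-2025-29635), router buffer overflow (CVE-2022-37055), DCS-2530L/2670L camera code execution (CVE-2020-25078) and command injection (CVE-2020-25079), DNR-322L download-without-integrity (CVE-2022-40799), and the Ivanti EPMM authentication-bypass + code-injection preauth chain (CVE-2025-4427, CVE-2025-4428). The device lessons note that end-of-life consumer hardware is unpatchable, making network isolation the load-bearing control, and that firmware implants survive a reboot without a reflash.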
@@ -1,13 +1,13 @@
1
1
  {
2
2
  "schema_version": "1.1.0",
3
- "generated_at": "2026-05-29T19:05:45.348Z",
3
+ "generated_at": "2026-05-29T19:51:04.683Z",
4
4
  "generator": "scripts/build-indexes.js",
5
5
  "source_count": 54,
6
6
  "source_hashes": {
7
- "manifest.json": "9326c5db334d5bffb0c9dcd04232e4a27d69f50797e7057a8a052dfd332f1b82",
7
+ "manifest.json": "690cb7c701080f97144ae7df49c0fb2b2b017f6699859f6cfe1a2d07c2a1d32c",
8
8
  "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
9
- "data/attack-techniques.json": "550b7b9bfb22cde24fd9027c05332dfaa421f2d1d3c385e6f286d7b401d3c669",
10
- "data/cve-catalog.json": "cf03dc050252a8ff5d71ab56f9c6ab30c06dd9adbc391109b1f1b0d33030b8a4",
9
+ "data/attack-techniques.json": "874c1693aa263ff5161cc96bd28efa6056c0e018847e2b55f575502b47a45fc5",
10
+ "data/cve-catalog.json": "6787e2aea49819872301629954f5a5d3ce9c27d984ffd45835eb097cab95e98c",
11
11
  "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
12
12
  "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
13
13
  "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
15
15
  "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
16
16
  "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
17
17
  "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
18
- "data/zeroday-lessons.json": "ae00fd4a94e214cee466e00091f9296b8e96d08bb064c4dcaa0555a8e0ec9e1b",
18
+ "data/zeroday-lessons.json": "775bcd4734117ccfc4d191f0a3ae337b43da6611a612c1e0074c3bb8e285bbbc",
19
19
  "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
20
20
  "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
21
21
  "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",
@@ -317,6 +317,7 @@
317
317
  "CVE-2025-3466",
318
318
  "CVE-2025-4428",
319
319
  "CVE-2025-49596",
320
+ "CVE-2025-49704",
320
321
  "CVE-2025-51480",
321
322
  "CVE-2025-53773",
322
323
  "CVE-2025-54136",
@@ -475,7 +476,10 @@
475
476
  "cve_refs": [
476
477
  "BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
477
478
  "CVE-2020-17103-REREGRESSION-2026",
479
+ "CVE-2021-30952",
478
480
  "CVE-2021-43226",
481
+ "CVE-2023-41974",
482
+ "CVE-2023-43000",
479
483
  "CVE-2024-0769",
480
484
  "CVE-2024-8068",
481
485
  "CVE-2025-10725",
@@ -483,6 +487,7 @@
483
487
  "CVE-2025-22225",
484
488
  "CVE-2025-24201",
485
489
  "CVE-2025-24990",
490
+ "CVE-2025-31277",
486
491
  "CVE-2025-32701",
487
492
  "CVE-2025-38352",
488
493
  "CVE-2025-40602",
@@ -917,7 +922,6 @@
917
922
  "CVE-2022-36551",
918
923
  "CVE-2022-37055",
919
924
  "CVE-2022-40799",
920
- "CVE-2022-48503",
921
925
  "CVE-2023-0386",
922
926
  "CVE-2023-21529",
923
927
  "CVE-2023-2533",
@@ -1014,9 +1018,6 @@
1014
1018
  "CVE-2025-40551",
1015
1019
  "CVE-2025-41244",
1016
1020
  "CVE-2025-42999",
1017
- "CVE-2025-43200",
1018
- "CVE-2025-43510",
1019
- "CVE-2025-43520",
1020
1021
  "CVE-2025-4427",
1021
1022
  "CVE-2025-4428",
1022
1023
  "CVE-2025-47812",
@@ -1028,6 +1029,7 @@
1028
1029
  "CVE-2025-49113",
1029
1030
  "CVE-2025-49596",
1030
1031
  "CVE-2025-49704",
1032
+ "CVE-2025-49706",
1031
1033
  "CVE-2025-49844",
1032
1034
  "CVE-2025-5086",
1033
1035
  "CVE-2025-52691",
@@ -1092,7 +1094,6 @@
1092
1094
  "CVE-2026-20131",
1093
1095
  "CVE-2026-20133",
1094
1096
  "CVE-2026-20182",
1095
- "CVE-2026-20700",
1096
1097
  "CVE-2026-20963",
1097
1098
  "CVE-2026-21509",
1098
1099
  "CVE-2026-21510",
@@ -1297,6 +1298,7 @@
1297
1298
  "CVE-2020-9715",
1298
1299
  "CVE-2021-22555",
1299
1300
  "CVE-2021-30952",
1301
+ "CVE-2022-48503",
1300
1302
  "CVE-2023-41974",
1301
1303
  "CVE-2023-43000",
1302
1304
  "CVE-2025-10585",
@@ -1307,9 +1309,13 @@
1307
1309
  "CVE-2025-27038",
1308
1310
  "CVE-2025-31277",
1309
1311
  "CVE-2025-32709",
1312
+ "CVE-2025-43200",
1310
1313
  "CVE-2025-43300",
1314
+ "CVE-2025-43510",
1315
+ "CVE-2025-43520",
1311
1316
  "CVE-2025-43529",
1312
1317
  "CVE-2025-4919",
1318
+ "CVE-2026-20700",
1313
1319
  "CVE-2026-21385",
1314
1320
  "CVE-2026-2441",
1315
1321
  "CVE-2026-25592",
@@ -12049,7 +12055,9 @@
12049
12055
  "_auto_imported": true,
12050
12056
  "_intake_method": "mitre-attack-stix",
12051
12057
  "cve_refs": [
12052
- "CVE-2025-31324"
12058
+ "CVE-2025-31324",
12059
+ "CVE-2025-49704",
12060
+ "CVE-2025-53770"
12053
12061
  ]
12054
12062
  },
12055
12063
  "T1505.004": {