@blamejs/exceptd-skills 0.16.8 → 0.16.9
- package/CHANGELOG.md +12 -1
- package/data/_indexes/_meta.json +10 -10
- package/data/_indexes/activity-feed.json +18 -18
- package/data/_indexes/catalog-summaries.json +6 -6
- package/data/_indexes/chains.json +1139 -0
- package/data/_indexes/frequency.json +1 -0
- package/data/atlas-ttps.json +8 -3
- package/data/attack-techniques.json +34 -12
- package/data/cve-catalog.json +684 -3
- package/data/cwe-catalog.json +39 -8
- package/data/framework-control-gaps.json +51 -18
- package/data/zeroday-lessons.json +527 -2
- package/manifest.json +44 -44
- package/package.json +1 -1
- package/sbom.cdx.json +24 -24
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,16 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 0.16.9 — 2026-06-01
|
|
4
|
+
|
|
5
|
+
The catalog now covers a set of real, vendor-patched protocol-layer flaws it previously did not name, so scans, triage, and reports surface them with RWEP scoring and behavioral indicators:
|
|
6
|
+
|
|
7
|
+
- **SMTP smuggling** — CVE-2023-51764 (Postfix), CVE-2023-51765 (Sendmail), CVE-2023-51766 (Exim): a mail server that accepts a non-standard end-of-data sequence lets an attacker smuggle a second message that passes SPF, DKIM, and DMARC on the outer envelope and spoofs the sender. The fix is an end-of-data hardening setting (or upgrade), not a control sender-authentication can supply.
|
|
8
|
+
- **STARTTLS command/response injection** — CVE-2021-38371 (Exim), CVE-2021-33515 (Dovecot), CVE-2011-0411 (Postfix): a server that does not discard bytes buffered before the TLS handshake executes attacker-supplied plaintext inside the encrypted session. Transport encryption strength is irrelevant — the bytes cross the boundary before TLS applies.
|
|
9
|
+
- **DNSSEC validating-resolver CPU exhaustion** — CVE-2023-50387 (KeyTrap) and CVE-2023-50868 (NSEC3): a single crafted DNSSEC response forces worst-case signature evaluation or NSEC3 hash iteration and stalls the resolver for every client.
|
|
10
|
+
- **HTTP/2 Rapid Reset** — CVE-2023-44487 (CISA KEV, confirmed exploited): rapid stream open-then-reset cycles exhaust the server at near-zero cost to the attacker.
|
|
11
|
+
|
|
12
|
+
CWE-93 (CRLF injection) is added to the weakness catalog to back the SMTP-smuggling class.
|
|
13
|
+
|
|
3
14
|
## 0.16.8 — 2026-05-31
|
|
4
15
|
|
|
5
16
|
`discover` now recommends the `containers` playbook whenever a Dockerfile, Containerfile, or compose file exists anywhere in the tree — a Dockerfile in a subdirectory, or a compose variant like `docker-compose.test.yml` — matching exactly the surface the containers collector scans. Previously it probed only for a root-level `Dockerfile` / `docker-compose.yml`, so a repository whose container config lived in a subdirectory or used a variant filename was never told to run the container security review and its Dockerfile findings went unsurfaced.
|
|
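Review bot: the 0.16.9 entry omits the two new index files this release ships, `data/_indexes/chains.json` (+1139 lines) and `data/_indexes/frequency.json`, which appear in the file summary but nowhere in the changelog; consumers of the `_indexes` directory should be told that a `chains` index now exists and what it is keyed by. The heading date `2026-06-01` also predates the `generated_at` of `2026-06-02T05:46:26.678Z` recorded in `_meta.json` for this same release, so one of the two should be reconciled. The CVE-to-vendor attributions in the four bullets agree with the public advisories.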
@@ -3635,7 +3646,7 @@ Adds detection for the npm supply-chain worm disclosed 2026-05-11 (84 malicious
|
|
|
3635
3646
|
|
|
3636
3647
|
- `skills/supply-chain-integrity/SKILL.md` — adds the CVE-2026-45321 case at the top of Threat Context with the chained-primitives explanation and the new SLSA-L3-insufficient framing.
|
|
3637
3648
|
|
|
3638
|
-
###
|
|
3649
|
+
### Self-applied supply-chain hardening
|
|
3639
3650
|
|
|
3640
3651
|
- `.npmrc` — adds `before=72h` + `minimumReleaseAge=4320` so this repo refuses fresh-publish installs. Survives downgrade to older npm via both flags.
|
|
3641
3652
|
|
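Review bot: replacing the empty `###` heading with `### Self-applied supply-chain hardening` is the right fix, but it silently edits a historical release entry; a one-line note under 0.16.9 saying an earlier heading was repaired would keep the changelog history honest. Given the file has grown past 3,600 lines, a lint step that rejects bare `###` headings would stop this from regressing.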
package/data/_indexes/_meta.json
CHANGED
|
@@ -1,21 +1,21 @@
|
|
|
1
1
|
{
|
|
2
2
|
"schema_version": "1.1.0",
|
|
3
|
-
"generated_at": "2026-06-
|
|
3
|
+
"generated_at": "2026-06-02T05:46:26.678Z",
|
|
4
4
|
"generator": "scripts/build-indexes.js",
|
|
5
5
|
"source_count": 54,
|
|
6
6
|
"source_hashes": {
|
|
7
|
-
"manifest.json": "
|
|
8
|
-
"data/atlas-ttps.json": "
|
|
9
|
-
"data/attack-techniques.json": "
|
|
10
|
-
"data/cve-catalog.json": "
|
|
11
|
-
"data/cwe-catalog.json": "
|
|
7
|
+
"manifest.json": "3dab3ebc6c86b2318f956da3e343ad7b470f05dd30e2afbee5a8e3b3a845a926",
|
|
8
|
+
"data/atlas-ttps.json": "f66b456cf82a3c20575d8479de41f7b11b7ee5693eb1fcf64a67e162ae1b88a2",
|
|
9
|
+
"data/attack-techniques.json": "c39f28e3402ef13ad9b7076819f63fda67a22f97e3e375cfe01c4a4e0beff7c9",
|
|
10
|
+
"data/cve-catalog.json": "8264da4534d39c9493cfcd18acf7e38ed47ce2a81be15afd5a3f4baf1d504929",
|
|
11
|
+
"data/cwe-catalog.json": "5def8d82bbe51382ec55fc7186722974077e1289194e4ea002df0e3c52c6a017",
|
|
12
12
|
"data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
|
|
13
13
|
"data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
|
|
14
14
|
"data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
|
|
15
|
-
"data/framework-control-gaps.json": "
|
|
15
|
+
"data/framework-control-gaps.json": "3f9ad83198da40d920e70933e615ac14ade4add037e1c664586c2ee3524edec4",
|
|
16
16
|
"data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
|
|
17
17
|
"data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
|
|
18
|
-
"data/zeroday-lessons.json": "
|
|
18
|
+
"data/zeroday-lessons.json": "b6403d31f06e8f081217c338d2d5c515f8352295fbf58395f3c571cd95a05de0",
|
|
19
19
|
"skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
|
|
20
20
|
"skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
|
|
21
21
|
"skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",
|
|
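Review bot: the `source_hashes` keys spell the skill files in lowercase (`skills/kernel-lpe-triage/skill.md`, `skills/ai-attack-surface/skill.md`, `skills/mcp-agent-trust/skill.md`) while the CHANGELOG hunk references `skills/supply-chain-integrity/SKILL.md` in uppercase; if the on-disk names are `SKILL.md`, hash verification against these keys will fail on case-sensitive filesystems, so `scripts/build-indexes.js` and any verifier should normalise path casing. Note also that `source_count` stays at 54 although this release adds two index files; that is consistent only if `chains.json` and `frequency.json` are derived outputs rather than hashed sources, which the schema should state explicitly.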
@@ -72,8 +72,8 @@
|
|
|
72
72
|
"dlp_refs": 0
|
|
73
73
|
},
|
|
74
74
|
"trigger_table_entries": 538,
|
|
75
|
-
"chains_cve_entries":
|
|
76
|
-
"chains_cwe_entries":
|
|
75
|
+
"chains_cve_entries": 426,
|
|
76
|
+
"chains_cwe_entries": 174,
|
|
77
77
|
"jurisdictions_indexed": 29,
|
|
78
78
|
"handoff_dag_nodes": 42,
|
|
79
79
|
"summary_cards": 42,
|
|
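Review bot: `chains_cwe_entries` (174) matches the CWE catalog's `entry_count` exactly, but `chains_cve_entries` (426) is 13 short of the CVE catalog's 439, so thirteen catalog CVEs have no entry in the new `chains.json`; the nine CVEs this release adds (SMTP smuggling, STARTTLS injection, KeyTrap/NSEC3, Rapid Reset) should be confirmed to be among the 426, otherwise the chain index will not surface the very entries the release note promises. The index build should warn or fail when a catalog CVE has no chain entry.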
@@ -6,12 +6,28 @@
|
|
|
6
6
|
},
|
|
7
7
|
"events": [
|
|
8
8
|
{
|
|
9
|
-
"date": "2026-
|
|
9
|
+
"date": "2026-06-01",
|
|
10
10
|
"type": "catalog_update",
|
|
11
11
|
"artifact": "data/cve-catalog.json",
|
|
12
12
|
"path": "data/cve-catalog.json",
|
|
13
13
|
"schema_version": "1.0.0",
|
|
14
|
-
"entry_count":
|
|
14
|
+
"entry_count": 439
|
|
15
|
+
},
|
|
16
|
+
{
|
|
17
|
+
"date": "2026-06-01",
|
|
18
|
+
"type": "catalog_update",
|
|
19
|
+
"artifact": "data/cwe-catalog.json",
|
|
20
|
+
"path": "data/cwe-catalog.json",
|
|
21
|
+
"schema_version": "1.0.0",
|
|
22
|
+
"entry_count": 174
|
|
23
|
+
},
|
|
24
|
+
{
|
|
25
|
+
"date": "2026-06-01",
|
|
26
|
+
"type": "catalog_update",
|
|
27
|
+
"artifact": "data/zeroday-lessons.json",
|
|
28
|
+
"path": "data/zeroday-lessons.json",
|
|
29
|
+
"schema_version": "1.1.0",
|
|
30
|
+
"entry_count": 439
|
|
15
31
|
},
|
|
16
32
|
{
|
|
17
33
|
"date": "2026-05-27",
|
|
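Review bot: this hunk rewrites the existing first event in place (its `date` and `entry_count`) rather than appending a new one, and the new `zeroday-lessons.json` event reports `entry_count: 439`, identical to the `cve-catalog.json` count on the same date; that is plausibly a coincidence, but the feed would benefit from a `previous_count` or `delta` field so a reader can distinguish genuine growth from an accidental cross-file count.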
@@ -100,14 +116,6 @@
|
|
|
100
116
|
"schema_version": "1.0.0",
|
|
101
117
|
"entry_count": 805
|
|
102
118
|
},
|
|
103
|
-
{
|
|
104
|
-
"date": "2026-05-19",
|
|
105
|
-
"type": "catalog_update",
|
|
106
|
-
"artifact": "data/cwe-catalog.json",
|
|
107
|
-
"path": "data/cwe-catalog.json",
|
|
108
|
-
"schema_version": "1.0.0",
|
|
109
|
-
"entry_count": 173
|
|
110
|
-
},
|
|
111
119
|
{
|
|
112
120
|
"date": "2026-05-19",
|
|
113
121
|
"type": "catalog_update",
|
|
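Review bot: deleting the 2026-05-19 `cwe-catalog.json` event (`entry_count: 173`) means the feed retains only the latest event per artifact, so it is no longer an append-only history despite the name; if that is intended, document the one-event-per-artifact rule in the index schema, and if not, the 2026-06-01 event should have been appended instead. The 173 to 174 step does agree with the single weakness (CWE-93) the changelog says was added.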
@@ -159,14 +167,6 @@
|
|
|
159
167
|
"schema_version": "1.0.0",
|
|
160
168
|
"entry_count": 194
|
|
161
169
|
},
|
|
162
|
-
{
|
|
163
|
-
"date": "2026-05-18",
|
|
164
|
-
"type": "catalog_update",
|
|
165
|
-
"artifact": "data/zeroday-lessons.json",
|
|
166
|
-
"path": "data/zeroday-lessons.json",
|
|
167
|
-
"schema_version": "1.1.0",
|
|
168
|
-
"entry_count": 430
|
|
169
|
-
},
|
|
170
170
|
{
|
|
171
171
|
"date": "2026-05-17",
|
|
172
172
|
"type": "skill_review",
|
|
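Review bot: dropping the 2026-05-18 `zeroday-lessons.json` event (`entry_count: 430`) discards the only record from which the 430 to 439 growth can be checked; that delta of nine matches the nine CVEs listed in the 0.16.9 changelog entry, which is exactly the kind of cross-check a reviewer wants and which is lost once this event is gone. Keeping prior events, or at least a rolling count history, would preserve it.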
@@ -53,7 +53,7 @@
|
|
|
53
53
|
"path": "data/cve-catalog.json",
|
|
54
54
|
"purpose": "Per-CVE record (CVSS, EPSS, CISA KEV, RWEP, AI-discovery, vendor advisories, framework gaps, ATLAS/ATT&CK mappings). Cross-validated against NVD + CISA KEV + FIRST EPSS via validate-cves.",
|
|
55
55
|
"schema_version": "1.0.0",
|
|
56
|
-
"last_updated": "2026-
|
|
56
|
+
"last_updated": "2026-06-01",
|
|
57
57
|
"tlp": "CLEAR",
|
|
58
58
|
"source_confidence_default": "A1",
|
|
59
59
|
"freshness_policy": {
|
|
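Review bot: `last_updated` is bumped to `2026-06-01`, but the `purpose` field on the same card says entries are cross-validated against NVD, CISA KEV and FIRST EPSS via `validate-cves`, and nothing in this release records that the validator ran over the nine new entries; a `last_validated` field (or a validator run timestamp) next to `last_updated` would make the `freshness_policy` claim checkable rather than asserted.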
@@ -62,7 +62,7 @@
|
|
|
62
62
|
"rebuild_after_days": 365,
|
|
63
63
|
"note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
|
|
64
64
|
},
|
|
65
|
-
"entry_count":
|
|
65
|
+
"entry_count": 439,
|
|
66
66
|
"sample_keys": [
|
|
67
67
|
"CVE-2022-23812",
|
|
68
68
|
"MAL-2026-TRAPDOOR-CROSS-ECOSYSTEM",
|
|
@@ -75,7 +75,7 @@
|
|
|
75
75
|
"path": "data/cwe-catalog.json",
|
|
76
76
|
"purpose": "MITRE CWE entries used by the project (subset with skill citations), with severity hint and category. Pinned to a CWE catalog version.",
|
|
77
77
|
"schema_version": "1.0.0",
|
|
78
|
-
"last_updated": "2026-
|
|
78
|
+
"last_updated": "2026-06-01",
|
|
79
79
|
"tlp": "CLEAR",
|
|
80
80
|
"source_confidence_default": "A1",
|
|
81
81
|
"freshness_policy": {
|
|
@@ -84,7 +84,7 @@
|
|
|
84
84
|
"rebuild_after_days": 365,
|
|
85
85
|
"note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
|
|
86
86
|
},
|
|
87
|
-
"entry_count":
|
|
87
|
+
"entry_count": 174,
|
|
88
88
|
"sample_keys": [
|
|
89
89
|
"CWE-20",
|
|
90
90
|
"CWE-22",
|
|
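Review bot: `entry_count` moves to 174, but `sample_keys` still opens with `CWE-20`, `CWE-22`; since CWE-93 is the one weakness this release adds and is cited as the basis for the SMTP-smuggling class, including it in `sample_keys` (or having sample selection favour recently added entries) would let the summary card reflect the change.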
@@ -229,7 +229,7 @@
|
|
|
229
229
|
"path": "data/zeroday-lessons.json",
|
|
230
230
|
"purpose": "Distilled lessons from notable zero-days and campaigns (SesameOp, Copy Fail, Dirty Frag, Copilot RCE, Windsurf MCP). Each entry: technique, distinguishing characteristic, what it means for the framework lag.",
|
|
231
231
|
"schema_version": "1.1.0",
|
|
232
|
-
"last_updated": "2026-
|
|
232
|
+
"last_updated": "2026-06-01",
|
|
233
233
|
"tlp": "CLEAR",
|
|
234
234
|
"source_confidence_default": "B2",
|
|
235
235
|
"freshness_policy": {
|
|
@@ -238,7 +238,7 @@
|
|
|
238
238
|
"rebuild_after_days": 365,
|
|
239
239
|
"note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
|
|
240
240
|
},
|
|
241
|
-
"entry_count":
|
|
241
|
+
"entry_count": 439,
|
|
242
242
|
"sample_keys": [
|
|
243
243
|
"CVE-2026-31431",
|
|
244
244
|
"CVE-2025-53773",
|
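Review bot: `source_confidence_default` on this card stays at `B2` while the nine entries added this release are vendor-patched CVEs with public advisories (one of them on CISA KEV); if those entries carry per-entry confidence overrides that should be visible here, and if they inherit `B2` the lessons will be down-weighted relative to the `A1` CVE records they are drawn from. `sample_keys` also still leads with `CVE-2026-31431` and `CVE-2025-53773`, neither of which is among this release's additions.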