
feat: add SUP-023, PSV-006, PSV-007 + intel updates (2026-03-30)#152

Open
kurtpayne wants to merge 2 commits into main from pattern-update-2026-03-30


@kurtpayne
Owner

Pattern Update — 2026-03-30

New Detection Rules

| ID | Category | Severity | Title |
|---|---|---|---|
| SUP-023 | supply_chain | critical | TeamPCP Telnyx PyPI supply chain attack (WAV steganography payload) |
| PSV-006 | patch_signal | high | Langflow CVE-2026-33017 unauthenticated RCE via /api/v1/run |
| PSV-007 | patch_signal | high | OpenClaw CVE-2026-32922 privilege escalation via device.token.rotate |

Intel Updates

  • ioc_db.json: 3 new IOC entries (telnyx-sdk-python, telnyx-utils, Langflow /api/v1/run endpoint)
  • vuln_db.json: 2 new CVE entries (CVE-2026-33017, CVE-2026-32922)

Artifacts

  • 3 showcase examples (100–102)
  • 3 held-out eval files for CI gate coverage

CI

  • All 7 showcase tests pass ✅
  • YAML structure fix: moved new static rules before capability_patterns block to resolve Pydantic all_of validation error on chain rules

…2026-03-30)

Rules added:
- SUP-023: TeamPCP Telnyx PyPI supply chain attack (WAV steganography payload)
- PSV-006: Langflow CVE-2026-33017 unauthenticated RCE via /api/v1/run endpoint
- PSV-007: OpenClaw CVE-2026-32922 privilege escalation via device.token.rotate

Intel updates: 3 new IOC entries, 2 new CVE entries
Showcase: 100_teampcp_telnyx_wav_stego, 101_langflow_rce, 102_openclaw_priv_esc
Eval: 3 new held-out eval files for CI gate coverage
Fix: moved new static rules before capability_patterns block (Pydantic validation)
…_patterns

Replaces the ad-hoc per-run apply_pattern_update.py approach.
Inserts new static rules at the correct position (before capability_patterns:)
to avoid Pydantic RulePack validation errors on chain rules.
Idempotent: skips rule IDs already present. Validates YAML after insertion.
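
The insertion behaviour described in the commit message above, sketched as an added example; it is not code from this pull request or the project. The file layout, the `static_patterns` key, the function names and the sample rule IDs other than SUP-023 are assumptions, and the structural check stands in for the real YAML and RulePack validation.

```python
import re

# Assumed layout (not the project's schema): static rules are "- id: <ID>" list
# items that precede one top-level "capability_patterns:" key.
ANCHOR = re.compile(r"^capability_patterns:[ \t]*$", re.M)
RULE_ID = re.compile(r"^[ \t]*-[ \t]+id:[ \t]*(\S+)[ \t]*$", re.M)

def split_rules(fragment):
    """Split a YAML fragment into (rule_id, text) pairs, one per '- id:' item."""
    matches = list(RULE_ID.finditer(fragment))
    bounds = [m.start() for m in matches] + [len(fragment)]
    return [(m.group(1), fragment[a:b].rstrip() + "\n")
            for m, a, b in zip(matches, bounds, bounds[1:])]

def validate(pack, added):
    """Structural stand-in for the YAML load and RulePack validation."""
    ids = RULE_ID.findall(pack)
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate rule id after insertion")
    static_ids = RULE_ID.findall(pack[:ANCHOR.search(pack).start()])
    if any(rid not in static_ids for rid in added):
        raise ValueError("new rule landed after capability_patterns:")

def insert_static_rules(pack, new_rules):
    """Insert new rules before capability_patterns:, skipping IDs already present."""
    anchors = list(ANCHOR.finditer(pack))
    if len(anchors) != 1:
        raise ValueError("expected exactly one top-level capability_patterns: key")
    cut = anchors[0].start()
    seen = set(RULE_ID.findall(pack))
    added, chunks = [], []
    for rid, text in split_rules(new_rules):
        if rid not in seen:  # idempotence: a re-run adds nothing
            seen.add(rid)
            added.append(rid)
            chunks.append(text)
    if not chunks:
        return pack, []
    out = pack[:cut].rstrip("\n") + "\n" + "".join(chunks) + pack[cut:]
    validate(out, added)
    return out, added

# Constructed sample input; IDs other than SUP-023 are placeholders.
PACK = "static_patterns:\n  - id: OLD-001\n    severity: high\ncapability_patterns:\n  - id: CHAIN-001\n"
NEW = "  - id: OLD-001\n    severity: high\n  - id: SUP-023\n    severity: critical\n"

if __name__ == "__main__":
    updated, added = insert_static_rules(PACK, NEW)
    print(added)
    print(updated)
```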