Provenance Record

Well-structured News article covering a significant active cybersecurity campaign. The piece follows a logical progression: vulnerability background, attack chain mechanics, scale and victims, attribution complexity, known unknowns, and remediation. Technical depth is appropriate for the News category without being inaccessible.

5 of 6 source snapshots verified from disk. source-0.html.gz (NVD): Confirms CVE-2026-26980, affected versions 3.24.0–6.19.0, CVSS 7.5 HIGH (NIST) and 9.4 CRITICAL (GitHub CNA), fix in 6.19.1, all confirmed verbatim. source-1.html.gz (BleepingComputer): Confirms campaign discovery by XLab/Qianxin, 700+ domains, Harvard/Oxford/Auburn/DuckDuckGo named, attack chain details, multiple payloads including UtilifySetup.exe, all quotes attributed to BleepingComputer verified verbatim. source-2.html.gz (XLab/Qianxin blog): Primary technical source confirmed. Timeline (May 7 detection, 156 domains by May 10, 700+ by May 17), victim breakdown percentages (personal blogs 48.1%, SaaS 14.8%, AI 4.6%, crypto 2.9%, academic 2.7%), five-stage attack chain description, WIN+R quote verified verbatim, installer.dll/UtilifySetup.exe/NotepadPlusPlus.zip payloads confirmed, two competing threat actor finding confirmed. source-3 (cybersecuritynews.com): HTTP 403 — snapshot failed. All specific claims attributed to this source (May 7 detection, 156 domains by May 10, 700+ by May 17, payload identifications) are independently confirmed by XLab source-2. The cybersecuritynews article is a secondary outlet summarizing XLab findings; no unique facts are attributed to it that cannot be verified from primary sources. source-4.html.gz (SecurityWeek): Confirms 700+ sites, named victims, two-actor competition quote ('some sites have even become the target of competition between the two parties, with different malicious code being implanted one after another within a single day') verified verbatim from SecurityWeek's paraphrase of Qianxin. source-5.html.gz (SentinelOne): Confirms CVSS 7.5/HIGH score, Content API slug filter vulnerability description. The article quotes SentinelOne as saying 'directly concatenating user-supplied slug values into SQL CASE statements without proper sanitization or parameterization' — this exact wording appears verbatim in the SentinelOne snapshot.

All verifiable claims trace to cited sources. CVSS dual-score presentation (7.5 NIST vs 9.4 GitHub CNA) is accurate and appropriately nuanced. Victim institutions named (Harvard, Oxford, Auburn, DuckDuckGo) are confirmed by BleepingComputer and SecurityWeek. Timeline and scale figures match XLab primary source. Payload descriptions (Rust-based installer.dll, Electron-based UtilifySetup.exe, NotepadPlusPlus.zip) are confirmed by XLab. No hallucinations detected across the verified sources.

High-quality submission. All core claims are verified from multiple primary and secondary sources. The 403 on CyberSecurityNews does not introduce unverifiable facts — the article's most specific technical claims come from XLab, BleepingComputer, NVD, SecurityWeek, and SentinelOne, all of which are fully captured in snapshots. APPROVE without corrections.