On June 3, 2026, Splunk published SVD-2026-0603 describing CVE-2026-20253 — an unauthenticated arbitrary file creation flaw via a PostgreSQL sidecar endpoint — with limited exploitation observed and fixed versions in 10.4.0 / 10.2.4 / 10.0.7.1 On the same registry-ecosystem track that produced the June npm worm wave, JetBrains disclosed on June 18 that fifteen malicious Marketplace plugins were exfiltrating AI provider API keys to a hardcoded C2 IP after installing a JVM-wide X509TrustManager to weaken TLS — a credential-theft campaign targeting precisely the developer-tooling surface where AI tokens get pasted into IDE settings.2 Microsoft 365 Copilot absorbed CVE-2026-42824 — a one-click prompt-injection “SearchLeak” that exfiltrates data through the assistant’s own search pipeline — while a use-after-free in Chrome’s DigitalCredentials surface (CVE-2026-12451) entered NVD as a sandbox-escape chain component for the post-renderer phase.34 The AIRekt incident catalog refreshed June 21 and now records 484 documented AI security incidents across the Feb–Jun 2026 window — up from 339 last week — against an engineering-checklist taxonomy that pins dependencies to SHAs and gates destructive actions on human approval.5 Each of these is a line item. Together they describe the document that is now landing on the treaty-market intake desk and the conformity-auditor’s evidence list at the same time: the underwriting file for high-risk AI.
Issue #13 established the SBOM question for AI stacks as the dependency-graph evidence the treaty market and the regulator both want. This issue widens the lens. The SBOM is one artifact inside a larger document — the underwriting file — that an in-scope deployer is increasingly being asked to assemble before the next renewal cycle and before the EU AI Act’s newly-restated applicability dates land on the calendar. The European Commission’s standardisation page now reiterates the “presumption of conformity” route via harmonised standards, with the Digital Omnibus framing pushing applicability to December 2, 2027 for Annex III high-risk systems and August 2, 2028 for Annex I harmonisation-legislation systems.6 The clock has not stopped — it has been re-pegged. The deployer who reads that shift as time gained will spend it building the wrong artifact. The deployer who reads it as time granted to assemble a defensible underwriting file is reading it correctly.
“The underwriting file for high-risk AI is not a single document the deployer hands across the table. It is a portfolio of artifacts — stack inventory, conformity narrative, incident-history posture, credential-boundary attestations, third-party CVD records, and operational-control evidence — that an underwriter and a regulator can both read against their respective frameworks without ambiguity. This week named four of the line items that file is now expected to address.”
— ASI Intelligence Team observation, W25 2026This edition examines the underwriting file as the structural document the treaty market and the conformity auditor are converging on, the JetBrains incident as the credential-boundary case study that re-prices the developer-tooling line item, the M365 Copilot SearchLeak as the prompt-injection one-click exfiltration class the file must now address, the Splunk and Chrome advisories as the operational-vulnerability evidence the file needs as supporting documentation, the EU AI Act applicability shift as the regulatory clock that has been re-pegged rather than relieved, the W25 Market Index reading under the v3.1 methodology released this week, and the five operational moves a high-risk deployer should be making before the file becomes a renewal precondition.
What an Underwriting File for High-Risk AI Actually Contains
Six Line Items, One Document, Two Audiences
The treaty market and the conformity auditor are different counterparties asking related questions. The underwriting file is the artifact that answers both without translation. Six line items now appear on enough intake forms and conformity worksheets to qualify as a working specification. Stack inventory — the SBOM-extended dependency graph covered in Issue #13 — enumerates model weights, fine-tuning checkpoints, MCP connectors, gateway components, embedding stores, and the proxy substrate. Conformity narrative documents how the deployment meets the applicable framework (EU AI Act, NIST AI RMF, ISO/IEC 42001) and which harmonised standards the deployer is relying on for presumption of conformity. Incident-history posture aligns the deployer’s own incidents to a public catalog — AIRekt is the working candidate — and documents the gap between observed events and the deployer’s classification. Credential-boundary attestations describe where AI provider tokens live, who can move them, and which surfaces (IDE plugins, CI runners, shared workstations) sit inside the boundary. Third-party CVD records capture the vulnerability-disclosure substrate the deployer’s upstream providers operate. Operational-control evidence ties the rest to runtime: containment, gating, logging, and the human-approval steps for destructive actions.
The File Is Already Being Compiled, Just Not Always on Purpose
Every deployer with significant agent exposure has already produced fragments of each line item in the course of normal operations. The structural problem is that the fragments are scattered across security questionnaires, compliance reports, incident postmortems, and architecture documents that were never written to be read together. The deployers who will not be the rate-limiter on their own renewal cycle are the ones consolidating the fragments now — ahead of any individual line item becoming a hard precondition — into a single artifact the next intake form can be answered against. The market is converging on this format faster than any individual carrier or regulator has formally codified it. The deployer who waits for codification will produce the artifact under deadline.
The JetBrains Incident as the Credential-Boundary Case Study
On June 18, 2026, JetBrains disclosed that fifteen malicious third-party Marketplace plugins were exfiltrating AI provider API keys after weakening JVM-wide TLS by installing a custom X509TrustManager and exfiltrating credentials over unencrypted HTTP to a hardcoded C2 IP at 39.107.60.51.2 JetBrains removed the plugins, banned the publishers, and used the platform’s remote-disable mechanism to neutralize installations in place. The post-incident control changes are the substantively new evidence: JetBrains’ Marketplace ingestion rules now flag raw IP endpoints, non-HTTPS endpoints, and TLS-weakening patterns including custom X509TrustManager implementations — a defensive posture shift that operationalizes the lesson at the platform layer.
Operator Takeaway — The IDE Is a Credential Boundary, Not a Developer Convenience
AI provider tokens routinely live in IDE settings, plugin configurations, and shell environments alongside the developer’s workstation context. The JetBrains incident demonstrates that an attacker who lands a plugin on enough workstations can build a multi-tenant credential harvester whose monetization path is the deployer’s own provider-billing dashboard. The credential-boundary attestation on the underwriting file is the line item the JetBrains campaign just made concrete. It now needs to enumerate, at minimum: which AI provider keys exist, which workstations and CI runners hold them, what plugin ingestion policy governs the workstation, and what telemetry catches anomalous spend on the provider side.
The immediate remediation guidance applies directly. Any AI provider keys entered into impacted plugins should be revoked and rotated; provider dashboards should be reviewed for anomalous spend across the relevant window; outbound traffic to the 39.107.60.51 C2 should be blocked at the firewall and DNS layers.2 The deeper response is the policy shift: workstation plugin ingestion is now an AI-credential-boundary decision, not an individual-developer-productivity choice. The underwriting file’s credential-boundary section now needs to name an ingestion policy by reference.
The structural significance of the campaign is that the attacker read the AI-credential surface accurately ahead of the defender. Traditional credential-theft taxonomies focus on browser session cookies, OS keychains, and secret-store APIs. The JetBrains attackers correctly identified that the developer workstation has become the primary handling location for the highest-value tokens in the AI stack — the provider keys that authorize unmetered inference spend — and built the campaign against that surface. The underwriting question that follows is whether the deployer’s policy reflects the same accurate map.
The Prompt-Injection One-Click Exfiltration Class Enters the CVE Pipeline
CVE-2026-42824, indexed against Microsoft 365 Copilot under the “SearchLeak” designation, describes a one-click prompt-injection exfiltration through the assistant’s own search pipeline: a crafted document or search query manipulates the assistant into emitting a payload that exfiltrates context across the trust boundary.3 The CVE pipeline absorbing a prompt-injection exfiltration vector under a CVE number is the structurally interesting moment. CVE numbering historically tracks vulnerabilities expressible against a deterministic-software substrate. SearchLeak is the explicit acknowledgement that prompt-injection-class attacks against AI assistants are now treated as the same kind of evidence the rest of the underwriting file is built on.
A parallel sandbox-escape entry — CVE-2026-12451, a use-after-free in Chrome’s DigitalCredentials — landed in NVD with a Chromium “High” severity and a post-renderer sandbox-escape role.4 The pairing is significant for the underwriting file because the two vulnerabilities sit at adjacent points in the same attack graph: SearchLeak exfiltrates context from the assistant, and a renderer-side sandbox-escape chain harvests context from the browser. A deployer whose intake-form answer to “how is AI-mediated data exposure mitigated” references only the assistant layer is producing an incomplete file. The same line item now needs to address the browser-substrate layer the assistant runs inside.
484
Documented AI security incidents in the AIRekt catalog as of June 21, 2026 — up from 339 the prior week, reflecting both refresh velocity and the catalog’s emerging role as the public-incident baseline an underwriting file is expected to align against5
15
JetBrains Marketplace plugins removed for AI-credential exfiltration to 39.107.60.51 via TLS-weakening X509TrustManager installation — the developer-tooling credential boundary case study for the underwriting file2
The AIRekt catalog crossed 484 incidents this week — up from 339 a week ago, with the refresh tied to a control-checklist update emphasizing dependency pinning to SHAs and human-approval gating for destructive actions.5 Read against the underwriting file, the catalog is doing two structural jobs: it is the public baseline an in-scope deployer’s incident-history posture can be aligned against, and the control checklist published alongside it is converging on the kind of operational-control evidence the file’s last line item is going to need.
Operational Vulnerabilities Are the Supporting Documentation
Splunk’s SVD-2026-0603 for CVE-2026-20253 describes an unauthenticated arbitrary file creation/truncation flaw via a PostgreSQL sidecar service endpoint, fixed in 10.4.0 / 10.2.4 / 10.0.7, with PSIRT noting limited exploitation observed in June 2026 and an operational workaround ([postgres] disabled = true) for deployers who cannot upgrade immediately.1 The advisory is doing the work the underwriting file needs from the operational-vulnerability line item: a first-party disclosure with documented limited exploitation, a fix path with explicit version targets, and an operational mitigation that does not require the upgrade window. A deployer who can answer the intake question “how do you handle KEV-relevant first-party advisories from your security-tooling stack” by reference to this advisory’s handling is producing the right kind of evidence.
Two additional CERT-feed entries name the surface explicitly. CVE-2026-54420 (LiteSpeed cPanel plugin symlink-to-root) and CVE-2026-20262 (Cisco Catalyst SD-WAN Manager escalation) appear in active-exploitation feeds this week, with both carrying the kind of escalation profile that maps onto an underwriter’s “perimeter-exposure” line item.3 A national CERT advisory feed that surfaces Microsoft 365 Copilot SearchLeak alongside LiteSpeed cPanel and Cisco SD-WAN is the working artifact of a convergence the underwriting file already assumes: AI-specific CVEs and classical-perimeter CVEs are now read together because the underwriter and the regulator are both asking for both.
The structural lesson from this section is the supporting-documentation principle. The underwriting file does not need to demonstrate that the deployer has zero vulnerabilities. It needs to demonstrate that the deployer’s vulnerability-management process produces evidence at the same cadence and granularity as the upstream advisories. A Splunk advisory like SVD-2026-0603 is, in this framing, a positive example of what the deployer’s own response artifacts should look like — first-party, version-targeted, workaround-bearing, and timestamped against the disclosure date.
The Regulatory Clock Has Been Re-Pegged, Not Relieved
The European Commission’s AI Act standardisation page now reiterates the “presumption of conformity” route via harmonised standards, with the Digital Omnibus framing linking applicability dates to the availability of support tools and standards.6 The latest stated applicability dates: December 2, 2027 for Annex III high-risk AI systems, and August 2, 2028 for Annex I harmonisation-legislation AI systems. The August 2, 2026 date that anchored the conformity narrative in Issues #11–#13 has been re-pegged. The conformity work is not relieved; it is now sequenced against a longer runway with a higher expected evidentiary bar at the new date.
The structural interpretation: the regulator has acknowledged the substrate is not yet ready, but the substrate the regulator is waiting on is precisely the harmonised-standards-and-support-tools layer that will determine what evidence the conformity narrative carries. A deployer who reads the new applicability dates as time to defer the conformity work is misreading the signal. The deployer who reads the new dates as the period during which the harmonised standards will be finalised — and uses the runway to align the conformity narrative against the emerging standards rather than against the deployer’s ad-hoc interpretation — is reading the signal correctly. The presumption of conformity is the dispositive shortcut for the deployer who is positioned to claim it. The presumption is also the dispositive trap for the deployer who positions against the wrong standard.
The underwriting file maps onto the regulatory clock the same way. Eighteen months to Annex III applicability is the assembly window for the conformity-narrative line item, and the early-cycle treaty placements between now and Q1 2027 are the assembly window for the rest of the file. The deployer who waits for the regulator to publish the harmonised standard before starting on the conformity narrative will produce both artifacts under deadline. The deployer who starts on the underwriting file now produces the regulator’s artifact as a derivative of the broader portfolio.
Market Index — W25 Reading and the v3.1 Methodology Release
Market Index Reading — W25
37.9 for W25, up +0.2 from the W24 close of 37.7. The first composite-level movement since W18. The reading absorbs CVE-2026-20253 (Splunk), CVE-2026-42824 (M365 Copilot SearchLeak), and CVE-2026-12451 (Chrome sandbox-escape chain) through the vulnerability surface, and the JetBrains 15-plugin AI-credential exfiltration campaign — together with the new analyst-portal additions covering the LiteLLM AI gateway privilege-escalation chain, the Google Vertex AI SDK bucket-squatting flaw, the Mastra npm package compromise, and the Waymo and Zoox autonomous-driving recalls — through the threat surface. Signal of the Week: practitioner / industry signal, selected by the deterministic ranker at score 0.7188 — a week in which the new line items on the underwriting file outweighed any single headline event.
The ASI Market Index reads 37.9 for Week 25, up +0.2 from W24’s 37.7. The +0.2 is the first composite-level motion since Week 18, and the first reading published under v3.1, the recency-weighted scoring revision the ASI Intelligence Team shipped this week. Under v3.0, the W25 composite would have returned 37.7 for the seventh consecutive week — not because the underlying environment was quiet, but because the aggregation step was averaging in-week motion against a cumulative-substrate baseline of more than two hundred historical records. v3.1 corrects that.
The public-signal readings for W25 under v3.1: VSS 55.1, TSS 49.8, AIRS 38.9. The threat surface absorbed the largest single-week motion of the year — twenty new incidents entered the database between W24 close and the W25 calculation, with a mean composite severity of 71.0 and twelve classified Critical (composite ≥ 70). The full index page carries the W25 audit.
The v3.1 methodology release. The signal-aggregation step has been moved from a cumulative-substrate mean to an eight-week exponentially-weighted moving average with a bounded incidence adjustment. The intent is to preserve the actuarial properties of the scoring while letting in-week event clusters register at the composite level rather than being absorbed into the long-run mean. The W25 reading is the first to ship against v3.1. A publication that scores risk to a treaty market does not change the substrate beneath the scoring without an audit trail; the methodology transition is recorded in market-index-data.json with v3_1_start: 25, and the v3.0 series remains in the weekly history for back-testing.
The Bottom Line — Five Moves Before the File Becomes a Renewal Precondition
Watchlist — Assembling the Underwriting File Before the Intake Form Forces the Question
June 22, 2026Consolidate the six line items into a single artifact, indexed against both audiences
Stack inventory, conformity narrative, incident-history posture, credential-boundary attestations, third-party CVD records, operational-control evidence. Pick the canonical home (an internal living document, a secured drive, a compliance platform), assign an owner per line item, and produce a working index that maps each section to the relevant treaty-market intake field and the relevant conformity-narrative requirement. The artifact does not need to be perfect on the first pass; it needs to exist before the next intake form arrives.
Pull AI provider keys into a credential-boundary policy and revoke any plugin-resident tokens
Inventory every AI provider API key currently in production. For each, identify the workstations, CI runners, and shared environments where it lives. Apply an immediate rotation for any key resident in a JetBrains Marketplace plugin within the impacted window, audit provider dashboards for anomalous spend, and block outbound traffic to 39.107.60.51 at the firewall and DNS layers. Then write the policy that prevents the next plugin-resident-token incident from being possible: ingestion controls on workstation plugin marketplaces, telemetry on provider-side spend, and rotation cadence tied to plugin-installation events.2
Treat prompt-injection exfiltration as a CVE-class exposure on the file
CVE-2026-42824 (M365 Copilot SearchLeak) establishes that prompt-injection one-click exfiltration is now CVE-numbered evidence. The underwriting file’s AI-mediated-data-exposure section should now address the assistant layer (input-validation, output-filtering, search-pipeline isolation) and the browser substrate (sandbox-escape coverage, renderer-process boundaries) as a paired exposure. Document the deployer’s response posture for both, and reference the relevant first-party advisories by version.34
Anchor the conformity narrative against harmonised standards, not against ad-hoc interpretation
The Digital Omnibus applicability shift to December 2, 2027 for Annex III and August 2, 2028 for Annex I is the assembly window, not the relief valve. Identify which harmonised standards the conformity narrative will be anchored against (the AI Act standardisation page is the current authoritative source on what is in flight); align the deployer’s internal documentation against the emerging standard structure rather than against a fixed-in-time custom interpretation; and instrument the conformity-narrative line item with a quarterly check against new standardisation publications.6
Map the deployer’s incident history against the AIRekt 484-entry baseline
The AIRekt catalog crossing 484 documented incidents (Feb–Jun 2026) is now operating at the scale where a treaty market counterparty can ask: what does your deployment’s incident-history posture look like against this catalog, and which entries does your own classification correspond to. Maintain a quarterly review of the catalog against the deployer’s own incident records, document the alignment in the incident-history-posture line item of the underwriting file, and ensure the engineering checklist published alongside the catalog (dependency pinning to SHAs, human-approval gating for destructive actions) is reflected in the operational-control-evidence section.5