Signals
Signals
Signals: evidence-linked clusters of independent sources highlighting what’s changing now.
LiveWindow 24hEvidence trails in app
Signals dashboard
Sorted by impact x momentum. Use the chevron to expand a card. Use the action button for the full drawer.
No investment advice. Research signals and sources only. EarlyNarratives provides informational signals derived from public sources. It does not provide financial, legal, or tax advice.
Filters & sortTap to open
Filters
Sort by
Impact x momentum blends evidence strength with recent acceleration. See the whitepaper for methodology.
Filter matches title, tags, and tickers.
Limited evidence
Live dashboards and rankings are open; unlock source trails, evidence timestamps, archive access, workflow tools, and alerts.
New & accelerating
Fresh signals showing clear momentum shifts across sources.
New & accelerating
Ubuntu ships security updates for Linux kernel, Emacs, and GitHub CLI
Ubuntu released a batch of security notices covering Linux kernel vulnerabilities across multiple kernel variants (standard, FIPS, Real-time, and NVIDIA), plus fixes for Emacs and GitHub CLI.
Updated 27h agoActive span 11h
Momentum
ScoreOverall signal strength in the selected window; higher means more evidence/consistency, not a prediction.Learn more
1.1
Momentum 24hChange in signal activity over the last 24 hours; higher means accelerating attention, not performance.Learn more
9
PostsCount of items included in the signal cluster for this window.Learn more
9
Details
1 publishers9 posts1 platformsTop source 100%
Evidence: 1 primary
#1 of 6Structural
NewEmerging confirmationSingle source
advisorypatching
OriginsDistinct origin sources contributing to this signal; higher means broader origin coverage.Learn more
1
PublishersDistinct publishers/accounts observed; higher means broader publisher participation.Learn more
1
Dup ratioShare of near-duplicate items in the cluster; higher can indicate repetition or amplification.Learn more
22%
Top origin sharePortion of items from the top origin; higher means more concentration.Learn more
100%
SourcesNumber of source types represented (e.g., news vs social).Learn more
1
Why now
- Multiple Ubuntu Security Notices were published in a short window
- Kernel updates cover several Ubuntu kernel variants (FIPS/RT/NVIDIA)
- Advisories enumerate specific CVEs to drive immediate patch triage
New & accelerating
CERT-UA warns APT28 is exploiting patched Microsoft Office flaw CVE-2026-21509
Ukraine’s CERT-UA and multiple outlets report active exploitation of CVE-2026-21509, a recently patched Microsoft Office vulnerability.
Updated 2d agoActive span 22h
Momentum
ScoreOverall signal strength in the selected window; higher means more evidence/consistency, not a prediction.Learn more
1.6
Momentum 24hChange in signal activity over the last 24 hours; higher means accelerating attention, not performance.Learn more
5
PostsCount of items included in the signal cluster for this window.Learn more
5
Details
5 publishers5 posts1 platformsTop source 20%
Evidence: 5 primary
#2 of 6Structural
NewBroad confirmationEmerging confirmation
cveExploitation In The Wild
OriginsDistinct origin sources contributing to this signal; higher means broader origin coverage.Learn more
5
PublishersDistinct publishers/accounts observed; higher means broader publisher participation.Learn more
5
Dup ratioShare of near-duplicate items in the cluster; higher can indicate repetition or amplification.Learn more
0%
Top origin sharePortion of items from the top origin; higher means more concentration.Learn more
20%
SourcesNumber of source types represented (e.g., news vs social).Learn more
1
Why now
- CERT-UA and outlets say exploitation began shortly after Microsoft disclosed the flaw
- Multiple reports in the last day consolidate attribution and targeting details
- Follow-on analysis is being published as the campaign is observed in the wild
New & accelerating
Substack notifies users after breach and dark web leak claims
Substack is notifying users of a data breach after attackers stole user contact data. Reporting says the exposed information includes email addresses and phone numbers, and that the notification follows a hacker’s dark web claims and alleged leak of Substack user records.
Updated 9h agoActive span 2h
Momentum
ScoreOverall signal strength in the selected window; higher means more evidence/consistency, not a prediction.Learn more
1.3
Momentum 24hChange in signal activity over the last 24 hours; higher means accelerating attention, not performance.Learn more
3
PostsCount of items included in the signal cluster for this window.Learn more
3
Details
3 publishers3 posts1 platformsTop source 33%
Evidence: 3 primary
#3 of 6Structural
NewBroad confirmation
breachData Exposure
OriginsDistinct origin sources contributing to this signal; higher means broader origin coverage.Learn more
3
PublishersDistinct publishers/accounts observed; higher means broader publisher participation.Learn more
3
Dup ratioShare of near-duplicate items in the cluster; higher can indicate repetition or amplification.Learn more
0%
Top origin sharePortion of items from the top origin; higher means more concentration.Learn more
33%
SourcesNumber of source types represented (e.g., news vs social).Learn more
1
Why now
- Substack is actively notifying users about the incident.
- Coverage links the disclosure to a hacker’s dark web claims and alleged data leak.
- Reports surface new details about what data types were taken (emails, phone numbers).
New & accelerating
Critical n8n flaw CVE-2026-25049 enables sandbox escape and command execution
Multiple reports describe a critical vulnerability in the n8n workflow automation platform, tracked as CVE-2026-25049 (CVSS 9.4), that could enable sandbox escape and arbitrary system command execution.
Updated 13h agoActive span 5h
Momentum
ScoreOverall signal strength in the selected window; higher means more evidence/consistency, not a prediction.Learn more
1.3
Momentum 24hChange in signal activity over the last 24 hours; higher means accelerating attention, not performance.Learn more
3
PostsCount of items included in the signal cluster for this window.Learn more
3
Details
3 publishers3 posts1 platformsTop source 33%
Evidence: 3 primary
#4 of 6Structural
NewBroad confirmation
cvevulnerability
OriginsDistinct origin sources contributing to this signal; higher means broader origin coverage.Learn more
3
PublishersDistinct publishers/accounts observed; higher means broader publisher participation.Learn more
3
Dup ratioShare of near-duplicate items in the cluster; higher can indicate repetition or amplification.Learn more
0%
Top origin sharePortion of items from the top origin; higher means more concentration.Learn more
33%
SourcesNumber of source types represented (e.g., news vs social).Learn more
1
Why now
- New disclosure of CVE-2026-25049 with critical CVSS score reported across outlets
- Coverage highlights bypass of safeguards for an earlier critical n8n issue
- Security research attribution noted (Pillar Security) in reporting
New & accelerating
CVE-2025-11953 “Metro4Shell” in React Native Metro dev server reportedly exploited in
Multiple security outlets report that attackers are actively exploiting a critical vulnerability in React Native’s Metro Development Server, associated with the “@react-native-community/cli” npm package.
Updated 2d agoActive span 5h
Momentum
ScoreOverall signal strength in the selected window; higher means more evidence/consistency, not a prediction.Learn more
1.3
Momentum 24hChange in signal activity over the last 24 hours; higher means accelerating attention, not performance.Learn more
3
PostsCount of items included in the signal cluster for this window.Learn more
3
Details
3 publishers3 posts1 platformsTop source 33%
Evidence: 3 primary
#5 of 6Structural
NewBroad confirmation
cveExploitation In The Wild
OriginsDistinct origin sources contributing to this signal; higher means broader origin coverage.Learn more
3
PublishersDistinct publishers/accounts observed; higher means broader publisher participation.Learn more
3
Dup ratioShare of near-duplicate items in the cluster; higher can indicate repetition or amplification.Learn more
0%
Top origin sharePortion of items from the top origin; higher means more concentration.Learn more
33%
SourcesNumber of source types represented (e.g., news vs social).Learn more
1
Why now
- Outlets report active exploitation and malware delivery tied to Metro dev server
- CVE-2025-11953 (“Metro4Shell”) is being highlighted as critical severity
- Researchers are calling attention to insufficient public acknowledgement
New & accelerating
CISA flags actively exploited SolarWinds Web Help Desk RCE and orders rapid patching
CISA has flagged a critical SolarWinds Web Help Desk vulnerability (CVE-2025-40551, CVSS 9.8) as actively exploited by adding it to the Known Exploited Vulnerabilities (KEV) catalog. Separately, CISA ordered U.S. federal agencies to patch the exploited bug by Friday.
Updated 38h agoActive span 12h
Momentum
ScoreOverall signal strength in the selected window; higher means more evidence/consistency, not a prediction.Learn more
1.3
Momentum 24hChange in signal activity over the last 24 hours; higher means accelerating attention, not performance.Learn more
3
PostsCount of items included in the signal cluster for this window.Learn more
3
Details
3 publishers3 posts1 platformsTop source 33%
Evidence: 3 primary
#6 of 6Structural
NewBroad confirmation
cveExploitation In The Wild
OriginsDistinct origin sources contributing to this signal; higher means broader origin coverage.Learn more
3
PublishersDistinct publishers/accounts observed; higher means broader publisher participation.Learn more
3
Dup ratioShare of near-duplicate items in the cluster; higher can indicate repetition or amplification.Learn more
0%
Top origin sharePortion of items from the top origin; higher means more concentration.Learn more
33%
SourcesNumber of source types represented (e.g., news vs social).Learn more
1
Why now
- CISA added the issue to KEV as actively exploited
- CISA set a near-term deadline for federal agencies to patch
- Multiple outlets report exploitation activity around the same vulnerability
Signal
Notepad++ update infrastructure hijacked to deliver “Chrysalis” backdoor (Lotus Blossom)
Multiple outlets and a Rapid7 technical analysis report that infrastructure used to deliver Notepad++ updates was compromised, allowing attackers to redirect update traffic for select users and deliver a previously undocumented backdoor dubbed “Chrysalis.” Rapid7 attributes the campaign with medium confidence to...
Updated 2d agoActive span 20h
Momentum
ScoreOverall signal strength in the selected window; higher means more evidence/consistency, not a prediction.Learn more
1.8
Momentum 24hChange in signal activity over the last 24 hours; higher means accelerating attention, not performance.Learn more
7
PostsCount of items included in the signal cluster for this window.Learn more
7
Details
5 publishers7 posts1 platformsTop source 29%
Evidence: 5 primary
#1 of 1Structural
Broad confirmationEmerging confirmation
Supply Chainmalware
OriginsDistinct origin sources contributing to this signal; higher means broader origin coverage.Learn more
5
PublishersDistinct publishers/accounts observed; higher means broader publisher participation.Learn more
5
Dup ratioShare of near-duplicate items in the cluster; higher can indicate repetition or amplification.Learn more
0%
Top origin sharePortion of items from the top origin; higher means more concentration.Learn more
29%
SourcesNumber of source types represented (e.g., news vs social).Learn more
1
Why now
- Rapid7 published a detailed technical analysis and attribution assessment
- Maintainer disclosure and follow-on media coverage raised defender awareness
- Multiple outlets amplified indicators of a targeted supply-chain intrusion