The Plumb Line

24 hours ending 2026-05-07T12:00:00 UTC

Three things in the last 24 hours that form a pattern worth naming: Mayon volcano in the Philippines entered new eruptive activity while a M5.5 earthquake struck 25 km from Baganga on the same island arc; CISA added an Ivanti zero-day to its Known Exploited Vulnerabilities catalog with a 72-hour patch deadline; and the Moscow Exchange quietly registered new crypto-linked index instruments — Binance Coin, Solana, Ripple, and Tron indices — even as eight vessels in Russia's shadow fleet appeared in updated OpenSanctions records. None of these stories will lead a broadcast tonight. All three have direct operational consequences.

The Philippines headline is the right place to start. Mayon — one of the world's most active stratovolcanoes, located in Albay Province — shifted into new eruptive activity per the Smithsonian Institution's Global Volcanism Program weekly report covering April 30 through May 6. That's a status escalation, not a continuation of the prior cycle. Simultaneously, a M5.5 quake struck near Baganga, on Mindanao's eastern coast, at shallow 10-km depth. Neither event alone is catastrophic. Together, they indicate the Philippine arc is running hot this week, and logistics planners routing through the Visayas or Mindanao should be checking PHIVOLCS alerts before scheduling ground movement.

Meanwhile, Indonesia is carrying the heaviest volcanic load on the planet right now. Six Indonesian volcanoes — Dukono, Ibu, Lewotobi, Lewotolok, Marapi, Merapi, and Semeru — are all in active eruptive status simultaneously, per the same GVP weekly report. Semeru and Merapi are the two with the largest population exposure. If you have supply chain nodes in East Java or North Maluku, the question isn't whether ash disruption is possible; it's which week.

The Shadow Fleet Grows Its Paper Trail

Eight vessels and two shipping companies received updated sanctions records in OpenSanctions within this 24-hour window — a batch update that catches both new listings and cross-dataset matches. The vessels include *TOA PAYOH*, which carries both a U.S. OFAC SDN listing and a Black Sea MOU detention flag; *HE BO* and *SEADAR*, both on the EU Journal sanctions list and flagged by the Tokyo MOU port-state control inspectors; and *KRITI VIGOR* and *MARVEN*, appearing in EU and Ukrainian war sanctions datasets. The companies Best Way Tanker Corp and Ocean Voyage LLC appear in OFAC press releases and Taiwan's shipping trade control list, respectively.

The MosExchange angle is the strangest detail in this batch. Seventeen new Russian NSD-registered securities registered in the OpenSanctions feed — including indices formally tracking the price of Binance Coin, Solana, Ripple, and Tron. These are domestic Russian financial instruments, not accessible to sanctioned counterparties in the West, but their existence on Moscow's exchange signals that Russian retail and institutional capital is being formally channeled into crypto proxies inside the sanctions perimeter. That's a capital-flow intelligence data point, not just a curiosity.

Moscow just listed a Tron index. The sanctions perimeter has a membrane, not a wall.

Treasury's OFAC simultaneously published updated general licenses for Venezuela (nos. 46, 46A, 46B, 47, 48, 49, and 50), Iran, and Russia (55E, 115C, 13P, and 131C) in the Federal Register. General license updates of this density in a single day typically reflect either technical housekeeping or a deliberate signal about enforcement posture. The combination of new Venezuela and Russia licenses in the same 24-hour cycle as shadow fleet updates is worth a compliance counsel's attention before close of business Friday.

The 72-Hour Clock on Ivanti

CISA added CVE-2026-6973 — an improper input validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM) — to its Known Exploited Vulnerabilities catalog at 00:00 UTC today, with a mandatory federal agency remediation deadline of May 10. That's Sunday. EPMM is a mobile device management platform used heavily in federal civilian agencies and by state and local governments; its prior CVEs (most notably the 2023 zero-days) were actively exploited within days of disclosure.

CISA also published an ICS advisory for the MAXHUB Pivot Client Application — a conferencing and collaboration platform used widely in corporate and government meeting rooms. The combination of an MDM platform vulnerability and a conferencing application advisory in the same window is a useful reminder that the attack surface for hybrid-work environments runs through both device management and room technology. If your organization uses either product, the patch window is not a suggestion.

The Federal Money Moving Quietly

The largest single contract action in today's USASpending data is a $100 million option exercise by the Department of Veterans Affairs to Signature Choice II, LLC for pharmacy benefit management. That's a nine-figure continuation of outsourced VA pharmacy administration — not a new award, but a signal that the contract structure remains intact despite ongoing scrutiny of VA third-party administration.

$100M

VA's pharmacy benefit management option exercise — a nine-figure renewal that received no press release.

Tutor Perini Corporation received a $61.6 million action from the U.S. Coast Guard for commercial and institutional building construction, and Stone & Lime Imports received $36.8 million from the National Park Service for heavy civil engineering. Anduril Industries pulled a $9.1 million award from the Department of Energy for navigation and guidance systems manufacturing — a notable agency pairing, as DOE is not Anduril's typical defense-channel client. Johns Hopkins Applied Physics Laboratory received $9.4 million in additional NASA R&D work. Booz Allen Hamilton had a $16.8 million VA computer systems contract closed out, the largest single negative action in the window.

The Seismology You Can Ignore (Mostly)

The M5.8 near Attu Station, Alaska — the largest quake in this window — is deep in the Aleutian arc, green-alerted, no tsunami. Three separate events clustered near Attu in a six-hour span (M5.8, M4.3, M4.1) suggest stress release along the same fault segment rather than an isolated event. No infrastructure exposure of note. The M4.42 at The Geysers, California deserves a footnote: that geothermal field has been seismically active for decades due to fluid injection, and USGS assigned it a significance score of 549 — higher than the M5.8 — because of its proximity to population. Green alert, no action required, but the scoring inversion is a useful reminder that magnitude and impact are not the same number.

The NIH Grants That Tell You Where the Science Is Going

NIH obligated over $68 million across 25 grants in this window, with the heaviest concentration in three areas: Alzheimer's disease and neurodegeneration (Washington University's retinal biomarker study at $7.3 million leads, followed by USC's Alzheimer's Disease Research Center at $4.7 million); HIV structural biology (Utah's CHEETAH Center received multiple awards totaling over $8.6 million across three sub-investigators including Pamela Bjorkman and Walther Mothes); and CAR-T oncology (Sloan Kettering's CD28-KITv CAR T cell program received $2.6 million from NCI). The University of Pennsylvania received $1.3 million for IND-enabling gene therapy studies for Duchenne muscular dystrophy patients excluded from current dystrophin trials — a small grant with a narrow patient population and no obvious near-term commercial pathway.

What We Can't Tell You

1. Whether the Ivanti EPMM vulnerability is already being exploited in the wild — CISA's KEV listing confirms known exploitation as a category, but the source data does not specify active campaigns or affected agencies.

2. The operational status of the shadow fleet vessels following this sanctions update — OpenSanctions records the paper trail; current AIS positions and cargo manifests are not in this data window.

3. Whether the Mayon eruptive activity escalation has triggered a PHIVOLCS alert level change — the GVP weekly report confirms new activity through May 6 but does not specify the current Philippine alert level.

By the Numbers

Metric	Value	Context
Largest earthquake (window)	M5.8, Attu Station, Alaska	Three events near Attu in 6 hours — likely same fault segment
Active volcanoes in Indonesia alone	6	Dukono, Ibu, Lewotobi, Lewotolok, Marapi/Merapi, Semeru — all eruptive simultaneously
New eruptive activity (status escalation)	Mayon, Philippines	Distinct from "continuing" — first new cycle this report period
CISA KEV patch deadline	May 10, 2026 (Sunday)	Ivanti EPMM; prior EPMM CVEs were exploited within days of disclosure
Shadow fleet vessels in OpenSanctions update	6 vessels, 2 companies	Cross-listed across OFAC SDN, EU Journal, Tokyo/Black Sea MOU
VA pharmacy benefit management option	$99.9M	Signature Choice II, LLC — largest single USASpending action in window
NIH obligations (window)	~$68M across 25 grants	Heaviest concentration in Alzheimer's and HIV structural biology
OFAC general license batches published	3 regimes (Russia, Iran, Venezuela)	Venezuela alone saw licenses 46 through 50 — five updates in one day
New MosExchange crypto indices	4 (BNB, SOL, XRP, TRX)	Domestic Russian instruments tracking sanctioned-ecosystem tokens

Mayon escalating, an Ivanti deadline landing on a Sunday, shadow fleet paperwork multiplying, and Moscow building crypto indices behind the sanctions wall — four different desks, one 24-hour window. Every claim above traces back to a primary record on disk. CISA's clock expires Sunday at midnight; if your patch cycle runs Monday, you are already late.

— *The Plumb Line*. Sourced from 161 grounded events across 27 source databases.

Sources

Seismic & Volcanic

usgs_earthquakes/us6000svnr — M5.8 Attu Station, Alaska
usgs_earthquakes/us6000svp9 — M5.5 Baganga, Philippines
usgs_earthquakes/nc75358752 — M4.42 The Geysers, California
usgs_volcanoes/vn_273030 — Mayon new eruptive activity
usgs_volcanoes/vn_268010, 268030, 264180, 264230, 261140, 263250, 263300 — Indonesia active volcanoes

Cybersecurity

cisa_kev/CVE-2026-6973 — Ivanti EPMM improper input validation, due 2026-05-10
cisa_advisories/node/24847 — MAXHUB Pivot Client ICS advisory

Sanctions & Finance

opensanctions/NK-57FX9juUeVrgdYnY4dwipt — Vessel Oceanic II
opensanctions/NK-7DkpLN7y5XSzu9yJQo6KBo — Ocean Voyage LLC
opensanctions/NK-F4rVsVTHVMVF4PCwS5WCUP — Vessel HE BO
opensanctions/NK-HQAR5MKnWwExdXWxnTMdyA — Best Way Tanker Corp
opensanctions/NK-JYFWZckFDFSJb4KQK6dGuk — Vessel SEADAR
opensanctions/NK-QrE26F2CD8REmkVWj2btmJ — Vessel TOA PAYOH
opensanctions/NK-TkUXgKLX64GoFBNx2YA5Eg — Vessel KRITI VIGOR
opensanctions/NK-Ty3i7mZnLEHLHeLQ2ELWmu — Vessel MARVEN
opensanctions/isin-RU000A10F4L7, F4M5, F4N3, F4Q6 — MosExchange crypto indices (BNB, SOL, Tron, XRP)
federal_register/2026-09088 — OFAC Russia general licenses 55E, 115C, 13P, 131C
federal_register/2026-09090, 2026-09092 — OFAC Venezuela general licenses 46-50
federal_register/2026-09094 — OFAC Iran general licenses

Federal Contracts

usaspending/279977689 — VA / Signature Choice II $99.9M
usaspending/357741627 — Coast Guard / Tutor Perini $61.6M
usaspending/357715408 — DOE / Anduril Industries $9.1M
usaspending/279968353 — VA / Booz Allen Hamilton closeout -$16.8M

NIH Grants

nih_reporter/R01AG060942_11419893 — Washington University Alzheimer's retinal study $7.3M
nih_reporter/U54AI170856_11327339 — Utah CHEETAH HIV Center $5.5M
nih_reporter/UH3CA290241_11457454 — Sloan Kettering CAR-T $2.6M
nih_reporter/U01NS134672_11494257 — UPenn DMD gene therapy $1.3M