@blamejs/exceptd-skills 0.12.10 → 0.12.13

package/data/attack-techniques.json

@@ -0,0 +1,96 @@
+{
+  "_meta": {
+    "schema_version": "1.0.0",
+    "last_updated": "2026-05-13",
+    "attack_version": "v17",
+    "attack_version_date": "2025-06-25",
+    "source": "https://attack.mitre.org — MITRE ATT&CK Enterprise + ICS. Only techniques currently referenced by shipped exceptd skills and playbooks. The full ATT&CK matrix (~700 techniques) is intentionally not duplicated here; this is a resolution catalog for cross-reference validation, not a substitute for attack.mitre.org. See `npm run refresh-attack-techniques` (v0.13.0+) for the full corpus.",
+    "tlp": "CLEAR",
+    "source_confidence": {
+      "scheme": "Admiralty (A-F + 1-6)",
+      "default": "A1",
+      "note": "A1 (completely reliable, confirmed) — MITRE ATT&CK is a public reference catalog. Per-entry overrides are not currently used; if an entry's mapping is uncertain it is left out of the catalog rather than carried with reduced confidence."
+    },
+    "freshness_policy": {
+      "default_review_cadence_days": 90,
+      "stale_after_days": 180,
+      "rebuild_after_days": 365,
+      "note": "Catalog must be rebuilt against the upstream ATT&CK release whenever MITRE publishes a new version. AGENTS.md hard rule #8 requires the bump to be intentional, not silent."
+    }
+  },
+  "T0001": { "name": "Authority Spoof", "version": "v17" },
+  "T0017": { "name": "Spearphishing Attachment (ICS)", "version": "v17" },
+  "T0051": { "name": "Position Tampering", "version": "v17" },
+  "T0096": { "name": "Remote System Discovery (ICS)", "version": "v17" },
+  "T0853": { "name": "Scripting", "version": "v17" },
+  "T0855": { "name": "Unauthorized Command Message", "version": "v17" },
+  "T0867": { "name": "Lateral Tool Transfer", "version": "v17" },
+  "T0883": { "name": "Internet Accessible Device", "version": "v17" },
+  "T1021": { "name": "Remote Services", "version": "v17" },
+  "T1027": { "name": "Obfuscated Files or Information", "version": "v17" },
+  "T1040": { "name": "Network Sniffing", "version": "v17" },
+  "T1041": { "name": "Exfiltration Over C2 Channel", "version": "v17" },
+  "T1053.003": { "name": "Scheduled Task/Job: Cron", "version": "v17" },
+  "T1055": { "name": "Process Injection", "version": "v17" },
+  "T1059": { "name": "Command and Scripting Interpreter", "version": "v17" },
+  "T1068": { "name": "Exploitation for Privilege Escalation", "version": "v17" },
+  "T1071": { "name": "Application Layer Protocol", "version": "v17" },
+  "T1078": { "name": "Valid Accounts", "version": "v17" },
+  "T1078.002": { "name": "Valid Accounts: Domain Accounts", "version": "v17" },
+  "T1078.003": { "name": "Valid Accounts: Local Accounts", "version": "v17" },
+  "T1078.004": { "name": "Valid Accounts: Cloud Accounts", "version": "v17" },
+  "T1098": { "name": "Account Manipulation", "version": "v17" },
+  "T1102": { "name": "Web Service", "version": "v17" },
+  "T1110": { "name": "Brute Force", "version": "v17" },
+  "T1110.001": { "name": "Brute Force: Password Guessing", "version": "v17" },
+  "T1133": { "name": "External Remote Services", "version": "v17" },
+  "T1136.001": { "name": "Create Account: Local Account", "version": "v17" },
+  "T1190": { "name": "Exploit Public-Facing Application", "version": "v17" },
+  "T1195": { "name": "Supply Chain Compromise", "version": "v17" },
+  "T1195.001": { "name": "Supply Chain Compromise: Software Dependencies and Development Tools", "version": "v17" },
+  "T1195.002": { "name": "Supply Chain Compromise: Software Supply Chain", "version": "v17" },
+  "T1199": { "name": "Trusted Relationship", "version": "v17" },
+  "T1203": { "name": "Exploitation for Client Execution", "version": "v17" },
+  "T1212": { "name": "Exploitation for Credential Access", "version": "v17" },
+  "T1213": { "name": "Data from Information Repositories", "version": "v17" },
+  "T1485": { "name": "Data Destruction", "version": "v17" },
+  "T1486": { "name": "Data Encrypted for Impact", "version": "v17" },
+  "T1505": { "name": "Server Software Component", "version": "v17" },
+  "T1518": { "name": "Software Discovery", "version": "v17" },
+  "T1525": { "name": "Implant Internal Image", "version": "v17" },
+  "T1528": { "name": "Steal Application Access Token", "version": "v17" },
+  "T1530": { "name": "Data from Cloud Storage", "version": "v17" },
+  "T1543": { "name": "Create or Modify System Process", "version": "v17" },
+  "T1546": { "name": "Event Triggered Execution", "version": "v17" },
+  "T1547": { "name": "Boot or Logon Autostart Execution", "version": "v17" },
+  "T1548.001": { "name": "Abuse Elevation Control Mechanism: Setuid and Setgid", "version": "v17" },
+  "T1548.003": { "name": "Abuse Elevation Control Mechanism: Sudo and Sudo Caching", "version": "v17" },
+  "T1552": { "name": "Unsecured Credentials", "version": "v17" },
+  "T1552.001": { "name": "Unsecured Credentials: Credentials In Files", "version": "v17" },
+  "T1552.004": { "name": "Unsecured Credentials: Private Keys", "version": "v17" },
+  "T1552.005": { "name": "Unsecured Credentials: Cloud Instance Metadata API", "version": "v17" },
+  "T1552.007": { "name": "Unsecured Credentials: Container API", "version": "v17" },
+  "T1554": { "name": "Compromise Host Software Binary", "version": "v17" },
+  "T1555": { "name": "Credentials from Password Stores", "version": "v17" },
+  "T1556": { "name": "Modify Authentication Process", "version": "v17" },
+  "T1557": { "name": "Adversary-in-the-Middle", "version": "v17" },
+  "T1562.001": { "name": "Impair Defenses: Disable or Modify Tools", "version": "v17" },
+  "T1562.006": { "name": "Impair Defenses: Indicator Blocking", "version": "v17" },
+  "T1565": { "name": "Data Manipulation", "version": "v17" },
+  "T1566": { "name": "Phishing", "version": "v17" },
+  "T1566.001": { "name": "Phishing: Spearphishing Attachment", "version": "v17" },
+  "T1566.002": { "name": "Phishing: Spearphishing Link", "version": "v17" },
+  "T1566.003": { "name": "Phishing: Spearphishing via Service", "version": "v17" },
+  "T1567": { "name": "Exfiltration Over Web Service", "version": "v17" },
+  "T1568": { "name": "Dynamic Resolution", "version": "v17" },
+  "T1570": { "name": "Lateral Tool Transfer", "version": "v17" },
+  "T1573": { "name": "Encrypted Channel", "version": "v17" },
+  "T1574": { "name": "Hijack Execution Flow", "version": "v17" },
+  "T1574.005": { "name": "Hijack Execution Flow: Executable Installer File Permissions Weakness", "version": "v17" },
+  "T1595": { "name": "Active Scanning", "version": "v17" },
+  "T1600": { "name": "Weaken Encryption", "version": "v17" },
+  "T1606.001": { "name": "Forge Web Credentials: Web Cookies", "version": "v17" },
+  "T1610": { "name": "Deploy Container", "version": "v17" },
+  "T1611": { "name": "Escape to Host", "version": "v17" },
+  "T1613": { "name": "Container and Resource Discovery", "version": "v17" }
+}

package/data/cve-catalog.json

@@ -708,11 +708,11 @@
       "Set npm registry cooldown: .npmrc `before=72h` (npm 11+) or `minimumReleaseAge=4320` to refuse any fresh-publish under 72 hours"
     ],
     "framework_control_gaps": {
-      "SLSA-L3": "FIRST documented npm package shipping valid SLSA provenance while being malicious — provenance only proves WHICH pipeline built the artifact, not that the pipeline BEHAVED AS INTENDED. SLSA L3 build integrity is necessary but insufficient against cache-poisoning attacks within the build.",
+      "SLSA-v1.0-Build-L3": "FIRST documented npm package shipping valid SLSA provenance while being malicious — provenance only proves WHICH pipeline built the artifact, not that the pipeline BEHAVED AS INTENDED. SLSA L3 build integrity is necessary but insufficient against cache-poisoning attacks within the build.",
       "NIST-800-53-SA-12": "Supply chain protection treats provenance + signing as the trust anchor. CVE-2026-45321 demonstrates both can be intact on a malicious package.",
       "NIST-800-218-SSDF": "PS.3 + PO.3 don't address cache poisoning between sibling workflows in the same repo. SSDF presumes per-workflow trust isolation that GitHub Actions' shared actions/cache breaks.",
       "EU-CRA-Art13": "Required vulnerability handling doesn't cover the case where the upstream maintainer is unwitting — the maintainer was a victim, not a participant.",
-      "NIS2-Art21-2d": "Supply chain risk management presumes detectable signal at consumption. Valid provenance neutralizes the standard consumer-side check.",
+      "NIS2-Art21-patch-management": "Supply chain risk management presumes detectable signal at consumption. Valid provenance neutralizes the standard consumer-side check.",
       "DORA-Art28": "ICT third-party risk doesn't cover transitive cache poisoning in upstream CI/CD."
     },
     "atlas_refs": [
@@ -875,11 +875,11 @@
       "GHCR :latest re-points to clean image; rebuild any image FROM elementary-data:0.23.3"
     ],
     "framework_control_gaps": {
-      "SLSA-L3": "Same shape as CVE-2026-45321 — provenance valid, payload malicious. The publishing pipeline ran on a malicious orphan commit and emitted a legitimate signed release. SLSA-L3 attests WHICH pipeline built the artifact, not that the pipeline was driven by trusted inputs.",
+      "SLSA-v1.0-Build-L3": "Same shape as CVE-2026-45321 — provenance valid, payload malicious. The publishing pipeline ran on a malicious orphan commit and emitted a legitimate signed release. SLSA-L3 attests WHICH pipeline built the artifact, not that the pipeline was driven by trusted inputs.",
       "NIST-800-53-SA-12": "Supply chain protection treats signed release as the trust anchor. The signature was valid; the input to the signing pipeline was attacker-controlled.",
-      "NIST-800-218-PO.4": "Define and use secure development security checks. Direct interpolation of github.event.* into run: scripts is a documented secure-development anti-pattern (GitHub Actions docs explicitly warn against it) but is not framework-enforced.",
+      "NIST-800-218-SSDF": "Define and use secure development security checks. Direct interpolation of github.event.* into run: scripts is a documented secure-development anti-pattern (GitHub Actions docs explicitly warn against it) but is not framework-enforced.",
       "EU-CRA-Art13": "Required vulnerability handling doesn't address the case where the maintainer was an unwitting publisher.",
-      "NIS2-Art21-2d": "Supply chain risk management presumes detectable signal at consumption. Valid signature neutralizes consumer-side checks."
+      "NIS2-Art21-patch-management": "Supply chain risk management presumes detectable signal at consumption. Valid signature neutralizes consumer-side checks."
     },
     "atlas_refs": [
       "AML.T0010",
@@ -1026,8 +1026,8 @@
     ],
     "framework_control_gaps": {
       "NIST-800-53-SI-10": "Input validation control doesn't address argument-vs-statement distinction in SQL libraries. SI-10 is satisfied by 'we validate inputs' regardless of whether the validation runs before the SQL parameter binding.",
-      "OWASP-LLM01": "Prompt injection control set doesn't address the AI-PROXY backend SQL surface — LiteLLM is the substrate that gates LLM API access, not the LLM itself.",
-      "NIS2-Art21-2e": "Cryptographic measures control doesn't address application-layer SQL injection.",
+      "OWASP-LLM-Top-10-2025-LLM01": "Prompt injection control set doesn't address the AI-PROXY backend SQL surface — LiteLLM is the substrate that gates LLM API access, not the LLM itself.",
+      "NIS2-Art21-incident-handling": "Cryptographic measures control doesn't address application-layer SQL injection.",
       "EU-AI-Act-Art-15": "Robustness + cybersecurity requirement is undefined operationally for AI gateway infrastructure."
     },
     "atlas_refs": [
@@ -1126,8 +1126,8 @@
     ],
     "framework_control_gaps": {
       "NIST-800-53-SI-10": "Input validation control doesn't address the argv-vs-string boundary that argument injection exploits — many MCP servers concatenate user input into shell commands without registering this as a code-review failure.",
-      "OWASP-LLM01": "Prompt-injection-as-access-control gap — the attacker doesn't compromise the MCP server directly; they feed adversarial input that the AI passes through.",
-      "NIS2-Art21-2g": "Patch management presumes traditional CVE timelines; MCP plugin ecosystem patch awareness lags."
+      "OWASP-LLM-Top-10-2025-LLM01": "Prompt-injection-as-access-control gap — the attacker doesn't compromise the MCP server directly; they feed adversarial input that the AI passes through.",
+      "NIS2-Art21-patch-management": "Patch management presumes traditional CVE timelines; MCP plugin ecosystem patch awareness lags."
     },
     "atlas_refs": [
       "AML.T0053",

package/data/cwe-catalog.json

@@ -115,7 +115,7 @@
     "skills_referencing": [
       "exploit-scoring"
     ],
-    "evidence_cves": [],
+    "evidence_cves": ["CVE-2026-42208"],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",
       "ISO-27001-2022-A.8.28",
@@ -247,7 +247,8 @@
     ],
     "evidence_cves": [
       "CVE-2025-53773",
-      "CVE-2026-30615"
+      "CVE-2026-30615",
+      "MAL-2026-3083"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",
@@ -392,7 +393,7 @@
       "mcp-agent-trust",
       "ai-attack-surface"
     ],
-    "evidence_cves": [],
+    "evidence_cves": ["MAL-2026-3083"],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",
       "ISO-27001-2022-A.8.28"

package/data/framework-control-gaps.json

@@ -1494,5 +1494,57 @@
       "AML.T0048"
     ],
     "attack_refs": []
+  },
+  "EU-CRA-Art13": {
+    "framework": "EU Cyber Resilience Act (2024/2847)",
+    "control_id": "Art. 13",
+    "control_name": "Essential cybersecurity requirements + technical documentation",
+    "designed_for": "Manufacturers placing products with digital elements on the EU market; sets the essential cybersecurity requirements (Annex I) and the technical-documentation duty",
+    "misses": [
+      "Vulnerability handling clauses presume the maintainer is aware of the vulnerability and able to remediate. The elementary-data PyPI worm (MAL-2026-3083) compromised the publishing pipeline — the maintainer was a victim, not a participant — and the published release carried a valid signature.",
+      "'Technical documentation' obligations do not require the manufacturer to retain or publish the build-pipeline configuration that produced each release. Operators consuming a malicious release have no way to inspect the workflow that built it.",
+      "Art. 14 (24-hour notification of actively-exploited vulnerabilities) clock starts from manufacturer awareness; supply-chain-victim manufacturers may not know they are exploited until consumer-side detection (StepSecurity / Snyk / OSV) surfaces the IoCs."
+    ],
+    "real_requirement": "Manufacturer publishes the canonical build-pipeline definition alongside each release (workflow file hash, runner attestation, scope of secrets accessed). Operators verify the published pipeline matches the pipeline that produced the release-being-installed. Notification clock starts from FIRST awareness — manufacturer's OR competent-authority's OR widely-published security researcher's.",
+    "status": "open",
+    "opened_date": "2026-05-13",
+    "evidence_cves": [
+      "MAL-2026-3083",
+      "CVE-2025-53773"
+    ],
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0055"
+    ],
+    "attack_refs": [
+      "T1195.001",
+      "T1195.002"
+    ]
+  },
+  "NIST-800-53-SI-10": {
+    "framework": "NIST SP 800-53 Rev 5",
+    "control_id": "SI-10",
+    "control_name": "Information Input Validation",
+    "designed_for": "Validating untrusted input at system boundaries before consumption by downstream code paths",
+    "misses": [
+      "Treats 'input validation' as a single layer at the trust boundary. Modern injection classes (SQL, argument, command, prompt) live INSIDE the trust boundary — the input is already 'validated' as authentic but the consumer concatenates it into a syntax the original validator did not anticipate (SQL query, kubectl argv, shell command).",
+      "Does not distinguish argv-array vs string-form invocation. CVE-2026-39884 (mcp-server-kubernetes argument injection) and the broader CWE-88 class are invisible to a SI-10-compliant codebase that 'validates' the user-input string for length and character class.",
+      "Does not address parameterised-query vs string-concat distinction. CVE-2026-42208 (LiteLLM SQLi on CISA KEV) is the cardinal recent example — input was validated, then concatenated into SQL during error-handling, which the validator did not gate.",
+      "Auditing for SI-10 typically samples function boundaries; the argument-injection / SQL-injection / prompt-injection failure modes all occur inside the boundary."
+    ],
+    "real_requirement": "Per-injection-class structural controls in addition to boundary validation. Parameterised queries enforced at the ORM/driver level (CWE-89). Argv-array form for spawned subprocesses (CWE-88). Tool-arg / function-call sanitisation in MCP / AI-agent surfaces (CWE-94). Lint rules flagging string-concat into SQL, exec, or AI-tool arguments. SI-10 compliance attestation augmented with a per-class checklist that names the specific structural control.",
+    "status": "open",
+    "opened_date": "2026-05-13",
+    "evidence_cves": [
+      "CVE-2026-42208",
+      "CVE-2026-39884"
+    ],
+    "atlas_refs": [
+      "AML.T0053"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ]
   }
 }

package/data/playbooks/library-author.json

@@ -760,10 +760,10 @@
         {
           "id": "gha-workflow-script-injection-sink",
           "type": "file_path",
-          "value": "Within the release-workflows artifact (any file under .github/workflows/*.yml): a `run:` shell script body directly interpolates an attacker-controllable github.event field — ${{ github.event.comment.body }}, ${{ github.event.issue.body }}, ${{ github.event.issue.title }}, ${{ github.event.pull_request.body }}, ${{ github.event.pull_request.title }}, ${{ github.event.review.body }}, ${{ github.event.head_commit.message }}, ${{ github.head_ref }}, ${{ github.event.discussion.body }}, ${{ github.event.discussion.title }} — without first capturing the value into an env: variable. Grep regex (multi-line YAML aware): `run:\\s*\\|[\\s\\S]*?\\$\\{\\{\\s*github\\.(event\\.(comment|issue|pull_request|review|head_commit|discussion)\\.|head_ref)`. Corroborate via the branch-tag-protection artifact: if any workflow with this sink also triggers on `pull_request_target` / `issue_comment` / `pull_request_review_comment` AND its job has `permissions: contents: write` (or unrestricted GITHUB_TOKEN), the sink is exploitable by any GitHub user who can comment on the repo.",
+          "value": "Within the release-workflows artifact (any file under .github/workflows/*.yml): a `run:` shell — block-scalar (`run: |`) OR single-line (`run: <command>`) — interpolates an attacker-controllable github.event field — ${{ github.event.comment.body }}, ${{ github.event.issue.body }}, ${{ github.event.issue.title }}, ${{ github.event.pull_request.body }}, ${{ github.event.pull_request.title }}, ${{ github.event.review.body }}, ${{ github.event.head_commit.message }}, ${{ github.head_ref }}, ${{ github.event.discussion.body }}, ${{ github.event.discussion.title }} — without first capturing the value into an env: variable. Grep regex (multi-line YAML aware, matches both block-scalar and single-line run: shapes): `run:[\\s\\S]*?\\$\\{\\{\\s*github\\.(event\\.(comment|issue|pull_request|review|head_commit|discussion)\\.|head_ref)`. Corroborate via the branch-tag-protection artifact: if any workflow with this sink also triggers on `pull_request_target` / `issue_comment` / `pull_request_review_comment` AND its job has `permissions: contents: write` (or unrestricted GITHUB_TOKEN), the sink is exploitable by any GitHub user who can comment on the repo.",
           "description": "GitHub Actions script-injection sink. Elementary-data 0.23.3 (April 2026) was forged via this exact pattern — `${{ github.event.comment.body }}` interpolated into a `run:` block in update_pylon_issue.yml, escalated via the workflow's GITHUB_TOKEN to publish a malicious release. Without this indicator, a publisher account compromise via attacker-controlled comments looks identical to a clean release at the consumer side.",
-          "confidence": "deterministic",
-          "deterministic": true,
+          "confidence": "high",
+          "deterministic": false,
           "false_positive_checks_required": [
             "If the run: block reads the github.event field via an `env:` variable first (env: COMMENT_BODY: ${{ github.event.comment.body }}) and then references $COMMENT_BODY in the shell — that is the documented-safe pattern; demote to miss.",
             "If the workflow only runs in a sandboxed `pull_request` event (not `pull_request_target`) AND has default `permissions: contents: read` AND does not use secrets.* — the sink is not exploitable; demote to miss."