@blamejs/exceptd-skills 0.12.11 → 0.12.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (91)
  1. package/CHANGELOG.md +243 -0
  2. package/bin/exceptd.js +299 -48
  3. package/data/_indexes/_meta.json +49 -48
  4. package/data/_indexes/activity-feed.json +13 -5
  5. package/data/_indexes/catalog-summaries.json +51 -29
  6. package/data/_indexes/chains.json +3238 -3210
  7. package/data/_indexes/frequency.json +3 -0
  8. package/data/_indexes/jurisdiction-map.json +5 -3
  9. package/data/_indexes/section-offsets.json +712 -685
  10. package/data/_indexes/theater-fingerprints.json +1 -1
  11. package/data/_indexes/token-budget.json +355 -340
  12. package/data/atlas-ttps.json +144 -129
  13. package/data/attack-techniques.json +339 -0
  14. package/data/cve-catalog.json +515 -475
  15. package/data/cwe-catalog.json +1081 -759
  16. package/data/exploit-availability.json +63 -15
  17. package/data/framework-control-gaps.json +867 -843
  18. package/data/rfc-references.json +276 -276
  19. package/keys/EXPECTED_FINGERPRINT +1 -0
  20. package/lib/auto-discovery.js +21 -4
  21. package/lib/cross-ref-api.js +39 -6
  22. package/lib/cve-curation.js +505 -47
  23. package/lib/lint-skills.js +217 -15
  24. package/lib/playbook-runner.js +1224 -183
  25. package/lib/prefetch.js +121 -8
  26. package/lib/refresh-external.js +261 -95
  27. package/lib/refresh-network.js +208 -18
  28. package/lib/schemas/manifest.schema.json +16 -0
  29. package/lib/scoring.js +83 -7
  30. package/lib/sign.js +112 -3
  31. package/lib/source-ghsa.js +219 -37
  32. package/lib/source-osv.js +381 -122
  33. package/lib/validate-catalog-meta.js +64 -9
  34. package/lib/validate-cve-catalog.js +213 -7
  35. package/lib/validate-indexes.js +88 -37
  36. package/lib/validate-playbooks.js +469 -0
  37. package/lib/verify.js +313 -16
  38. package/manifest-snapshot.json +1 -1
  39. package/manifest-snapshot.sha256 +1 -0
  40. package/manifest.json +73 -73
  41. package/orchestrator/dispatcher.js +21 -1
  42. package/orchestrator/event-bus.js +52 -8
  43. package/orchestrator/index.js +279 -20
  44. package/orchestrator/pipeline.js +63 -2
  45. package/orchestrator/scanner.js +32 -10
  46. package/orchestrator/scheduler.js +196 -20
  47. package/package.json +3 -1
  48. package/sbom.cdx.json +9 -9
  49. package/scripts/check-manifest-snapshot.js +32 -0
  50. package/scripts/check-sbom-currency.js +65 -3
  51. package/scripts/check-test-coverage.js +142 -19
  52. package/scripts/predeploy.js +110 -40
  53. package/scripts/refresh-manifest-snapshot.js +55 -4
  54. package/scripts/validate-vendor-online.js +169 -0
  55. package/scripts/verify-shipped-tarball.js +106 -3
  56. package/skills/ai-attack-surface/skill.md +18 -10
  57. package/skills/ai-c2-detection/skill.md +7 -2
  58. package/skills/ai-risk-management/skill.md +5 -4
  59. package/skills/api-security/skill.md +3 -3
  60. package/skills/attack-surface-pentest/skill.md +5 -5
  61. package/skills/cloud-security/skill.md +1 -1
  62. package/skills/compliance-theater/skill.md +8 -8
  63. package/skills/container-runtime-security/skill.md +1 -1
  64. package/skills/dlp-gap-analysis/skill.md +5 -1
  65. package/skills/email-security-anti-phishing/skill.md +1 -1
  66. package/skills/exploit-scoring/skill.md +18 -18
  67. package/skills/framework-gap-analysis/skill.md +6 -6
  68. package/skills/global-grc/skill.md +3 -2
  69. package/skills/identity-assurance/skill.md +2 -2
  70. package/skills/incident-response-playbook/skill.md +4 -4
  71. package/skills/kernel-lpe-triage/skill.md +21 -2
  72. package/skills/mcp-agent-trust/skill.md +17 -10
  73. package/skills/mlops-security/skill.md +2 -1
  74. package/skills/ot-ics-security/skill.md +1 -1
  75. package/skills/policy-exception-gen/skill.md +3 -3
  76. package/skills/pqc-first/skill.md +1 -1
  77. package/skills/rag-pipeline-security/skill.md +7 -3
  78. package/skills/researcher/skill.md +20 -3
  79. package/skills/sector-energy/skill.md +1 -1
  80. package/skills/sector-federal-government/skill.md +1 -1
  81. package/skills/sector-financial/skill.md +3 -3
  82. package/skills/sector-healthcare/skill.md +2 -2
  83. package/skills/security-maturity-tiers/skill.md +7 -7
  84. package/skills/skill-update-loop/skill.md +19 -3
  85. package/skills/supply-chain-integrity/skill.md +1 -1
  86. package/skills/threat-model-currency/skill.md +11 -11
  87. package/skills/threat-modeling-methodology/skill.md +3 -3
  88. package/skills/webapp-security/skill.md +1 -1
  89. package/skills/zeroday-gap-learn/skill.md +51 -7
  90. package/vendor/blamejs/_PROVENANCE.json +4 -1
  91. package/vendor/blamejs/worker-pool.js +38 -0
@@ -43,8 +43,8 @@ The `atlas_refs` and `attack_refs` arrays are intentionally empty. This skill is
43
43
  The defining mid-2026 reality is that an organization can pass a clean ISO 27001:2022, SOC 2 Type II, or PCI DSS 4.0 audit while remaining exposed to KEV-listed deterministic LPEs and zero-interaction RCEs. The contrast cases drive every theater pattern below:
44
44
 
45
45
  - **CVE-2026-31431 (Copy Fail)** — Linux kernel LPE, CISA KEV, AI-discovered in approximately one hour, deterministic 732-byte public PoC, no race condition. An organization with an A.8.8 / SI-2 / PCI 6.3.3 program that meets the framework's "appropriate timescale" language (commonly 30 days for High) is *passing the audit* during the active-exploitation window. This is the canonical Patch Management Theater case. Catalog entry: `data/cve-catalog.json`.
46
- - **CVE-2026-30615 (Windsurf MCP zero-interaction RCE)** — 150M+ affected downloads. An organization's CC9 / SA-12 / A.5.19 vendor management program rated as "operating effectively" by an auditor typically has zero coverage of MCP servers running in developer environments. The vendor-management control passes the audit and provides no control surface for the attack class. Catalog entry: `data/cve-catalog.json`.
47
- - **CVE-2025-53773 (GitHub Copilot prompt-injection RCE)** — CVSS 9.6. An organization's SOC 2 CC6 access control program is rated "passed" while prompt injection executes attacker-chosen actions using the AI service account's authorized identity. The audit evidence (IAM reviews, access logs with no unauthorized events) is correct and complete; it provides zero signal about the intrusion.
46
+ - **CVE-2026-30615 (Windsurf MCP local-vector RCE)** — CVSS 8.0 / AV:L / RWEP 35. 150M+ combined downloads across MCP-capable assistants share the architectural surface. An organization's CC9 / SA-12 / A.5.19 vendor management program rated as "operating effectively" by an auditor typically has zero coverage of MCP servers running in developer environments. The vendor-management control passes the audit and provides no control surface for the attack class. Catalog entry: `data/cve-catalog.json`.
47
+ - **CVE-2025-53773 (GitHub Copilot YOLO-mode RCE)** — CVSS 7.8 / AV:L / RWEP 30. An organization's SOC 2 CC6 access control program is rated "passed" while prompt injection coerces the AI assistant into flipping `chat.tools.autoApprove: true` and converting subsequent tool calls into shell execution under the AI service account's authorized identity. The audit evidence (IAM reviews, access logs with no unauthorized events) is correct and complete; it provides zero signal about the intrusion.
48
48
 
49
49
  In each case, a real-world public exploit produced by current adversary TTPs renders a passing audit non-informative about actual security posture. The seven theater patterns below codify the most common recurrences of this pattern.
50
50
 
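Review bot: the bullet relabels CVE-2026-30615 from "zero-interaction RCE" to "local-vector RCE" (CVSS 8.0 / AV:L), but the unchanged intro sentence at the top of the hunk still frames the contrast cases as "KEV-listed deterministic LPEs and zero-interaction RCEs"; update that sentence in the same change or the section contradicts itself. Also, the CVE-2025-53773 bullet now names a concrete setting (`chat.tools.autoApprove: true`) yet is the only contrast case without a "Catalog entry: `data/cve-catalog.json`" pointer; add it so the mechanism claim has the same traceability as the other two bullets.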
@@ -57,7 +57,7 @@ Compliance theater is the operational shadow of framework lag. Per-framework lag
57
57
  | Framework | Control | Lag (what the control language does not cover) |
58
58
  |---|---|---|
59
59
  | SOC 2 | CC6 (Logical and Physical Access) | Logical-access language was drafted for human-controlled accounts and machine identities in traditional IAM. It does not cover prompt injection as an access control bypass: the AI service account is authorized, monitored, and within least-privilege scope; the attacker's intent travels through the model's context window and never appears in access logs. See CVE-2025-53773. |
60
- | ISO 27001:2022 | A.8.8 (Management of Technical Vulnerabilities) | "Appropriate timescales" is undefined; auditor practice typically reads as 30 days for High / 90 days for Medium. The language does not operationalize the CISA KEV class. For CVE-2026-31431 these timescales mean active exploitation during the "compliant" remediation window. |
60
+ | ISO 27001:2022 | A.8.8 (Management of Technical Vulnerabilities) | "Appropriate timescales" is undefined; auditor practice typically reads as 30 days for High / 90 days for Medium. The language does not operationalize the CISA KEV class. For CVE-2026-31431 (KEV-listed 2026-05-01, federal due 2026-05-15) these timescales mean active exploitation during the "compliant" remediation window. |
61
61
  | PCI DSS 4.0 | 6.3.3 (Patches) | The one-month critical-patch window predates AI-assisted exploit development. For any CVE with CISA KEV listing and a public PoC, the one-month window is an exploitation-acceptance window, not a security window. |
62
62
  | SOC 2 | CC7 (System Operations) | Anomaly detection guidance has no baseline for AI API traffic, AI-as-C2 (SesameOp), or PROMPTFLUX behavioral patterns. The control passes the audit with no AI-relevant detection surface. |
63
63
  | ISO 27001:2022 | A.5.19 / A.5.20 (Supplier relationships) | Drafted for SaaS and outsourced-service vendors. Does not cover MCP servers as third-party code executing inside the developer environment, nor LLM API providers as data processors for sensitive prompt content. |
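Review bot: the KEV listing and federal due dates (2026-05-01 / 2026-05-15) are pasted as literals into this table cell and, further down in this release, into at least two other skill files; the value being replaced here (2026-03-15) shows how such copies drift. Since `package/data/cve-catalog.json` and `package/data/exploit-availability.json` are the stated sources for KEV status and dates, either reference them from the cell or have `lib/lint-skills.js` cross-check any date quoted in a skill.md against the catalog.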
@@ -78,11 +78,11 @@ Each theater pattern below maps to one or more attacker TTPs in `data/atlas-ttps
78
78
  |---|---|---|
79
79
  | Patch Management Theater (Pattern 1) | T1068 (Exploitation for Privilege Escalation), T1203 (Exploitation for Client Execution) | Public PoC + KEV + AI-accelerated weaponization compresses the exploitation window inside the SLA |
80
80
  | Network Segmentation Theater — IPsec (Pattern 2) | T1190 (Exploit Public-Facing Application) targeting the IPsec kernel subsystem | The control's cryptographic mechanism is the attack surface |
81
- | Access Control Theater — AI Agents (Pattern 3) | AML.T0051 (LLM Prompt Injection), AML.T0054 (Craft Adversarial Data — NLP), T1059 (Command and Scripting Interpreter) | Authorized service account executes attacker-chosen actions; no identity boundary is crossed |
81
+ | Access Control Theater — AI Agents (Pattern 3) | AML.T0051 (LLM Prompt Injection), AML.T0054 (LLM Jailbreak), T1059 (Command and Scripting Interpreter) | Authorized service account executes attacker-chosen actions; no identity boundary is crossed |
82
82
  | Incident Response Theater — AI Pipeline (Pattern 4) | AML.T0020 (Poison Training Data), AML.T0096 (LLM Integration Abuse as C2), AML.T0010 (ML Supply Chain Compromise) | Detection triggers do not exist, so documented IR procedures have no input |
83
83
  | Change Management Theater — AI Models (Pattern 5) | AML.T0018 (Backdoor ML Model), AML.T0020 | Externally-managed model updates bypass operator change control entirely |
84
84
  | Vendor/Third-Party Risk Theater — AI APIs (Pattern 6) | AML.T0010 (ML Supply Chain Compromise) | MCP servers and LLM APIs sit outside the vendor-management scope |
85
- | Security Awareness Theater — AI Phishing (Pattern 7) | T1566 (Phishing), AML.T0016 (Acquire Public ML Artifacts — misuse) | AI-generated content evades grammar/style heuristics and template-matching detectors |
85
+ | Security Awareness Theater — AI Phishing (Pattern 7) | T1566 (Phishing), AML.T0016 (Obtain Capabilities: Develop Capabilities — misuse of public AI APIs for payload crafting) | AI-generated content evades grammar/style heuristics and template-matching detectors |
86
86
 
87
87
  Source-of-truth TTP catalog: `data/atlas-ttps.json` (pinned to MITRE ATLAS v5.1.0, November 2025). Any theater claim in an assessment must cite at least one TTP ID from that catalog or an ATT&CK Enterprise ID — claims without a mapped TTP fail Hard Rule #4 (no orphaned controls).
88
88
 
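Review bot: two ATLAS technique names change here (AML.T0054 from "Craft Adversarial Data" to "LLM Jailbreak"; AML.T0016 from "Acquire Public ML Artifacts" to "Obtain Capabilities: Develop Capabilities") while the unchanged line below still pins the catalog to MITRE ATLAS v5.1.0 (November 2025). Confirm the new names match that pinned version and the `data/atlas-ttps.json` shipped in this release, because the same line requires every theater claim to cite a TTP ID from that catalog; a name/ID mismatch between skill.md and the catalog is exactly what would make Hard Rule #4 fail on lint for the row. The Pattern 3 rationale column ("Authorized service account executes attacker-chosen actions") was written for the prompt-injection pairing and could use a clause on why jailbreak is grouped under the same pattern.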
@@ -95,8 +95,8 @@ The theater patterns most acutely under attack today are those backed by high-RW
95
95
  | Theater pattern | Evidence CVE | CVSS | RWEP tier | KEV | Public PoC | AI-accelerated | Live-patchable | Active exploitation |
96
96
  |---|---|---|---|---|---|---|---|---|
97
97
  | Patch Management Theater | CVE-2026-31431 (Copy Fail) | High | Critical | Yes | Yes (732 bytes, deterministic) | Yes (AI-discovered) | Yes (kpatch/livepatch) | Confirmed |
98
- | Vendor Management Theater (AI APIs / MCP) | CVE-2026-30615 (Windsurf MCP) | 9.8 | Critical | No | Partial | No | N/A (vendor-side) | Suspected |
99
- | Access Control Theater (AI agents) | CVE-2025-53773 (Copilot prompt injection RCE) | 9.6 | High | No | Yes (demonstrated) | Yes (AI tooling enables) | N/A (vendor-side) | Suspected |
98
+ | Vendor Management Theater (AI APIs / MCP) | CVE-2026-30615 (Windsurf MCP local-vector RCE) | 8.0 | 35 | No | Partial | No | Yes (IDE update) | Suspected |
99
+ | Access Control Theater (AI agents) | CVE-2025-53773 (Copilot YOLO-mode RCE) | 7.8 | 30 | No | Yes (demonstrated) | Yes (AI tooling enables) | Yes (SaaS push / IDE update) | Suspected |
100
100
  | Network Segmentation Theater (IPsec) | CVE-2026-43284 (Dirty Frag) | High | High | Pending | Partial | No | Limited (subsystem-dependent) | Suspected |
101
101
  | Incident Response Theater (AI pipeline) | SesameOp campaign + AML.T0096 | N/A | High | N/A | ATLAS-documented | Yes | N/A | Confirmed campaign |
102
102
  | Change Management Theater (AI models) | Continuous provider updates | N/A | Medium | N/A | N/A | N/A | N/A | Ongoing (uncontrolled) |
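Review bot: the two edited rows put raw RWEP scores (35, 30) in the "RWEP tier" column, while every other row in the table uses a tier label (Critical, High, Medium). Either map 35 and 30 to the tier labels the scale defines or rename the header to "RWEP"; as it stands the rows cannot be compared. While the table is open, the CVSS column still mixes "High" (Copy Fail and Dirty Frag rows) with numeric scores on the edited rows; normalising to numbers throughout would remove a second inconsistency in the same table.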
@@ -114,7 +114,7 @@ The first three rows (Critical / Critical / High RWEP with public PoC or active
114
114
 
115
115
  **The audit evidence:** Patch management policy document, ticketing system showing CVEs opened and closed within SLA, vulnerability scanner reports showing declining open vulnerabilities.
116
116
 
117
- **The reality:** CVE-2026-31431 (Copy Fail) was CISA KEV listed on 2026-03-15 with a public 732-byte exploit script. A 30-day SLA means an organization can be "compliant" while having a public deterministic root exploit unpatched for 30 days. During that window: active exploitation confirmed.
117
+ **The reality:** CVE-2026-31431 (Copy Fail) was CISA KEV listed on 2026-05-01 with a public 732-byte exploit script (CISA due date 2026-05-15). A 30-day SLA means an organization can be "compliant" while having a public deterministic root exploit unpatched for weeks past the federal due date. During that window: active exploitation confirmed.
118
118
 
119
119
  **Why it's theater:** The 30-day SLA was designed for environments where weaponization takes weeks. Copy Fail's weaponization time was ~1 hour (AI-discovered and PoC-ready). The control measures compliance with a time window that no longer reflects exploit development reality.
120
120
 
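Review bot: the new sentence says the exploit stays unpatched "for weeks past the federal due date", which is correct but vaguer than the "30 days" it replaces; spelling out the arithmetic makes the theater argument land: if the 30-day SLA clock starts at the 2026-05-01 KEV listing it runs to 2026-05-31, sixteen days after the 2026-05-15 federal due date. Since the date being corrected here (2026-03-15 to 2026-05-01) also appears in the tables elsewhere in this release, check that the old value does not survive in any line the diff does not touch.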
@@ -144,7 +144,7 @@ CWE cross-walk (see `data/cwe-catalog.json`):
144
144
 
145
145
  | Class / CVE | CVSS | RWEP | CISA KEV | PoC Public | AI-Discovered | Active Exploitation | Patch / Mitigation | Admission-Detectable | Runtime-Detectable (Falco/Tetragon) |
146
146
  |---|---|---|---|---|---|---|---|---|---|
147
- | Host-kernel LPE as container escape — Copy Fail (CVE-2026-31431) | 7.8 | 90 (see `cve-catalog.json`) | Yes (2026-03-15) | Yes — 732-byte script | Yes | Confirmed | Kernel patch + live-patch (kpatch/livepatch/kGraft) on supported distros; reboot rolling fleet on others | No (admission doesn't see kernel ops) | Yes — Falco/Tetragon catches the post-escape host operations; the in-kernel write itself is invisible to eBPF |
147
+ | Host-kernel LPE as container escape — Copy Fail (CVE-2026-31431) | 7.8 | 90 (see `cve-catalog.json`) | Yes (2026-05-01, due 2026-05-15) | Yes — 732-byte script | Yes | Confirmed | Kernel patch + live-patch (kpatch/livepatch/kGraft) on supported distros; reboot rolling fleet on others | No (admission doesn't see kernel ops) | Yes — Falco/Tetragon catches the post-escape host operations; the in-kernel write itself is invisible to eBPF |
148
148
  | Container-runtime CVE class — runc CVE-2024-21626 ("LeakyVessels") family | 8.6 | varies (historical reference) | Yes (at time of disclosure) | Yes | No (manual disclosure) | Patched in modern fleets; brownfield self-managed clusters lag | runc / containerd / CRI-O upgrade | Partial — admission can require minimum runtime versions via node-feature labels | Yes — Tetragon can enforce SIGKILL on the abuse syscall sequence |
149
149
  | Misconfigured PSS — `pod-security.kubernetes.io/enforce: privileged` on a workload namespace | n/a (class) | n/a | n/a | Trivial — `kubectl run --privileged` | Operator misconfig + AI-coding-assistant template drift | Routinely observed in incident response 2024–2026 | Set namespace label to `restricted`; remediate the workload | Yes — Kyverno PolicyReport + Kubescape surface this; PSA itself enforces on admit if label set |
150
150
  | Misconfigured RBAC — ServiceAccount with `create/patch` on `pods` or `secrets` cluster-wide | n/a (class) | n/a | n/a | Trivial — `can-i --list --as=system:serviceaccount:...` | Operator misconfig | Routinely observed | Replace wildcard ClusterRoles with scoped Roles; deny `automountServiceAccountToken: true` by default | Yes — Kyverno + OPA policies; kube-bench check | Yes — Falco detects token use from unexpected ServiceAccount |
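Review bot: besides the date update in the Copy Fail row, the unchanged "Misconfigured PSS" row two lines below has nine cells against a ten-column header, so the "Runtime-Detectable (Falco/Tetragon)" column is shifted for that row; since this table is being touched, add the missing cell (the row's last cell currently mixes the admission answer with PSA enforcement). The date again appears as a literal "Yes (2026-05-01, due 2026-05-15)" under "CISA KEV"; consider sourcing it from `data/cve-catalog.json` the way the row's RWEP cell already does.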
@@ -152,7 +152,11 @@ DLP gaps in this skill are misuse patterns and architectural blind spots, not si
152
152
  | Embedding-store membership inference (`DLP-SURFACE-EMBEDDING-STORE`) | No | Academic and red-team work 2023-2025 demonstrating membership inference against Pinecone / Weaviate / Qdrant indexes built from sensitive corpora | N/A | Yes — AI-assisted query optimisation accelerates inference attacks | None — no commercial DLP product addresses this. Mitigations are architectural (DP-SGD fine-tuning, query rate limits, k-anonymity at retrieval). | None |
153
153
  | IDE / dev-tool telemetry leak (`DLP-CHAN-IDE-TELEMETRY`) | No | JetBrains / VS Code / Visual Studio crash-dump and error-report leakage cases 2022-2025 | N/A | Partial — AI-extension telemetry includes prompt previews | GPO/MDM telemetry suppression; SWG egress block on telemetry domains | None |
154
154
 
155
- **Interpretation:** no patch applies because there is no vendor CVE. Mitigation is architectural — defense-in-depth across SDK, gateway, browser-isolation, endpoint, and egress NTA. Vendor-side contractual controls (zero retention enterprise tiers, BAAs for HIPAA, EU data residency for GDPR Art 44) are necessary but technically un-verifiable; treat as compensating controls, not primary.
155
+ **Interpretation:** no patch applies because there is no vendor CVE for the *architectural* DLP gaps above. Mitigation is architectural — defense-in-depth across SDK, gateway, browser-isolation, endpoint, and egress NTA. Vendor-side contractual controls (zero retention enterprise tiers, BAAs for HIPAA, EU data residency for GDPR Art 44) are necessary but technically un-verifiable; treat as compensating controls, not primary.
156
+
157
+ ### Adjacent CVE — LLM-Gateway Credential Exfiltration
158
+
159
+ **CVE-2026-42208** — BerriAI LiteLLM Proxy authorization-header SQL injection (CVSS 9.8 / CVSS v4 9.3 / CISA KEV-listed 2026-05-08, federal due 2026-05-29; in-wild exploitation confirmed). LiteLLM is the open-source LLM-API gateway used in front of agent stacks, MCP-server fronts, and multi-model proxy deployments — exactly the egress path this skill treats as the credential boundary for hosted-model use. The proxy concatenated an attacker-controlled `Authorization` header value into a SQL query in the error-logging path, so a curl-able POST against `/chat/completions` with a SQL-injection payload returns the managed-credentials DB content without prior auth. Patched in 1.83.7+; temporary workaround `general_settings: disable_error_logs: true`. DLP relevance: a compromised LiteLLM gateway hands the adversary every downstream model-provider credential plus the per-tenant routing config — every subsequent prompt/response pair routes through attacker-known credentials and the *exfiltration* channel becomes the legitimate AI-API egress that the DLP architectures above are designed to monitor. Any organisation whose DLP scope treats the LLM gateway as "just a reverse proxy" misses that the gateway is the credential-and-routing boundary that determines whether outbound LLM traffic is trustworthy at all.
156
160
 
157
161
  ---
158
162
 
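Review bot: the new CVE-2026-42208 section hard-codes CVSS, KEV date, federal due date, fixed version (1.83.7+) and the workaround key in prose, and unlike the contrast-case bullets elsewhere in this release it carries no "Catalog entry: `data/cve-catalog.json`" pointer; add the pointer and keep the mutable facts in the catalog so a refresh does not leave this paragraph stale. The request-level walk-through ("a curl-able POST against `/chat/completions` with a SQL-injection payload returns the managed-credentials DB content") is more than the DLP argument needs; the control-relevant facts are that the `Authorization` header reaches a SQL query in the error-logging path without prior authentication and that the exposed store holds every downstream provider credential plus the routing config. Trimming to that keeps the section aligned with the defensive register of the rest of the skill.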
@@ -71,7 +71,7 @@ Phishing remained the #1 initial-access vector through 2025 (Verizon DBIR 2025)
71
71
 
72
72
  **Business Email Compromise losses continued growing through 2025.** FBI IC3 2024 and 2025 reports place BEC at multi-billion-USD annual loss globally, with the wire-redirection and vendor-invoice-fraud subclasses dominant. The 2026 reality is that BEC is no longer "compromised mailbox sends a wire request" — it is increasingly "spoofed-or-look-alike domain plus deepfake voice/video confirmation channel" so that out-of-band verification by phone *fails open* unless the callback number is a pre-registered known-good.
73
73
 
74
- **Defense ecosystem snapshot.** SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489) adoption is effectively universal among Fortune 500 sender domains, but **enforcement** (`p=reject` vs `p=none`) lags — only roughly 60% of large enterprise domains are at `p=reject` by mid-2026, with the rest stuck in monitoring mode for fear of breaking legitimate forwarders. BIMI (RFC 9622, published 2024) for visual brand verification is deployed at Gmail, Yahoo Mail, and Apple Mail, but requires DMARC `p=quarantine` or `p=reject` to take effect — so it doubles as enforcement-status signaling. ARC (RFC 8617) is the forwarder-authentication answer to the DMARC-vs-mailing-list problem and is maturing across major providers. MTA-STS (RFC 8461) and TLSRPT (RFC 8460) close the in-transit TLS-downgrade gap that opportunistic STARTTLS leaves open. The cloud email duopoly — Microsoft 365 Exchange Online and Google Workspace Gmail — is the canonical ephemeral inbox environment per the project's ephemeral-realities rule; on-prem Exchange remains in regulated and air-gapped enclaves and gets an explicit exception path below.
74
+ **Defense ecosystem snapshot.** SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489) adoption is effectively universal among Fortune 500 sender domains, but **enforcement** (`p=reject` vs `p=none`) lags — only roughly 60% of large enterprise domains are at `p=reject` by mid-2026, with the rest stuck in monitoring mode for fear of breaking legitimate forwarders. BIMI (AuthIndicators Working Group draft, with IETF mailing-list discussion ongoing as of mid-2026) for visual brand verification is deployed at Gmail, Yahoo Mail, and Apple Mail, but requires DMARC `p=quarantine` or `p=reject` to take effect — so it doubles as enforcement-status signaling. ARC (RFC 8617) is the forwarder-authentication answer to the DMARC-vs-mailing-list problem and is maturing across major providers. MTA-STS (RFC 8461) and TLSRPT (RFC 8460) close the in-transit TLS-downgrade gap that opportunistic STARTTLS leaves open. The cloud email duopoly — Microsoft 365 Exchange Online and Google Workspace Gmail — is the canonical ephemeral inbox environment per the project's ephemeral-realities rule; on-prem Exchange remains in regulated and air-gapped enclaves and gets an explicit exception path below.
75
75
 
76
76
  **Phishing-resistant authentication.** FIDO2 / WebAuthn synced passkeys are the only widely deployed authenticator class that survives AiTM proxy phishing (evilginx-class), Tycoon-2FA-style session-token relay, and push-notification fatigue attacks. TOTP, SMS, and push-MFA are all bypassable by 2026 phishing-kit ecosystems. Caffeine and Tycoon 2FA continue to evolve; observed 2025 telemetry shows passkey-relay attempts emerging against poorly configured WebAuthn relying-party verification.
77
77
 
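Review bot: dropping the RFC 9622 citation for BIMI in favour of the AuthIndicators Working Group draft is the right fix, but this is the only sentence changed in a very long line, and `package/data/rfc-references.json` also changes in this release (+276 -276); confirm any BIMI / RFC 9622 entry there was removed or re-labelled as a draft, and consider having `lib/lint-skills.js` validate RFC numbers cited in skill.md files against that data file so a bad citation cannot reappear on the next refresh.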
@@ -42,7 +42,7 @@ RWEP exists because the exploit development cycle has compressed. The factors th
42
42
 
43
43
  - **AI-accelerated exploit development is current operational reality, not emerging.** 41% of 2025 zero-days were discovered or weaponized with AI-assisted tooling (AGENTS.md DR-5). Copy Fail (CVE-2026-31431) was discovered by an AI system in approximately one hour. CVSS scoring assumes a human-speed gap between disclosure and reliable exploitation — that gap is gone for AI-capable threat actors.
44
44
  - **CVSS undercounts AI-discovered + KEV-listed bugs.** CVE-2026-31431 scores CVSS 7.8 (High). Treated as a CVSS-band-7 item, it lands in a 30-day remediation queue. Treated honestly — CISA KEV listed, 732-byte deterministic public PoC, all Linux ≥ 4.14, AI-discovered — it is a 4-hour incident. CVSS misses every one of those amplifiers.
45
- - **CVSS overscores supply-chain-prerequisite CVEs.** CVE-2026-30615 (Windsurf MCP) scores CVSS 9.8 because the worst-case is zero-interaction RCE. The actual exploitation rate is throttled by the requirement that a victim first install a malicious MCP server. RWEP correctly rates it 35, lower than Copy Fail at 90 despite the lower CVSS.
45
+ - **CVSS local-vector blindness vs. RWEP exploitation reality.** CVE-2026-30615 (Windsurf MCP) scores CVSS 8.0 with AV:L (the NVD-authoritative corrected score; the initial CVSS 9.8 was withdrawn after attack-vector analysis confirmed the local-vector reality — the attacker must control HTML content that the Windsurf MCP client processes). RWEP rates it 35, lower than Copy Fail at 90: the supply-chain prerequisite (a victim first installs a malicious MCP server) plus the local attack vector throttle real exploitation rate. This pair is the canonical example of CVSS-vector-only scoring losing to RWEP's exploitation-evidence weighting.
46
46
  - **Compliance frameworks anchor SLAs on CVSS bands.** NIST 800-53 SI-2, PCI DSS 6.3.3, ISO 27001:2022 A.8.8, and most internal vuln-management policies translate CVSS High/Critical into 30-day/7-day windows. For AI-discovered KEV-listed LPEs with public PoCs, these windows are exploitation windows. RWEP is the layer that lets an org prioritize honestly without re-writing every framework control.
47
47
 
48
48
  ---
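Review bot: the rewritten bullet asserts a score history ("NVD-authoritative corrected score; the initial CVSS 9.8 was withdrawn") that appears nowhere else on the page; record both values and the correction in the `data/cve-catalog.json` entry so the RWEP rationale is auditable rather than living only in prose. The bullet also packs three arguments (vector correction, supply-chain prerequisite, RWEP comparison) into one sentence with nested parentheticals; splitting "why CVSS moved from 9.8 to 8.0" from "why RWEP still rates it 35" would match the one-claim-per-bullet style of the neighbouring items.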
@@ -71,7 +71,7 @@ This skill is meta — it does not pin to a single TTP class. RWEP is the cross-
71
71
  | Catalog | Role for RWEP |
72
72
  |---|---|
73
73
  | `data/cve-catalog.json` | Source of factor values: CISA KEV flag, PoC availability, AI-discovery flag, active-exploitation status, patch and live-patch availability per CVE |
74
- | `data/atlas-ttps.json` (MITRE ATLAS v5.1.0) | Provides the AI/ML TTP context where AI-discovery and AI-acceleration factors apply (e.g., AML.T0017 Develop Capabilities) |
74
+ | `data/atlas-ttps.json` (MITRE ATLAS v5.1.0) | Provides the AI/ML TTP context where AI-discovery and AI-acceleration factors apply (e.g., AML.T0016 Obtain Capabilities: Develop Capabilities, AML.T0017 Discover ML Model Ontology) |
75
75
  | `data/exploit-availability.json` | Authoritative PoC + KEV + last-verified date snapshot — drives factor freshness |
76
76
  | `data/zeroday-lessons.json` | Closes the loop: zero-day's lesson entry feeds back the framework gap that RWEP's score implied |
77
77
 
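Review bot: the new row gives AML.T0017 the name "Discover ML Model Ontology" while the removed row called the same ID "Develop Capabilities", and in the same edit "Develop Capabilities" moves under AML.T0016; the two IDs look swapped rather than corrected. Verify both against the pinned MITRE ATLAS v5.1.0 named in the row and against the `data/atlas-ttps.json` shipped in this release. A technique about discovering a target model's ontology also does not illustrate the AI-discovery / AI-acceleration factor this cell is describing, so if the name is right the example is wrong.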
@@ -88,10 +88,10 @@ How each RWEP factor maps to a real CVE in `data/cve-catalog.json`:
88
88
  | CVE-2026-31431 (Copy Fail) | Yes | Yes (732-byte) | Yes | Confirmed | All Linux ≥ 4.14 (30) | Yes | Yes (kpatch/livepatch/kGraft) | 90 | 7.8 |
89
89
  | CVE-2026-43284 (Dirty Frag ESP/IPsec) | No | Yes (chain) | No | Suspected | IPsec-using systems (18) | Yes | RHEL-only kpatch | 38 | 7.8 |
90
90
  | CVE-2026-43500 (Dirty Frag RxRPC) | No | Yes (chain) | No | Suspected | RxRPC-loaded systems | Yes | Partial | 32 | 7.6 |
91
- | CVE-2025-53773 (Copilot prompt-injection RCE) | No | Yes (demonstrated) | Yes (AI tooling enables) | Suspected | GitHub Copilot users (22) | Yes (SaaS) | Yes (SaaS push) | 42 | 9.6 |
92
- | CVE-2026-30615 (Windsurf MCP RCE) | No | Partial | No | Suspected (supply-chain) | 150M+ downloads but supply-chain prereq | Yes | Yes (IDE update) | 35 | 9.8 |
91
+ | CVE-2025-53773 (Copilot YOLO-mode RCE) | No | Yes (demonstrated) | Yes (AI tooling enables) | Suspected | GitHub Copilot users (15) | Yes (SaaS) | Yes (SaaS push) | 30 | 7.8 |
92
+ | CVE-2026-30615 (Windsurf MCP local-vector RCE) | No | Partial | No | Suspected (supply-chain) | 150M+ downloads, local-vector + supply-chain prereq | Yes | Yes (IDE update) | 35 | 8.0 |
93
93
 
94
- Key reads: Copy Fail (RWEP 90, CVSS 7.8) and Windsurf MCP (RWEP 35, CVSS 9.8) sit at opposite ends — Copy Fail is the canonical case of CVSS under-prioritization; Windsurf MCP is the canonical case of CVSS over-prioritization (supply-chain prerequisite as throttle).
94
+ Key reads: Copy Fail (RWEP 90, CVSS 7.8) and Windsurf MCP (RWEP 35, CVSS 8.0) sit at opposite ends of the exploitation-evidence axis — Copy Fail is the canonical case of CVSS under-prioritization (KEV + deterministic public PoC + AI-discovered + broad blast-radius dominate); Windsurf MCP is the canonical case of CVSS-vector blindness (the AV:L local-attack vector plus the supply-chain prerequisite throttle real exploitation rate even after CVSS was corrected from 9.8 to 8.0).
95
95
 
96
96
  ---
97
97
 
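Review bot: the Blast Radius value for CVE-2025-53773 is changed to "GitHub Copilot users (15)" here, but the per-factor table for the same CVE later in this diff awards Blast Radius +10, and its total of 30 only adds up with +10 (20 + 15 + 10 + 10 - 15 - 10 = 30); with 15 the total would be 35. Make the two tables agree, preferably by generating both from one catalog value. The Windsurf row keeps RWEP 35 while its own per-factor table below lowers Blast Radius from +30 to +20 without moving the total; see the note on that hunk.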
@@ -190,7 +190,7 @@ RWEP = min(100, max(0,
190
190
 
191
191
  ---
192
192
 
193
- ### CVE-2025-53773 — GitHub Copilot Prompt Injection RCE
193
+ ### CVE-2025-53773 — GitHub Copilot YOLO-Mode RCE
194
194
 
195
195
  | Factor | Value | Points |
196
196
  |---|---|---|
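Review bot: renaming the heading changes its anchor, so any in-repo link or lint rule that keys on the old heading text breaks; grep the skills and `lib/lint-skills.js` for references before merging. "YOLO-mode" is product slang the heading does not define; keep "prompt injection" in the title, since that is the attack class the framework-gap table keys on, and put the auto-approve mode detail in the body where the hunk above already explains it.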
@@ -198,17 +198,17 @@ RWEP = min(100, max(0,
198
198
  | PoC Public | Yes (demonstrated) | +20 |
199
199
  | AI-Assisted | Yes (AI tooling enables) | +15 |
200
200
  | Active Exploitation | Suspected | +10 |
201
- | Blast Radius | GitHub Copilot users — large developer population | +22 |
201
+ | Blast Radius | GitHub Copilot users — large developer population, but local-vector via IDE interaction | +10 |
202
202
  | Patch Available | Yes (GitHub patched) | -15 |
203
203
  | Live Patch Available | Yes (SaaS patch) | -10 |
204
204
  | Reboot Required | No (SaaS update) | 0 |
205
- | **RWEP** | | **42** |
205
+ | **RWEP** | | **30** |
206
206
 
207
- **Interpretation:** CVSS 9.6 vs. RWEP 42significant divergence. CVSS is high because the worst-case impact is critical RCE. RWEP is lower because there's no CISA KEV listing and exploitation is suspected (not confirmed at scale). The lack of framework coverage for prompt injection as an attack class (no control in any major framework) makes this a critical monitoring gap regardless of the RWEP score.
207
+ **Interpretation:** CVSS 7.8 (AV:L) vs. RWEP 30 — the local-vector reality is baked into both scores; RWEP additionally throttles for "suspected, not confirmed" exploitation and for the SaaS live-patch path. The lack of framework coverage for prompt injection as an attack class (no control in any major framework) makes this a critical monitoring gap regardless of the RWEP score.
208
208
 
209
209
  ---
210
210
 
211
- ### CVE-2026-30615 — Windsurf MCP Zero-Interaction RCE
211
+ ### CVE-2026-30615 — Windsurf MCP Local-Vector RCE
212
212
 
213
213
  | Factor | Value | Points |
214
214
  |---|---|---|
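Review bot: the attack-vector discount is applied by lowering Blast Radius from +22 to +10 with the rationale "but local-vector via IDE interaction", yet the factor list has no attack-vector row and the interpretation says the local vector is "baked into both scores". Folding AV:L into blast radius is a scoring rule; write it down (in the RWEP formula text above the per-CVE sections, or in `lib/scoring.js`, which also changes in this release) so the next local-vector CVE is discounted the same way, and keep the Value cell for the population with the vector adjustment stated separately. The arithmetic itself checks out: 20 + 15 + 10 + 10 - 15 - 10 = 30.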
@@ -216,13 +216,13 @@ RWEP = min(100, max(0,
216
216
  | PoC Public | Partial | +10 |
217
217
  | AI-Assisted | No | 0 |
218
218
  | Active Exploitation | Suspected (supply chain targeting) | +10 |
219
- | Blast Radius | 150M+ AI coding assistant downloads (all affected IDEs) | +30 |
219
+ | Blast Radius | 150M+ MCP-capable assistant downloads, local-vector + supply-chain prerequisite | +20 |
220
220
  | Patch Available | Yes | -15 |
221
221
  | Live Patch Available | Yes (IDE update) | -10 |
222
222
  | Reboot Required | No | 0 |
223
223
  | **RWEP** | | **35** |
224
224
 
225
- **vs. CVSS:** CVSS 9.8 vs. RWEP 35 — the largest CVSS/RWEP divergence in the catalog. CVSS is high because zero-interaction network RCE with no-auth is the maximum-severity scenario. RWEP is lower because no CISA KEV, suspected-only exploitation, and the attack requires a malicious MCP server to be installed first (the supply-chain prerequisite is the limiting factor). Key insight: RWEP correctly signals that this is an elevated priority, not an emergency — unlike Copy Fail where RWEP signals emergency regardless of CVSS.
225
+ **vs. CVSS:** CVSS 8.0 (AV:L, NVD-corrected from initial 9.8) vs. RWEP 35 — this pair demonstrates CVSS local-vector blindness against RWEP exploitation-reality weighting. CVSS 8.0 is still high because the worst-case is RCE in user context, but the AV:L correction already reflects that the attacker must control HTML content the MCP client processes. RWEP additionally throttles for no CISA KEV, suspected-only exploitation, and the supply-chain prerequisite (a malicious MCP server must first be installed). Key insight: RWEP correctly signals elevated priority, not emergency — unlike Copy Fail (RWEP 90) where signal dominates regardless of CVSS band.
226
226
 
227
227
  ---
228
228
 
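Review bot: the RWEP total is left at 35 while Blast Radius drops from +30 to +20 and no other row in the hunk changes. The visible rows previously summed to 25 (10 + 0 + 10 + 30 - 15 - 10), so the rows above the hunk contributed +10 to reach 35; with the same hidden rows the new total should be 25. Either change `| **RWEP** | | **35** |` to 25 or show the row that was raised to compensate. The narrative also describes the exploit as "the attacker must control HTML content the MCP client processes" and, in the next sentence, as requiring "a malicious MCP server must first be installed"; state which of these is the prerequisite and which the trigger, since they are scored as one limiting factor.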
@@ -242,11 +242,11 @@ When CVSS and RWEP diverge significantly, it surfaces important context:
242
242
  - Example: Copy Fail — CVSS doesn't capture AI-discovered + deterministic + CISA KEV + all Linux
243
243
  - Framework compliance that uses CVSS thresholds for SLA will deprioritize Copy Fail relative to a CVSS 9.8 with no public exploit
244
244
 
245
- **High CVSS, moderate RWEP** — CVSS overstates urgency for AI/supply-chain threats:
246
- - Copilot RCE (CVSS 9.6 / RWEP 42): no KEV, suspected exploitation — important but not emergency
247
- - Windsurf MCP (CVSS 9.8 / RWEP 35): no KEV, supply-chain prerequisite limits actual exploitation rate
248
- - RWEP correctly prioritizes Copy Fail (RWEP 90) over Windsurf MCP (RWEP 35) despite Windsurf having higher CVSS
249
- - Framework compliance that uses CVSS alone will treat Windsurf MCP as MORE urgent than Copy Fail — incorrect
245
+ **Moderate CVSS, low RWEP** — CVSS-vector still overstates urgency once exploitation evidence is weighted:
246
+ - Copilot YOLO-mode RCE (CVSS 7.8 / RWEP 30): local-vector, no KEV, suspected exploitation — important monitoring gap but not emergency
247
+ - Windsurf MCP (CVSS 8.0 / RWEP 35): local-vector, no KEV, supply-chain prerequisite limits actual exploitation rate
248
+ - RWEP correctly prioritizes Copy Fail (RWEP 90, CVSS 7.8) over Windsurf MCP (RWEP 35, CVSS 8.0) despite the two CVEs sitting in adjacent CVSS bands
249
+ - Framework compliance that uses CVSS alone may treat Windsurf MCP and Copy Fail as similar-urgency — incorrect
250
250
 
251
251
  ---
252
252
 
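Review bot: "adjacent CVSS bands" is wrong on the numbers given: 7.8 and 8.0 both fall in the High band (7.0 to 8.9), so Copy Fail and Windsurf MCP sit in the same band, which actually makes the point stronger. Suggest "despite the two CVEs sitting in the same CVSS band (7.8 vs 8.0)"; the final bullet then follows naturally, since CVSS-only triage would treat them as equal urgency. Also reconsider the new heading "Moderate CVSS, low RWEP": 7.8 / 8.0 are High-rated under CVSS, so "High CVSS, low RWEP" matches the vocabulary used in the sibling heading above.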
@@ -334,4 +334,4 @@ Run this check against any organization claiming vulnerability-management compli
334
334
 
335
335
  > "Open your last quarterly vuln-management metrics report. Does it report `mean time to remediate by CVSS band`? If that is the headline metric, the program optimizes for CVSS-band SLAs, not for actual exploit-priority response. The KPI itself is theater. The honest metric is: for CVEs that crossed RWEP ≥ 75 during the quarter, what was the mean time from RWEP-75 threshold crossing to deployed mitigation? If the org doesn't track RWEP at all, the program has no instrumentation to detect when CVSS-banded SLAs fail — which they do for every CISA KEV + AI-discovered class in `data/cve-catalog.json`."
336
336
 
337
- > "Ask: when CVE-2026-31431 was published, what was the actual time from publication to deployed mitigation across the estate? Compare it to the policy's 30-day High SLA. The org likely met SLA. RWEP 90 required action in 4 hours. The gap between 'met SLA' and 'was exposed for ~30 days to a 732-byte public PoC on CISA KEV' is the size of the theater."
337
+ > "Ask: when CVE-2026-31431 was published, what was the actual time from publication to deployed mitigation across the estate? Compare it to the policy's 30-day High SLA. The org likely met SLA. RWEP 90 required action in 4 hours. CISA KEV listed the CVE on 2026-05-01 with federal due date 2026-05-15. Today (~13 days after listing) any unpatched estate is past the federal due date and demonstrably exposed to a 732-byte deterministic public PoC on CISA KEV. The gap between 'met internal SLA' and 'past federal due date with active exploitation in scope' is the size of the theater."
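Review bot: "Today (~13 days after listing)" bakes a wall-clock relative date into a reusable check prompt, so the text is stale the day after it ships. Anchor the statement to the review date instead, e.g. "as of the 2026-05-13 threat review, any unpatched estate is past the federal due date", or keep only the listing and due dates and let the analyst compute the delta at run time.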
@@ -32,8 +32,8 @@ This skill analyzes the gap between what a compliance framework control was desi
32
32
  Compliance frameworks lag the threat environment by years. Most active controls in NIST 800-53, ISO 27001:2022, SOC 2, PCI DSS 4.0, NIS2, and DORA were drafted against assumptions (human-speed exploit development, persistent inventoriable assets, human-controlled accounts) that current attacker TTPs no longer respect. Three concrete mid-2026 instances anchor the lag:
33
33
 
34
34
  - **CVE-2026-31431 (Copy Fail)** — CISA KEV-listed Linux kernel LPE, AI-discovered in roughly one hour, 732-byte deterministic public PoC, no race condition. NIST 800-53 SI-2 and ISO 27001:2022 A.8.8 patch-window language permits 30-day remediation, during which active exploitation is the documented condition. See `data/cve-catalog.json` for the full entry.
35
- - **CVE-2025-53773** — GitHub Copilot prompt-injection RCE, CVSS 9.6. Bypasses SOC 2 CC6 and NIST 800-53 AC-2 because the action executes under the AI service account's authorized identity; the access control audit shows "passed."
36
- - **CVE-2026-30615** — Windsurf MCP zero-interaction RCE, 150M+ affected downloads. ISO 27001:2022 A.5.19 / A.5.20 vendor-management language treats MCP servers as SaaS tools, not third-party code executing in production developer environments.
35
+ - **CVE-2025-53773** — GitHub Copilot YOLO-mode RCE, CVSS 7.8 (AV:L — local-vector through developer-side IDE interaction; the NVD-authoritative score was corrected from an initial 9.6 / AV:N). Bypasses SOC 2 CC6 and NIST 800-53 AC-2 because the action executes under the AI service account's authorized identity; the access control audit shows "passed."
36
+ - **CVE-2026-30615** — Windsurf MCP local-vector RCE, CVSS 8.0 / AV:L (NVD-authoritative; corrected from initial 9.8 / AV:N once the attack-vector reality — attacker controls HTML the MCP client processes — was confirmed). 150M+ combined downloads across MCP-capable assistants share the architectural surface. ISO 27001:2022 A.5.19 / A.5.20 vendor-management language treats MCP servers as SaaS tools, not third-party code executing in production developer environments.
37
37
 
38
38
  This skill exists because every gap-analysis engagement encounters at least one control where a "compliant" auditor finding masks current-TTP exposure. The built-in gap catalog below is the codified evidence base.
39
39
 
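Review bot: both rewritten bullets assert an NVD score correction (9.6 to 7.8, 9.8 to 8.0) without a pointer to where the corrected record lives, while the Copy Fail bullet directly above ends with "See `data/cve-catalog.json` for the full entry." Add the same pointer (or the NVD record reference stored in the catalog) to each corrected bullet so the AV:L claim is auditable; an unexplained downgrade is exactly the kind of edit a reader of a compliance-gap skill will question.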
@@ -76,7 +76,7 @@ This skill maps framework controls to attacker TTPs on demand rather than static
76
76
  | NIST 800-53 SI-2 vs. deterministic LPE | T1068 (Exploitation for Privilege Escalation), T1548.001 | Patch SLA permits active exploitation window |
77
77
  | NIST 800-53 SC-8/SC-28 vs. Dirty Frag | T1190 (Exploit Public-Facing Application) via IPsec subsystem | Cryptographic control is the attack surface |
78
78
  | NIST 800-53 AC-2 vs. prompt injection | AML.T0051 (LLM Prompt Injection), AML.T0054 | Authorized identity executes attacker intent |
79
- | NIST 800-53 SI-3 vs. AI-generated malware | AML.T0017, AML.T0018 | Signature-based detection has zero coverage |
79
+ | NIST 800-53 SI-3 vs. AI-generated malware | AML.T0016 (adversary Develop Capabilities — payload generation), AML.T0018 | Signature-based detection has zero coverage |
80
80
  | ISO 27001 A.8.8 vs. CISA KEV class | T1068, T1203 | "Appropriate timescales" undefined for AI-accelerated weaponization |
81
81
  | SOC 2 CC6 vs. prompt injection | AML.T0051 | Authorization model has no prompt-level granularity |
82
82
  | PCI DSS 6.3.3 vs. AI-accelerated weaponization | T1068, T1190 | One-month window predates AI-assisted exploit development |
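Review bot: the technique-ID swap in the SI-3 row (AML.T0017 to AML.T0016) carries no source note, and the same change set redefines AML.T0017 in other files. Because this is an ID re-mapping rather than a wording change, cite the ATLAS version the mapping was taken from (the file pins v5.1.0 elsewhere) either in the table caption or in the commit message, and give AML.T0018 its parenthetical name the way the first ID in the cell now has one, so the row reads consistently.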
@@ -93,8 +93,8 @@ This skill consumes the matrix produced upstream by the exploit-scoring skill. T
93
93
  |---|---|---|---|---|---|---|---|
94
94
  | CVE-2026-31431 (Copy Fail) | High | Critical | Yes | Yes (732 bytes, deterministic) | Yes (AI-discovered) | Yes (kpatch/livepatch) | Confirmed |
95
95
  | CVE-2026-43284 (Dirty Frag) | High | High | Pending | Partial | No | Limited (subsystem-dependent) | Suspected |
96
- | CVE-2025-53773 (Copilot prompt injection RCE) | 9.6 | High | No | Yes (demonstrated) | Yes (AI tooling enables) | N/A (vendor-side) | Suspected |
97
- | CVE-2026-30615 (Windsurf MCP RCE) | 9.8 | Critical | No | Partial | No | N/A (vendor-side) | Suspected |
96
+ | CVE-2025-53773 (Copilot YOLO-mode RCE) | 7.8 | 30 | No | Yes (demonstrated) | Yes (AI tooling enables) | Yes (SaaS push / IDE update) | Suspected |
97
+ | CVE-2026-30615 (Windsurf MCP local-vector RCE) | 8.0 | 35 | No | Partial | No | Yes (IDE update) | Suspected |
98
98
 
99
99
  When a gap analysis cites a CVE not in this matrix, the analyst must populate the row from `data/cve-catalog.json` before producing the declaration. A declaration without an evidence row is incomplete.
100
100
 
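Review bot: the CVSS and RWEP columns now mix types. The two edited rows use numeric values (`7.8 | 30`, `8.0 | 35`) while the unchanged rows above keep qualitative labels (`| CVE-2026-31431 (Copy Fail) | High | Critical |`, `| CVE-2026-43284 (Dirty Frag) | High | High |`). Since the rest of the change set quotes Copy Fail as CVSS 7.8 / RWEP 90 and Dirty Frag ESP as 7.8 / 38, make all four rows numeric; a matrix that the analyst must "populate from `data/cve-catalog.json`" should have one value format per column.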
@@ -368,7 +368,7 @@ Specific high-confidence theater signals (each triggers a mandatory Framework La
368
368
  |---|---|
369
369
  | Org claims SI-2 / A.8.8 / PCI 6.3.3 30-day patching as adequate for CISA KEV entries | CVE-2026-31431 KEV-listed; deterministic public PoC means active exploitation during the window |
370
370
  | Org claims AC-2 / CC6 as adequate for AI-agent access control | CVE-2025-53773 demonstrates AML.T0051 routing around the identity model entirely |
371
- | Org claims A.5.19 / SA-12 vendor management as adequate for MCP servers | CVE-2026-30615 demonstrates AML.T0010 supply-chain RCE with zero user interaction |
371
+ | Org claims A.5.19 / SA-12 vendor management as adequate for MCP servers | CVE-2026-30615 demonstrates AML.T0010 supply-chain RCE via attacker-controlled HTML processed by the MCP client (local-vector, not network) |
372
372
  | Org claims IPsec-based SC-8 segmentation as adequate without a kernel-patch status check | CVE-2026-43284 makes the IPsec implementation the attack surface |
373
373
 
374
374
  When this check fires, hand off to the compliance-theater skill for the theater-pattern detection test and to policy-exception-gen if the org needs to grant a defensible exception with concrete compensating controls.
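Review bot: the rewritten evidence cell names the trigger ("attacker-controlled HTML processed by the MCP client") but no longer names the prerequisite that the same change set scores as the limiting factor, namely that a malicious MCP server must first be installed. For a row whose claim is that A.5.19 / SA-12 vendor management is inadequate, that prerequisite is the evidence: the vendor-management control is precisely what should have gated that server install. Suggest ending the cell with "after a malicious MCP server is installed, which A.5.19 / SA-12 language treats as a SaaS tool rather than third-party code".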
@@ -453,8 +453,9 @@ A summary of the multi-jurisdiction control surface vs. the high-priority TTPs f
453
453
  | ML supply chain (MCP, models) | AML.T0010 | EU CRA Annex I (post 2026-09-11 reporting) | All others — supply-chain controls do not name AI plugins |
454
454
  | LLM C2 abuse (SesameOp) | AML.T0096 | None | All — no jurisdiction has a control for AI-API as C2 |
455
455
  | Poison Training Data | AML.T0020 | EU AI Act Art. 10 (data and data governance for high-risk AI) | All others |
456
- | Craft Adversarial Data — NLP | AML.T0054 | None — same gap as AML.T0051 | All |
457
- | Develop Capabilities (AI-assisted) | AML.T0017 | None — adversary capability, not directly controllable | All |
456
+ | LLM Jailbreak | AML.T0054 | None — same gap as AML.T0051 | All |
457
+ | Discover ML Model Ontology | AML.T0017 | None — adversary reconnaissance against deployed models, no mapped control | All |
458
+ | Obtain Capabilities: Develop Capabilities (AI-assisted weaponization) | AML.T0016 | None — adversary capability, not directly controllable | All |
458
459
  | Privilege escalation (T1068) | ATT&CK T1068 | AU ISM-1623 / Essential 8 ML3 (48h patch with exploit) | EU (no specific SLA), UK (14d generic), SG (30d), JP, IN, CA |
459
460
  | Exploit public-facing app (T1190) | ATT&CK T1190 | AU Essential 8 (patching applications) | All — none address AI-mediated T1190 like CVE-2025-53773 |
460
461
  | Phishing (T1566) | ATT&CK T1566 | None updated for AI-generated content | All — phishing guidance generally pre-AI-baseline |
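Review bot: the unchanged T1190 row in this hunk still cites "AI-mediated T1190 like CVE-2025-53773", but this change set reclassifies that CVE as AV:L via developer-side IDE interaction, which is not exploitation of a public-facing application. Either drop the example from that row or move it to a local-execution TTP row. Separately, the new row label "Obtain Capabilities: Develop Capabilities (AI-assisted weaponization)" joins two technique names; pick the one that matches the ID AML.T0016 in the pinned ATLAS version and use it alone, matching the single-name style of the other rows.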
@@ -67,7 +67,7 @@ last_threat_review: "2026-05-11"
67
67
 
68
68
  Identity is the new perimeter, and the perimeter expanded. The 2026 principal population is no longer "humans + service accounts" — it now includes AI agents acting on behalf of users, MCP servers exchanging short-lived tokens, and ephemeral workload identities minted per function invocation. Each of these is a principal that authenticates, holds scopes, and shows up in audit logs — and each was outside the design envelope of every identity standard in production use before NIST 800-63 rev 4 (Q4 2025).
69
69
 
70
- **Agent-as-principal is operational reality.** When an AI coding assistant calls an MCP tool, it does so under the IDE user's OAuth session by default. The agent inherits the user's scopes wholesale — not because anyone designed it that way, but because no current identity standard defines an agent-as-principal model. CVE-2026-30615 (Windsurf MCP zero-interaction RCE, CVSS 9.8) hinged in part on this implicit inheritance: tool calls executed under the IDE user's privileges with no separate authentication challenge for the agent's actions. The principal who authenticated (the human) is not the principal who took the action (the agent), and the audit trail does not distinguish them.
70
+ **Agent-as-principal is operational reality.** When an AI coding assistant calls an MCP tool, it does so under the IDE user's OAuth session by default. The agent inherits the user's scopes wholesale — not because anyone designed it that way, but because no current identity standard defines an agent-as-principal model. CVE-2026-30615 (Windsurf MCP local-vector RCE, CVSS 8.0 / AV:L) hinged in part on this implicit inheritance: tool calls executed under the IDE user's privileges with no separate authentication challenge for the agent's actions. The principal who authenticated (the human) is not the principal who took the action (the agent), and the audit trail does not distinguish them.
71
71
 
72
72
  **Phishing-resistant authentication is now table-stakes.** FIDO2 / WebAuthn synced passkeys are the only widely deployed authenticator class that survives credential phishing, AiTM proxy phishing (evilginx-class), and push-notification fatigue attacks. Orgs still standing on TOTP / SMS / push-MFA in 2026 are shipping password-equivalent risk forward, and the framework gap analysis must say so. AI-assisted phishing kit development means the time-to-weaponize a new bypass technique is hours, not weeks (per DR-5: AI acceleration is current operational reality, not a future consideration).
73
73
 
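Review bot: the CVSS correction is applied to the prose but the hunk header shows this file's `last_threat_review: "2026-05-11"` unchanged; if the frontmatter was not bumped elsewhere in this change, update it, since the sibling kernel-LPE file in the same change carries 2026-05-13 and the review date is what downstream skills use to decide whether a file's threat picture is current.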
@@ -125,7 +125,7 @@ Sourced from `data/cve-catalog.json` and `data/exploit-availability.json` as of
125
125
 
126
126
  | Threat | CVSS | RWEP | PoC Public? | CISA KEV? | AI-Accelerated Weaponization? | Patch / Mitigation? |
127
127
  |---|---|---|---|---|---|---|
128
- | CVE-2026-30615 (Windsurf MCP zero-interaction RCE — implicit identity inheritance) | 9.8 | 35 | Partial — conceptual exploit demonstrated | No (architectural class) | No direct AI-assisted weaponization recorded; the attack rides on agent tool-call autonomy under the user's inherited session | Vendor IDE update; identity-layer mitigation is scoped agent token + tool allowlist (see mcp-agent-trust). |
128
+ | CVE-2026-30615 (Windsurf MCP local-vector RCE — implicit identity inheritance) | 8.0 | 35 | Partial — conceptual exploit demonstrated | No (architectural class) | No direct AI-assisted weaponization recorded; the attack rides on agent tool-call autonomy under the user's inherited session, AV:L through attacker-controlled HTML the MCP client processes | Vendor IDE update; identity-layer mitigation is scoped agent token + tool allowlist (see mcp-agent-trust). |
129
129
  | AiTM passkey-relay / FIDO2-bypass phishing kits | N/A (kit class, not vendor CVE) | N/A | Public research and limited in-the-wild observations; nothing fully bypasses **synced** passkeys without endpoint compromise (the device-bound private key remains in the secure enclave). Bypasses against TOTP / push-MFA / SMS are commodity. | Technique class | Yes — AI-assisted kit configuration and target-tailored lure generation are documented capabilities. | Mitigation: enforce phishing-resistant authenticators (passkey or hardware-token AAL3) for privileged roles; endpoint-binding (D3-CBAN) for highly-privileged roles. |
130
130
  | OAuth refresh-token theft + replay (RFC 9700 BCP §2.2.2) | N/A (technique) | N/A | Yes — public research; commodity in adversary toolkits. | No (technique) | Yes — credential-theft → automated replay is well-AI-assisted. | Mitigation: short-lived access tokens, sender-constrained tokens (DPoP / mTLS per RFC 9700), rotated refresh tokens, refresh-token-reuse detection. |
131
131
  | JWT validation-bypass class (RFC 8725 BCP failures: `alg=none`, key confusion, audience confusion, `kid` traversal) | Class-level — multiple vendor CVEs over time, current high-RWEP entries vary | N/A (class) | Yes — generic class with library-specific PoCs. | No (class) | Yes — AI-assisted scanning for vulnerable verifier configurations. | Mitigation: pin allowed algorithms server-side, validate `iss` / `aud` / `exp` / `nbf`, treat `kid` as untrusted input, follow RFC 8725 BCP. |
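Review bot: the attack-vector rationale ("AV:L through attacker-controlled HTML the MCP client processes") has been appended to the "AI-Accelerated Weaponization?" cell, where it does not belong; that column answers whether AI accelerated weaponization. Move the AV:L note into the Threat cell alongside "implicit identity inheritance", or into the Patch / Mitigation cell if the point is that the mitigation is a client-side control, so each column keeps a single meaning.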
@@ -66,7 +66,7 @@ last_threat_review: "2026-05-11"
66
66
 
67
67
  Incident response (IR) is the operational closure of every other skill in this catalog. A vulnerability becomes a CVE through `coordinated-vuln-disclosure`; a CVE becomes a lesson through `zeroday-gap-learn`; a lesson becomes a control through `framework-gap-analysis`; an attack on that control becomes an incident — and the incident handler runs the playbook this skill defines. If the playbook is wrong, every preceding investment leaks at the last yard.
68
68
 
69
- This skill operationalizes NIST SP 800-61r3 (Computer Security Incident Handling Guide, 2025 update integrating ATT&CK and Cyber Kill Chain), ISO/IEC 27035-1:2023 (principles and process) + ISO/IEC 27035-2:2023 (guidelines for incident response planning), and the SANS PICERL phases (Preparation, Identification, Containment, Eradication, Recovery, Lessons learned). It threads the Diamond Model and the MITRE Unified Kill Chain for adversary-narrative reconstruction, anchors detection engineering to MITRE ATT&CK v15.1, and treats three incident classes that the legacy IR literature predates: AI-class incidents (prompt-injection breach, model exfiltration, AI-API as C2 channel, AI-agent-initiated unauthorized action), AI-generated supply-chain compromise, and regulator-mandated notification under cross-jurisdiction clocks running in parallel.
69
+ This skill operationalizes NIST SP 800-61r3 (Computer Security Incident Handling Guide, 2025 update integrating ATT&CK and Cyber Kill Chain), ISO/IEC 27035-1:2023 (principles and process) + ISO/IEC 27035-2:2023 (guidelines for incident response planning), and the SANS PICERL phases (Preparation, Identification, Containment, Eradication, Recovery, Lessons learned). It threads the Diamond Model and the MITRE Unified Kill Chain for adversary-narrative reconstruction, anchors detection engineering to MITRE ATT&CK v17 (2025-06-25), and treats three incident classes that the legacy IR literature predates: AI-class incidents (prompt-injection breach, model exfiltration, AI-API as C2 channel, AI-agent-initiated unauthorized action), AI-generated supply-chain compromise, and regulator-mandated notification under cross-jurisdiction clocks running in parallel.
70
70
 
71
71
  ---
72
72
 
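Review bot: the ATT&CK pin moves to "v17 (2025-06-25)". Please cite the release-notes source for that date in the commit message or the pin note later in this file; the text being replaced dated versions inconsistently (v15.1 "April 2025" while v16 was "October 2024"), so version dates in this file have a track record of being wrong and the new one should be verifiable.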
@@ -129,10 +129,10 @@ This skill is response-shaped — the TTPs below name the incident classes the p
129
129
  | **T1567** | Exfiltration Over Web Service | Exfiltration via legitimate web/SaaS services including AI-API | Identification: web-egress to anomalous services or anomalous-volume to legitimate services; for AI-API channel pair with `ai-c2-detection`. Containment: egress block of identified channel, AI-API key revocation, MCP-server scope reduction. Eradication: identify exfiltrated dataset, follow data-incident sub-playbook. Recovery: re-key + re-issue access. | AI-API exfiltration (sub-technique T1567.<sub-technique-id> pattern; ATLAS overlap with AML.T0017) typically blends with legitimate traffic — see `ai-c2-detection` for content-layer detection. |
130
130
  | **T1078** | Valid Accounts | Identity compromise as initial access | Identification: anomalous-sign-in UEBA, impossible-travel, MFA-fatigue patterns. Containment: account disable + session revocation + re-authentication for affected blast radius. Eradication: credential rotation, token revocation, OAuth-grant audit, AI-agent service-account rotation. Recovery: re-issue under zero-trust posture. Lessons: identity-control gap analysis. | Dominant initial-access vector mid-2026; coverage strong for human accounts, weak for AI-agent / service-account / OAuth-app identities. |
131
131
  | **AML.T0096** | LLM API as C2 | AI-API as command-and-control channel (SesameOp pattern) | Identification: see `ai-c2-detection` skill — content-layer detection at the AI API egress boundary, prompt-and-response correlation, anomalous AI-API usage shape. Containment: AI-API egress block or proxy-mediated allowlist. Eradication: identify the agent or workload abusing the channel. Recovery: re-issue AI-API keys under scoped least-privilege. | Detection coverage near-absent in legacy SOC stacks; the AI traffic shape is novel and signatures do not exist for most enterprise SIEMs. |
132
- | **AML.T0017** | ML Model Exfiltration | Model weights, training data, or system-prompt extraction | Identification: anomalous inference-API usage patterns (high-volume queries, structured probing, membership-inference signatures, repeated training-data extraction prompts). Containment: rate-limit + API-key revocation + IP block. Eradication: identify attacker access surface; assess data sensitivity. Recovery: re-key, consider model-rotation if proprietary weights are at risk; for training-data exfiltration consider differential-privacy retraining. | No standardized detection signatures; org must build custom telemetry over AI inference APIs. |
132
+ | **AML.T0017** | Discover ML Model Ontology | Adversary mapping of deployed model family, system-prompt structure, guardrails, and training-data signal — precursor to extraction and adversarial-input crafting | Identification: anomalous inference-API usage patterns (high-volume queries, structured probing, membership-inference signatures, repeated training-data extraction prompts). Containment: rate-limit + API-key revocation + IP block. Eradication: identify attacker access surface; assess what model-ontology data was exposed. Recovery: re-key, consider model-rotation if proprietary weights are at risk; for training-data exfiltration consider differential-privacy retraining. | No standardized detection signatures; org must build custom telemetry over AI inference APIs. |
133
133
  | **AML.T0051** | LLM Prompt Injection | Prompt-injection breach as incident trigger | Identification: AI-assistant or agentic-system anomalous action (unauthorized data access, anomalous tool invocation, identity-context confusion). Containment: revoke AI-system tool scopes, disable agent autonomy, isolate affected RAG corpus. Eradication: identify injection vector (web content, email signature, document metadata, RAG corpus poisoning) and remove. Recovery: re-deploy with hardened system prompt + tool-scoping per `mcp-agent-trust`. | Detection lags; most orgs discover the incident from downstream effect (unauthorized action) rather than detection at the prompt boundary. |
134
134
 
135
- ATLAS pinned to v5.1.0 (November 2025) per AGENTS.md rule #12. ATT&CK pinned to v15.1 (April 2025) per the same rule; ATT&CK v16 was released October 2024 with the v15-to-v16 ID migration not introducing breaking changes for the T-IDs cited above.
135
+ ATLAS pinned to v5.1.0 (November 2025) per AGENTS.md rule #8. ATT&CK pinned to v17 (2025-06-25) per the same rule; the v15-to-v17 ID migration does not introduce breaking changes for the T-IDs cited above.
136
136
 
137
137
  ---
138
138
 
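Review bot: redefining AML.T0017 as "Discover ML Model Ontology" leaves two inconsistencies in this table. The unchanged T1567 row above still says "ATLAS overlap with AML.T0017" for AI-API exfiltration, which matched the old "ML Model Exfiltration" name and is now a stale cross-reference. And the redefined row keeps exfiltration-era response steps in its Recovery column ("consider model-rotation if proprietary weights are at risk; for training-data exfiltration consider differential-privacy retraining"), which do not follow from ontology discovery; trim those to the ontology-exposure actions or keep a separate exfiltration row. The rule-number change (#12 to #8) in the pin note should be checked against AGENTS.md in the same commit.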
@@ -215,7 +215,7 @@ Apply containment matching the class. Common patterns:
215
215
  - **Data exfiltration (T1041 / T1567)**: egress block at the identified channel; certificate-pinned proxy enforcement; identify what was exfiltrated (scope determination drives notification scope).
216
216
  - **Identity compromise (T1078)**: account disable, session revocation, MFA re-enrollment, OAuth-grant audit; for service / AI-agent accounts, scope-reduce + rotate.
217
217
  - **AI-API C2 (AML.T0096)**: AI-API egress block or proxy-mediated allowlist; identify the workload abusing the channel; AI-API key revocation.
218
- - **Model exfiltration (AML.T0017)**: rate-limit the inference API; revoke the abusing API key; IP-block as supplemental; assess sensitivity of extracted data / weights.
218
+ - **Model ontology discovery (AML.T0017)**: rate-limit the inference API; revoke the abusing API key; IP-block as supplemental; assess what model-ontology data (system prompt, guardrail surface, model family signal) was exposed and tighten the inference-API rate + shape baseline before re-issue.
219
219
  - **Prompt-injection breach (AML.T0051)**: disable the affected agent autonomy or revoke its tool scopes; isolate the RAG corpus suspected as injection vector; capture the injected content for forensics.
220
220
  - **Supply-chain (T1195)**: identify affected component versions via SBOM; coordinate with vendor (hand off to `coordinated-vuln-disclosure` reverse-direction — receiving vendor advisory); VEX-driven inventory of affected workloads.
221
221
 
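Review bot: the rewritten AML.T0017 bullet ends with "tighten the inference-API rate + shape baseline before re-issue", which is a Recovery action, but this list is introduced as "Apply containment matching the class". Keep the containment bullet to rate-limit / revoke / IP-block / assess, and move the baseline tightening to the recovery section so the PICERL phase boundaries the skill is built on stay clean.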
@@ -41,8 +41,10 @@ cwe_refs:
41
41
  d3fend_refs:
42
42
  - D3-ASLR
43
43
  - D3-EAL
44
+ - D3-PA
44
45
  - D3-PHRA
45
46
  - D3-PSEP
47
+ - D3-SCP
46
48
  last_threat_review: "2026-05-13"
47
49
  ---
48
50
 
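Review bot: D3-PA and D3-SCP are added to `d3fend_refs` to back the new countermeasure table further down, which names `data/d3fend-catalog.json` as its source. Confirm that catalog has entries for both IDs (and that the validator in `lib/validate-indexes.js` checks frontmatter refs against it); otherwise the frontmatter will reference techniques the catalog cannot resolve.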
@@ -130,7 +132,7 @@ Note: ATLAS refs are intentionally empty in frontmatter — these are Linux kern
130
132
 
131
133
  | CVE | CVSS | RWEP | CISA KEV | PoC Public | AI-Discovered | Active Exploitation | Patch Available | Live Patch | Reboot Required |
132
134
  |---|---|---|---|---|---|---|---|---|---|
133
- | CVE-2026-31431 (Copy Fail) | 7.8 | 90 | Yes (2026-03-15) | Yes — 732-byte script | Yes | Confirmed | Yes | Yes (kpatch/livepatch/kGraft) | Yes |
135
+ | CVE-2026-31431 (Copy Fail) | 7.8 | 90 | Yes (2026-05-01, due 2026-05-15) | Yes — 732-byte script | Yes | Confirmed | Yes | Yes (kpatch/livepatch/kGraft) | Yes |
134
136
  | CVE-2026-43284 (Dirty Frag ESP) | 7.8 | 38 | No | Yes | No | Suspected | Yes | No (kpatch RHEL-only) | Yes |
135
137
  | CVE-2026-43500 (Dirty Frag RxRPC) | 7.6 | 81 | No | Yes (chain component) | No | Suspected | Yes | Partial (kpatch) | Yes if no live patch |
136
138
 
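Review bot: the KEV listing date for Copy Fail moves by six weeks (2026-03-15 to 2026-05-01) with a due date added. This is a factual correction, so the commit should say where the corrected date came from, and the old date should be grepped out of every other copy (`data/cve-catalog.json`, the exploit-scoring check prompts, `activity-feed.json`) rather than only the two occurrences in this file; a stale 2026-03-15 elsewhere would make the "days since listing" arithmetic in the check prompts wrong.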
@@ -234,7 +236,7 @@ Additional exposure: any IPsec-based network control becomes unreliable
234
236
 
235
237
  Run this check for any org claiming patch management compliance:
236
238
 
237
- > "Your patch management control (SI-2 / A.8.8 / PCI 6.3.3) documents a 30-day remediation window for Critical/High CVEs. CVE-2026-31431 (Copy Fail) is CISA KEV listed with a public 732-byte exploit script requiring no privileges. What is the actual time between CISA KEV listing (2026-03-15) and confirmed patch-or-mitigate? If it exceeds 72 hours without live patching as a deployed capability, the patch management control is theater for CISA KEV class vulnerabilities."
239
+ > "Your patch management control (SI-2 / A.8.8 / PCI 6.3.3) documents a 30-day remediation window for Critical/High CVEs. CVE-2026-31431 (Copy Fail) is CISA KEV listed with a public 732-byte exploit script requiring no privileges. What is the actual time between CISA KEV listing (2026-05-01, federal due 2026-05-15) and confirmed patch-or-mitigate? If it exceeds 72 hours without live patching as a deployed capability, the patch management control is theater for CISA KEV class vulnerabilities."
238
240
 
239
241
  ### Step 6: Assess IPsec dependency
240
242
 
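Review bot: the check now cites a 14-day federal due date (2026-05-01 to 2026-05-15) in the same sentence as the skill's own 72-hour threshold, and the two read as contradictory targets. State explicitly that 72 hours is the RWEP-driven standard this skill applies and that the federal due date is the outer bound, e.g. "If it exceeds 72 hours (the RWEP 90 standard; the federal due date is the outer bound) without live patching ...", so an auditor cannot answer "we met the federal date" and pass the check.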
@@ -312,6 +314,23 @@ vm.unprivileged_userfaultfd = 0
312
314
 
313
315
  ---
314
316
 
317
+ ## Defensive Countermeasure Mapping
318
+
319
+ Maps the kernel LPE findings above to MITRE D3FEND techniques with explicit defense-in-depth layer position, least-privilege scope, and zero-trust posture (per AGENTS.md Hard Rule #9). Source: `data/d3fend-catalog.json`.
320
+
321
+ | D3FEND Technique | Mapping | Defense-in-Depth Layer | Least-Privilege Scope | Zero-Trust Posture |
322
+ |---|---|---|---|---|
323
+ | **D3-PSEP** (Process Segment Execution Prevention) | Counters T1068 page-cache CoW write primitives (Copy Fail) and adjacent kernel write-where exploits by enforcing NX / W^X on user-mapped segments and rejecting writeable-and-executable kernel mappings. | Layer 1 (Harden — kernel build flags + runtime mitigations: SMEP, SMAP, KPTI, KRG). | Per-system — the entire kernel image is the principal scope. | Treat every userspace write to a kernel-shared mapping as untrusted until verified by an immutable mapping policy; auditd / eBPF rules emit a tamper signal on any anomalous write path. |
324
+ | **D3-ASLR** (Address Space Layout Randomization) | Raises the cost of reliable kernel LPE exploitation by randomising kernel base and module load addresses; Copy Fail is deterministic without an info-leak primitive, so KASLR alone is not sufficient but is the first-floor mitigation against the broader class. | Layer 1 (Harden). | Per-boot — randomisation applies system-wide each boot. | Combine with `kernel.kptr_restrict=2` (already in the sysctl block above) so unprivileged processes cannot read kernel pointers that would defeat KASLR. |
325
+ | **D3-EAL** (Executable Allowlisting) | Restricts which userspace executables can run on the host. A Copy Fail PoC is a 732-byte binary; allowlisting denies unauthorised execution of any binary not on the allowlist, raising the cost of post-exploit shell payloads even when the in-kernel write itself succeeds. | Layer 2 (Harden — execve gate). | Per-system / per-workload — fleet baselines (gold images) define the allowlist; SOC / EDR enforces it. | Verify the binary identity on every `execve`; reject on hash mismatch. AGENTS.md rule #9: in ephemeral / serverless contexts bake the allowlist into the function image at build-time. |
326
+ | **D3-PHRA** (Process Hardware Resource Access) | Constrains hardware-resource access from userspace (page table writes via `/proc/self/mem`, `userfaultfd`, `process_vm_writev`) that the Copy Fail PoC relies on. The sysctl hardening above (`vm.unprivileged_userfaultfd=0`, `kernel.unprivileged_userns_clone=0`) is the D3-PHRA enforcement layer. | Layer 1 (Isolate — kernel-syscall surface). | Per-process — capability set + namespace + seccomp filter define the syscall allowlist. | Default-deny: an unprivileged process gets the minimum syscall surface and is denied `userfaultfd`, `unshare(CLONE_NEWUSER)`, and `process_vm_writev` unless explicitly required. |
327
+ | **D3-SCP** (System Call Filtering) | Per-container / per-workload seccomp profile blocks the syscalls Copy Fail abuses (`userfaultfd`, `process_vm_writev`, `pwritev2`) without requiring kernel patch. For container-escape variants (T1611 — Copy Fail in a privileged container), this is the only viable runtime mitigation between KEV-listing and the next reboot window. | Layer 2 (Isolate — runtime syscall gate). | Per-container — runtime profile is the principal scope. | Define a default-deny seccomp baseline; the host kernel patch is necessary but seccomp is the per-workload extension that survives an unpatched kernel during the live-patch deployment window. |
328
+ | **D3-PA** (Process Analysis) | Detects post-exploit anomalies — root shell spawned by previously-unprivileged process, suid-binary creation, capability escalation — that follow a Copy Fail-class write. The auditd and Falco / Tetragon rules in the Detection Rules section above are the D3-PA enforcement layer. | Layer 5 (Detect). | Per-host — SOC / EDR ingest the audit stream. | Continuously evaluate process lineage; alert on uid transitions, capability gains, or suid mounts that don't appear in the baseline. |
329
+
330
+ **Defense-in-depth posture:** the live-patch is the closure; the five D3FEND techniques above are the layers that must remain active *during* the live-patch deployment window. A SOC claiming "we have EDR" is at one D3FEND layer (D3-PA) for a six-layer-deep finding — the harden / isolate / detect stack collapses to a detect-only posture, and a kernel-write primitive that succeeds before EDR fires is unrecoverable. Per AGENTS.md rule #9: in ephemeral / serverless contexts, D3-PSEP / D3-EAL / D3-SCP / D3-PHRA are configured at image build time; the host-kernel layer remains the CSP's responsibility for managed runtimes, with the consumer responsible for the guest-OS posture on IaaS workloads.
331
+
332
+ ---
333
+
315
334
  ## Hand-Off / Related Skills
316
335
 
317
336
  After producing the kernel LPE triage output, the operator should chain into the following skills. Each entry names a downstream or sibling skill and the specific reason to invoke it from this finding.
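Review bot: the D3-PHRA row lists `kernel.unprivileged_userns_clone=0` as part of the enforcement layer, but that sysctl is a Debian/Ubuntu-specific patch and is absent on upstream and RHEL-family kernels, so a baseline that sets it will silently fail to apply there; name the portable equivalent (`user.max_user_namespaces=0`) or mark the key as distro-specific in the row. The D3-EAL row also argues the allowlist in terms of a "732-byte binary" and an `execve` hash check, yet the OT and exception tables in this same diff call the PoC a "732-byte script"; if it runs through an already-allowlisted interpreter, an execve-level allowlist sees only the interpreter, so the row should either state that interpreter invocations are constrained too or soften the claim. Pick one of "binary" / "script" across the tables.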
@@ -87,25 +87,31 @@ There is no mandatory:
87
87
 
88
88
  This means: a malicious or compromised MCP server can execute arbitrary code by simply returning adversarial instructions in tool responses, which the AI model then follows.
89
89
 
90
- ### CVE-2026-30615 — Windsurf MCP Zero-Interaction RCE
90
+ ### CVE-2026-30615 — Windsurf MCP Local-Vector RCE
91
91
 
92
- **CVSS:** 9.8 | **RWEP:** 94/100
92
+ **CVSS:** 8.0 (AV:L, NVD-authoritative; corrected from initial 9.8/AV:N) | **RWEP:** 35/100
93
93
 
94
- A vulnerability in the Windsurf MCP client that allows a malicious MCP server to achieve remote code execution without any user interaction. The user does not click anything, approve anything, or trigger any visible action. The AI assistant autonomously calls the malicious tool and the code executes.
94
+ A vulnerability in the Windsurf MCP client that allows a malicious MCP server to drive code execution in the user's context by returning attacker-controlled HTML the client processes. The attack vector is local — the attacker must first land a malicious MCP server in the user's installed set (typosquatting, supply-chain compromise, or social engineering). Once installed, the AI assistant invokes the tool and follows the adversarial response without an additional user-action gate.
95
95
 
96
- **Affected:** Windsurf (all versions before patch), and by architectural similarity: Cursor, VS Code MCP extension, Claude Code, Gemini CLI (each has its own vulnerability profile; CVE-2026-30615 is specific to Windsurf's implementation but the attack surface is identical across clients).
96
+ **Affected:** Windsurf (all versions before patch), and by architectural similarity: Cursor, VS Code MCP extension, Claude Code, Gemini CLI (each has its own vulnerability profile; CVE-2026-30615 is specific to Windsurf's implementation but the architectural attack surface is identical across clients).
97
97
 
98
- **Scale:** 150M+ combined downloads across affected AI coding assistants.
98
+ **Scale:** 150M+ combined downloads across affected MCP-capable AI coding assistants.
99
99
 
100
100
  **Attack path:**
101
101
  1. Attacker publishes malicious MCP server to npm or creates a typosquatting package
102
102
  2. Developer installs the package (or a legitimate package is compromised via supply chain)
103
103
  3. AI assistant starts, connects to MCP server, receives tool list
104
104
  4. At any future point: AI assistant calls a tool on the malicious server (possibly triggered by a prompt injection in a code comment, PR description, or documentation)
105
- 5. MCP server returns a response containing adversarial instructions
105
+ 5. MCP server returns a response containing adversarial HTML / instructions the Windsurf client renders or relays back to the agent loop
106
106
  6. AI assistant follows the instructions — executes code, exfiltrates files, persists backdoor
107
107
 
108
- No user interaction required after installation.
108
+ The attack vector is local (AV:L): no network-side exploitation; the attacker's content must reach the client through the installed MCP server.
109
+
110
+ ### CVE-2026-39884 — mcp-server-kubernetes Argument Injection
111
+
112
+ **CVSS:** 8.3 (AV:N/AC:L/PR:L/UI:N) | Patched in mcp-server-kubernetes 3.5.0+
113
+
114
+ A second-order example of the MCP trust failure pattern. Flux159's mcp-server-kubernetes (a popular MCP server granting AI assistants `kubectl` control) built kubectl command lines by `.split(' ')`-ing a string instead of using an argv array. The `port_forward` tool's `resourceName` parameter therefore allowed an attacker who controlled prompt content (RAG-poisoned docs, commit messages, retrieved tool responses) to inject space-delimited kubectl flags — e.g. `resourceName='pod-name --address=0.0.0.0'` binds the port-forward to all interfaces, `-n kube-system` redirects to an attacker-chosen namespace. Upstream gates exploitation on PR-injection / RAG-poisoning rather than direct network reach, but once a tainted resourceName reaches the tool, the MCP server is the abuse channel for cluster-scope kubectl. This is exactly the AML.T0010 + adversarial-tool-input pattern the trust-tier model in Step 5 below classifies — apply tool allowlisting (drop `port_forward` until 3.5.0+) and argv-array auditing to any MCP server that shells out to a CLI.
109
115
 
110
116
  ### Supply Chain Attack Surface
111
117
 
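Review bot: the CVSS line for CVE-2026-39884 gives a truncated vector (`AV:N/AC:L/PR:L/UI:N`, no S/C/I/A metrics), which cannot be recomputed to the stated 8.3; either give the full vector string or show the score alone, as the CVE-2026-30615 entry above does. The same paragraph then says upstream "gates exploitation on PR-injection / RAG-poisoning rather than direct network reach", which sits awkwardly next to AV:N, so add one sentence saying which assessment the catalog treats as authoritative, mirroring the "NVD-authoritative" note used for CVE-2026-30615. Style: the new subsection lacks the **Affected:** / **Scale:** / **Attack path:** blocks the sibling entry uses, so the two CVEs read differently for no reason.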
@@ -143,11 +149,11 @@ Every MCP server listed in popular registries (MCP Hub, npm `@modelcontextprotoc
143
149
  | ATLAS/ATT&CK ID | Technique | MCP Relevance | Gap |
144
150
  |---|---|---|---|
145
151
  | AML.T0010 | ML Supply Chain Compromise | Direct: malicious MCP server in public registry compromises AI assistant's tool execution | ATLAS covers this conceptually; no framework has a technical control |
146
- | AML.T0054 | Craft Adversarial Data — NLP | Indirect: adversarial prompt in tool response triggers AI to call next malicious action | No framework control |
152
+ | AML.T0054 | LLM Jailbreak | Indirect: adversarial prompt in tool response bypasses guardrails and triggers AI to call next malicious action | No framework control |
147
153
  | AML.T0096 | LLM Integration Abuse | AI assistant is the integration point being abused — MCP tool calls are the mechanism | Not in ATT&CK; only in ATLAS v5.1.0 |
148
154
  | T1195.001 | Supply Chain Compromise: Compromise Software Dependencies | MCP server package as supply chain attack target | ATT&CK covers but enterprise controls don't reach developer MCP configs |
149
155
  | T1059 | Command and Script Interpreter | MCP server causes shell command execution via model-mediated tool call | Standard SI-3/EDR doesn't attribute this to the MCP server as origin |
150
- | T1190 | Exploit Public-Facing Application | CVE-2026-30615: MCP client vulnerability exploited by server | Standard vuln management covers client; MCP server trust is unaddressed |
156
+ | T1190 | Exploit Public-Facing Application | CVE-2026-30615: MCP client vulnerability driven by a locally-installed malicious server (AV:L) | Standard vuln management covers client; MCP server trust is unaddressed |
151
157
 
152
158
  ---
153
159
 
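Review bot: the T1190 row now describes CVE-2026-30615 as driven by a locally-installed malicious server (AV:L), which no longer fits T1190 (Exploit Public-Facing Application); T1203 (Exploitation for Client Execution) is the ATT&CK technique for a client compromised by content it processes from a malicious source, so either remap the row or keep T1190 with a parenthetical explaining why it is retained. The AML.T0054 rename to "LLM Jailbreak" matches the exceptions table elsewhere in this diff.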
@@ -157,7 +163,8 @@ Sourced from `data/cve-catalog.json` and `data/exploit-availability.json` as of
157
163
 
158
164
  | Threat | CVSS | RWEP | PoC Public? | CISA KEV? | AI-Accelerated Weaponization? | Patch Available? | Reboot / Version Bump Required? |
159
165
  |---|---|---|---|---|---|---|---|
160
- | CVE-2026-30615 (Windsurf MCP zero-interaction RCE) | 9.8 | 35 | Partial — conceptual exploit demonstrated; weaponization stage `partial` | No (architectural class; not in KEV catalog as of 2026-05) | No direct AI-assisted weaponization recorded; the attack vector itself rides on the AI agent's tool-call autonomy | Yes — vendor IDE update | IDE update / version bump required (no reboot); `live_patch_available: true` via vendor channel |
166
+ | CVE-2026-30615 (Windsurf MCP local-vector RCE) | 8.0 | 35 | Partial — conceptual exploit demonstrated; weaponization stage `partial` | No (architectural class; not in KEV catalog as of 2026-05) | No direct AI-assisted weaponization recorded; the attack vector itself rides on the AI agent's tool-call autonomy | Yes — vendor IDE update | IDE update / version bump required (no reboot); `live_patch_available: true` via vendor channel |
167
+ | CVE-2026-39884 (Flux159 mcp-server-kubernetes argument injection) | 8.3 | n/a | Yes — GHSA-4xqg-gf5c-ghwq publishes the PoC (port_forward `resourceName='pod --address=0.0.0.0'`) | No | No direct AI-assisted weaponization; the bug is reached by tricking the assistant via prompt injection in retrieved docs / commit messages into passing a tainted resourceName | Yes — upgrade mcp-server-kubernetes to 3.5.0+ (argv-array refactor); workaround: disable `port_forward` in MCP allowlist | Version bump on the MCP server side; no client reboot |
161
168
  | MCP supply chain compromise — typosquatting / dependency confusion (ATLAS AML.T0010) | N/A (technique, not vendor CVE) | N/A | Yes — public typosquatting incidents in `@modelcontextprotocol/*` namespace observed | No (technique class) | Yes — AI assistants accelerate writing of convincing malicious tool descriptions | Mitigation only: pin versions, verify npm provenance attestation, enforce allowlist | Re-install / pin to known-good version |
162
169
  | Adversarial tool response → indirect prompt injection (ATLAS AML.T0054 in MCP context) | N/A (technique, not vendor CVE) | N/A | Yes — public research demonstrations; weaponizable wherever output is unsanitized | No | Yes — adversarial instruction crafting is a documented AI-accelerated capability | Mitigation only: output sanitization, system-prompt authority hierarchy, tool allowlisting | Client configuration change; no version bump strictly required |
163
170
  | AML.T0096 — MCP tool call as covert C2 conduit | N/A (technique) | N/A | Yes — SesameOp-class techniques apply when an MCP tool call is the relay | No | Yes — see `data/atlas-ttps.json` AML.T0096 real-world instances | Mitigation only: process-level AI/MCP egress monitoring | Configuration / monitoring change |
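Review bot: the new CVE-2026-39884 row sets RWEP to `n/a`, but this table reserves N/A for rows marked "technique, not vendor CVE", and the other vendor CVE in the table carries a score; a vendor CVE with a published PoC should either get a RWEP from `data/exploit-availability.json` or say why none is assigned. The PoC cell also quotes `resourceName='pod --address=0.0.0.0'` while the CVE-2026-39884 paragraph earlier in this diff uses `'pod-name --address=0.0.0.0'`; use one sample value in both places.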
@@ -76,6 +76,7 @@ The defining realities for mid-2026:
76
76
  - **Training-data poisoning is documented operational practice, not academic exercise.** Hugging Face has executed periodic model and dataset takedowns through 2024-2026 for embedded backdoor weights and poisoned training corpora; the Mithril repository takedown in 2024 (embedded backdoor in distributed model weights) is the canonical public reference. Academic demonstrations of small-fraction targeted poisoning (BadNets, TrojanNN, BackdoorBench) show that <1% of training samples can achieve targeted misclassification at >90% attack success — this is the AML.T0020 class made concrete.
77
77
  - **Model weights are native binary artifacts that execute on load.** PyTorch `.pt` checkpoints in code-executing serialization (Python object-graph serialization) are CWE-502 deserialization vectors; periodic CVEs against PyTorch and TensorFlow demonstrate arbitrary code execution via crafted checkpoints (TorchServe deserialization issues, TensorFlow `SavedModel` deserialization, ONNX shape-inference parsers). GGUF format gaps are still maturing — parsing logic for quantized LLM weights has produced multiple memory-safety findings in 2025-2026. Hash-pinning a malicious blob does not prevent execution; only signature verification against a pinned publishing key (Sigstore keyless or OpenSSF model-signing) plus a non-executing format (safetensors) closes the class. See `supply-chain-integrity` for the artifact-layer treatment; this skill addresses the MLOps-pipeline integration.
78
78
  - **Deployment-pipeline compromise is a transitive supply chain.** The chain runs AI-codegen IDE (Copilot, Cursor, Claude Code) → notebook (Jupyter, Colab, Databricks) → training-run orchestrator (Kubeflow, Vertex, SageMaker) → model registry (MLflow Registry, SageMaker Model Registry, Vertex Model Registry, Hugging Face Hub) → deployment pipeline (KServe, SageMaker endpoint, Vertex endpoint, Azure ML online endpoint) → inference service. Each step is a handoff where provenance can be lost. AML.T0010 (ML Supply Chain Compromise) sub-techniques AML.T0010.001 (ML framework), AML.T0010.002 (model repository), and AML.T0010.003 (MCP server) are now all realized attack classes.
79
+ - **MAL-2026-3083 (Elementary-Data PyPI worm, 2026-04-24) is the operational case for the data-observability subclass of MLOps supply chain.** A GitHub Actions script-injection sink in `.github/workflows/update_pylon_issue.yml` — `${{ github.event.comment.body }}` interpolated directly into a `run:` shell script — let any commenter on any open PR forge a release. The attacker pushed an orphan commit (`b1e4b1f3aad0d489ab0e9208031c67402bbb8480`, still readable on GitHub) and the workflow built and published `elementary-data==0.23.3` to PyPI with an install-time `.pth` payload that exfiltrated env vars and credentials to a `skyhanni.cloud` subdomain. Window of live exposure: 2026-04-24 22:20Z → 2026-04-25 ~06:30Z (~8 hours). 1.1M monthly downloads in scope — anyone pip-installing elementary-data during the window inside a dbt analytics pipeline got hit. Cross-references: SNYK-PYTHON-ELEMENTARYDATA-16316110, kam193 campaign id `pypi/2026-04-compr-elementary-data`. Implication for MLOps: data-observability tooling sits *inside* the training-data lineage path — a poisoned elementary-data release that ran during a feature-engineering pipeline puts attacker code in front of every training dataset the pipeline ingested. Mitigation: per-package install audit-log review for `.pth`-file installation, `pip install --require-hashes`, `safety check` / `pip-audit` against the OSSF Malicious Packages dataset (which is where MAL-2026-3083's primary key resolves).
79
80
  - **Drift detection often only watches accuracy on labeled holdout sets, missing semantic-drift caused by silent input distribution shift or active adversarial probing.** Most production drift dashboards (Evidently, Arize, Fiddler, WhyLabs) instrument data-quality and accuracy regression but stop short of adversarial-input detection or output anomaly profiling. AML.T0043 (Craft Adversarial Data) is the class missed.
80
81
  - **Experiment-tracking systems are credential goldmines.** MLflow tracking servers, Weights & Biases workspaces, and Vertex Experiments routinely contain API keys, dataset access tokens, and customer-data sample rows in run artifacts. Public CVEs against MLflow (path-traversal, SSRF, authentication bypass — CVE-2023-43472 class and follow-ons through 2024-2025) demonstrate this is not theoretical. Model registries without RBAC are de-facto unauthenticated.
81
82
  - **The feedback loop is a poisoning vector.** Production models that retrain on human feedback, click-through data, or LLM-as-judge labels close the loop adversaries already exploit: AML.T0043 (Craft Adversarial Data) → feedback collection → retrain → poisoned model in production. The defense is provenance on every retrain plus statistical detection of feedback distribution shift.
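Review bot: the mitigation list at the end of the MAL-2026-3083 bullet leads with `pip install --require-hashes`, but hash pinning only protects consumers whose lockfile predates the malicious release; anyone who resolved and pinned `elementary-data==0.23.3` inside the eight-hour window pinned the malicious hash, so pair it with a minimum release age before adoption or with malicious-package scanning at lock time. The bullet names the producer-side root cause (`${{ github.event.comment.body }}` interpolated into a `run:` step) but lists only consumer-side mitigations; the matching control is to pass event context through `env:` and reference it as a quoted shell variable, which is worth one sentence since readers of this skill also maintain pipelines.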
@@ -118,7 +119,7 @@ Descriptions sourced from `data/atlas-ttps.json` (ATLAS v5.1.0, released 2025-11
118
119
  | AML.T0018 | Manipulate AI Model (sub-techniques: Poison Training Data, Trojan Model via direct weight manipulation, Federated Learning Poisoning) | Training pipeline and post-training tampering — adversary modifies weights either through poisoned training data persisted into weights or through direct binary edit of an unsigned checkpoint | No framework requires model-weight signature verification at registry write and at deployment read; CWE-502 deserialization risk on `.pt` / `SavedModel` is unmapped to compliance control |
119
120
  | AML.T0020 | Poison Training Data (sub-techniques: Inject at Scale, Craft Targeted, RAG Knowledge Base Poisoning) | Data ingestion → feature store → training. Adversary contaminates training corpus to embed targeted misbehavior. Sub-technique AML.T0020.002 is RAG-side (see `rag-pipeline-security`); AML.T0020.000 / 001 are MLOps-side. | No framework requires training-data lineage attestation, source signing, or poisoning-detection scanning at ingestion. EU AI Act Art. 10 requires data-governance documentation but not cryptographic attestation. |
120
121
  | AML.T0043 | Craft Adversarial Data (White-Box, Black-Box, Physical) | Inference serving and feedback loop — adversary crafts inputs to either cause misclassification at inference time or to poison the feedback corpus when feedback is logged for retraining | No framework requires adversarial-robustness testing for deployed models or adversarial-input detection at the serving layer; AI RMF MEASURE-2.5 recommends but does not require |
121
- | AML.T0017 | Discover ML Model Family / Ontology (Probe, Extract System Prompt, Map Filters) | Model registry exposure — adversary maps deployed model family, extracts metadata, infers training corpus, harvests prompts and guardrails | No framework requires model-registry RBAC at the granularity needed (per-project read scoping, signed registry queries, audit of model-extraction-pattern queries) |
122
+ | AML.T0017 | Discover ML Model Ontology (Probe, Extract System Prompt, Map Filters) | Model registry exposure — adversary maps deployed model family, extracts metadata, infers training corpus, harvests prompts and guardrails | No framework requires model-registry RBAC at the granularity needed (per-project read scoping, signed registry queries, audit of model-extraction-pattern queries) |
122
123
  | T1195.001 | Supply Chain Compromise: Software Dependencies and Development Tools | Training pipeline dependency chain — Python wheels, CUDA drivers, ML framework versions, notebook kernels | SCA detects known-vulnerable; XZ-class novel compromise is not detectable without SLSA L3 + reproducible builds for the training environment |
123
124
  | T1565 | Data Manipulation (Stored, Transmitted, Runtime) | Cross-cuts every MLOps stage — manipulation of stored training data, transmitted features to inference, or runtime model state | SI-7 maps to traditional file/firmware integrity; extending to feature-store payload integrity and embedding-space integrity is not in current control |
124
125
 
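Review bot: the AML.T0017 technique name drops "Model Family", but the MCP Relevance cell on the same row still opens with "adversary maps deployed model family"; if the rename tracks the current ATLAS name, adjust the description wording in the same row so the two do not disagree.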
@@ -114,7 +114,7 @@ ATT&CK for ICS is a separate matrix from Enterprise. Many IT-rooted SOCs do not
114
114
 
115
115
  | Surface / CVE Class | CVSS | RWEP | CISA KEV | PoC Public | AI-Discovered | Active Exploitation | Patch Available | Live-Patchable | OT-Aware Detection |
116
116
  |---|---|---|---|---|---|---|---|---|---|
117
- | IT/OT bridge — HMI Linux host hit by Copy Fail (CVE-2026-31431) | 7.8 | 90 | Yes (2026-03-15) | Yes — 732-byte script | Yes | Confirmed | Yes | Yes (kpatch/livepatch/kGraft) on supported distros; rare in OT brownfield | Partial — auditd/eBPF rules apply if deployable on HMI host |
117
+ | IT/OT bridge — HMI Linux host hit by Copy Fail (CVE-2026-31431) | 7.8 | 90 | Yes (2026-05-01, due 2026-05-15) | Yes — 732-byte script | Yes | Confirmed | Yes | Yes (kpatch/livepatch/kGraft) on supported distros; rare in OT brownfield | Partial — auditd/eBPF rules apply if deployable on HMI host |
118
118
  | IT/OT bridge — HMI Windows host LPE (Print Spooler / win32k family) | varies | varies | Some entries KEV-listed | Yes | Mixed | Confirmed | Yes for in-support; out-of-support HMIs are exposed permanently | No — Windows live-patch is limited to Hotpatch on supported builds | EDR if deployable; many OT EDR carve-outs |
119
119
  | Vendor-side OT CVEs (Siemens, Rockwell, Schneider, ABB, GE Vernova) | varies | varies | Several KEV listings 2024–2026 | Mixed — vendor disclosures only sometimes accompanied by PoC | Increasing AI-assisted RE | Targeted exploitation by Sandworm-aligned and Volt-Typhoon-aligned actors | Vendor-dependent — typical lag 60–180 days; deploy lag 1–5 years | No — firmware updates require change windows | ICS-aware IDS (Claroty, Nozomi, Dragos, Tenable OT) detection signature lag varies |
120
120
  | AI-HMI prompt injection (no CVE-class yet) | n/a | risk-modelled, not CVSS | n/a | Demonstrated in research and 2025 incident-response engagements | n/a (vector is the AI conduit itself) | Suspected in 2025 advanced campaigns | Mitigation only — design-time controls on the AI integration | n/a | Requires LLM-aware telemetry — almost never present |
@@ -87,7 +87,7 @@ A granted exception does not remove the threat — it shifts the burden onto com
87
87
  | Exception | Residual TTPs the exception must still address | Compensating coverage requirement |
88
88
  |---|---|---|
89
89
  | Exception 1 — Ephemeral Infrastructure Asset Inventory | T1525 (Implant Internal Image), T1610 (Deploy Container), T1611 (Escape to Host), T1078.004 (Valid Cloud Accounts) | Image scanning in CI, IaC drift detection, cloud-asset-inventory API alerts on resources not in IaC registry |
90
- | Exception 2 — AI Pipeline Change Management | AML.T0020 (Poison Training Data), AML.T0018 (Backdoor ML Model), AML.T0051 (LLM Prompt Injection — emergent behavior on model upgrade), AML.T0054 (Craft Adversarial Data — NLP) | Behavioral regression test suite, model version pinning, model fingerprinting on canonical prompts, provider changelog review |
90
+ | Exception 2 — AI Pipeline Change Management | AML.T0020 (Poison Training Data), AML.T0018 (Backdoor ML Model), AML.T0051 (LLM Prompt Injection — emergent behavior on model upgrade), AML.T0054 (LLM Jailbreak) | Behavioral regression test suite, model version pinning, model fingerprinting on canonical prompts, provider changelog review |
91
91
  | Exception 3 — Zero Trust Architecture Network Segmentation | T1021 (Remote Services), T1570 (Lateral Tool Transfer), T1078 (Valid Accounts), T1199 (Trusted Relationship) | Workload identity (SPIFFE/SPIRE), per-request mTLS, device-posture verification, east-west behavioral analytics |
92
92
  | Exception 4 — Critical Systems No-Reboot Kernel Patching | T1068 (Exploitation for Privilege Escalation — Copy Fail class), T1548.001 (Setuid and Setgid), T1611 (Escape to Host) | Live kernel patch deployed and verified (`kpatch list` / `canonical-livepatch status`), eBPF/auditd exploitation-pattern rules, network-layer isolation if no live patch available, scheduled reboot window |
93
93
 
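Review bot: Exception 2 still labels AML.T0018 "Backdoor ML Model" while the MLOps ATLAS table in this same diff labels AML.T0018 "Manipulate AI Model"; since this hunk is already aligning AML.T0054 with its current ATLAS name, align AML.T0018 in the same pass so the two tables agree.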
@@ -103,8 +103,8 @@ For each residual TTP an exception leaves in scope, the compensating control bun
103
103
  |---|---|---|---|---|---|---|---|---|
104
104
  | T1068 (Privilege Escalation — Copy Fail class) | CVE-2026-31431 | High | Critical | Yes | Yes (732 bytes, deterministic) | Yes | Yes (kpatch/livepatch) | Live patch within 4 hours OR network isolation — anything weaker is non-defensible |
105
105
  | T1190 (Exploit Public-Facing Application — IPsec subsystem) | CVE-2026-43284 (Dirty Frag) | High | High | Pending | Partial | No | Limited | eBPF kernel-text integrity monitoring + maintenance-window reboot SLA |
106
- | AML.T0051 (LLM Prompt Injection — emergent on model upgrade) | CVE-2025-53773 | 9.6 | High | No | Yes | Yes | N/A | Behavioral regression suite + system-prompt hardening + tool allowlist |
107
- | AML.T0010 (ML Supply Chain Compromise — MCP) | CVE-2026-30615 | 9.8 | Critical | No | Partial | No | N/A | MCP server allowlist + signed-manifest enforcement + per-server auth |
106
+ | AML.T0051 (LLM Prompt Injection — emergent on model upgrade) | CVE-2025-53773 (Copilot YOLO-mode RCE) | 7.8 (AV:L) | 30 | No | Yes | Yes | Yes (SaaS push / IDE update) | Behavioral regression suite + system-prompt hardening + tool allowlist |
107
+ | AML.T0010 (ML Supply Chain Compromise — MCP) | CVE-2026-30615 (Windsurf MCP local-vector RCE) | 8.0 (AV:L) | 35 | No | Partial | No | Yes (IDE update) | MCP server allowlist + signed-manifest enforcement + per-server auth |
108
108
  | T1525 / T1610 (Implant Internal Image / Deploy Container) | Image-supply-chain class | Varies | High | N/A | Operational | Yes | N/A (image rebuild) | CI image scanning gate at CVSS ≥ 7.0, SBOM per image, image-registry signing |
109
109
 
110
110
  An exception that names a residual TTP without a compensating-control bundle of equal or greater RWEP-justified strength is theater. The compliance-theater skill's universal test (demand the bypassing TTP for any claimed compensating control) should be run against the bundle before the exception is approved.
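Review bot: the two rewritten rows change the meaning of columns three and four. The unchanged T1068 and T1190 rows carry a qualitative pair (`High | Critical`, `High | High`), while the new AML.T0051 and AML.T0010 rows put a CVSS score with vector (`7.8 (AV:L)`, `8.0 (AV:L)`) in column three and a bare RWEP number (`30`, `35`) in column four. Either convert every row to the CVSS / RWEP pair (header included) or keep the qualitative scale and move the numbers into the CVE cell. Column eight also shifts sense: `N/A` became `Yes (SaaS push / IDE update)`, which answers "patch available", whereas the T1068 row's `Yes (kpatch/livepatch)` in that column answers "live-patchable".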
@@ -137,7 +137,7 @@ This skill addresses a **future-state attack class** that is not yet represented
137
137
  |---|---|---|
138
138
  | MITRE ATT&CK T1557 (Adversary-in-the-Middle) | Partial — operational family | T1557 covers AitM credential capture and traffic interception. The capture half of HNDL falls into T1557 operationally; the later decrypt phase has no ATT&CK technique. |
139
139
  | MITRE ATT&CK T1040 (Network Sniffing) | Partial — capture phase | Covers passive traffic capture. Does not cover the strategic-archive intent of HNDL, where the captured data has no immediate use and is stored for future decryption. |
140
- | MITRE ATT&CK — "Cryptanalysis via CRQC" | **MISSING** | No technique presently captures CRQC-enabled decryption of previously-captured ciphertext. Known gap in ATT&CK v15. |
140
+ | MITRE ATT&CK — "Cryptanalysis via CRQC" | **MISSING** | No technique presently captures CRQC-enabled decryption of previously-captured ciphertext. Known gap through ATT&CK v17 (2025-06-25). |
141
141
  | MITRE ATLAS | **MISSING (out of scope)** | ATLAS scope is ML/AI system attacks. CRQC cryptanalysis is not in ATLAS scope. |
142
142
  | CAPEC-114 (Authentication Abuse) | Indirect | Forged signatures via broken signature scheme would manifest as authentication abuse, but CAPEC does not enumerate "signature scheme broken by CRQC" as a precondition. |
143
143
  | CAPEC-475 (Signature Spoofing by Improper Validation) | Indirect | Same — the post-CRQC equivalent has no CAPEC entry. |
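Review bot: the "Known gap through ATT&CK v17 (2025-06-25)" cell pins the gap to a mid-2025 release, while the rest of this diff is framed for mid-2026 and the MCP table cites ATLAS v5.1.0 (released 2025-11) as its baseline; state the gap against the most recent ATT&CK release actually checked and verify the version/date pair against MITRE's release notes, so the row does not read as stale next to the ATLAS reference.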