@blamejs/exceptd-skills 0.12.11 → 0.12.15
- package/CHANGELOG.md +243 -0
- package/bin/exceptd.js +299 -48
- package/data/_indexes/_meta.json +49 -48
- package/data/_indexes/activity-feed.json +13 -5
- package/data/_indexes/catalog-summaries.json +51 -29
- package/data/_indexes/chains.json +3238 -3210
- package/data/_indexes/frequency.json +3 -0
- package/data/_indexes/jurisdiction-map.json +5 -3
- package/data/_indexes/section-offsets.json +712 -685
- package/data/_indexes/theater-fingerprints.json +1 -1
- package/data/_indexes/token-budget.json +355 -340
- package/data/atlas-ttps.json +144 -129
- package/data/attack-techniques.json +339 -0
- package/data/cve-catalog.json +515 -475
- package/data/cwe-catalog.json +1081 -759
- package/data/exploit-availability.json +63 -15
- package/data/framework-control-gaps.json +867 -843
- package/data/rfc-references.json +276 -276
- package/keys/EXPECTED_FINGERPRINT +1 -0
- package/lib/auto-discovery.js +21 -4
- package/lib/cross-ref-api.js +39 -6
- package/lib/cve-curation.js +505 -47
- package/lib/lint-skills.js +217 -15
- package/lib/playbook-runner.js +1224 -183
- package/lib/prefetch.js +121 -8
- package/lib/refresh-external.js +261 -95
- package/lib/refresh-network.js +208 -18
- package/lib/schemas/manifest.schema.json +16 -0
- package/lib/scoring.js +83 -7
- package/lib/sign.js +112 -3
- package/lib/source-ghsa.js +219 -37
- package/lib/source-osv.js +381 -122
- package/lib/validate-catalog-meta.js +64 -9
- package/lib/validate-cve-catalog.js +213 -7
- package/lib/validate-indexes.js +88 -37
- package/lib/validate-playbooks.js +469 -0
- package/lib/verify.js +313 -16
- package/manifest-snapshot.json +1 -1
- package/manifest-snapshot.sha256 +1 -0
- package/manifest.json +73 -73
- package/orchestrator/dispatcher.js +21 -1
- package/orchestrator/event-bus.js +52 -8
- package/orchestrator/index.js +279 -20
- package/orchestrator/pipeline.js +63 -2
- package/orchestrator/scanner.js +32 -10
- package/orchestrator/scheduler.js +196 -20
- package/package.json +3 -1
- package/sbom.cdx.json +9 -9
- package/scripts/check-manifest-snapshot.js +32 -0
- package/scripts/check-sbom-currency.js +65 -3
- package/scripts/check-test-coverage.js +142 -19
- package/scripts/predeploy.js +110 -40
- package/scripts/refresh-manifest-snapshot.js +55 -4
- package/scripts/validate-vendor-online.js +169 -0
- package/scripts/verify-shipped-tarball.js +106 -3
- package/skills/ai-attack-surface/skill.md +18 -10
- package/skills/ai-c2-detection/skill.md +7 -2
- package/skills/ai-risk-management/skill.md +5 -4
- package/skills/api-security/skill.md +3 -3
- package/skills/attack-surface-pentest/skill.md +5 -5
- package/skills/cloud-security/skill.md +1 -1
- package/skills/compliance-theater/skill.md +8 -8
- package/skills/container-runtime-security/skill.md +1 -1
- package/skills/dlp-gap-analysis/skill.md +5 -1
- package/skills/email-security-anti-phishing/skill.md +1 -1
- package/skills/exploit-scoring/skill.md +18 -18
- package/skills/framework-gap-analysis/skill.md +6 -6
- package/skills/global-grc/skill.md +3 -2
- package/skills/identity-assurance/skill.md +2 -2
- package/skills/incident-response-playbook/skill.md +4 -4
- package/skills/kernel-lpe-triage/skill.md +21 -2
- package/skills/mcp-agent-trust/skill.md +17 -10
- package/skills/mlops-security/skill.md +2 -1
- package/skills/ot-ics-security/skill.md +1 -1
- package/skills/policy-exception-gen/skill.md +3 -3
- package/skills/pqc-first/skill.md +1 -1
- package/skills/rag-pipeline-security/skill.md +7 -3
- package/skills/researcher/skill.md +20 -3
- package/skills/sector-energy/skill.md +1 -1
- package/skills/sector-federal-government/skill.md +1 -1
- package/skills/sector-financial/skill.md +3 -3
- package/skills/sector-healthcare/skill.md +2 -2
- package/skills/security-maturity-tiers/skill.md +7 -7
- package/skills/skill-update-loop/skill.md +19 -3
- package/skills/supply-chain-integrity/skill.md +1 -1
- package/skills/threat-model-currency/skill.md +11 -11
- package/skills/threat-modeling-methodology/skill.md +3 -3
- package/skills/webapp-security/skill.md +1 -1
- package/skills/zeroday-gap-learn/skill.md +51 -7
- package/vendor/blamejs/_PROVENANCE.json +4 -1
- package/vendor/blamejs/worker-pool.js +38 -0
|
@@ -159,7 +159,7 @@ This attack requires:
|
|
|
159
159
|
- Behavioral monitoring: alert if the LLM references retrieved content in ways that suggest it's following instructions from that content rather than answering the user's query
|
|
160
160
|
- Content sanitization: strip or flag instruction-pattern text from documents during chunking
|
|
161
161
|
|
|
162
|
-
**ATLAS ref:** AML.T0051 (LLM Prompt Injection), AML.T0054 (
|
|
162
|
+
**ATLAS ref:** AML.T0051 (LLM Prompt Injection), AML.T0054 (LLM Jailbreak)
|
|
163
163
|
|
|
164
164
|
---
|
|
165
165
|
|
|
@@ -200,11 +200,15 @@ Descriptions sourced verbatim from `data/atlas-ttps.json` (ATLAS v5.1.0, release
|
|
|
200
200
|
|---|---|---|---|---|---|
|
|
201
201
|
| AML.T0020 — Vector store / RAG knowledge base poisoning | Yes — public research demonstrations and ATLAS-documented production incidents of poisoned-document injection causing redirected retrieval and attacker-controlled outputs | No (technique class, not vendor CVE) | Yes — adversary use of LLMs to craft adversarial-instruction documents at scale (AML.T0016, PROMPTFLUX class) | No vendor patch — mitigation is architectural: signed ingestion, content scanning at ingest, provenance tracking, embedding-space integrity monitoring | Configuration / pipeline change; no version bump applies |
|
|
202
202
|
| AML.T0043 — Embedding-manipulation exfiltration | Yes — published academic demonstrations of crafted queries landing near sensitive-document embeddings; observed in red-team engagements through 2025-2026 | No | Yes — automated query-crafting against an embedding model is itself an AI-accelerated capability | No vendor patch — mitigation is architectural: classification-aware vector namespaces, retrieval audit logging, output exfiltration scanning | Pipeline reconfiguration |
|
|
203
|
-
| AML.T0051 (and AML.T0051.001 — Indirect Prompt Injection) | Yes — extensively demonstrated; CVE-2025-53773 (GitHub Copilot
|
|
203
|
+
| AML.T0051 (and AML.T0051.001 — Indirect Prompt Injection) | Yes — extensively demonstrated; CVE-2025-53773 (GitHub Copilot YOLO-mode RCE, CVSS 7.8 / AV:L) is the direct-injection sibling case where prompt content in any agent-readable source coerces `chat.tools.autoApprove: true`; the RAG-indirect variant has equivalent demonstration evidence where the malicious instructions sit in retrieved corpus documents instead | No | Yes — AI tooling crafts injection payloads; AML.T0016 documents adversary AI capability development | No vendor patch for the architectural class — vendor-side patches (GitHub Copilot fix in 2025-08 Patch Tuesday; Visual Studio 2022 17.14.12) close the specific YOLO-mode path; mitigation for the broader RAG-indirect variant is architectural: treat retrieved content as untrusted data, system-prompt authority hierarchy, behavioral monitoring of LLM tool-use following retrieval | Configuration / system-prompt change |
|
|
204
204
|
| AML.T0054 — RAG retrieval filter bypass via adversarial query crafting | Yes — public research demonstrations of post-similarity filter application enabling cross-namespace retrieval | No | Yes — query crafting is automatable and accelerated by LLM-assisted prompt synthesis | No vendor patch — mitigation is architectural: pre-similarity filter application, cryptographic namespace enforcement, never construct ACL decisions from query content | Pipeline reconfiguration |
|
|
205
205
|
| T1565 — Data Manipulation (ATT&CK; cross-cuts RAG attack classes) | Yes — extensive public demonstration across the five RAG attack classes | No | Yes — AI accelerates content generation for poisoning at scale | No vendor patch — covered by ATLAS-mapped mitigations above | Pipeline-level controls |
|
|
206
206
|
|
|
207
|
-
**Interpretation:** Because there is no vendor CVE to patch, RAG security posture is determined by the presence or absence of architectural controls (ingestion access control, classification-aware namespaces, pre-similarity filtering, output monitoring). The lack of CVE catalog coverage is itself a finding: enterprise vulnerability management programs scoped to CVE feeds will not surface RAG-specific risk.
|
|
207
|
+
**Interpretation:** Because there is no vendor CVE to patch for the *architectural* RAG attack classes above, RAG security posture is determined by the presence or absence of architectural controls (ingestion access control, classification-aware namespaces, pre-similarity filtering, output monitoring). The lack of CVE catalog coverage is itself a finding: enterprise vulnerability management programs scoped to CVE feeds will not surface RAG-specific risk.
|
|
208
|
+
|
|
209
|
+
### Adjacent CVE — LLM-Gateway Credential Compromise
|
|
210
|
+
|
|
211
|
+
The *infrastructure* that fronts a RAG pipeline does have shipped CVEs. **CVE-2026-42208** — BerriAI LiteLLM Proxy authorization-header SQL injection (CVSS 9.8 / CVSS v4 9.3 / CISA KEV-listed 2026-05-08, federal due 2026-05-29; in-wild exploitation confirmed). LiteLLM is the open-source LLM-API gateway commonly deployed as the model-provider abstraction in front of a RAG retrieval-then-generation pipeline. The proxy concatenated an attacker-controlled `Authorization` header value into a SQL query in the error-logging path, so a curl-able POST to `/chat/completions` with a SQL-injection payload returned the managed-credentials DB content without prior auth. Patched in 1.83.7+; temporary workaround `general_settings: disable_error_logs: true`. Operational consequence for RAG pipelines: a compromised LiteLLM gateway hands the adversary every downstream model-provider credential plus the per-tenant routing config — every retrieval / generation request after compromise routes through attacker-known credentials, which is the underlying credential layer for every architectural defence above. Any RAG threat model that treats "the LLM gateway is just a proxy" misses that the gateway is the credential boundary for the entire pipeline.
|
|
208
212
|
|
|
209
213
|
---
|
|
210
214
|
|
|
@@ -49,7 +49,7 @@ Most security teams in mid-2026 sit on a torrent of raw threat input: CISA KEV a
|
|
|
49
49
|
The researcher skill sits between raw input and the specialized analytical skills. It is not itself analysis — it is dispatch. Concrete examples from the project's catalogs:
|
|
50
50
|
|
|
51
51
|
- **CVE-2026-31431 (Copy Fail) drops.** Operator asks: "what should I do about CVE-2026-31431?" Researcher surfaces from `data/cve-catalog.json`: CISA KEV listed, AI-discovered, 732 bytes, deterministic (no race condition), blast radius = all Linux ≥ 4.14, live-patch available, RWEP 90, CVSS 7.8. Routes to `kernel-lpe-triage`. Flags that the standard 30-day SI-2 window is structurally inadequate — live-patch within 4 hours.
|
|
52
|
-
- **CVE-2026-30615 (Windsurf MCP,
|
|
52
|
+
- **CVE-2026-30615 (Windsurf MCP, local-vector RCE, CVSS 8.0 / AV:L / RWEP 35).** Operator asks: "new MCP CVE, where do I start?" Researcher cross-joins to ATLAS AML.T0010 (ML supply chain compromise) and AML.T0096 (LLM integration abuse), surfaces 150M+ combined downloads across MCP-capable assistants, routes primary to `mcp-agent-trust` and secondary to `ai-attack-surface`. Flags the v0.12.9 catalog correction: NVD-authoritative CVSS is 8.0 / AV:L (local-vector), not the initially-cataloged 9.8 / AV:N.
|
|
53
53
|
- **SesameOp campaign report.** Operator asks: "we are seeing strange Azure OpenAI calls from a finance host — is this anything?" Researcher recognizes the AI-as-C2 pattern from `data/zeroday-lessons.json`, maps to AML.T0096, routes to `ai-c2-detection`.
|
|
54
54
|
- **NIST 800-53 Rev. 6 draft published.** Operator asks: "does our gap analysis change?" Researcher routes to `skill-update-loop` for currency review, then to `framework-gap-analysis` for the specific control deltas.
|
|
55
55
|
|
|
@@ -84,10 +84,11 @@ This is a routing skill. The TTP coverage of any specific output equals the TTP
|
|
|
84
84
|
| ATLAS / ATT&CK Class | Researcher Routes To |
|
|
85
85
|
|---|---|
|
|
86
86
|
| AML.T0010 (ML Supply Chain Compromise) | `mcp-agent-trust`, `ai-attack-surface` |
|
|
87
|
-
| AML.
|
|
87
|
+
| AML.T0016 (Obtain Capabilities: Develop Capabilities — AI-assisted) | `ai-attack-surface`, `kernel-lpe-triage`, `exploit-scoring` |
|
|
88
|
+
| AML.T0017 (Discover ML Model Ontology) | `ai-attack-surface`, `mlops-security`, `api-security` |
|
|
88
89
|
| AML.T0018 (Backdoor ML Model) | `ai-attack-surface` |
|
|
89
90
|
| AML.T0020 (Poison Training Data) | `ai-attack-surface`, `rag-pipeline-security` |
|
|
90
|
-
| AML.T0043 / AML.T0054 (
|
|
91
|
+
| AML.T0043 (Craft Adversarial Data) / AML.T0054 (LLM Jailbreak) | `ai-attack-surface`, `rag-pipeline-security` |
|
|
91
92
|
| AML.T0051 (LLM Prompt Injection) | `ai-attack-surface`, `mcp-agent-trust` |
|
|
92
93
|
| AML.T0096 (LLM Integration Abuse — C2) | `ai-c2-detection` |
|
|
93
94
|
| ATT&CK T1068 / T1548.001 (Privilege Escalation) | `kernel-lpe-triage` |
|
|
@@ -303,6 +304,22 @@ The report fits on one page when rendered. Anything longer belongs in the downst
|
|
|
303
304
|
|
|
304
305
|
---
|
|
305
306
|
|
|
307
|
+
## Defensive Countermeasure Mapping
|
|
308
|
+
|
|
309
|
+
The researcher skill is dispatch, not analysis — but every dispatched finding lands in a downstream skill where a defensive countermeasure must be selected. The mapping below names the D3FEND techniques the researcher recommends the downstream skill include in its output. Each entry pulls from `data/d3fend-catalog.json`.
|
|
310
|
+
|
|
311
|
+
| D3FEND Technique | Researcher Trigger | Defense-in-Depth Layer | Rationale |
|
|
312
|
+
|---|---|---|---|
|
|
313
|
+
| **D3-IOPR** (Input/Output Profiling Resource) | Input is a CVE / advisory describing AI-API surface, RAG retrieval, MCP tool response, or prompt-injection path. | Detect | Per-call inspection of model inputs and outputs is the foundational signal for prompt-injection class findings the researcher routes to `ai-attack-surface` or `rag-pipeline-security`. Without IOPR baseline, downstream skills have no source for their detection rules. |
|
|
314
|
+
| **D3-NTA** (Network Traffic Analysis) | Input is an AI-API anomaly, SesameOp-class C2 narrative, or any AML.T0096 reference. | Detect | The egress baseline the dispatcher recommends `ai-c2-detection` build first. Per-identity model-API and MCP-server egress profiling is the prerequisite for every downstream AI-as-C2 finding. |
|
|
315
|
+
| **D3-CAA** (Credential Access Auditing) | Input mentions an MCP server, OAuth-flow CVE, agent bearer-token reuse, or AML.T0010 supply chain. | Detect | The post-hoc evidence stream when the dispatcher routes to `mcp-agent-trust`, `identity-assurance`, or `supply-chain-integrity`. Without CAA, the downstream skill cannot reconstruct what a compromised credential touched. |
|
|
316
|
+
| **D3-EHB** (Executable Hash-based Allowlist) | Input is a supply-chain CVE / advisory (npm worm, PyPI malware, model-registry compromise). | Harden | Hash-pinning is the canonical counter to the AML.T0010 / T1195.001 pattern across `supply-chain-integrity`, `mcp-agent-trust`, and `mlops-security`. The dispatcher names it so the downstream skill does not re-derive the harden layer from first principles. |
|
|
317
|
+
| **D3-PA** (Process Analysis) | Input is a kernel LPE, container-escape, or post-exploitation narrative. | Detect | The auditd / eBPF / EDR layer that `kernel-lpe-triage`, `container-runtime-security`, and `incident-response-playbook` all depend on. RWEP-90 LPE inputs route here before live-patch consideration. |
|
|
318
|
+
|
|
319
|
+
Defense-in-depth posture: the researcher's job is to recommend the **first** D3FEND layer the downstream skill should produce evidence against. Subsequent layers are the downstream skill's responsibility. Per AGENTS.md hard rule #4 (no orphaned controls), every D3FEND mapping above resolves to a real ATLAS or ATT&CK TTP enumerated in the TTP Mapping section.
|
|
320
|
+
|
|
321
|
+
---
|
|
322
|
+
|
|
306
323
|
## Compliance Theater Check
|
|
307
324
|
|
|
308
325
|
The compliance theater test for the researcher skill is itself a meta-test: does the operator's existing triage process treat all inputs at the same depth, anchored on CVSS bands?
|
|
@@ -148,7 +148,7 @@ Energy-sector TTPs span ATT&CK for ICS, ATT&CK Enterprise (for the IT side of th
|
|
|
148
148
|
|
|
149
149
|
| Surface / CVE Class | CVSS | RWEP | CISA KEV | PoC Public | AI-Discovered | Active Exploitation | Patch Available | Live-Patchable | OT-Aware Detection |
|
|
150
150
|
|---|---|---|---|---|---|---|---|---|---|
|
|
151
|
-
| Engineering / HMI Linux host hit by Copy Fail (CVE-2026-31431) | 7.8 | 90 | Yes (2026-
|
|
151
|
+
| Engineering / HMI Linux host hit by Copy Fail (CVE-2026-31431) | 7.8 | 90 | Yes (2026-05-01, due 2026-05-15) | Yes — 732-byte script | Yes | Confirmed | Yes | Yes (kpatch/livepatch/kGraft) on supported distros; rare in energy brownfield | Partial — auditd / eBPF if deployable |
|
|
152
152
|
| Engineering / HMI Windows host LPE (Print Spooler / win32k family) | varies | varies | Several entries KEV-listed | Yes | Mixed | Confirmed | Yes for in-support; out-of-support engineering hosts exposed permanently | Hotpatch on supported builds only | EDR if OT-deployable; many OT EDR carve-outs |
|
|
153
153
|
| Unitronics Vision-series PLC (CyberAv3ngers pattern) | varies — vendor advisories | high RWEP where internet-exposed | Yes (some) — see CISA ICSA-23-353-01 and successors | Yes — public PoCs since late 2023 | Mixed | Confirmed against US/EU/IL water utilities | Yes | No | ICS-aware IDS signatures available (Claroty CTD, Nozomi Guardian, Dragos, Tenable OT) |
|
|
154
154
|
| Vendor-side energy-OT CVEs (Siemens SIPROTEC / SCALANCE, Rockwell ControlLogix / FactoryTalk, Schneider Electric Modicon / EcoStruxure, ABB RTU / SDM, GE Vernova Multilin / Mark VIe, Hitachi Energy MicroSCADA / RTU500, AVEVA / OSIsoft PI System) | varies | varies | Multiple KEV listings 2024–2026 | Mixed — vendor disclosure cadence | Increasing AI-assisted RE (2025 trend) | Targeted by Sandworm-aligned and Volt-Typhoon-aligned actors | Vendor-dependent; typical install lag 1–5 years | No — firmware updates require change windows | ICS-aware IDS signature lag varies |
|
|
@@ -140,7 +140,7 @@ Sourced from `data/cve-catalog.json`, `data/exploit-availability.json`, and CISA
|
|
|
140
140
|
|
|
141
141
|
| Incident / Class | CVSS | RWEP | PoC Public? | CISA KEV? | AI-Accelerated? | Patch / Mitigation | FedRAMP-Visible? | CMMC-Visible? | SSDF-Attestable? |
|
|
142
142
|
|---|---|---|---|---|---|---|---|---|---|
|
|
143
|
-
| CVE-2026-30615 (Windsurf MCP
|
|
143
|
+
| CVE-2026-30615 (Windsurf MCP local-vector RCE — DIB development environments) | 8.0 | 35 (see `cve-catalog.json`) | Partial conceptual exploit | No (architectural class) | Rides on AI agent tool-call autonomy; AV:L (attacker-controlled HTML processed by the MCP client) | Vendor IDE update + manifest signing + MCP server allowlisting | Limited — developer workstation tooling typically outside FedRAMP boundary | Partially — CMMC Level 2 CM (configuration management) and AC (access control) families touch developer workstations handling CUI; MCP-specific controls absent | SSDF practice PS.2 covers software dependency integrity but does not specify MCP manifest signing |
|
|
144
144
|
| Volt Typhoon pre-positioning (PRC nation-state, CISA/FBI/NSA joint advisories ongoing since May 2023) | N/A (campaign) | N/A | Yes — public IOC sets and TTP descriptions | Multiple component CVEs in KEV | Yes — AI-assisted lateral movement reported in adjacent campaigns | Living-off-the-land detection; rigorous identity ZT (M-22-09 pillar 1); network ZT (M-22-09 pillar 3); credential hygiene | Partially — FedRAMP ConMon detects only the cloud-tenant surface | Partially — CMMC AC + AU + IR families address detection but not pre-positioning specifically | No — SSDF is producer-side |
|
|
145
145
|
| Salt Typhoon US telco intrusions (PRC nation-state, publicly disclosed late 2024) | N/A (campaign) | N/A | Yes — IOC sets and CISA/FBI joint advisories | Multiple component CVEs in KEV | Yes — large-scale exploitation of edge-device CVEs | Patch + replace EOL edge devices; lawful-intercept-interface hardening; segment carrier management plane | No — telco infrastructure outside FedRAMP scope | No — telco carriers outside CMMC scope | No |
|
|
146
146
|
| SolarWinds Orion supply-chain compromise (CVE-2020-10148 + SUNBURST backdoor, historical reference) | 9.8 | not in current `data/cve-catalog.json` — pre-scope incident | Yes — fully post-disclosure | Yes (KEV at time of disclosure) | No — long-game manual TTP | Patch; rotate all credentials handled by affected Orion deployments; rebuild from clean state | Yes — FedRAMP-authorized SolarWinds Orion ATOs were impacted; ConMon did not detect the implanted update | Yes — DIB contractors using Orion were impacted; current 800-171 SI-3 / SI-4 controls would not have detected the implant | Partially — SLSA L3 + in-toto + reproducible builds would have detected the build-time tampering; SSDF self-attestation alone would not |
|
|
@@ -156,7 +156,7 @@ In all three, the SCA evidence chain (the customer's authenticated session, the
|
|
|
156
156
|
| Ransomware against banking infrastructure | T1486 — Data Encrypted for Impact | ATT&CK Enterprise | LockBit-class, BlackBasta, ALPHV/BlackCat residuals 2024-2026; double-extortion + regulatory-threat-of-disclosure | NYDFS 500.17 ransom-payment notification (72h) + DORA major-incident reporting (Art. 19, 24h initial) + APRA CPS 234 para 26 (72h) — notification cadences harmonising slowly; ransom-payment legality fragmented (NYDFS reporting only, OFAC sanctions-screening, EU sanctions overlay) |
|
|
157
157
|
| Data exfiltration including LLM-channel | T1567 — Exfiltration Over Web Service | ATT&CK Enterprise | LLM API egress (OpenAI, Anthropic, Google) as covert channel; AI-coding-assistant context leaks; KYC-document upload to consumer-grade AI | DLP controls in `data/dlp-controls.json` apply; SWIFT CSCF v2026 1.1 segregation assumption violated when AI-API egress crosses administrative jump zone |
|
|
158
158
|
| AI-as-covert-C2 in trading / treasury systems | AML.T0096 — Use AI for C2 Communications | ATLAS v5.1.0 | Steganographic encoding in trading-assistant prompts; LLM response decodes operator instructions; multi-agent covert relay in market-making bots | No ATT&CK Enterprise mapping; ATLAS v5.1.0 names the technique but no financial-sector-specific detection. SOC tooling rarely monitors trading-system AI tool-use. |
|
|
159
|
-
| Fraud-detection model extraction | AML.T0017 — Discover
|
|
159
|
+
| Fraud-detection model extraction | AML.T0017 — Discover ML Model Ontology | ATLAS v5.1.0 | Adversarial probing of card-not-present fraud models; chargeback-pattern fingerprinting; transaction-monitoring threshold discovery via test transactions | Fraud-model lifecycle governance under MAS TRM / OSFI B-13 / NYDFS 500.13 (asset management) — model-extraction probes are not classified as a cyber event in most institutions |
|
|
160
160
|
| Hard-coded credentials in financial mobile / API clients | CWE-798 | CWE | Mobile-banking apps shipping API keys; partner-integration API tokens checked into Git; treasury-management-system local config | PSD2 RTS-SCA covers customer SCA, silent on partner-API credential hygiene; SWIFT CSCF 5.1/5.2 covers credential management for SWIFT users only |
|
|
161
161
|
| Agent-initiated payment via prompt injection | (No native TTP — closest: T1078 + AML.T0051) | ATT&CK + ATLAS | LLM agent with payment-initiation tool-use receives injected instruction via email / document / web content; transaction executes under customer's authenticated session | RTS-SCA evidence chain is fully compliant; injected intent invisible. Captured in `data/framework-control-gaps.json#PSD2-RTS-SCA`. |
|
|
162
162
|
| AI-generated SWIFT MT/MX message draft poisoning | (No native TTP — closest: T1565 + AML.T0051) | ATT&CK + ATLAS | LLM-assisted operator drafting tool produces subtly-wrong beneficiary BIC or amount; reviewer fatigue lets it pass 4-eyes principle | Captured in `data/framework-control-gaps.json#SWIFT-CSCF-v2026-1.1`. |
|
|
@@ -176,7 +176,7 @@ In all three, the SCA evidence chain (the customer's authenticated session, the
|
|
|
176
176
|
| Agent-initiated payment via prompt injection | n/a (design class) | risk-modelled, not CVSS | n/a | Demonstrated in 2025 research and red-team engagements | n/a | Suspected in 2025-2026 advanced campaigns; under-reported due to SCA-compliant audit trail | Mitigation only — agent-scope tokens, out-of-band confirmation, AI-channel audit | n/a | LLM-aware fraud telemetry — almost never deployed |
|
|
177
177
|
| Fraud-detection model extraction | n/a | risk-modelled | n/a | Research demonstrations | n/a | Suspected; difficult to detect | Mitigation only — query-rate-limiting, output perturbation, model-watermarking | n/a | Model-monitoring telemetry — vendor-fragmented |
|
|
178
178
|
| SWIFT CSCF v2026 1.1 violations via AI-API egress | n/a | risk-modelled | n/a | Demonstrated in 2025 red-team | n/a | Suspected | Mitigation — DLP on jump-zone egress, AI-API explicit deny | n/a | DLP + egress telemetry |
|
|
179
|
-
| HMI / treasury-workstation Linux LPE (Copy Fail CVE-2026-31431) where deployed | 7.8 | 90 | Yes (2026-
|
|
179
|
+
| HMI / treasury-workstation Linux LPE (Copy Fail CVE-2026-31431) where deployed | 7.8 | 90 | Yes (2026-05-01, due 2026-05-15) | Yes — 732-byte script | Yes | Confirmed | Yes | Yes (kpatch/livepatch) on supported distros | EDR if deployable |
|
|
180
180
|
|
|
181
181
|
**Honest gap statement (per AGENTS.md rule #10).** Vendor-specific financial-sector CVEs (core-banking platform CVEs, payment-gateway CVEs, broker-dealer trading-platform CVEs, SWIFT Alliance Access CVEs) are not exhaustively inventoried in `data/cve-catalog.json`. The authoritative sources are: vendor advisories (Temenos, Finastra, FIS, Fiserv, Jack Henry, Murex, Calypso, Bloomberg, Refinitiv, SWIFT KB), CISA KEV for cross-sector exposure, and sector-specific intel feeds (FS-ISAC, FI-ISAC EU). Forward-watched.
|
|
182
182
|
|
|
@@ -240,7 +240,7 @@ For NY-regulated entities:
|
|
|
240
240
|
### Step 6 — Fraud-detection model adversarial-resilience audit
|
|
241
241
|
|
|
242
242
|
- Pull current fraud-detection model architecture, training data refresh cadence, drift-monitoring posture.
|
|
243
|
-
- Per AML.T0017 (Discover
|
|
243
|
+
- Per AML.T0017 (Discover ML Model Ontology): test the institution's ability to detect model-probing — incremental test transactions, threshold-discovery patterns, chargeback-pattern fingerprinting. If detection is "manual review of false-positive rate trends only," the model is functionally undefended against probing.
|
|
244
244
|
- Validate model retraining cadence: monthly or faster for high-velocity surfaces (card-not-present); quarterly is theater for any adversary-evolving surface (see Theater Test 4).
|
|
245
245
|
- Cross-walk to OSFI E-23 (Enterprise-Wide Model Risk Management) and SR 11-7 equivalents.
|
|
246
246
|
|
|
@@ -117,12 +117,12 @@ Healthcare has been the most targeted sector for ransomware for three consecutiv
|
|
|
117
117
|
| Bulk EHR / FHIR / data-warehouse exfiltration | T1530 — Data from Cloud Storage Object | ATT&CK Enterprise | FHIR `$export` Bulk Data over-broad scopes; cloud data warehouse (Snowflake / BigQuery / Redshift) credential theft from clinician laptop; AWS S3 misconfiguration on de-identification staging buckets | HIPAA §164.312(c) integrity controls do not address bulk-API exfil semantics; HITRUST CSF 09.l information-transfer-policies treats bulk data flow at a policy layer. CWE-200 (Information Exposure), CWE-862 (Missing Authorization). |
|
|
118
118
|
| PHI exfiltration via clinician prompt to consumer LLM | T1567 — Exfiltration Over Web Service | ATT&CK Enterprise | Clinician pastes patient note into ChatGPT / Claude / Gemini for differential diagnosis or letter drafting; ambient-doc tool retains and forwards transcript to vendor cloud outside BAA | No HIPAA control specifically names this channel; HHS-OCR Bulletin reasoning applies. Hand off to dlp-gap-analysis. CWE-200 (Information Exposure). |
|
|
119
119
|
| Prompt injection of clinical decision-support copilot | AML.T0051 — LLM Prompt Injection (with .000/.001/.002 sub-techniques) | ATLAS v5.1.0 | Indirect prompt injection via referenced lab report PDF, OCR'd intake form, or patient-portal message that exploits an EHR-integrated copilot; instruction to suppress allergy alert, reorder medications, or fabricate trend in vital signs | EU AI Act Art 15 cybersecurity obligation applies but lacks concrete healthcare-AI threshold; HIPAA silent on prompt-injection-as-disclosure-vector. CWE-1426 (Improper Validation of Generative AI Output). |
|
|
120
|
-
| Model extraction / membership inference against clinical AI | AML.T0017 —
|
|
120
|
+
| Model extraction / membership inference against clinical AI | AML.T0017 — Discover ML Model Ontology (inference-API probing for system-prompt, guardrail, training-data signal); AML.T0016 — Obtain Capabilities: Develop Capabilities (adversarial-ML weaponization) | ATLAS v5.1.0 | Adversarial probing of a clinical-decision-support API to determine whether specific patient records were in training set; reconstruction of de-identified training examples from inference behaviour | EU AI Act Art 10 data-governance applies to training-data quality; does not codify membership-inference defence. CWE-1426 covers output-validation gap. |
|
|
121
121
|
| Medical-device firmware tamper / exploit | T1190 (IT-side initial access to device-network) chained with vendor-specific device CVEs | ATT&CK Enterprise + ICS where applicable | Insulin pumps, cardiac monitors, infusion pumps (BD Alaris), sequencers (Illumina firmware), patient-monitoring (BD, Philips, GE Healthcare), bedside imaging | FDA 524B PMA/510(k) cyber obligations only apply to devices submitted after March 2023; brownfield fleet pre-dates it. EU MDR Annex I 17.2 silent on AI-augmented devices. Hand off to ot-ics-security for device-network treatment, and coordinated-vuln-disclosure for vendor reporting. |
|
|
122
122
|
| FHIR / SMART on FHIR session token theft | T1078 chained with T1530 | ATT&CK Enterprise | Stolen JWT / OAuth2 bearer for SMART-on-FHIR launch; over-broad scopes (`*/*.read`, `patient/*.read`); refresh-token theft persists access; CWE-287 (improper authentication) and CWE-862 (missing authorization) | RFC-7519 JWT validation must enforce `iss`, `aud`, `exp`, signature algorithm, key rotation; RFC-9421 HTTP message signatures for FHIR API integrity in flight; HL7 FHIR R5 does not mandate either. |
|
|
123
123
|
| EHR over-privileged break-glass / shared-account access | T1078.002 — Valid Accounts: Domain Accounts | ATT&CK Enterprise | Shared "Nurse" account on med-cart Windows; break-glass clinician account auditing gap; service account for EHR-integrated copilot with patient/* scope rather than encounter-bound | HIPAA §164.312(a)(2)(i) unique user identification is met technically by user-account-per-clinician but break-glass and AI-service-principals are commonly outside that boundary. NIST 800-53 AC-2 account management does not codify AI-service-principal scoping. |
|
|
124
124
|
|
|
125
|
-
**Note on ATLAS coverage.** AML.T0051 (Prompt Injection) covers the direct, indirect, and jailbreak sub-techniques against clinical-decision-support copilots; AML.
|
|
125
|
+
**Note on ATLAS coverage.** AML.T0051 (Prompt Injection) covers the direct, indirect, and jailbreak sub-techniques against clinical-decision-support copilots; AML.T0054 (LLM Jailbreak) covers guardrail-bypass crafting; AML.T0017 (Discover ML Model Ontology) covers adversary reconnaissance of the deployed model — system-prompt extraction, guardrail mapping, training-data signal probing — relevant to clinical-AI confidentiality; AML.T0016 (Obtain Capabilities: Develop Capabilities) covers the broader adversarial-ML weaponization pipeline.
|
|
126
126
|
|
|
127
127
|
---
|
|
128
128
|
|
|
@@ -458,11 +458,11 @@ Per-tier TTP coverage is cumulative: Practical includes MVP's coverage plus addi
|
|
|
458
458
|
| MVP | Privilege escalation | T1068 (ATT&CK) | cve-catalog.json: CVE-2026-31431 | Live-patch + auditd userfaultfd / proc/self/mem rules |
|
|
459
459
|
| MVP | LLM Prompt Injection | AML.T0051 | atlas-ttps.json | Don't execute AI-suggested commands without read; turn on prompt+response logging |
|
|
460
460
|
| MVP | ML Supply Chain Compromise (MCP) | AML.T0010 | atlas-ttps.json | MCP server inventory + version pinning + tool allowlist |
|
|
461
|
-
| MVP |
|
|
461
|
+
| MVP | LLM Jailbreak | AML.T0054 | atlas-ttps.json | Same control as AML.T0051; the two are operationally adjacent — adversarial-instruction injection bypasses guardrails |
|
|
462
462
|
| Practical | Exploit Public-Facing Application | T1190 (ATT&CK) | cve-catalog.json (CVE-2025-53773 attack_refs) | External attack-surface management + AI-mediated T1190 coverage |
|
|
463
|
-
| Practical |
|
|
463
|
+
| Practical | Discover ML Model Ontology | AML.T0017 | atlas-ttps.json | Inference-API rate + shape monitoring; reconstruct adversary's model-family map |
|
|
464
464
|
| Practical | Poison Training Data | AML.T0020 | atlas-ttps.json | Training-pipeline integrity verification for any in-house ML used in decisions |
|
|
465
|
-
| Practical |
|
|
465
|
+
| Practical | Obtain Capabilities: Develop Capabilities (AI-assisted weaponization) | AML.T0016 | atlas-ttps.json | RWEP-anchored monitoring; treat KEV+PoC as immediate live-patch trigger; phishing detection updated for AI-generated content; behavioural signals primary |
|
|
466
466
|
| Overkill | LLM Integration Abuse (C2) | AML.T0096 | atlas-ttps.json | AI-traffic content inspection + SesameOp-pattern detection with behavioural baseline |
|
|
467
467
|
| Overkill | Backdoor ML Model | AML.T0018 | atlas-ttps.json | Model integrity verification (behavioural regression tests, model signing) |
|
|
468
468
|
| Overkill | Craft Adversarial Data (RAG/general) | AML.T0043 | atlas-ttps.json | Vector-store access controls + retrieval-anomaly monitoring |
|
|
@@ -477,12 +477,12 @@ Tiered to the current `data/cve-catalog.json`, using RWEP (`lib/scoring.js`) as
|
|
|
477
477
|
|
|
478
478
|
| Tier | Coverage requirement | CVEs in scope as of 2026-05-01 | Available exploits | Required protective state |
|
|
479
479
|
|---|---|---|---|---|
|
|
480
|
-
| MVP | RWEP >= 70 | CVE-2026-31431 (Copy Fail, RWEP 90, CVSS 7.8) | Public 732-byte deterministic PoC; KEV-listed 2026-
|
|
481
|
-
| Practical | RWEP >=
|
|
482
|
-
| Overkill | All catalog entries regardless of RWEP | CVE-2026-31431 (90), CVE-
|
|
480
|
+
| MVP | RWEP >= 70 | CVE-2026-31431 (Copy Fail, RWEP 90, CVSS 7.8) | Public 732-byte deterministic PoC; KEV-listed 2026-05-01 (federal due 2026-05-15); AI-discovered; live-patch available (kpatch / canonical-livepatch / kGraft) | Live-patched within hours of KEV listing OR fully patched + rebooted OR network-isolated with documented reboot date |
|
|
481
|
+
| Practical | RWEP >= 30 | CVE-2026-31431 (90), CVE-2026-30615 (Windsurf MCP local-vector RCE, 35, CVSS 8.0), CVE-2025-53773 (Copilot YOLO-mode RCE, 30, CVSS 7.8) | Copy Fail as above; CVE-2026-30615 + CVE-2025-53773 both AV:L local-vector, demonstrated PoC, vendor-patchable; AI-coding-assistant scope | All MVP coverage plus: prompt-injection classifier in front of any LLM processing external content; phishing simulation using AI-generated content; org-wide AI-coding-assistant version management; MCP server allowlisting with signed manifests |
|
|
482
|
+
| Overkill | All catalog entries regardless of RWEP | CVE-2026-31431 (90), CVE-2026-43284 (Dirty Frag ESP/IPsec, 38, CVSS 7.8), CVE-2026-30615 (Windsurf MCP local-vector RCE, 35, CVSS 8.0), CVE-2026-43500 (Dirty Frag RxRPC, 32, CVSS 7.6), CVE-2025-53773 (Copilot YOLO-mode RCE, 30, CVSS 7.8) | Public PoC for all; Dirty Frag pair has no live patch (kpatch RHEL-only); Windsurf is local-vector supply-chain class; chained Dirty Frag requires kernel-version fingerprinting | All Practical coverage plus: kernel hardening (unprivileged_userns_clone=0, unprivileged_userfaultfd=0, kptr_restrict=2); seccomp profiles on all containers; eBPF runtime detection; immutable infrastructure for the workloads that tolerate it; sandboxed MCP execution; per-invocation capability tokens for AI agents |
|
|
483
483
|
|
|
484
484
|
Refresh trigger: re-run `node lib/scoring.js` and rebuild this matrix whenever `data/cve-catalog.json` is updated. Per AGENTS.md hard rule #6 the zero-day learning loop also feeds back into the tier mapping when a new CVE is added.
|
|
485
485
|
|
|
486
|
-
Note on CVSS divergence: every CVE in this catalog has a CVSS in the 7.6–
|
|
486
|
+
Note on CVSS divergence: every CVE in this catalog has a CVSS in the 7.6–8.0 range — CVSS alone would prioritise the highest-band CVE without distinguishing the AI-discovered KEV-listed deterministic LPE (Copy Fail) from the local-vector MCP supply-chain class (Windsurf). RWEP correctly ranks Copy Fail (90) above Windsurf (35) because KEV listing, deterministic exploitability, AI discovery, and broad blast radius dominate. The MVP tier protects against the right thing first.
|
|
487
487
|
|
|
488
488
|
---
|
|
@@ -54,7 +54,7 @@ The threat context this skill defends against is not a specific adversary techni
|
|
|
54
54
|
Real-world manifestations in mid-2026:
|
|
55
55
|
|
|
56
56
|
- ATLAS v5.1.0 (November 2025) added TTPs that bind to operational reality (AML.T0096 AI-API C2, AML.T0048 erode-integrity-via-drift). A skill pinned to ATLAS v4 cannot route these. **AML.T0010** family was expanded to cover MCP supply-chain compromise mid-cycle.
|
|
57
|
-
- CVE-2026-31431 (Copy Fail) joined CISA KEV
|
|
57
|
+
- CVE-2026-31431 (Copy Fail) joined CISA KEV on 2026-05-01 with a 2026-05-15 federal due date. Any skill whose `last_threat_review` predates that listing and whose body recommends "patch on 30-day SLA" is recommending against a threat model that KEV escalated to days, not weeks.
|
|
58
58
|
- NIST SP 800-63B updated PBKDF2 iteration guidance to ≥ 600,000 in 2022; many compliance attestations still cite the 2017 numbers. A skill that does not track that lag perpetuates the theater.
|
|
59
59
|
- IETF RFC 9116 (security.txt) and the CSAF 2.0 transition both have hard cutover signals that change how `coordinated-vuln-disclosure` should advise.
|
|
60
60
|
|
|
@@ -69,7 +69,7 @@ This skill defends against drift; the TTPs that EXPLOIT a drifted skill are:
|
|
|
69
69
|
| Tactic | TTP | What drift enables |
|
|
70
70
|
|---|---|---|
|
|
71
71
|
| Defense Evasion | T1562.001 (Disable or Modify Tools) | Stale skill recommends only the controls the current adversary class already evades |
|
|
72
|
-
| Resource Development | AML.T0016 (Develop Capabilities) | Attacker capability outpaces the catalog the skill cites |
|
|
72
|
+
| Resource Development | AML.T0016 (Obtain Capabilities: Develop Capabilities) | Attacker capability outpaces the catalog the skill cites |
|
|
73
73
|
| Initial Access | AML.T0010 (Supply Chain Compromise) | New attack class (e.g. MCP plugin compromise) isn't yet a skill |
|
|
74
74
|
| Defense Evasion | T1027 (Obfuscated Files or Information) | Detection rules in a skill are for an older obfuscation generation |
|
|
75
75
|
| Impact | AML.T0048 (Erode ML Model Integrity) | Drift in the threat-context section means the operator's mental model is wrong by months |
|
|
@@ -481,7 +481,7 @@ This skill does not have a single exploited target — its "exploit surface" is
|
|
|
481
481
|
| MITRE ATLAS changelog | TTP additions, renames, removals for AI/ML threat domain | Quarterly check; immediate on minor-version release | ATLAS v5.1.0 (November 2025) — pinned in AGENTS.md and `data/atlas-ttps.json._meta.atlas_version` | `_meta.atlas_version` |
|
|
482
482
|
| NVD CVE 2.0 API | Authoritative CVE metadata, CVSS vectors, references | Real-time on new CVE in covered domain | services.nvd.nist.gov/rest/json/cves/2.0 | `data/cve-catalog.json` |
|
|
483
483
|
| NIST FIPS publication tracker | PQC and crypto-standard finalizations | Per-publication (event-driven) | csrc.nist.gov/publications | pqc-first `forward_watch` + manifest `last_threat_review` |
|
|
484
|
-
| MITRE ATT&CK Enterprise | Non-AI TTP additions/renames | Per ATT&CK version release | attack.mitre.org (current pinned:
|
|
484
|
+
| MITRE ATT&CK Enterprise | Non-AI TTP additions/renames | Per ATT&CK version release | attack.mitre.org (current pinned: v17, 2025-06-25) | Skill `attack_refs` fields |
|
|
485
485
|
| GitHub Security Advisories / OSV | CVEs for AI assistants, MCP clients/servers, supply-chain JS/Python packages | Real-time on covered repos | osv.dev, github.com/advisories | `data/cve-catalog.json` |
|
|
486
486
|
| Framework publisher feeds | NIST SP revisions, ISO amendments, NIS2 implementing acts, EU Official Journal, ENISA, NCSC, ASD | RSS / changelog per publisher | csrc.nist.gov, iso.org, eur-lex.europa.eu | `data/framework-control-gaps.json`, `data/global-frameworks.json` |
|
|
487
487
|
| Kernel CNA / distro advisories | Kernel LPE, container-escape, page-cache CVEs | Per advisory | kernel.org, RHEL/Ubuntu/Debian security advisories | `data/cve-catalog.json`, kernel-lpe-triage |
|
|
@@ -499,3 +499,19 @@ This skill does not have a single exploited target — its "exploit surface" is
|
|
|
499
499
|
> "Concrete test: pull the most recent MITRE ATLAS minor-version release date from atlas.mitre.org. Now pull the `last_threat_review` from every skill's frontmatter (or the equivalent currency timestamp in your own threat-intel documents). If any covered-domain document's `last_threat_review` predates the most recent ATLAS minor-version release by more than 30 days with no documented decision to defer, the currency claim fails. The control is being measured by the existence of the subscription rather than the freshness of the derived analysis."
|
|
500
500
|
|
|
501
501
|
> "Second concrete test: pull the most recent CISA KEV additions in the last 30 days that affect technologies the organization runs. For each, identify the document (skill, runbook, policy) where the new KEV entry should have triggered a re-review. If the re-review either did not occur or occurred without updating the document's stated `last_threat_review`, the loopback is non-functional and the threat-intel program is theater regardless of how many feeds are consumed."
|
|
502
|
+
|
|
503
|
+
---
|
|
504
|
+
|
|
505
|
+
## Defensive Countermeasure Mapping
|
|
506
|
+
|
|
507
|
+
The drift attack against skill currency is structural, not technical — there is no in-flight exploit to detect. The D3FEND mapping below describes the layered defences that keep the update-loop itself non-bypassable. Source: `data/d3fend-catalog.json`.
|
|
508
|
+
|
|
509
|
+
| D3FEND Technique | Mapping | Defense-in-Depth Layer | Least-Privilege Scope | Zero-Trust Posture |
|
|
510
|
+
|---|---|---|---|---|
|
|
511
|
+
| **D3-CA** (Certificate Analysis) | The skill currency proof is the Ed25519 signature over each skill body keyed off `keys/public.pem`. D3-CA is the analysis of that signature chain — verify-on-shipped-tarball (predeploy gate #14) is the operational form. A drifted skill body whose signature fails verification cannot be loaded as ground truth. | Layer 1 (Harden — package boundary). | Per-skill — each skill body is signed individually; integrity is per-file, not per-bundle. | Verify every load; reject on hash mismatch. The signing key is the trust root the operator anchors. |
|
|
512
|
+
| **D3-EHB** (Executable Hash-based Allowlist) | Manifest-snapshot integrity. The `manifest-snapshot.json` records the canonical hash of every shipped skill; the predeploy gate compares the live `manifest.json` against the snapshot. Drift in skill content that is *not* reflected in the snapshot (i.e. unreviewed) fails the snapshot-refresh gate. | Layer 1 (Harden — release surface). | Per-release — the snapshot is the canonical inventory for the release. | Default-deny additions / removals; every snapshot change is an intentional review event. |
|
|
513
|
+
| **D3-FAPA** (File Access Pattern Analysis) | The `last_threat_review` timestamp on each skill is the auditable signal that the update loop walked the skill since the most recent threat-intel trigger. The triggers table above (CISA KEV adds, ATLAS minor-version, NIST drafts) is the input; `last_threat_review` is the output evidence. A skill whose body cites a newly-listed CVE but whose timestamp pre-dates the listing is a FAPA-flagged anomaly. | Layer 4 (Detect — currency audit). | Per-skill — the loop runs per-skill, not per-bundle. | Continuously evaluate; alert (CI fail) on any skill whose timestamp is older than its triggering source's published date. |
|
|
514
|
+
| **D3-IOPR** (Input/Output Profiling Resource) | Lint-skills body / frontmatter parsing is the profiling step: every skill body is parsed against the canonical section template (Threat Context, TTP Mapping, Framework Lag Declaration, Exploit Availability Matrix, Analysis Procedure, Output Format, Compliance Theater Check, DCM). A drifted skill that drops a required section is caught at lint time. | Layer 2 (Harden — schema). | Per-skill — schema is per-skill body. | Default-deny missing sections; the v0.13.0 lint upgrade makes DCM a hard-fail. |
|
|
515
|
+
| **D3-PA** (Process Analysis) | The watchlist / dispatch / scan log every load and signature-check event so a forensic reader can reconstruct which skill version produced which finding. Without a per-invocation evidence stream, a stale skill body whose timestamp says "current" cannot be detected after the fact. | Layer 5 (Detect — runtime). | Per-invocation — every CLI invocation emits a structured log entry. | Treat every invocation as untrusted until the signature chain is verified at load time; persist the verification result alongside the finding. |
|
|
516
|
+
|
|
517
|
+
**Defense-in-depth posture:** signature integrity (D3-CA) and snapshot-pinning (D3-EHB) are the hard gates that prevent a tampered skill body from shipping; lint-schema (D3-IOPR) and currency timestamps (D3-FAPA) are the audit gates that catch silent drift inside an intentional release; D3-PA is the per-invocation evidence stream that lets the operator answer "which version of the skill produced this finding" post-hoc. Per AGENTS.md hard rule #8 (pinned ATLAS / ATT&CK version), every layer's evidence is keyed off the pinned version — a manifest snapshot taken against ATLAS v5.1.0 is not interchangeable with one taken against a later release.
|
|
@@ -76,7 +76,7 @@ The supply chain has expanded far beyond "a vulnerable dependency in npm or PyPI
|
|
|
76
76
|
The defining incidents driving this expansion:
|
|
77
77
|
|
|
78
78
|
- **CVE-2026-45321 (Mini Shai-Hulud TanStack npm worm, 2026-05-11)** — 84 malicious versions across 42 `@tanstack/*` packages were published in a six-minute window (19:20-19:26 UTC); `@tanstack/react-router` alone ships ~12M weekly downloads. **First documented npm package shipping VALID SLSA provenance while being malicious.** Provenance proves which pipeline built the artifact; it does not prove that the pipeline behaved as intended. The attack chain was three primitives, none sufficient alone: (1) `pull_request_target` on TanStack's `bundle-size.yml` ran fork-PR code with base-repo permissions (classic *Pwn Request*); (2) that run wrote poison into the `actions/cache` pnpm-store under key `Linux-pnpm-store-${hashFiles('**/pnpm-lock.yaml')}` that the publish workflow later restored; (3) on the next `main` push, `release.yml` (with `id-token: write` for legit npm publishing) restored the poisoned cache, attacker code read `/proc/<runner.worker>/mem` to lift the OIDC token before the Publish step touched it, and published directly to npm — bypassing the workflow's own publish step. The payload (2.3 MB obfuscated) does credential harvesting from 100+ paths and installs persistence via `.claude/settings.json` SessionStart hooks, `.vscode/tasks.json` folder-open hooks, plus macOS LaunchAgents / Linux systemd-user units. A destructive wipe fires on token revocation. Implication for this skill: SLSA L3 is necessary-but-insufficient against cache-poisoning attacks within the build; the new minimum is workflow trust-boundary isolation (no `pull_request_target` co-resident with `id-token: write`, distinct cache namespaces per trigger class) plus consumer-side fresh-publish cooldowns (`.npmrc before=72h` or `minimumReleaseAge=4320`).
|
|
79
|
-
- **CVE-2026-30615 (Windsurf MCP
|
|
79
|
+
- **CVE-2026-30615 (Windsurf MCP local-vector RCE, CVSS 8.0 / AV:L)** — a developer tool, distributed without enforced manifest signing or provenance attestation, drives attacker-controlled code execution in the assistant's context via attacker-controlled HTML the MCP client processes. The vulnerability class is reachable across the AI coding-assistant ecosystem (150M+ combined downloads). See the `mcp-agent-trust` skill for the trust-boundary analysis; this skill addresses the supply-chain artifact-integrity layer.
|
|
80
80
|
- **AI-generated code is opaque-provenance code.** GitHub Copilot, Cursor, Claude Code, Windsurf, Codex, and Gemini CLI emit code that is committed without attestation of which model produced it, against what context, with what training cutoff. SBOM completeness claims that omit AI-generated code are theater — the SBOM lists `npm:lodash@4.17.21` but not "function `parseUrl` was emitted by Copilot from a docstring that contained an indirect prompt injection."
|
|
81
81
|
- **Model weights are native binary artifacts that execute on load.** PyTorch `.pt` checkpoints in code-executing serialization formats distributed via Hugging Face / GitHub LFS are CWE-502 deserialization vectors. Hash-pinning a malicious blob does not prevent execution; only signature verification against a pinned publishing key (Sigstore keyless or OpenSSF model-signing) plus a non-executing format (safetensors) closes the class.
|
|
82
82
|
- **Typosquat campaigns target the MCP, Hugging Face, npm `@modelcontextprotocol/*`, and PyPI ML namespaces.** The MITRE ATLAS technique AML.T0010 (ML Supply Chain Compromise) is the umbrella class; AML.T0018 (compromised model weight) is the specific artifact.
|
|
@@ -82,20 +82,20 @@ This skill produces a currency score and a specific update roadmap. Currency is
|
|
|
82
82
|
|
|
83
83
|
### Class 4: Prompt Injection as Enterprise RCE
|
|
84
84
|
|
|
85
|
-
**2026 reality:** CVE-2025-53773 demonstrated prompt injection in a production developer tool (GitHub Copilot)
|
|
85
|
+
**2026 reality:** CVE-2025-53773 demonstrated prompt injection in a production developer tool (GitHub Copilot) coercing the agent into flipping `chat.tools.autoApprove: true` and converting subsequent tool calls into shell execution. CVSS 7.8 / AV:L (NVD-authoritative; the local-vector reflects developer-side IDE interaction, not network reach). This is not a research demo. It is a real CVE in a tool used by hundreds of millions of developers. Attack success rates against SOTA defenses exceed 85%.
|
|
86
86
|
|
|
87
87
|
**Currency check questions:**
|
|
88
88
|
- Does the threat model include prompt injection as an RCE vector (not just a chatbot annoyance)?
|
|
89
89
|
- Is prompt injection included in application threat models for any system with an LLM component?
|
|
90
90
|
- Are AI coding assistants in scope for the threat model?
|
|
91
91
|
|
|
92
|
-
**If unchecked:** Prompt injection is classified as a "trust and safety" issue, not a security control failure. The CVSS
|
|
92
|
+
**If unchecked:** Prompt injection is classified as a "trust and safety" issue, not a security control failure. The shipped CVE (CVSS 7.8 / AV:L) says otherwise.
|
|
93
93
|
|
|
94
94
|
---
|
|
95
95
|
|
|
96
96
|
### Class 5: MCP Supply Chain RCE
|
|
97
97
|
|
|
98
|
-
**2026 reality:** CVE-2026-30615 (Windsurf) demonstrated
|
|
98
|
+
**2026 reality:** CVE-2026-30615 (Windsurf MCP) demonstrated local-vector RCE via the MCP tool ecosystem (CVSS 8.0 / AV:L — attacker controls HTML the client processes). 150M+ combined downloads across MCP-capable assistants. Every major AI coding assistant has the same architectural attack surface.
|
|
99
99
|
|
|
100
100
|
**Currency check questions:**
|
|
101
101
|
- Does the threat model include AI tool supply chain as an attack surface?
|
|
@@ -228,7 +228,7 @@ This skill produces a currency score and a specific update roadmap. Currency is
|
|
|
228
228
|
Most organizational threat models in circulation today are 2022–2024 vintage. They were written before the operational reality of mid-2026:
|
|
229
229
|
|
|
230
230
|
- **AI-discovered LPEs.** Copy Fail (CVE-2026-31431) was found by an AI system in roughly one hour in a code path that had been in every major Linux distribution for nine years. A threat model that does not name "AI-assisted vulnerability discovery" as an attacker capability cannot reason about Copy Fail-class exposure.
|
|
231
|
-
- **
|
|
231
|
+
- **Local-vector MCP RCE.** CVE-2026-30615 (Windsurf, CVSS 8.0 / AV:L) demonstrated that a malicious MCP server can drive an AI coding assistant to execute code in the developer's user context once installed. 150M+ combined downloads of MCP-capable assistants share the same architectural surface. A threat model that lists "third-party software" but not "AI tool plugins" is no longer comprehensive.
|
|
232
232
|
- **AI-API C2 (SesameOp).** Adversaries are using legitimate AI API endpoints (ATLAS AML.T0096) as covert command-and-control channels. Traffic is indistinguishable from legitimate usage at the network layer. A threat model whose C2 chapter still lists only DGAs, beaconing, and protocol anomalies has a documented blind spot.
|
|
233
233
|
- **AI-accelerated weaponization.** 41% of 2025 zero-days involved AI-assisted reverse engineering on the attacker side. The window between disclosure and reliable exploitation has compressed from weeks to hours for a meaningful class of CVEs.
|
|
234
234
|
- **AI-generated phishing as baseline.** 82.6% of phishing in 2025 contained AI-generated content. Threat models that treat AI-generated phishing as an "emerging" or "advanced" capability are scoring below the actual median attacker.
|
|
@@ -268,15 +268,15 @@ The 14-class checklist above *is* the TTP map. Each class is a coverage requirem
|
|
|
268
268
|
| 1 — AI-discovered kernel LPE | T1068 (Exploitation for Privilege Escalation) | cve-catalog.json: CVE-2026-31431 | Threat model assumes human-speed exploit discovery |
|
|
269
269
|
| 2 — Deterministic LPE | T1068 | cve-catalog.json: CVE-2026-31431 | IR plan treats LPE as probabilistic |
|
|
270
270
|
| 3 — IPsec subsystem LPE | T1068 | cve-catalog.json: CVE-2026-43284 / CVE-2026-43500 | Network-segmentation claimed as compensating control for the attack surface itself |
|
|
271
|
-
| 4 — Prompt injection RCE | AML.T0051 (LLM Prompt Injection), AML.T0054 (
|
|
271
|
+
| 4 — Prompt injection RCE | AML.T0051 (LLM Prompt Injection), AML.T0054 (LLM Jailbreak) | atlas-ttps.json + CVE-2025-53773 | Prompt injection treated as T&S, not security |
|
|
272
272
|
| 5 — MCP supply chain RCE | AML.T0010 (ML Supply Chain Compromise), T1190 (Exploit Public-Facing Application) | atlas-ttps.json + CVE-2026-30615 | AI plugin ecosystem out of supply-chain scope |
|
|
273
|
-
| 6 — AI-assisted weaponization | AML.
|
|
273
|
+
| 6 — AI-assisted weaponization | AML.T0016 (Obtain Capabilities: Develop Capabilities) | atlas-ttps.json | Patch SLAs sized for 2019 attacker speed |
|
|
274
274
|
| 7 — AI as covert C2 | AML.T0096 (LLM Integration Abuse — C2) | atlas-ttps.json | C2 detection architecture has total blind spot |
|
|
275
|
-
| 8 — AI-generated malware evasion | AML.T0016 (
|
|
275
|
+
| 8 — AI-generated malware evasion | AML.T0016 (Obtain Capabilities: Develop Capabilities — payload generation) | atlas-ttps.json | Detection stack signature-bound; PROMPTFLUX bypasses by design |
|
|
276
276
|
| 9 — RAG exfiltration | AML.T0043 (Craft Adversarial Data) | atlas-ttps.json | Vector store treated as database, not as semantic exfil surface |
|
|
277
277
|
| 10 — Model poisoning | AML.T0020 (Poison Training Data) | atlas-ttps.json | ML decision systems treated as standard software |
|
|
278
278
|
| 11 — AI-speed reconnaissance | T1595 (Active Scanning), T1190 | ATT&CK | Rate-based detection thresholds calibrated for human-speed scans |
|
|
279
|
-
| 12 — AI-generated phishing | AML.T0016 (
|
|
279
|
+
| 12 — AI-generated phishing | AML.T0016 (Obtain Capabilities: Develop Capabilities — payload crafting via public AI APIs), T1566 (Phishing) | atlas-ttps.json + ATT&CK | Detection rules tuned for 2021 phishing |
|
|
280
280
|
| 13 — ATLAS coverage | All AML.T* in atlas-ttps.json | atlas-ttps.json `_meta.atlas_version` | SOC detection programs are ATT&CK-only |
|
|
281
281
|
| 14 — Post-quantum adversary | T1557 (harvest-now-decrypt-later context) | global-frameworks.json (PQC standards) | Long-lived sensitive traffic captured today, decrypted later |
|
|
282
282
|
|
|
@@ -290,9 +290,9 @@ A threat model is "current" only if it accounts for every `data/cve-catalog.json
|
|
|
290
290
|
|
|
291
291
|
| CVE | Name | CVSS | RWEP | KEV | PoC | AI factor | Live-patchable | Required threat-model treatment |
|
|
292
292
|
|---|---|---|---|---|---|---|---|---|
|
|
293
|
-
| CVE-2026-31431 | Copy Fail | 7.8 | 90 | Yes (2026-
|
|
294
|
-
| CVE-2025-53773 | Copilot
|
|
295
|
-
| CVE-2026-30615 | Windsurf MCP
|
|
293
|
+
| CVE-2026-31431 | Copy Fail | 7.8 | 90 | Yes (2026-05-01, due 2026-05-15) | Yes — 732-byte deterministic | AI-discovered | Yes (kpatch / canonical-livepatch / kGraft) | Must name as named threat. Patch SLA must reflect KEV + deterministic class — live-patch within hours, not 30 days. |
|
|
294
|
+
| CVE-2025-53773 | Copilot YOLO-mode RCE | 7.8 | 30 | No | Yes — demonstrated | AI-weaponized | Yes (SaaS vendor patch / IDE update) | Must include prompt-injection-driven YOLO-mode escalation as RCE vector if any developer uses Copilot. |
|
|
295
|
+
| CVE-2026-30615 | Windsurf MCP local-vector RCE | 8.0 | 35 | No | Partial | No | Yes (IDE update) | Must include MCP supply chain if any developer uses any MCP-capable assistant. |
|
|
296
296
|
| CVE-2026-43284 | Dirty Frag (ESP/IPsec) | 7.8 | 38 | No | Yes — chain component | No | No | Required if IPsec-based controls are claimed as compensating. |
|
|
297
297
|
| CVE-2026-43500 | Dirty Frag (RxRPC) | 7.6 | 32 | No | Yes — chain component | No | No | Required when chained with CVE-2026-43284 in IR scenario planning. |
|
|
298
298
|
|
|
@@ -59,7 +59,7 @@ This skill is opinionated about methodology selection. There is no single method
|
|
|
59
59
|
|
|
60
60
|
Most "threat models" in circulation in mid-2026 are STRIDE diagrams of 2018–2022 vintage. Their failure modes are concrete and current:
|
|
61
61
|
|
|
62
|
-
- **No AI agents as actors.** The actor inventory lists humans, services, and external systems. AI coding assistants, MCP servers, RAG retrievers, autonomous agents executing tool calls — none appear with their own trust boundaries. The Windsurf MCP RCE (CVE-2026-30615) and the Copilot
|
|
62
|
+
- **No AI agents as actors.** The actor inventory lists humans, services, and external systems. AI coding assistants, MCP servers, RAG retrievers, autonomous agents executing tool calls — none appear with their own trust boundaries. The Windsurf MCP local-vector RCE (CVE-2026-30615, CVSS 8.0 / AV:L) and the Copilot YOLO-mode RCE (CVE-2025-53773, CVSS 7.8 / AV:L) are not representable in a model whose actor schema predates the threat.
|
|
63
63
|
- **No MCP supply-chain RCE class.** Trust boundaries between developer workstations and "tool plugins" do not exist in pre-2024 threat models. The supply-chain chapter lists npm, Docker, and OS packages — not AI tool plugins, which now have an equal or greater attack surface across 150M+ assistant installs.
|
|
64
64
|
- **No AI-API as C2 channel.** The C2 chapter enumerates DGAs, beaconing, protocol anomalies. ATLAS AML.T0096 (LLM Integration Abuse — covert C2, SesameOp pattern) is not on the diagram. The model cannot reason about a documented technique that is operationally indistinguishable from legitimate AI usage at the network layer.
|
|
65
65
|
- **Prompt injection mis-classified.** Pre-2024 STRIDE assigns prompt injection to "Tampering" or omits it entirely. Operationally it is an access-control bypass that achieves what spoofing achieves via the model's context window, with measured success rates above 85% against state-of-the-art defences.
|
|
@@ -118,7 +118,7 @@ Threat-modelling methodologies are *consumers* of the TTP catalog, not contribut
|
|
|
118
118
|
| Methodology | Native input | TTP pull pattern | Gap if methodology used alone |
|
|
119
119
|
|---|---|---|---|
|
|
120
120
|
| STRIDE / STRIDE-per-element | Trust boundaries on a DFD | Per boundary: enumerate Spoof / Tamper / Repudiate / InfoDisclose / DoS / EoP; map each to ATT&CK or ATLAS TTPs from `data/atlas-ttps.json` | Privacy threats (linkability, identifiability) compressed into "InfoDisclose" lose specificity; LINDDUN required to surface them. |
|
|
121
|
-
| STRIDE-ML (Microsoft, 2020) | DFD with ML training/inference/feedback elements | Per ML element: adversarial ML threats from ATLAS (AML.T0010 ML Supply Chain, AML.T0020 Poison Training Data, AML.T0043 Craft Adversarial Data, AML.T0051 LLM Prompt Injection, AML.T0054
|
|
121
|
+
| STRIDE-ML (Microsoft, 2020) | DFD with ML training/inference/feedback elements | Per ML element: adversarial ML threats from ATLAS (AML.T0010 ML Supply Chain, AML.T0020 Poison Training Data, AML.T0043 Craft Adversarial Data, AML.T0051 LLM Prompt Injection, AML.T0054 LLM Jailbreak, AML.T0096 LLM Integration Abuse) | Agent-as-actor still missing; needs the actor-inventory amendment described in the Analysis Procedure. |
|
|
122
122
|
| PASTA | App-centric attack trees with business-impact rooting | Per app component: pull CVE-level threats from `data/cve-catalog.json` (e.g. CVE-2025-53773 prompt-injection RCE in app-integrated AI assistants) and ATLAS TTPs at the app boundary | Systemic AI risks crossing services (cross-agent prompt injection, shared embedding contamination) sit outside any one app. |
|
|
123
123
|
| LINDDUN / LINDDUN-PRO | DFD plus privacy threat tree | Per data flow: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure-of-Information, Unawareness/Unintervenability, Non-compliance; cross-walk to GDPR Art. 5 / Art. 32 obligations | Technical threats (memory corruption, kernel LPE) not represented. |
|
|
124
124
|
| Trike | Requirements model + implementation model | Per actor-action pair: authorised vs. unauthorised actions; pull ATT&CK TTPs that bridge the gap | Limited recent revision; weaker fit for AI-agent actors. |
|
|
@@ -140,7 +140,7 @@ Methodologies are catalog consumers, not catalog producers. The matrix shows the
|
|
|
140
140
|
| Methodology | Consumes | KEV-bound? | PoC-bound? | AI-accelerated input? | Live-patch decisions in scope? |
|
|
141
141
|
|---|---|---|---|---|---|
|
|
142
142
|
| STRIDE | Generic threat categories per boundary | No — threat categories are pre-CVE | No | No | No (model is design-time) |
|
|
143
|
-
| STRIDE-ML | STRIDE categories + ATLAS TTPs | Indirectly via CVEs mapped to TTPs | Yes (when a TTP has a public PoC, that strengthens the threat) | Yes (AML.
|
|
143
|
+
| STRIDE-ML | STRIDE categories + ATLAS TTPs | Indirectly via CVEs mapped to TTPs | Yes (when a TTP has a public PoC, that strengthens the threat) | Yes (AML.T0016 Obtain Capabilities: Develop Capabilities — AI on attacker side) | No |
|
|
144
144
|
| PASTA | App-centric attack trees consuming CVE-level primitives from `data/cve-catalog.json` | Yes (KEV entries elevate tree-branch priority) | Yes | Yes | Possible — PASTA stage VI (Vulnerability and Weakness Analysis) names live-patch as a control class |
|
|
145
145
|
| LINDDUN | Privacy threat tree | No — privacy threats are policy-bound, not exploit-bound | No | No | No |
|
|
146
146
|
| Trike | Authorised/unauthorised action gaps | Indirectly | Indirectly | No | No |
|
|
@@ -174,7 +174,7 @@ The procedure threads three foundational design principles end-to-end. They are
|
|
|
174
174
|
|
|
175
175
|
1. **Inventory routes + auth requirements + data sensitivity.** Enumerate every HTTP route (or GraphQL operation, gRPC method). For each: required role, request schema, response schema, data classification, AI-codegen provenance flag (was this handler suggested by an assistant?).
|
|
176
176
|
2. **Map each route to CWE-Top-25-class risk.** Score by CWE class × data sensitivity × external reachability. Apply the RWEP model — CVSS alone fails per AGENTS.md Hard Rule #3.
|
|
177
|
-
3. **Audit AI-generated code separately from human-written code.** Require commit-time provenance markers (git trailer, commit-message tag, or co-author metadata) identifying AI-assisted commits. Re-review AI-suggested handlers on every AI-codegen-CVE wave (e.g. CVE-2025-53773
|
|
177
|
+
3. **Audit AI-generated code separately from human-written code.** Require commit-time provenance markers (git trailer, commit-message tag, or co-author metadata) identifying AI-assisted commits. Re-review AI-suggested handlers on every AI-codegen-CVE wave (e.g. CVE-2025-53773, CVSS 7.8 / AV:L — re-review every Copilot agent-mode-generated handler in the affected window, with priority on those that read external content into the agent context). If provenance is not captured, the org cannot answer "what code do we need to re-review?" — this is a compliance-theater indicator.
|
|
178
178
|
4. **SAST + DAST coverage measurement.** Report: % of routes covered by SAST sinks, % covered by DAST in staging, findings-to-fix ratio over trailing 90 days. A SAST programme that finds and does not fix is theater (AGENTS.md DR-1 / Hard Rule #8).
|
|
179
179
|
5. **IAST in staging.** Instrumented runtime testing covers what SAST cannot (intent-dependent authorisation, runtime config). Required for any app handling regulated data (PII, PCI, PHI).
|
|
180
180
|
6. **Fuzz parser surfaces.** Hand off to `fuzz-testing-strategy` for any parser, deserialiser, or media-handler reachable from a public route. Fuzz corpus seeded from production traffic samples (sanitised).
|
|
@@ -95,8 +95,10 @@ Status of the learning-loop entry for each CVE currently in `data/cve-catalog.js
|
|
|
95
95
|
| CVE-2026-31431 (Copy Fail) | Yes | Yes (732-byte) | Yes (AI-discovered ~1h) | 90 | Complete — pre-run lesson encoded below; new control requirements CISA-KEV-RESPONSE-SLA, LIVE-PATCH-CAPABILITY, KERNEL-EXPLOITATION-DETECTION generated |
|
|
96
96
|
| CVE-2026-43284 (Dirty Frag — ESP/IPsec) | No | Yes (chain) | No | 38 | Complete — pre-run lesson encoded; new control requirements CRYPTO-SUBSYSTEM-INTEGRITY, PRE-PATCH-DISCLOSURE-RESPONSE generated |
|
|
97
97
|
| CVE-2026-43500 (Dirty Frag — RxRPC) | No | Yes (chain) | No | 32 | Complete — covered jointly with CVE-2026-43284 (chain partner) |
|
|
98
|
-
| CVE-2025-53773 (Copilot
|
|
99
|
-
| CVE-2026-30615 (Windsurf MCP RCE) | No | Partial | No (supply-chain) | 35 | Complete — pre-run lesson encoded; new control requirements MCP-SERVER-SIGNING, MCP-TOOL-ALLOWLIST, MCP-SUPPLY-CHAIN-AUDIT generated |
|
|
98
|
+
| CVE-2025-53773 (Copilot YOLO-mode RCE) | No | Yes (demonstrated) | Yes (AI tooling enables) | 30 | Complete — pre-run lesson encoded; new control requirements AI-TOOL-ACTION-AUTHORIZATION, AI-TOOL-INPUT-SANITIZATION, PROMPT-INJECTION-MONITORING generated |
|
|
99
|
+
| CVE-2026-30615 (Windsurf MCP local-vector RCE) | No | Partial | No (supply-chain) | 35 | Complete — pre-run lesson encoded; new control requirements MCP-SERVER-SIGNING, MCP-TOOL-ALLOWLIST, MCP-SUPPLY-CHAIN-AUDIT generated |
|
|
100
|
+
| CVE-2026-45321 (Mini Shai-Hulud TanStack npm worm) | Pending | Yes (worm in-wild) | No (engineering-grade chain) | n/a | Pre-run exemplar lesson encoded below (chained CI/CD primitives — Pwn Request + pnpm-store poisoning + OIDC theft); new control requirements PR-WORKFLOW-PRIVILEGE-CAP, ACTIONS-CACHE-INTEGRITY, OIDC-PUBLISH-AUDIT generated |
|
|
101
|
+
| MAL-2026-3083 (Elementary-Data PyPI worm — forged release via GitHub Actions script-injection) | No (OSSF Malicious Packages dataset; CISA KEV catalogues vendor CVEs only) | Yes (orphan commit + exfil domain confirmed in-wild during 8h window) | No (manual chain) | n/a | Pre-run exemplar lesson encoded below; control requirements GHACTIONS-EVENT-INTERPOLATION-BAN, INSTALL-HOOK-AUDIT, OSSF-MALPACKAGES-INGEST generated |
|
|
100
102
|
|
|
101
103
|
Per AGENTS.md DR-8: every new entry added to `data/cve-catalog.json` must produce a corresponding entry here and in `data/zeroday-lessons.json` before the catalog change ships. Any CVE in the catalog without a complete lesson entry is a pre-ship-checklist failure.
|
|
102
104
|
|
|
@@ -196,9 +198,9 @@ Output: Lesson entry for data/zeroday-lessons.json
|
|
|
196
198
|
|
|
197
199
|
---
|
|
198
200
|
|
|
199
|
-
### Lesson: CVE-2025-53773 (GitHub Copilot
|
|
201
|
+
### Lesson: CVE-2025-53773 (GitHub Copilot YOLO-Mode RCE)
|
|
200
202
|
|
|
201
|
-
**Attack vector:** Hidden prompt injection in
|
|
203
|
+
**Attack vector:** Hidden prompt injection in any agent-readable content (source comments, README, PR descriptions, retrieved docs, MCP tool responses) coerces Copilot agent mode to write `"chat.tools.autoApprove": true` to `.vscode/settings.json`. Every subsequent shell tool call then auto-approves; the demo runs `calc.exe` / `Calculator.app` via the auto-approved `run_in_terminal` tool. CVSS 7.8 / AV:L (local-vector — developer-side IDE interaction; the NVD-authoritative score was corrected from initial 9.6 / AV:N). Affected: Visual Studio 2022 17.14.0–17.14.11 (fixed 17.14.12); GitHub Copilot Chat extension predating the 2025-08 Patch Tuesday fix.
|
|
202
204
|
|
|
203
205
|
**What control should have prevented this:**
|
|
204
206
|
- Access control for AI tool actions: the developer's GitHub session was correctly authenticated. The RCE happened because the AI tool executed adversarial instructions with the developer's authorization context.
|
|
@@ -212,13 +214,13 @@ Output: Lesson entry for data/zeroday-lessons.json
|
|
|
212
214
|
|
|
213
215
|
3. **PROMPT-INJECTION-MONITORING**: Log all AI tool actions, including the content of prompts that triggered those actions. Alert on AI actions that deviate from the user's stated intent or that weren't preceded by an explicit user request.
|
|
214
216
|
|
|
215
|
-
**Framework coverage:** Missing entirely in all major frameworks. CVSS
|
|
217
|
+
**Framework coverage:** Missing entirely in all major frameworks. Even after the CVSS correction to 7.8 / AV:L (which reflects the local-vector reality, not severity), there is no framework control category for "prompt-injection-driven autoApprove escalation" — the bottleneck on the *attack* is a settings-file write that IS detectable as an IOC, but no framework currently mandates monitoring it.
|
|
216
218
|
|
|
217
219
|
---
|
|
218
220
|
|
|
219
|
-
### Lesson: CVE-2026-30615 (Windsurf MCP
|
|
221
|
+
### Lesson: CVE-2026-30615 (Windsurf MCP Local-Vector RCE)
|
|
220
222
|
|
|
221
|
-
**Attack vector:** Malicious MCP server
|
|
223
|
+
**Attack vector:** Malicious MCP server drives RCE in the AI assistant's user context once installed. The attack vector is local (AV:L) — the attacker must control HTML content the Windsurf MCP client processes; supply-chain prerequisite (typosquatting, dependency confusion, or compromise of a legitimate server) puts the malicious server in front of the client. CVSS 8.0 (NVD-authoritative; corrected from initial 9.8 / AV:N). 150M+ combined downloads of MCP-capable AI coding assistants share the architectural surface.
|
|
222
224
|
|
|
223
225
|
**New control requirements generated:**
|
|
224
226
|
|
|
@@ -248,6 +250,48 @@ Output: Lesson entry for data/zeroday-lessons.json
|
|
|
248
250
|
|
|
249
251
|
---
|
|
250
252
|
|
|
253
|
+
### Lesson: CVE-2026-45321 (Mini Shai-Hulud TanStack npm worm)
|
|
254
|
+
|
|
255
|
+
**Attack vector:** Engineering-grade three-primitive chain against the TanStack monorepo, disclosed 2026-05-11. (1) `pull_request_target` on `bundle-size.yml` runs fork-PR code with base-repo permissions (classic Pwn Request). (2) That run poisons the `actions/cache` pnpm-store under the key `Linux-pnpm-store-${hashFiles('**/pnpm-lock.yaml')}` that `release.yml` later restores. (3) On the next main push, `release.yml` (which has `id-token: write` for npm publish) restores the poisoned cache and the worm captures the OIDC token. 84 malicious versions published across 42 @tanstack/* packages between 2026-05-11 19:20-19:26 UTC. ~150M weekly downloads in scope. CVSS 9.6; CISA KEV pending. Attribution: TeamPCP. No AI-assisted exploit-development attribution for this specific instance, but the chain shape is exactly what AML.T0016-class capability-development produces at AI cadence — chained CI/CD primitives that no individual component owner recognises as exploitable.
|
|
256
|
+
|
|
257
|
+
**What control should have prevented this:**
|
|
258
|
+
- Workflow-privilege isolation: `pull_request_target` should never run fork-PR code with base-repo permissions in the same job as cache writes. The chain is broken if the bundle-size workflow runs with `permissions: contents: read` and writes to a separate cache key.
|
|
259
|
+
- Cache integrity: `actions/cache` keyed by `hashFiles('**/pnpm-lock.yaml')` is attacker-influenceable when the same key is restored by a privileged downstream workflow. Restore-only-on-verified-publisher caches or per-job cache namespacing breaks the link.
|
|
260
|
+
- OIDC token scoping: the publish job's `id-token: write` should be bound to a job that does *not* restore externally-influenced caches. Token scope minimisation per AGENTS.md DR-1 (no orphaned-privilege workflows).
|
|
261
|
+
|
|
262
|
+
**New control requirements generated:**
|
|
263
|
+
|
|
264
|
+
1. **PR-WORKFLOW-PRIVILEGE-CAP**: Any workflow triggered by `pull_request_target`, `pull_request` from forks, or `issue_comment` MUST declare `permissions: contents: read` at the top level and MUST NOT write to `actions/cache` keys that any other workflow restores. Static analysis at PR merge time.
|
|
265
|
+
2. **ACTIONS-CACHE-INTEGRITY**: Cache keys used by publish-capable workflows MUST be namespaced per-job and MUST NOT include `${{ hashFiles(...) }}` expressions that fork PRs can influence. Where shared caches are unavoidable, restore-then-verify against an out-of-band integrity record before use.
|
|
266
|
+
3. **OIDC-PUBLISH-AUDIT**: Every npm / container registry / cloud-provider OIDC token issuance from CI must be audit-logged with the job's full permission set, the workflow file SHA, and the cache keys it restored. Anomalies (cache restored from a key written by a different workflow) must alert.
|
|
267
|
+
|
|
268
|
+
**Exposure scoring:**
|
|
269
|
+
- Any consumer that ran `npm install` / `pnpm install` between 2026-05-11 19:20Z and 2026-05-11 ~21:00Z (yank propagation window) with a `@tanstack/*` package in their dependency tree is suspect. Lockfile resolution time-stamp is the join key.
|
|
270
|
+
- Coverage failure: no major framework requires CI workflow-privilege static analysis. Supply-chain controls (SA-12, A.5.19) address vendor SaaS not GitHub Actions workflow files.
|
|
271
|
+
|
|
272
|
+
---
|
|
273
|
+
|
|
274
|
+
### Lesson: MAL-2026-3083 (Elementary-Data PyPI Worm — Forged Release via GitHub Actions Script Injection)
|
|
275
|
+
|
|
276
|
+
**Attack vector:** Disclosed 2026-04-24, OSSF Malicious Packages primary key (no CVE assigned as of 2026-05-13; OSV-native MAL-2026-3083, Snyk cross-reference SNYK-PYTHON-ELEMENTARYDATA-16316110, kam193 campaign id `pypi/2026-04-compr-elementary-data`). Attacker abused a GitHub Actions script-injection sink in `.github/workflows/update_pylon_issue.yml`: the workflow interpolated `${{ github.event.comment.body }}` directly into a `run:` shell script. Commenting on any open PR was sufficient to execute attacker-controlled shell with the elevated `GITHUB_TOKEN`. Attacker forged orphan commit `b1e4b1f3aad0d489ab0e9208031c67402bbb8480` (still readable on GitHub) and the workflow built and published `elementary-data==0.23.3` to PyPI with an install-time `.pth`-file payload. Window of live exposure: 2026-04-24 22:20Z → 2026-04-25 ~06:30Z (~8 hours). 1.1M monthly downloads in scope. CVSS 9.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exfiltration domain (`skyhanni.cloud` subdomain) was active throughout the window.
|
|
277
|
+
|
|
278
|
+
**What control should have prevented this:**
|
|
279
|
+
- GitHub Actions hygiene: never interpolate `${{ github.event.* }}` into a `run:` script — use the value as an environment variable instead so the shell tokeniser treats it as data. Static-analysis tools (`zizmor`, `Octoscan`) flag this class.
|
|
280
|
+
- Install-hook auditing: `.pth` files run at every `import` of any package in the same site-packages directory. The MAL-2026-3083 payload is invisible to `pip install --dry-run` but visible in the wheel's `RECORD` file. `pip install --require-hashes` plus consumer-side `pip-audit --strict` against the OSSF Malicious Packages dataset would have caught the malicious version.
|
|
281
|
+
- Ingest-time intel: OSSF Malicious Packages publishes within minutes of detection. A consumer pipeline that ingests OSSF + Snyk + npm advisory feeds with sub-hour latency closes the window in proportion to the attacker's, not in proportion to vendor advisory cadence.
|
|
282
|
+
|
|
283
|
+
**New control requirements generated:**
|
|
284
|
+
|
|
285
|
+
1. **GHACTIONS-EVENT-INTERPOLATION-BAN**: Static-analysis gate on every CI pipeline: reject any workflow that interpolates `${{ github.event.* }}` (or `github.head_ref`, `inputs.*` from untrusted sources) directly into `run:` shell. Required tooling: `zizmor` / `Octoscan` / `actionlint` with the script-injection rule enabled. Hard fail on PR merge.
|
|
286
|
+
2. **INSTALL-HOOK-AUDIT**: Pre-install scan of every wheel / sdist for install-time hooks (`.pth` files, `setup.py` execution, `pyproject.toml` build hooks). Any package adding a `.pth` file that imports network code at module-load time gets quarantined for review. Tooling: `pip-audit` plus a custom `.pth`-file diff rule.
|
|
287
|
+
3. **OSSF-MALPACKAGES-INGEST**: Subscribe to the OSSF Malicious Packages OSV feed with sub-hour latency and apply it as a hard-block at the dependency resolver. Any organisation whose dependency pipeline is anchored to NVD CVE feeds alone misses MAL-2026-3083 entirely — there is no CVE ID, just an OSSF / Snyk / kam193 advisory. This control closes the AGENTS.md DR-1 (no stale threat intel) loop for the OSV-native malicious-package class.
|
|
288
|
+
|
|
289
|
+
**Exposure scoring:**
|
|
290
|
+
- Anyone who `pip install`-ed `elementary-data` between 2026-04-24 22:20Z and 2026-04-25 ~06:30Z inside a dbt analytics pipeline (or any virtualenv where `elementary-data==0.23.3` resolved) was hit. The install-hook fires at the *next* import in the affected venv, which can be hours-to-days after the install.
|
|
291
|
+
- Coverage failure: NVD CVE feed coverage is structurally zero (no CVE issued); SOC playbooks that filter on "is there a CVE ID?" miss the entire OSV-native class. OSSF Malicious Packages + Snyk Advisor + kam193 campaign feeds are the operational intel layer.
|
|
292
|
+
|
|
293
|
+
---
|
|
294
|
+
|
|
251
295
|
## Analysis Procedure for New Zero-Days
|
|
252
296
|
|
|
253
297
|
When a user provides a new CVE or vulnerability description:
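Review bot: The exposure-scoring bullet for MAL-2026-3083 misstates when the `.pth` payload runs — `site.py` processes `.pth` files once at interpreter startup, not on every `import`, so the trigger is the next Python process started in the affected venv (a scheduled dbt run, a CI job), and the same wording in the INSTALL-HOOK-AUDIT rationale needs the same fix; suggest `The payload fires at the next interpreter start in that venv (site.py evaluates .pth files at startup), which can be hours-to-days after the install.`. The CVSS line in the same lesson pairs a 9.3 score with a v3-style vector (`AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`), which scores 9.8 under CVSS 3.x — 9.3 looks like a CVSS 4.0 value, so either the vector should be written in 4.0 form or the score should read 9.8, and the matching `data/cve-catalog.json` entry should be checked for the same inconsistency. In the TanStack lesson, `permissions: contents: read` does not stop a `pull_request_target` job from saving to `actions/cache` (cache save needs no repository write scope, and a run on the `pull_request_target` trigger writes into the base-branch cache scope that `release.yml` restores from), so the "chain is broken if…" sentence should say the link is cut by not saving caches from untrusted triggers at all, with per-workflow key namespacing as defense-in-depth rather than the primary control.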
|
|
@@ -34,7 +34,7 @@
|
|
|
34
34
|
},
|
|
35
35
|
"worker-pool.js": {
|
|
36
36
|
"vendored_path": "vendor/blamejs/worker-pool.js",
|
|
37
|
-
"vendored_sha256": "
|
|
37
|
+
"vendored_sha256": "fa9814c2d18db221a2dc552cf2a5047467d87a2590cbc9d64b8a0a340e545b55",
|
|
38
38
|
"upstream_path": "lib/worker-pool.js",
|
|
39
39
|
"upstream_sha256_at_pin": "262f99e9cc3d4a8f4eba9ad3e28401e8a1f47f78040afa63c9b17eb998437171",
|
|
40
40
|
"stripped": [
|
|
@@ -48,6 +48,9 @@
|
|
|
48
48
|
"create(scriptPath, opts) -> { run, drain, terminate, stats }",
|
|
49
49
|
"bounded size + maxQueueDepth + taskTimeoutMs",
|
|
50
50
|
"worker recycle on uncaught error / timeout / exit"
|
|
51
|
+
],
|
|
52
|
+
"exceptd_deltas": [
|
|
53
|
+
"scriptPath validator rejects Windows UNC + extended-path prefixes (\\\\?\\, \\\\.\\, \\\\<server>\\) — defense-in-depth against worker-spawn from network shares on win32 platforms"
|
|
51
54
|
]
|
|
52
55
|
}
|
|
53
56
|
}
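Review bot: The `exceptd_deltas` note describes rejecting the `\\?\` prefix as a network-share defense, but `\\?\` is also the Windows extended-length prefix for purely local paths (`\\?\C:\...`, which is what `path.toNamespacedPath` emits); only `\\?\UNC\...` and `\\server\share` forms denote shares, so the validator as described also refuses legitimate long local script paths. If that trade-off is intentional the manifest should say so, e.g. `rejects UNC (\\\\server\\share, \\\\?\\UNC\\) and device (\\\\.\\) prefixes; extended-length local paths (\\\\?\\C:\\) are rejected by design, pass normalised drive-letter paths`; otherwise the validator in `lib/worker-pool.js` (not visible here) should exempt `\\?\<drive>:`. Presumably the verify path now compares the vendored bytes against `vendored_sha256` rather than `upstream_sha256_at_pin`, since only the former changed in this hunk — worth confirming, as the pin hash no longer matches the shipped file.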
|