@blamejs/exceptd-skills 0.12.13 → 0.12.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (87)
  1. package/CHANGELOG.md +150 -0
  2. package/bin/exceptd.js +147 -9
  3. package/data/_indexes/_meta.json +45 -45
  4. package/data/_indexes/activity-feed.json +4 -4
  5. package/data/_indexes/catalog-summaries.json +29 -29
  6. package/data/_indexes/chains.json +3238 -3210
  7. package/data/_indexes/frequency.json +3 -0
  8. package/data/_indexes/jurisdiction-map.json +5 -3
  9. package/data/_indexes/section-offsets.json +712 -685
  10. package/data/_indexes/theater-fingerprints.json +1 -1
  11. package/data/_indexes/token-budget.json +355 -340
  12. package/data/atlas-ttps.json +144 -129
  13. package/data/attack-techniques.json +319 -76
  14. package/data/cve-catalog.json +515 -475
  15. package/data/cwe-catalog.json +1081 -759
  16. package/data/exploit-availability.json +63 -15
  17. package/data/framework-control-gaps.json +867 -843
  18. package/data/rfc-references.json +276 -276
  19. package/keys/EXPECTED_FINGERPRINT +1 -0
  20. package/lib/auto-discovery.js +21 -4
  21. package/lib/cross-ref-api.js +39 -6
  22. package/lib/cve-curation.js +18 -5
  23. package/lib/lint-skills.js +6 -1
  24. package/lib/playbook-runner.js +742 -78
  25. package/lib/refresh-external.js +40 -22
  26. package/lib/refresh-network.js +193 -17
  27. package/lib/scoring.js +20 -7
  28. package/lib/source-ghsa.js +219 -37
  29. package/lib/source-osv.js +381 -122
  30. package/lib/validate-catalog-meta.js +64 -9
  31. package/lib/validate-cve-catalog.js +56 -18
  32. package/lib/validate-indexes.js +88 -37
  33. package/lib/verify.js +72 -0
  34. package/manifest-snapshot.json +1 -1
  35. package/manifest-snapshot.sha256 +1 -0
  36. package/manifest.json +73 -73
  37. package/orchestrator/dispatcher.js +21 -1
  38. package/orchestrator/event-bus.js +52 -8
  39. package/orchestrator/index.js +279 -20
  40. package/orchestrator/pipeline.js +63 -2
  41. package/orchestrator/scanner.js +32 -10
  42. package/orchestrator/scheduler.js +150 -17
  43. package/package.json +3 -1
  44. package/sbom.cdx.json +7 -7
  45. package/scripts/check-manifest-snapshot.js +32 -0
  46. package/scripts/check-sbom-currency.js +65 -3
  47. package/scripts/check-test-coverage.js +142 -19
  48. package/scripts/predeploy.js +83 -39
  49. package/scripts/refresh-manifest-snapshot.js +55 -4
  50. package/scripts/validate-vendor-online.js +169 -0
  51. package/scripts/verify-shipped-tarball.js +106 -3
  52. package/skills/ai-attack-surface/skill.md +18 -10
  53. package/skills/ai-c2-detection/skill.md +7 -2
  54. package/skills/ai-risk-management/skill.md +5 -4
  55. package/skills/api-security/skill.md +3 -3
  56. package/skills/attack-surface-pentest/skill.md +5 -5
  57. package/skills/cloud-security/skill.md +1 -1
  58. package/skills/compliance-theater/skill.md +8 -8
  59. package/skills/container-runtime-security/skill.md +1 -1
  60. package/skills/dlp-gap-analysis/skill.md +5 -1
  61. package/skills/email-security-anti-phishing/skill.md +1 -1
  62. package/skills/exploit-scoring/skill.md +18 -18
  63. package/skills/framework-gap-analysis/skill.md +6 -6
  64. package/skills/global-grc/skill.md +3 -2
  65. package/skills/identity-assurance/skill.md +2 -2
  66. package/skills/incident-response-playbook/skill.md +4 -4
  67. package/skills/kernel-lpe-triage/skill.md +21 -2
  68. package/skills/mcp-agent-trust/skill.md +17 -10
  69. package/skills/mlops-security/skill.md +2 -1
  70. package/skills/ot-ics-security/skill.md +1 -1
  71. package/skills/policy-exception-gen/skill.md +3 -3
  72. package/skills/pqc-first/skill.md +1 -1
  73. package/skills/rag-pipeline-security/skill.md +7 -3
  74. package/skills/researcher/skill.md +20 -3
  75. package/skills/sector-energy/skill.md +1 -1
  76. package/skills/sector-federal-government/skill.md +1 -1
  77. package/skills/sector-financial/skill.md +3 -3
  78. package/skills/sector-healthcare/skill.md +2 -2
  79. package/skills/security-maturity-tiers/skill.md +7 -7
  80. package/skills/skill-update-loop/skill.md +19 -3
  81. package/skills/supply-chain-integrity/skill.md +1 -1
  82. package/skills/threat-model-currency/skill.md +11 -11
  83. package/skills/threat-modeling-methodology/skill.md +3 -3
  84. package/skills/webapp-security/skill.md +1 -1
  85. package/skills/zeroday-gap-learn/skill.md +51 -7
  86. package/vendor/blamejs/_PROVENANCE.json +4 -1
  87. package/vendor/blamejs/worker-pool.js +38 -0
@@ -41,8 +41,10 @@ cwe_refs:
41
41
  d3fend_refs:
42
42
  - D3-ASLR
43
43
  - D3-EAL
44
+ - D3-PA
44
45
  - D3-PHRA
45
46
  - D3-PSEP
47
+ - D3-SCP
46
48
  last_threat_review: "2026-05-13"
47
49
  ---
48
50
 
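Review bot: the frontmatter gains `D3-PA` and `D3-SCP` in `d3fend_refs`, but `last_threat_review: "2026-05-13"` is left as it was. If that field is meant to record when the skill's mappings were last reviewed, bump it in the same change; if it only tracks threat-data refreshes and not countermeasure edits, say so next to the field, otherwise a reader (or `lib/lint-skills.js`) cannot tell a current review from a stale one.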
@@ -130,7 +132,7 @@ Note: ATLAS refs are intentionally empty in frontmatter — these are Linux kern
130
132
 
131
133
  | CVE | CVSS | RWEP | CISA KEV | PoC Public | AI-Discovered | Active Exploitation | Patch Available | Live Patch | Reboot Required |
132
134
  |---|---|---|---|---|---|---|---|---|---|
133
- | CVE-2026-31431 (Copy Fail) | 7.8 | 90 | Yes (2026-03-15) | Yes — 732-byte script | Yes | Confirmed | Yes | Yes (kpatch/livepatch/kGraft) | Yes |
135
+ | CVE-2026-31431 (Copy Fail) | 7.8 | 90 | Yes (2026-05-01, due 2026-05-15) | Yes — 732-byte script | Yes | Confirmed | Yes | Yes (kpatch/livepatch/kGraft) | Yes |
134
136
  | CVE-2026-43284 (Dirty Frag ESP) | 7.8 | 38 | No | Yes | No | Suspected | Yes | No (kpatch RHEL-only) | Yes |
135
137
  | CVE-2026-43500 (Dirty Frag RxRPC) | 7.6 | 81 | No | Yes (chain component) | No | Suspected | Yes | Partial (kpatch) | Yes if no live patch |
136
138
 
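Review bot: the `CISA KEV` cell now packs two dates, `Yes (2026-05-01, due 2026-05-15)`, but the column header does not say what "due" refers to. Either widen the header to something like `CISA KEV (added / federal due)` or add a one-line note under the table so the pair is not read as a listing window. The CHANGELOG entry for this row should also state whether `2026-05-01` is a correction of the earlier `2026-03-15` value or a re-listing, since consumers of `data/cve-catalog.json` will treat those two cases differently.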
@@ -234,7 +236,7 @@ Additional exposure: any IPsec-based network control becomes unreliable
234
236
 
235
237
  Run this check for any org claiming patch management compliance:
236
238
 
237
- > "Your patch management control (SI-2 / A.8.8 / PCI 6.3.3) documents a 30-day remediation window for Critical/High CVEs. CVE-2026-31431 (Copy Fail) is CISA KEV listed with a public 732-byte exploit script requiring no privileges. What is the actual time between CISA KEV listing (2026-03-15) and confirmed patch-or-mitigate? If it exceeds 72 hours without live patching as a deployed capability, the patch management control is theater for CISA KEV class vulnerabilities."
239
+ > "Your patch management control (SI-2 / A.8.8 / PCI 6.3.3) documents a 30-day remediation window for Critical/High CVEs. CVE-2026-31431 (Copy Fail) is CISA KEV listed with a public 732-byte exploit script requiring no privileges. What is the actual time between CISA KEV listing (2026-05-01, federal due 2026-05-15) and confirmed patch-or-mitigate? If it exceeds 72 hours without live patching as a deployed capability, the patch management control is theater for CISA KEV class vulnerabilities."
238
240
 
239
241
  ### Step 6: Assess IPsec dependency
240
242
 
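Review bot: the quoted prompt keeps the 72-hour bar while the new text introduces a federal due date fourteen days after listing; the prompt should say explicitly that 72 hours is this skill's own threshold for a KEV-listed vulnerability with a public no-privilege exploit and not the federal deadline, otherwise an auditee can point to `2026-05-15` and call the control compliant. Also "federal due" here versus "due" in the table above: pick one wording for the same date.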
@@ -312,6 +314,23 @@ vm.unprivileged_userfaultfd = 0
312
314
 
313
315
  ---
314
316
 
317
+ ## Defensive Countermeasure Mapping
318
+
319
+ Maps the kernel LPE findings above to MITRE D3FEND techniques with explicit defense-in-depth layer position, least-privilege scope, and zero-trust posture (per AGENTS.md Hard Rule #9). Source: `data/d3fend-catalog.json`.
320
+
321
+ | D3FEND Technique | Mapping | Defense-in-Depth Layer | Least-Privilege Scope | Zero-Trust Posture |
322
+ |---|---|---|---|---|
323
+ | **D3-PSEP** (Process Segment Execution Prevention) | Counters T1068 page-cache CoW write primitives (Copy Fail) and adjacent kernel write-where exploits by enforcing NX / W^X on user-mapped segments and rejecting writeable-and-executable kernel mappings. | Layer 1 (Harden — kernel build flags + runtime mitigations: SMEP, SMAP, KPTI, KRG). | Per-system — the entire kernel image is the principal scope. | Treat every userspace write to a kernel-shared mapping as untrusted until verified by an immutable mapping policy; auditd / eBPF rules emit a tamper signal on any anomalous write path. |
324
+ | **D3-ASLR** (Address Space Layout Randomization) | Raises the cost of reliable kernel LPE exploitation by randomising kernel base and module load addresses; Copy Fail is deterministic without an info-leak primitive, so KASLR alone is not sufficient but is the first-floor mitigation against the broader class. | Layer 1 (Harden). | Per-boot — randomisation applies system-wide each boot. | Combine with `kernel.kptr_restrict=2` (already in the sysctl block above) so unprivileged processes cannot read kernel pointers that would defeat KASLR. |
325
+ | **D3-EAL** (Executable Allowlisting) | Restricts which userspace executables can run on the host. A Copy Fail PoC is a 732-byte binary; allowlisting denies unauthorised execution of any binary not on the allowlist, raising the cost of post-exploit shell payloads even when the in-kernel write itself succeeds. | Layer 2 (Harden — execve gate). | Per-system / per-workload — fleet baselines (gold images) define the allowlist; SOC / EDR enforces it. | Verify the binary identity on every `execve`; reject on hash mismatch. AGENTS.md rule #9: in ephemeral / serverless contexts bake the allowlist into the function image at build-time. |
326
+ | **D3-PHRA** (Process Hardware Resource Access) | Constrains hardware-resource access from userspace (page table writes via `/proc/self/mem`, `userfaultfd`, `process_vm_writev`) that the Copy Fail PoC relies on. The sysctl hardening above (`vm.unprivileged_userfaultfd=0`, `kernel.unprivileged_userns_clone=0`) is the D3-PHRA enforcement layer. | Layer 1 (Isolate — kernel-syscall surface). | Per-process — capability set + namespace + seccomp filter define the syscall allowlist. | Default-deny: an unprivileged process gets the minimum syscall surface and is denied `userfaultfd`, `unshare(CLONE_NEWUSER)`, and `process_vm_writev` unless explicitly required. |
327
+ | **D3-SCP** (System Call Filtering) | Per-container / per-workload seccomp profile blocks the syscalls Copy Fail abuses (`userfaultfd`, `process_vm_writev`, `pwritev2`) without requiring kernel patch. For container-escape variants (T1611 — Copy Fail in a privileged container), this is the only viable runtime mitigation between KEV-listing and the next reboot window. | Layer 2 (Isolate — runtime syscall gate). | Per-container — runtime profile is the principal scope. | Define a default-deny seccomp baseline; the host kernel patch is necessary but seccomp is the per-workload extension that survives an unpatched kernel during the live-patch deployment window. |
328
+ | **D3-PA** (Process Analysis) | Detects post-exploit anomalies — root shell spawned by previously-unprivileged process, suid-binary creation, capability escalation — that follow a Copy Fail-class write. The auditd and Falco / Tetragon rules in the Detection Rules section above are the D3-PA enforcement layer. | Layer 5 (Detect). | Per-host — SOC / EDR ingest the audit stream. | Continuously evaluate process lineage; alert on uid transitions, capability gains, or suid mounts that don't appear in the baseline. |
329
+
330
+ **Defense-in-depth posture:** the live-patch is the closure; the five D3FEND techniques above are the layers that must remain active *during* the live-patch deployment window. A SOC claiming "we have EDR" is at one D3FEND layer (D3-PA) for a six-layer-deep finding — the harden / isolate / detect stack collapses to a detect-only posture, and a kernel-write primitive that succeeds before EDR fires is unrecoverable. Per AGENTS.md rule #9: in ephemeral / serverless contexts, D3-PSEP / D3-EAL / D3-SCP / D3-PHRA are configured at image build time; the host-kernel layer remains the CSP's responsibility for managed runtimes, with the consumer responsible for the guest-OS posture on IaaS workloads.
331
+
332
+ ---
333
+
315
334
  ## Hand-Off / Related Skills
316
335
 
317
336
  After producing the kernel LPE triage output, the operator should chain into the following skills. Each entry names a downstream or sibling skill and the specific reason to invoke it from this finding.
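Review bot: the closing paragraph says "the five D3FEND techniques above" but the table has six rows (D3-PSEP, D3-ASLR, D3-EAL, D3-PHRA, D3-SCP, D3-PA), and the layer labels do not form one scale: both "Layer 1 (Harden ...)" and "Layer 1 (Isolate ...)" appear, as do "Layer 2 (Harden ...)" and "Layer 2 (Isolate ...)", then "Layer 5 (Detect)" with no layers 3 or 4, while the prose calls it "six-layer-deep". Define the layer numbering once (or replace numbers with the Harden / Isolate / Detect names) and fix the count. Two rows also overstate what the technique does: D3-EAL calls the PoC "a 732-byte binary" while the exposure table above calls it a "732-byte script", and execve allowlisting of binaries does not gate a script run through an allowlisted interpreter, so either state the interpreter-policy requirement or soften the claim; D3-PSEP (NX / W^X on user-mapped segments) does not counter a kernel page-cache write primitive, which executes nothing from a user segment, so the row should describe its actual role in this chain (blocking execution of any post-write payload staged in writable memory) rather than "counters ... write primitives".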
@@ -87,25 +87,31 @@ There is no mandatory:
87
87
 
88
88
  This means: a malicious or compromised MCP server can execute arbitrary code by simply returning adversarial instructions in tool responses, which the AI model then follows.
89
89
 
90
- ### CVE-2026-30615 — Windsurf MCP Zero-Interaction RCE
90
+ ### CVE-2026-30615 — Windsurf MCP Local-Vector RCE
91
91
 
92
- **CVSS:** 9.8 | **RWEP:** 94/100
92
+ **CVSS:** 8.0 (AV:L, NVD-authoritative; corrected from initial 9.8/AV:N) | **RWEP:** 35/100
93
93
 
94
- A vulnerability in the Windsurf MCP client that allows a malicious MCP server to achieve remote code execution without any user interaction. The user does not click anything, approve anything, or trigger any visible action. The AI assistant autonomously calls the malicious tool and the code executes.
94
+ A vulnerability in the Windsurf MCP client that allows a malicious MCP server to drive code execution in the user's context by returning attacker-controlled HTML the client processes. The attack vector is local — the attacker must first land a malicious MCP server in the user's installed set (typosquatting, supply-chain compromise, or social engineering). Once installed, the AI assistant invokes the tool and follows the adversarial response without an additional user-action gate.
95
95
 
96
- **Affected:** Windsurf (all versions before patch), and by architectural similarity: Cursor, VS Code MCP extension, Claude Code, Gemini CLI (each has its own vulnerability profile; CVE-2026-30615 is specific to Windsurf's implementation but the attack surface is identical across clients).
96
+ **Affected:** Windsurf (all versions before patch), and by architectural similarity: Cursor, VS Code MCP extension, Claude Code, Gemini CLI (each has its own vulnerability profile; CVE-2026-30615 is specific to Windsurf's implementation but the architectural attack surface is identical across clients).
97
97
 
98
- **Scale:** 150M+ combined downloads across affected AI coding assistants.
98
+ **Scale:** 150M+ combined downloads across affected MCP-capable AI coding assistants.
99
99
 
100
100
  **Attack path:**
101
101
  1. Attacker publishes malicious MCP server to npm or creates a typosquatting package
102
102
  2. Developer installs the package (or a legitimate package is compromised via supply chain)
103
103
  3. AI assistant starts, connects to MCP server, receives tool list
104
104
  4. At any future point: AI assistant calls a tool on the malicious server (possibly triggered by a prompt injection in a code comment, PR description, or documentation)
105
- 5. MCP server returns a response containing adversarial instructions
105
+ 5. MCP server returns a response containing adversarial HTML / instructions the Windsurf client renders or relays back to the agent loop
106
106
  6. AI assistant follows the instructions — executes code, exfiltrates files, persists backdoor
107
107
 
108
- No user interaction required after installation.
108
+ The attack vector is local (AV:L): no network-side exploitation; the attacker's content must reach the client through the installed MCP server.
109
+
110
+ ### CVE-2026-39884 — mcp-server-kubernetes Argument Injection
111
+
112
+ **CVSS:** 8.3 (AV:N/AC:L/PR:L/UI:N) | Patched in mcp-server-kubernetes 3.5.0+
113
+
114
+ A second-order example of the MCP trust failure pattern. Flux159's mcp-server-kubernetes (a popular MCP server granting AI assistants `kubectl` control) built kubectl command lines by `.split(' ')`-ing a string instead of using an argv array. The `port_forward` tool's `resourceName` parameter therefore allowed an attacker who controlled prompt content (RAG-poisoned docs, commit messages, retrieved tool responses) to inject space-delimited kubectl flags — e.g. `resourceName='pod-name --address=0.0.0.0'` binds the port-forward to all interfaces, `-n kube-system` redirects to an attacker-chosen namespace. Upstream gates exploitation on PR-injection / RAG-poisoning rather than direct network reach, but once a tainted resourceName reaches the tool, the MCP server is the abuse channel for cluster-scope kubectl. This is exactly the AML.T0010 + adversarial-tool-input pattern the trust-tier model in Step 5 below classifies — apply tool allowlisting (drop `port_forward` until 3.5.0+) and argv-array auditing to any MCP server that shells out to a CLI.
109
115
 
110
116
  ### Supply Chain Attack Surface
111
117
 
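Review bot: the new CVE-2026-39884 paragraph presents the argv-array refactor as the fix and "argv-array auditing" as the general guidance, but an argv array only stops the space-split injection; a `resourceName` whose entire value is `--address=0.0.0.0` would still reach kubectl as a flag. Pair the recommendation with validation of `resourceName` against the Kubernetes object-name grammar (lowercase alphanumerics, `-` and `.`, no leading `-`) and, where the CLI honours it, a `--` separator before positional arguments. The CVSS cell `8.3 (AV:N/AC:L/PR:L/UI:N)` is a partial vector; give the full vector string or cite the advisory it comes from. Finally, the CVE-2026-30615 heading now says "Local-Vector" while attack-path step 1 still reads "publishes malicious MCP server to npm"; one sentence making the distinction (network-distributed package, local execution vector) would stop readers seeing those as a contradiction.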
@@ -143,11 +149,11 @@ Every MCP server listed in popular registries (MCP Hub, npm `@modelcontextprotoc
143
149
  | ATLAS/ATT&CK ID | Technique | MCP Relevance | Gap |
144
150
  |---|---|---|---|
145
151
  | AML.T0010 | ML Supply Chain Compromise | Direct: malicious MCP server in public registry compromises AI assistant's tool execution | ATLAS covers this conceptually; no framework has a technical control |
146
- | AML.T0054 | Craft Adversarial Data — NLP | Indirect: adversarial prompt in tool response triggers AI to call next malicious action | No framework control |
152
+ | AML.T0054 | LLM Jailbreak | Indirect: adversarial prompt in tool response bypasses guardrails and triggers AI to call next malicious action | No framework control |
147
153
  | AML.T0096 | LLM Integration Abuse | AI assistant is the integration point being abused — MCP tool calls are the mechanism | Not in ATT&CK; only in ATLAS v5.1.0 |
148
154
  | T1195.001 | Supply Chain Compromise: Compromise Software Dependencies | MCP server package as supply chain attack target | ATT&CK covers but enterprise controls don't reach developer MCP configs |
149
155
  | T1059 | Command and Script Interpreter | MCP server causes shell command execution via model-mediated tool call | Standard SI-3/EDR doesn't attribute this to the MCP server as origin |
150
- | T1190 | Exploit Public-Facing Application | CVE-2026-30615: MCP client vulnerability exploited by server | Standard vuln management covers client; MCP server trust is unaddressed |
156
+ | T1190 | Exploit Public-Facing Application | CVE-2026-30615: MCP client vulnerability driven by a locally-installed malicious server (AV:L) | Standard vuln management covers client; MCP server trust is unaddressed |
151
157
 
152
158
  ---
153
159
 
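Review bot: the edited T1190 row keeps "Exploit Public-Facing Application" for CVE-2026-30615 while the same cell now says the vector is a locally installed malicious server (AV:L); T1190 is for network-reachable services, so the mapping contradicts the correction made in the paragraph above. T1195.001 (already in this table) for the install step, with T1059 for the resulting execution, fits the described path; if T1190 is kept deliberately, the Gap column should say why.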
@@ -157,7 +163,8 @@ Sourced from `data/cve-catalog.json` and `data/exploit-availability.json` as of
157
163
 
158
164
  | Threat | CVSS | RWEP | PoC Public? | CISA KEV? | AI-Accelerated Weaponization? | Patch Available? | Reboot / Version Bump Required? |
159
165
  |---|---|---|---|---|---|---|---|
160
- | CVE-2026-30615 (Windsurf MCP zero-interaction RCE) | 9.8 | 35 | Partial — conceptual exploit demonstrated; weaponization stage `partial` | No (architectural class; not in KEV catalog as of 2026-05) | No direct AI-assisted weaponization recorded; the attack vector itself rides on the AI agent's tool-call autonomy | Yes — vendor IDE update | IDE update / version bump required (no reboot); `live_patch_available: true` via vendor channel |
166
+ | CVE-2026-30615 (Windsurf MCP local-vector RCE) | 8.0 | 35 | Partial — conceptual exploit demonstrated; weaponization stage `partial` | No (architectural class; not in KEV catalog as of 2026-05) | No direct AI-assisted weaponization recorded; the attack vector itself rides on the AI agent's tool-call autonomy | Yes — vendor IDE update | IDE update / version bump required (no reboot); `live_patch_available: true` via vendor channel |
167
+ | CVE-2026-39884 (Flux159 mcp-server-kubernetes argument injection) | 8.3 | n/a | Yes — GHSA-4xqg-gf5c-ghwq publishes the PoC (port_forward `resourceName='pod --address=0.0.0.0'`) | No | No direct AI-assisted weaponization; the bug is reached by tricking the assistant via prompt injection in retrieved docs / commit messages into passing a tainted resourceName | Yes — upgrade mcp-server-kubernetes to 3.5.0+ (argv-array refactor); workaround: disable `port_forward` in MCP allowlist | Version bump on the MCP server side; no client reboot |
161
168
  | MCP supply chain compromise — typosquatting / dependency confusion (ATLAS AML.T0010) | N/A (technique, not vendor CVE) | N/A | Yes — public typosquatting incidents in `@modelcontextprotocol/*` namespace observed | No (technique class) | Yes — AI assistants accelerate writing of convincing malicious tool descriptions | Mitigation only: pin versions, verify npm provenance attestation, enforce allowlist | Re-install / pin to known-good version |
162
169
  | Adversarial tool response → indirect prompt injection (ATLAS AML.T0054 in MCP context) | N/A (technique, not vendor CVE) | N/A | Yes — public research demonstrations; weaponizable wherever output is unsanitized | No | Yes — adversarial instruction crafting is a documented AI-accelerated capability | Mitigation only: output sanitization, system-prompt authority hierarchy, tool allowlisting | Client configuration change; no version bump strictly required |
163
170
  | AML.T0096 — MCP tool call as covert C2 conduit | N/A (technique) | N/A | Yes — SesameOp-class techniques apply when an MCP tool call is the relay | No | Yes — see `data/atlas-ttps.json` AML.T0096 real-world instances | Mitigation only: process-level AI/MCP egress monitoring | Configuration / monitoring change |
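Review bot: the unchanged row "Adversarial tool response → indirect prompt injection (ATLAS AML.T0054 in MCP context)" still maps indirect prompt injection to AML.T0054, which this same diff renames to "LLM Jailbreak" in the table above and in policy-exception-gen; the prompt-injection technique used elsewhere in the diff is AML.T0051, so re-map the row or explain the choice. The new CVE-2026-39884 row leaves RWEP as `n/a` even though `lib/scoring.js` and `data/exploit-availability.json` change in this release; either score it or state why it is unscored. The PoC cell also repeats the exact injection string; "public PoC in GHSA-4xqg-gf5c-ghwq" is enough for a summary table.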
@@ -76,6 +76,7 @@ The defining realities for mid-2026:
76
76
  - **Training-data poisoning is documented operational practice, not academic exercise.** Hugging Face has executed periodic model and dataset takedowns through 2024-2026 for embedded backdoor weights and poisoned training corpora; the Mithril repository takedown in 2024 (embedded backdoor in distributed model weights) is the canonical public reference. Academic demonstrations of small-fraction targeted poisoning (BadNets, TrojanNN, BackdoorBench) show that <1% of training samples can achieve targeted misclassification at >90% attack success — this is the AML.T0020 class made concrete.
77
77
  - **Model weights are native binary artifacts that execute on load.** PyTorch `.pt` checkpoints in code-executing serialization (Python object-graph serialization) are CWE-502 deserialization vectors; periodic CVEs against PyTorch and TensorFlow demonstrate arbitrary code execution via crafted checkpoints (TorchServe deserialization issues, TensorFlow `SavedModel` deserialization, ONNX shape-inference parsers). GGUF format gaps are still maturing — parsing logic for quantized LLM weights has produced multiple memory-safety findings in 2025-2026. Hash-pinning a malicious blob does not prevent execution; only signature verification against a pinned publishing key (Sigstore keyless or OpenSSF model-signing) plus a non-executing format (safetensors) closes the class. See `supply-chain-integrity` for the artifact-layer treatment; this skill addresses the MLOps-pipeline integration.
78
78
  - **Deployment-pipeline compromise is a transitive supply chain.** The chain runs AI-codegen IDE (Copilot, Cursor, Claude Code) → notebook (Jupyter, Colab, Databricks) → training-run orchestrator (Kubeflow, Vertex, SageMaker) → model registry (MLflow Registry, SageMaker Model Registry, Vertex Model Registry, Hugging Face Hub) → deployment pipeline (KServe, SageMaker endpoint, Vertex endpoint, Azure ML online endpoint) → inference service. Each step is a handoff where provenance can be lost. AML.T0010 (ML Supply Chain Compromise) sub-techniques AML.T0010.001 (ML framework), AML.T0010.002 (model repository), and AML.T0010.003 (MCP server) are now all realized attack classes.
79
+ - **MAL-2026-3083 (Elementary-Data PyPI worm, 2026-04-24) is the operational case for the data-observability subclass of MLOps supply chain.** A GitHub Actions script-injection sink in `.github/workflows/update_pylon_issue.yml` — `${{ github.event.comment.body }}` interpolated directly into a `run:` shell script — let any commenter on any open PR forge a release. The attacker pushed an orphan commit (`b1e4b1f3aad0d489ab0e9208031c67402bbb8480`, still readable on GitHub) and the workflow built and published `elementary-data==0.23.3` to PyPI with an install-time `.pth` payload that exfiltrated env vars and credentials to a `skyhanni.cloud` subdomain. Window of live exposure: 2026-04-24 22:20Z → 2026-04-25 ~06:30Z (~8 hours). 1.1M monthly downloads in scope — anyone pip-installing elementary-data during the window inside a dbt analytics pipeline got hit. Cross-references: SNYK-PYTHON-ELEMENTARYDATA-16316110, kam193 campaign id `pypi/2026-04-compr-elementary-data`. Implication for MLOps: data-observability tooling sits *inside* the training-data lineage path — a poisoned elementary-data release that ran during a feature-engineering pipeline puts attacker code in front of every training dataset the pipeline ingested. Mitigation: per-package install audit-log review for `.pth`-file installation, `pip install --require-hashes`, `safety check` / `pip-audit` against the OSSF Malicious Packages dataset (which is where MAL-2026-3083's primary key resolves).
79
80
  - **Drift detection often only watches accuracy on labeled holdout sets, missing semantic-drift caused by silent input distribution shift or active adversarial probing.** Most production drift dashboards (Evidently, Arize, Fiddler, WhyLabs) instrument data-quality and accuracy regression but stop short of adversarial-input detection or output anomaly profiling. AML.T0043 (Craft Adversarial Data) is the class missed.
80
81
  - **Experiment-tracking systems are credential goldmines.** MLflow tracking servers, Weights & Biases workspaces, and Vertex Experiments routinely contain API keys, dataset access tokens, and customer-data sample rows in run artifacts. Public CVEs against MLflow (path-traversal, SSRF, authentication bypass — CVE-2023-43472 class and follow-ons through 2024-2025) demonstrate this is not theoretical. Model registries without RBAC are de-facto unauthenticated.
81
82
  - **The feedback loop is a poisoning vector.** Production models that retrain on human feedback, click-through data, or LLM-as-judge labels close the loop adversaries already exploit: AML.T0043 (Craft Adversarial Data) → feedback collection → retrain → poisoned model in production. The defense is provenance on every retrain plus statistical detection of feedback distribution shift.
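Review bot: the MAL-2026-3083 bullet's mitigation list is entirely install-side (`.pth` audit-log review, `pip install --require-hashes`, `pip-audit`) while the root cause it describes is a GitHub Actions expression injection (`${{ github.event.comment.body }}` interpolated into `run:`). Add the workflow-side control, passing event data into the step through an `env:` variable and quoting it in the script, and restricting the publish job to a protected environment, so the bullet does not read as if consumers alone could have prevented it. The bullet is also several times the length of its siblings; moving the timeline and the identifiers (commit hash, Snyk id, kam193 campaign id) into a sub-list would keep the list scannable.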
@@ -118,7 +119,7 @@ Descriptions sourced from `data/atlas-ttps.json` (ATLAS v5.1.0, released 2025-11
118
119
  | AML.T0018 | Manipulate AI Model (sub-techniques: Poison Training Data, Trojan Model via direct weight manipulation, Federated Learning Poisoning) | Training pipeline and post-training tampering — adversary modifies weights either through poisoned training data persisted into weights or through direct binary edit of an unsigned checkpoint | No framework requires model-weight signature verification at registry write and at deployment read; CWE-502 deserialization risk on `.pt` / `SavedModel` is unmapped to compliance control |
119
120
  | AML.T0020 | Poison Training Data (sub-techniques: Inject at Scale, Craft Targeted, RAG Knowledge Base Poisoning) | Data ingestion → feature store → training. Adversary contaminates training corpus to embed targeted misbehavior. Sub-technique AML.T0020.002 is RAG-side (see `rag-pipeline-security`); AML.T0020.000 / 001 are MLOps-side. | No framework requires training-data lineage attestation, source signing, or poisoning-detection scanning at ingestion. EU AI Act Art. 10 requires data-governance documentation but not cryptographic attestation. |
120
121
  | AML.T0043 | Craft Adversarial Data (White-Box, Black-Box, Physical) | Inference serving and feedback loop — adversary crafts inputs to either cause misclassification at inference time or to poison the feedback corpus when feedback is logged for retraining | No framework requires adversarial-robustness testing for deployed models or adversarial-input detection at the serving layer; AI RMF MEASURE-2.5 recommends but does not require |
121
- | AML.T0017 | Discover ML Model Family / Ontology (Probe, Extract System Prompt, Map Filters) | Model registry exposure — adversary maps deployed model family, extracts metadata, infers training corpus, harvests prompts and guardrails | No framework requires model-registry RBAC at the granularity needed (per-project read scoping, signed registry queries, audit of model-extraction-pattern queries) |
122
+ | AML.T0017 | Discover ML Model Ontology (Probe, Extract System Prompt, Map Filters) | Model registry exposure — adversary maps deployed model family, extracts metadata, infers training corpus, harvests prompts and guardrails | No framework requires model-registry RBAC at the granularity needed (per-project read scoping, signed registry queries, audit of model-extraction-pattern queries) |
122
123
  | T1195.001 | Supply Chain Compromise: Software Dependencies and Development Tools | Training pipeline dependency chain — Python wheels, CUDA drivers, ML framework versions, notebook kernels | SCA detects known-vulnerable; XZ-class novel compromise is not detectable without SLSA L3 + reproducible builds for the training environment |
123
124
  | T1565 | Data Manipulation (Stored, Transmitted, Runtime) | Cross-cuts every MLOps stage — manipulation of stored training data, transmitted features to inference, or runtime model state | SI-7 maps to traditional file/firmware integrity; extending to feature-store payload integrity and embedding-space integrity is not in current control |
124
125
 
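Review bot: the technique title changes to "Discover ML Model Ontology" but the Relevance cell still opens with "adversary maps deployed model family"; if "Family" was dropped because the ATLAS v5.1.0 title changed, drop it from the description too (or keep the old name), and confirm the title matches the entry in `data/atlas-ttps.json`, which also changes in this release.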
@@ -114,7 +114,7 @@ ATT&CK for ICS is a separate matrix from Enterprise. Many IT-rooted SOCs do not
114
114
 
115
115
  | Surface / CVE Class | CVSS | RWEP | CISA KEV | PoC Public | AI-Discovered | Active Exploitation | Patch Available | Live-Patchable | OT-Aware Detection |
116
116
  |---|---|---|---|---|---|---|---|---|---|
117
- | IT/OT bridge — HMI Linux host hit by Copy Fail (CVE-2026-31431) | 7.8 | 90 | Yes (2026-03-15) | Yes — 732-byte script | Yes | Confirmed | Yes | Yes (kpatch/livepatch/kGraft) on supported distros; rare in OT brownfield | Partial — auditd/eBPF rules apply if deployable on HMI host |
117
+ | IT/OT bridge — HMI Linux host hit by Copy Fail (CVE-2026-31431) | 7.8 | 90 | Yes (2026-05-01, due 2026-05-15) | Yes — 732-byte script | Yes | Confirmed | Yes | Yes (kpatch/livepatch/kGraft) on supported distros; rare in OT brownfield | Partial — auditd/eBPF rules apply if deployable on HMI host |
118
118
  | IT/OT bridge — HMI Windows host LPE (Print Spooler / win32k family) | varies | varies | Some entries KEV-listed | Yes | Mixed | Confirmed | Yes for in-support; out-of-support HMIs are exposed permanently | No — Windows live-patch is limited to Hotpatch on supported builds | EDR if deployable; many OT EDR carve-outs |
119
119
  | Vendor-side OT CVEs (Siemens, Rockwell, Schneider, ABB, GE Vernova) | varies | varies | Several KEV listings 2024–2026 | Mixed — vendor disclosures only sometimes accompanied by PoC | Increasing AI-assisted RE | Targeted exploitation by Sandworm-aligned and Volt-Typhoon-aligned actors | Vendor-dependent — typical lag 60–180 days; deploy lag 1–5 years | No — firmware updates require change windows | ICS-aware IDS (Claroty, Nozomi, Dragos, Tenable OT) detection signature lag varies |
120
120
  | AI-HMI prompt injection (no CVE-class yet) | n/a | risk-modelled, not CVSS | n/a | Demonstrated in research and 2025 incident-response engagements | n/a (vector is the AI conduit itself) | Suspected in 2025 advanced campaigns | Mitigation only — design-time controls on the AI integration | n/a | Requires LLM-aware telemetry — almost never present |
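Review bot: this is the third place in the diff carrying the same hard-coded KEV dates for CVE-2026-31431 (kernel-lpe-triage has the pair twice). Since the authoritative value lives in `data/cve-catalog.json`, a lint check in `lib/lint-skills.js` that compares KEV dates quoted in skill files against the catalog would have caught the earlier `2026-03-15` value and will catch the next drift without a three-file edit.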
@@ -87,7 +87,7 @@ A granted exception does not remove the threat — it shifts the burden onto com
87
87
  | Exception | Residual TTPs the exception must still address | Compensating coverage requirement |
88
88
  |---|---|---|
89
89
  | Exception 1 — Ephemeral Infrastructure Asset Inventory | T1525 (Implant Internal Image), T1610 (Deploy Container), T1611 (Escape to Host), T1078.004 (Valid Cloud Accounts) | Image scanning in CI, IaC drift detection, cloud-asset-inventory API alerts on resources not in IaC registry |
90
- | Exception 2 — AI Pipeline Change Management | AML.T0020 (Poison Training Data), AML.T0018 (Backdoor ML Model), AML.T0051 (LLM Prompt Injection — emergent behavior on model upgrade), AML.T0054 (Craft Adversarial Data — NLP) | Behavioral regression test suite, model version pinning, model fingerprinting on canonical prompts, provider changelog review |
90
+ | Exception 2 — AI Pipeline Change Management | AML.T0020 (Poison Training Data), AML.T0018 (Backdoor ML Model), AML.T0051 (LLM Prompt Injection — emergent behavior on model upgrade), AML.T0054 (LLM Jailbreak) | Behavioral regression test suite, model version pinning, model fingerprinting on canonical prompts, provider changelog review |
91
91
  | Exception 3 — Zero Trust Architecture Network Segmentation | T1021 (Remote Services), T1570 (Lateral Tool Transfer), T1078 (Valid Accounts), T1199 (Trusted Relationship) | Workload identity (SPIFFE/SPIRE), per-request mTLS, device-posture verification, east-west behavioral analytics |
92
92
  | Exception 4 — Critical Systems No-Reboot Kernel Patching | T1068 (Exploitation for Privilege Escalation — Copy Fail class), T1548.001 (Setuid and Setgid), T1611 (Escape to Host) | Live kernel patch deployed and verified (`kpatch list` / `canonical-livepatch status`), eBPF/auditd exploitation-pattern rules, network-layer isolation if no live patch available, scheduled reboot window |
93
93
 
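Review bot: the Exception 2 row renames AML.T0054 to "LLM Jailbreak" but leaves the compensating-coverage cell untouched, and none of the four controls listed there (behavioral regression suite, model version pinning, fingerprinting on canonical prompts, provider changelog review) is a jailbreak control. If T0054 stays as a residual TTP of this exception, the bundle needs at least a guardrail/refusal regression set that is re-run on every model version change; otherwise drop T0054 from this row and keep AML.T0043 (Craft Adversarial Data) for the adversarial-input case, as the routing table in this release does. The rename is also not carried through the whole diff: the RAG-pipeline table row for AML.T0054 still reads "RAG retrieval filter bypass via adversarial query crafting", which is the old meaning.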
@@ -103,8 +103,8 @@ For each residual TTP an exception leaves in scope, the compensating control bun
103
103
  |---|---|---|---|---|---|---|---|---|
104
104
  | T1068 (Privilege Escalation — Copy Fail class) | CVE-2026-31431 | High | Critical | Yes | Yes (732 bytes, deterministic) | Yes | Yes (kpatch/livepatch) | Live patch within 4 hours OR network isolation — anything weaker is non-defensible |
105
105
  | T1190 (Exploit Public-Facing Application — IPsec subsystem) | CVE-2026-43284 (Dirty Frag) | High | High | Pending | Partial | No | Limited | eBPF kernel-text integrity monitoring + maintenance-window reboot SLA |
106
- | AML.T0051 (LLM Prompt Injection — emergent on model upgrade) | CVE-2025-53773 | 9.6 | High | No | Yes | Yes | N/A | Behavioral regression suite + system-prompt hardening + tool allowlist |
107
- | AML.T0010 (ML Supply Chain Compromise — MCP) | CVE-2026-30615 | 9.8 | Critical | No | Partial | No | N/A | MCP server allowlist + signed-manifest enforcement + per-server auth |
106
+ | AML.T0051 (LLM Prompt Injection — emergent on model upgrade) | CVE-2025-53773 (Copilot YOLO-mode RCE) | 7.8 (AV:L) | 30 | No | Yes | Yes | Yes (SaaS push / IDE update) | Behavioral regression suite + system-prompt hardening + tool allowlist |
107
+ | AML.T0010 (ML Supply Chain Compromise — MCP) | CVE-2026-30615 (Windsurf MCP local-vector RCE) | 8.0 (AV:L) | 35 | No | Partial | No | Yes (IDE update) | MCP server allowlist + signed-manifest enforcement + per-server auth |
108
108
  | T1525 / T1610 (Implant Internal Image / Deploy Container) | Image-supply-chain class | Varies | High | N/A | Operational | Yes | N/A (image rebuild) | CI image scanning gate at CVSS ≥ 7.0, SBOM per image, image-registry signing |
109
109
 
110
110
  An exception that names a residual TTP without a compensating-control bundle of equal or greater RWEP-justified strength is theater. The compliance-theater skill's universal test (demand the bypassing TTP for any claimed compensating control) should be run against the bundle before the exception is approved.
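Review bot: the two rewritten rows put numeric values in the third and fourth columns ("7.8 (AV:L)" and "30", "8.0 (AV:L)" and "35") while the unchanged rows above keep qualitative bands ("High | Critical" for Copy Fail, "High | High" for Dirty Frag), so the same column now holds a CVSS band in one row and a CVSS score in the next, and an RWEP band next to an RWEP number; a reader cannot compare "Critical" with "35". Convert the Copy Fail row to the catalog's "7.8" and "90" (the values the researcher example in this release already quotes) and the Dirty Frag row likewise, or keep bands throughout. The eighth column is the live-patch column (the Copy Fail row fills it with "Yes (kpatch/livepatch)"); "Yes (SaaS push / IDE update)" and "Yes (IDE update)" describe ordinary vendor updates that restart the client, not live patching. The image-supply-chain row's "N/A (image rebuild)" is the right pattern, so write "N/A (vendor update)" for both.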
@@ -137,7 +137,7 @@ This skill addresses a **future-state attack class** that is not yet represented
137
137
  |---|---|---|
138
138
  | MITRE ATT&CK T1557 (Adversary-in-the-Middle) | Partial — operational family | T1557 covers AitM credential capture and traffic interception. The capture half of HNDL falls into T1557 operationally; the later decrypt phase has no ATT&CK technique. |
139
139
  | MITRE ATT&CK T1040 (Network Sniffing) | Partial — capture phase | Covers passive traffic capture. Does not cover the strategic-archive intent of HNDL, where the captured data has no immediate use and is stored for future decryption. |
140
- | MITRE ATT&CK — "Cryptanalysis via CRQC" | **MISSING** | No technique presently captures CRQC-enabled decryption of previously-captured ciphertext. Known gap in ATT&CK v15. |
140
+ | MITRE ATT&CK — "Cryptanalysis via CRQC" | **MISSING** | No technique presently captures CRQC-enabled decryption of previously-captured ciphertext. Known gap through ATT&CK v17 (2025-06-25). |
141
141
  | MITRE ATLAS | **MISSING (out of scope)** | ATLAS scope is ML/AI system attacks. CRQC cryptanalysis is not in ATLAS scope. |
142
142
  | CAPEC-114 (Authentication Abuse) | Indirect | Forged signatures via broken signature scheme would manifest as authentication abuse, but CAPEC does not enumerate "signature scheme broken by CRQC" as a precondition. |
143
143
  | CAPEC-475 (Signature Spoofing by Improper Validation) | Indirect | Same — the post-CRQC equivalent has no CAPEC entry. |
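Review bot: "Known gap through ATT&CK v17 (2025-06-25)" replaces one hard-coded version with another and adds a date whose source is not stated; the researcher skill in this same package describes its operating moment as mid-2026, so a claim checked "through v17" with a mid-2025 date is already a year stale on release. State which ATT&CK release the check was actually run against and where the date comes from, ideally the catalog data the skill is generated from so the cell can be regenerated rather than edited by hand, and phrase the cell as "as of ATT&CK <version> (<release date>)" so the staleness is visible to the reader.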
@@ -159,7 +159,7 @@ This attack requires:
159
159
  - Behavioral monitoring: alert if the LLM references retrieved content in ways that suggest it's following instructions from that content rather than answering the user's query
160
160
  - Content sanitization: strip or flag instruction-pattern text from documents during chunking
161
161
 
162
- **ATLAS ref:** AML.T0051 (LLM Prompt Injection), AML.T0054 (Craft Adversarial Data — NLP)
162
+ **ATLAS ref:** AML.T0051 (LLM Prompt Injection), AML.T0054 (LLM Jailbreak)
163
163
 
164
164
  ---
165
165
 
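Review bot: the ATLAS ref line for this RAG indirect-injection section now cites AML.T0051 and the renamed AML.T0054 (LLM Jailbreak), but not AML.T0051.001 (Indirect Prompt Injection), which is the sub-technique the two bullets directly above it (behavioral monitoring for the LLM following instructions from retrieved content; stripping instruction-pattern text during chunking) actually defend against, and which the TTP table later in this file names explicitly. Add ".001" here. Since this section is about instructions arriving inside retrieved documents rather than a user defeating the model's own guardrails, add one clause saying why T0054 stays on the line, otherwise the cross-reference check cannot distinguish a deliberate mapping from a leftover of the rename.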
@@ -200,11 +200,15 @@ Descriptions sourced verbatim from `data/atlas-ttps.json` (ATLAS v5.1.0, release
200
200
  |---|---|---|---|---|---|
201
201
  | AML.T0020 — Vector store / RAG knowledge base poisoning | Yes — public research demonstrations and ATLAS-documented production incidents of poisoned-document injection causing redirected retrieval and attacker-controlled outputs | No (technique class, not vendor CVE) | Yes — adversary use of LLMs to craft adversarial-instruction documents at scale (AML.T0016, PROMPTFLUX class) | No vendor patch — mitigation is architectural: signed ingestion, content scanning at ingest, provenance tracking, embedding-space integrity monitoring | Configuration / pipeline change; no version bump applies |
202
202
  | AML.T0043 — Embedding-manipulation exfiltration | Yes — published academic demonstrations of crafted queries landing near sensitive-document embeddings; observed in red-team engagements through 2025-2026 | No | Yes — automated query-crafting against an embedding model is itself an AI-accelerated capability | No vendor patch — mitigation is architectural: classification-aware vector namespaces, retrieval audit logging, output exfiltration scanning | Pipeline reconfiguration |
203
- | AML.T0051 (and AML.T0051.001 — Indirect Prompt Injection) | Yes — extensively demonstrated; CVE-2025-53773 (GitHub Copilot prompt injection RCE) is the direct-injection sibling case, RAG-indirect variant has equivalent demonstration evidence | No | Yes — AI tooling crafts injection payloads; AML.T0016 documents adversary AI capability development | No vendor patch — mitigation is architectural: treat retrieved content as untrusted data, system-prompt authority hierarchy, behavioral monitoring of LLM tool-use following retrieval | Configuration / system-prompt change |
203
+ | AML.T0051 (and AML.T0051.001 — Indirect Prompt Injection) | Yes — extensively demonstrated; CVE-2025-53773 (GitHub Copilot YOLO-mode RCE, CVSS 7.8 / AV:L) is the direct-injection sibling case where prompt content in any agent-readable source coerces `chat.tools.autoApprove: true`; the RAG-indirect variant has equivalent demonstration evidence where the malicious instructions sit in retrieved corpus documents instead | No | Yes — AI tooling crafts injection payloads; AML.T0016 documents adversary AI capability development | No vendor patch for the architectural class vendor-side patches (GitHub Copilot fix in 2025-08 Patch Tuesday; Visual Studio 2022 17.14.12) close the specific YOLO-mode path; mitigation for the broader RAG-indirect variant is architectural: treat retrieved content as untrusted data, system-prompt authority hierarchy, behavioral monitoring of LLM tool-use following retrieval | Configuration / system-prompt change |
204
204
  | AML.T0054 — RAG retrieval filter bypass via adversarial query crafting | Yes — public research demonstrations of post-similarity filter application enabling cross-namespace retrieval | No | Yes — query crafting is automatable and accelerated by LLM-assisted prompt synthesis | No vendor patch — mitigation is architectural: pre-similarity filter application, cryptographic namespace enforcement, never construct ACL decisions from query content | Pipeline reconfiguration |
205
205
  | T1565 — Data Manipulation (ATT&CK; cross-cuts RAG attack classes) | Yes — extensive public demonstration across the five RAG attack classes | No | Yes — AI accelerates content generation for poisoning at scale | No vendor patch — covered by ATLAS-mapped mitigations above | Pipeline-level controls |
206
206
 
207
- **Interpretation:** Because there is no vendor CVE to patch, RAG security posture is determined by the presence or absence of architectural controls (ingestion access control, classification-aware namespaces, pre-similarity filtering, output monitoring). The lack of CVE catalog coverage is itself a finding: enterprise vulnerability management programs scoped to CVE feeds will not surface RAG-specific risk.
207
+ **Interpretation:** Because there is no vendor CVE to patch for the *architectural* RAG attack classes above, RAG security posture is determined by the presence or absence of architectural controls (ingestion access control, classification-aware namespaces, pre-similarity filtering, output monitoring). The lack of CVE catalog coverage is itself a finding: enterprise vulnerability management programs scoped to CVE feeds will not surface RAG-specific risk.
208
+
209
+ ### Adjacent CVE — LLM-Gateway Credential Compromise
210
+
211
+ The *infrastructure* that fronts a RAG pipeline does have shipped CVEs. **CVE-2026-42208** — BerriAI LiteLLM Proxy authorization-header SQL injection (CVSS 9.8 / CVSS v4 9.3 / CISA KEV-listed 2026-05-08, federal due 2026-05-29; in-wild exploitation confirmed). LiteLLM is the open-source LLM-API gateway commonly deployed as the model-provider abstraction in front of a RAG retrieval-then-generation pipeline. The proxy concatenated an attacker-controlled `Authorization` header value into a SQL query in the error-logging path, so a curl-able POST to `/chat/completions` with a SQL-injection payload returned the managed-credentials DB content without prior auth. Patched in 1.83.7+; temporary workaround `general_settings: disable_error_logs: true`. Operational consequence for RAG pipelines: a compromised LiteLLM gateway hands the adversary every downstream model-provider credential plus the per-tenant routing config — every retrieval / generation request after compromise routes through attacker-known credentials, which is the underlying credential layer for every architectural defence above. Any RAG threat model that treats "the LLM gateway is just a proxy" misses that the gateway is the credential boundary for the entire pipeline.
208
212
 
209
213
  ---
210
214
 
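Review bot: the AML.T0054 row in this table is the one place in the diff where the technique keeps its old meaning; it still reads "RAG retrieval filter bypass via adversarial query crafting", while the routing table, the exception table and the ATLAS ref line in this release all rename T0054 to "LLM Jailbreak" and keep AML.T0043 as "Craft Adversarial Data". Query crafting to defeat a post-similarity filter is adversarial input, so either re-key this row to AML.T0043 or state why a filter bypass counts as a jailbreak. Two smaller points in the same hunk: the rewritten AML.T0051 row's patch cell runs two sentences together ("No vendor patch for the architectural class vendor-side patches (GitHub Copilot fix …") and needs "; " or "but" after "class"; and the new LiteLLM paragraph gives "CVSS 9.8 / CVSS v4 9.3" without saying which CVSS version the 9.8 is, and carries no RWEP even though every other CVE in these skills does. Label the first score v3.1 if that is what the catalog holds and add the RWEP from `data/cve-catalog.json`, since the paragraph's argument (KEV-listed, in-wild, unauthenticated, credential boundary for the pipeline) is precisely the RWEP case.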
@@ -49,7 +49,7 @@ Most security teams in mid-2026 sit on a torrent of raw threat input: CISA KEV a
49
49
  The researcher skill sits between raw input and the specialized analytical skills. It is not itself analysis — it is dispatch. Concrete examples from the project's catalogs:
50
50
 
51
51
  - **CVE-2026-31431 (Copy Fail) drops.** Operator asks: "what should I do about CVE-2026-31431?" Researcher surfaces from `data/cve-catalog.json`: CISA KEV listed, AI-discovered, 732 bytes, deterministic (no race condition), blast radius = all Linux ≥ 4.14, live-patch available, RWEP 90, CVSS 7.8. Routes to `kernel-lpe-triage`. Flags that the standard 30-day SI-2 window is structurally inadequate — live-patch within 4 hours.
52
- - **CVE-2026-30615 (Windsurf MCP, zero-interaction RCE).** Operator asks: "new MCP CVE, where do I start?" Researcher cross-joins to ATLAS AML.T0010 (ML supply chain compromise) and AML.T0096 (LLM integration abuse), surfaces 150M+ affected downloads, routes primary to `mcp-agent-trust` and secondary to `ai-attack-surface`.
52
+ - **CVE-2026-30615 (Windsurf MCP, local-vector RCE, CVSS 8.0 / AV:L / RWEP 35).** Operator asks: "new MCP CVE, where do I start?" Researcher cross-joins to ATLAS AML.T0010 (ML supply chain compromise) and AML.T0096 (LLM integration abuse), surfaces 150M+ combined downloads across MCP-capable assistants, routes primary to `mcp-agent-trust` and secondary to `ai-attack-surface`. Flags the v0.12.9 catalog correction: NVD-authoritative CVSS is 8.0 / AV:L (local-vector), not the initially-cataloged 9.8 / AV:N.
53
53
  - **SesameOp campaign report.** Operator asks: "we are seeing strange Azure OpenAI calls from a finance host — is this anything?" Researcher recognizes the AI-as-C2 pattern from `data/zeroday-lessons.json`, maps to AML.T0096, routes to `ai-c2-detection`.
54
54
  - **NIST 800-53 Rev. 6 draft published.** Operator asks: "does our gap analysis change?" Researcher routes to `skill-update-loop` for currency review, then to `framework-gap-analysis` for the specific control deltas.
55
55
 
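Review bot: the CVE-2026-30615 bullet now says "local-vector RCE, CVSS 8.0 / AV:L", and the federal-sector row in this same release explains the vector as "attacker-controlled HTML processed by the MCP client". An operator reading "local-vector" will take it to mean the attacker needs a local account; if the path is a hostile document or page reaching the client, say so and state the user-interaction requirement alongside AV:L, because that is what decides whether developer workstations with no inbound login surface are in scope. Also, "150M+ combined downloads across MCP-capable assistants" is an ecosystem figure, not the affected population for one vendor's CVE; quote the number the catalog records as affected installs, or label the figure as market context so it is not fed to `exploit-scoring` as the blast radius.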
@@ -84,10 +84,11 @@ This is a routing skill. The TTP coverage of any specific output equals the TTP
84
84
  | ATLAS / ATT&CK Class | Researcher Routes To |
85
85
  |---|---|
86
86
  | AML.T0010 (ML Supply Chain Compromise) | `mcp-agent-trust`, `ai-attack-surface` |
87
- | AML.T0017 (Develop Capabilities — AI-assisted) | `ai-attack-surface`, `kernel-lpe-triage`, `exploit-scoring` |
87
+ | AML.T0016 (Obtain Capabilities: Develop Capabilities — AI-assisted) | `ai-attack-surface`, `kernel-lpe-triage`, `exploit-scoring` |
88
+ | AML.T0017 (Discover ML Model Ontology) | `ai-attack-surface`, `mlops-security`, `api-security` |
88
89
  | AML.T0018 (Backdoor ML Model) | `ai-attack-surface` |
89
90
  | AML.T0020 (Poison Training Data) | `ai-attack-surface`, `rag-pipeline-security` |
90
- | AML.T0043 / AML.T0054 (Craft Adversarial Data) | `ai-attack-surface`, `rag-pipeline-security` |
91
+ | AML.T0043 (Craft Adversarial Data) / AML.T0054 (LLM Jailbreak) | `ai-attack-surface`, `rag-pipeline-security` |
91
92
  | AML.T0051 (LLM Prompt Injection) | `ai-attack-surface`, `mcp-agent-trust` |
92
93
  | AML.T0096 (LLM Integration Abuse — C2) | `ai-c2-detection` |
93
94
  | ATT&CK T1068 / T1548.001 (Privilege Escalation) | `kernel-lpe-triage` |
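Review bot: the two renamed ATLAS rows need checking against `data/atlas-ttps.json` rather than against each other, because this release gives AML.T0017 a fourth name. Before the diff the skills called T0017 "Develop Capabilities — AI-assisted" here, "Discover AI Model Family" in the banking table and "Develop Capabilities: Adversarial ML Attack" in the healthcare table; after it, T0017 becomes "Discover ML Model Ontology" and the develop-capabilities meaning moves to "AML.T0016 (Obtain Capabilities: Develop Capabilities)", a colon-joined name that reads as parent and sub-technique. State the exact names the catalog file holds for T0016 and T0017 and, if obtain and develop are separate techniques there, give each its own row with its own routing. The new T0017 row also routes to `mlops-security` and `api-security`; `api-security` is named nowhere else in this diff, so confirm that skill exists before merge, otherwise the route is an orphan.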
@@ -303,6 +304,22 @@ The report fits on one page when rendered. Anything longer belongs in the downst
303
304
 
304
305
  ---
305
306
 
307
+ ## Defensive Countermeasure Mapping
308
+
309
+ The researcher skill is dispatch, not analysis — but every dispatched finding lands in a downstream skill where a defensive countermeasure must be selected. The mapping below names the D3FEND techniques the researcher recommends the downstream skill include in its output. Each entry pulls from `data/d3fend-catalog.json`.
310
+
311
+ | D3FEND Technique | Researcher Trigger | Defense-in-Depth Layer | Rationale |
312
+ |---|---|---|---|
313
+ | **D3-IOPR** (Input/Output Profiling Resource) | Input is a CVE / advisory describing AI-API surface, RAG retrieval, MCP tool response, or prompt-injection path. | Detect | Per-call inspection of model inputs and outputs is the foundational signal for prompt-injection class findings the researcher routes to `ai-attack-surface` or `rag-pipeline-security`. Without IOPR baseline, downstream skills have no source for their detection rules. |
314
+ | **D3-NTA** (Network Traffic Analysis) | Input is an AI-API anomaly, SesameOp-class C2 narrative, or any AML.T0096 reference. | Detect | The egress baseline the dispatcher recommends `ai-c2-detection` build first. Per-identity model-API and MCP-server egress profiling is the prerequisite for every downstream AI-as-C2 finding. |
315
+ | **D3-CAA** (Credential Access Auditing) | Input mentions an MCP server, OAuth-flow CVE, agent bearer-token reuse, or AML.T0010 supply chain. | Detect | The post-hoc evidence stream when the dispatcher routes to `mcp-agent-trust`, `identity-assurance`, or `supply-chain-integrity`. Without CAA, the downstream skill cannot reconstruct what a compromised credential touched. |
316
+ | **D3-EHB** (Executable Hash-based Allowlist) | Input is a supply-chain CVE / advisory (npm worm, PyPI malware, model-registry compromise). | Harden | Hash-pinning is the canonical counter to the AML.T0010 / T1195.001 pattern across `supply-chain-integrity`, `mcp-agent-trust`, and `mlops-security`. The dispatcher names it so the downstream skill does not re-derive the harden layer from first principles. |
317
+ | **D3-PA** (Process Analysis) | Input is a kernel LPE, container-escape, or post-exploitation narrative. | Detect | The auditd / eBPF / EDR layer that `kernel-lpe-triage`, `container-runtime-security`, and `incident-response-playbook` all depend on. RWEP-90 LPE inputs route here before live-patch consideration. |
318
+
319
+ Defense-in-depth posture: the researcher's job is to recommend the **first** D3FEND layer the downstream skill should produce evidence against. Subsequent layers are the downstream skill's responsibility. Per AGENTS.md hard rule #4 (no orphaned controls), every D3FEND mapping above resolves to a real ATLAS or ATT&CK TTP enumerated in the TTP Mapping section.
320
+
321
+ ---
322
+
306
323
  ## Compliance Theater Check
307
324
 
308
325
  The compliance theater test for the researcher skill is itself a meta-test: does the operator's existing triage process treat all inputs at the same depth, anchored on CVSS bands?
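Review bot: the closing sentence, "every D3FEND mapping above resolves to a real ATLAS or ATT&CK TTP enumerated in the TTP Mapping section", is not supported by the table as written: it has no TTP column, and only the D3-NTA row (AML.T0096) and the D3-EHB row (AML.T0010 / T1195.001) name a technique ID in their rationale; the D3-IOPR, D3-CAA and D3-PA rows name none. Add a "Resolves to TTP" column citing the IDs already in the routing table above (AML.T0051 and AML.T0051.001 for D3-IOPR; AML.T0010 plus T1078 for the credential-reuse input of D3-CAA; T1068 / T1548.001 / T1611 for D3-PA) so that hard rule #4 can be checked mechanically rather than asserted. The five D3FEND identifiers should likewise be validated against `data/d3fend-catalog.json`, which the section names as its source, since they are typed into the table rather than rendered from it.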
@@ -148,7 +148,7 @@ Energy-sector TTPs span ATT&CK for ICS, ATT&CK Enterprise (for the IT side of th
148
148
 
149
149
  | Surface / CVE Class | CVSS | RWEP | CISA KEV | PoC Public | AI-Discovered | Active Exploitation | Patch Available | Live-Patchable | OT-Aware Detection |
150
150
  |---|---|---|---|---|---|---|---|---|---|
151
- | Engineering / HMI Linux host hit by Copy Fail (CVE-2026-31431) | 7.8 | 90 | Yes (2026-03-15) | Yes — 732-byte script | Yes | Confirmed | Yes | Yes (kpatch/livepatch/kGraft) on supported distros; rare in energy brownfield | Partial — auditd / eBPF if deployable |
151
+ | Engineering / HMI Linux host hit by Copy Fail (CVE-2026-31431) | 7.8 | 90 | Yes (2026-05-01, due 2026-05-15) | Yes — 732-byte script | Yes | Confirmed | Yes | Yes (kpatch/livepatch/kGraft) on supported distros; rare in energy brownfield | Partial — auditd / eBPF if deployable |
152
152
  | Engineering / HMI Windows host LPE (Print Spooler / win32k family) | varies | varies | Several entries KEV-listed | Yes | Mixed | Confirmed | Yes for in-support; out-of-support engineering hosts exposed permanently | Hotpatch on supported builds only | EDR if OT-deployable; many OT EDR carve-outs |
153
153
  | Unitronics Vision-series PLC (CyberAv3ngers pattern) | varies — vendor advisories | high RWEP where internet-exposed | Yes (some) — see CISA ICSA-23-353-01 and successors | Yes — public PoCs since late 2023 | Mixed | Confirmed against US/EU/IL water utilities | Yes | No | ICS-aware IDS signatures available (Claroty CTD, Nozomi Guardian, Dragos, Tenable OT) |
154
154
  | Vendor-side energy-OT CVEs (Siemens SIPROTEC / SCALANCE, Rockwell ControlLogix / FactoryTalk, Schneider Electric Modicon / EcoStruxure, ABB RTU / SDM, GE Vernova Multilin / Mark VIe, Hitachi Energy MicroSCADA / RTU500, AVEVA / OSIsoft PI System) | varies | varies | Multiple KEV listings 2024–2026 | Mixed — vendor disclosure cadence | Increasing AI-assisted RE (2025 trend) | Targeted by Sandworm-aligned and Volt-Typhoon-aligned actors | Vendor-dependent; typical install lag 1–5 years | No — firmware updates require change windows | ICS-aware IDS signature lag varies |
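Review bot: same KEV-date edit as the IT/OT bridge table, and the same maintenance hazard of a catalog value typed into three sector skills; see the note on that hunk. One inconsistency this hunk shows directly: the Windows engineering-host row's Live-Patchable cell reads "Hotpatch on supported builds only" here, while the IT/OT bridge copy of the same row reads "No — Windows live-patch is limited to Hotpatch on supported builds". The wording here is the correct one (a Hotpatch-enrolled host is live-patchable), so it should be the one used in both files.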
@@ -140,7 +140,7 @@ Sourced from `data/cve-catalog.json`, `data/exploit-availability.json`, and CISA
140
140
 
141
141
  | Incident / Class | CVSS | RWEP | PoC Public? | CISA KEV? | AI-Accelerated? | Patch / Mitigation | FedRAMP-Visible? | CMMC-Visible? | SSDF-Attestable? |
142
142
  |---|---|---|---|---|---|---|---|---|---|
143
- | CVE-2026-30615 (Windsurf MCP zero-interaction RCE — DIB development environments) | 9.8 | 35 (see `cve-catalog.json`) | Partial conceptual exploit | No (architectural class) | Rides on AI agent tool-call autonomy | Vendor IDE update + manifest signing + MCP server allowlisting | Limited — developer workstation tooling typically outside FedRAMP boundary | Partially — CMMC Level 2 CM (configuration management) and AC (access control) families touch developer workstations handling CUI; MCP-specific controls absent | SSDF practice PS.2 covers software dependency integrity but does not specify MCP manifest signing |
143
+ | CVE-2026-30615 (Windsurf MCP local-vector RCE — DIB development environments) | 8.0 | 35 (see `cve-catalog.json`) | Partial conceptual exploit | No (architectural class) | Rides on AI agent tool-call autonomy; AV:L (attacker-controlled HTML processed by the MCP client) | Vendor IDE update + manifest signing + MCP server allowlisting | Limited — developer workstation tooling typically outside FedRAMP boundary | Partially — CMMC Level 2 CM (configuration management) and AC (access control) families touch developer workstations handling CUI; MCP-specific controls absent | SSDF practice PS.2 covers software dependency integrity but does not specify MCP manifest signing |
144
144
  | Volt Typhoon pre-positioning (PRC nation-state, CISA/FBI/NSA joint advisories ongoing since May 2023) | N/A (campaign) | N/A | Yes — public IOC sets and TTP descriptions | Multiple component CVEs in KEV | Yes — AI-assisted lateral movement reported in adjacent campaigns | Living-off-the-land detection; rigorous identity ZT (M-22-09 pillar 1); network ZT (M-22-09 pillar 3); credential hygiene | Partially — FedRAMP ConMon detects only the cloud-tenant surface | Partially — CMMC AC + AU + IR families address detection but not pre-positioning specifically | No — SSDF is producer-side |
145
145
  | Salt Typhoon US telco intrusions (PRC nation-state, publicly disclosed late 2024) | N/A (campaign) | N/A | Yes — IOC sets and CISA/FBI joint advisories | Multiple component CVEs in KEV | Yes — large-scale exploitation of edge-device CVEs | Patch + replace EOL edge devices; lawful-intercept-interface hardening; segment carrier management plane | No — telco infrastructure outside FedRAMP scope | No — telco carriers outside CMMC scope | No |
146
146
  | SolarWinds Orion supply-chain compromise (CVE-2020-10148 + SUNBURST backdoor, historical reference) | 9.8 | not in current `data/cve-catalog.json` — pre-scope incident | Yes — fully post-disclosure | Yes (KEV at time of disclosure) | No — long-game manual TTP | Patch; rotate all credentials handled by affected Orion deployments; rebuild from clean state | Yes — FedRAMP-authorized SolarWinds Orion ATOs were impacted; ConMon did not detect the implanted update | Yes — DIB contractors using Orion were impacted; current 800-171 SI-3 / SI-4 controls would not have detected the implant | Partially — SLSA L3 + in-toto + reproducible builds would have detected the build-time tampering; SSDF self-attestation alone would not |
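Review bot: the CVE-2026-30615 row still answers the "CISA KEV?" column with "No (architectural class)", a justification that fit when the row described a technique class; it now describes a vendor CVE with a vendor IDE update, and a CVE is absent from KEV for lack of exploitation evidence, not because it is architectural. Replace the parenthetical with the catalog's reason (no confirmed in-the-wild exploitation as of the catalog date, if that is what `cve-catalog.json` records). The attack-vector explanation "AV:L (attacker-controlled HTML processed by the MCP client)" has also been placed in the "AI-Accelerated?" column, where it answers a different question; move it into the Incident/Class cell next to "local-vector RCE", where a reader asking what "local" means will look.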
@@ -156,7 +156,7 @@ In all three, the SCA evidence chain (the customer's authenticated session, the
156
156
  | Ransomware against banking infrastructure | T1486 — Data Encrypted for Impact | ATT&CK Enterprise | LockBit-class, BlackBasta, ALPHV/BlackCat residuals 2024-2026; double-extortion + regulatory-threat-of-disclosure | NYDFS 500.17 ransom-payment notification (72h) + DORA major-incident reporting (Art. 19, 24h initial) + APRA CPS 234 para 26 (72h) — notification cadences harmonising slowly; ransom-payment legality fragmented (NYDFS reporting only, OFAC sanctions-screening, EU sanctions overlay) |
157
157
  | Data exfiltration including LLM-channel | T1567 — Exfiltration Over Web Service | ATT&CK Enterprise | LLM API egress (OpenAI, Anthropic, Google) as covert channel; AI-coding-assistant context leaks; KYC-document upload to consumer-grade AI | DLP controls in `data/dlp-controls.json` apply; SWIFT CSCF v2026 1.1 segregation assumption violated when AI-API egress crosses administrative jump zone |
158
158
  | AI-as-covert-C2 in trading / treasury systems | AML.T0096 — Use AI for C2 Communications | ATLAS v5.1.0 | Steganographic encoding in trading-assistant prompts; LLM response decodes operator instructions; multi-agent covert relay in market-making bots | No ATT&CK Enterprise mapping; ATLAS v5.1.0 names the technique but no financial-sector-specific detection. SOC tooling rarely monitors trading-system AI tool-use. |
159
- | Fraud-detection model extraction | AML.T0017 — Discover AI Model Family | ATLAS v5.1.0 | Adversarial probing of card-not-present fraud models; chargeback-pattern fingerprinting; transaction-monitoring threshold discovery via test transactions | Fraud-model lifecycle governance under MAS TRM / OSFI B-13 / NYDFS 500.13 (asset management) — model-extraction probes are not classified as a cyber event in most institutions |
159
+ | Fraud-detection model extraction | AML.T0017 — Discover ML Model Ontology | ATLAS v5.1.0 | Adversarial probing of card-not-present fraud models; chargeback-pattern fingerprinting; transaction-monitoring threshold discovery via test transactions | Fraud-model lifecycle governance under MAS TRM / OSFI B-13 / NYDFS 500.13 (asset management) — model-extraction probes are not classified as a cyber event in most institutions |
160
160
  | Hard-coded credentials in financial mobile / API clients | CWE-798 | CWE | Mobile-banking apps shipping API keys; partner-integration API tokens checked into Git; treasury-management-system local config | PSD2 RTS-SCA covers customer SCA, silent on partner-API credential hygiene; SWIFT CSCF 5.1/5.2 covers credential management for SWIFT users only |
161
161
  | Agent-initiated payment via prompt injection | (No native TTP — closest: T1078 + AML.T0051) | ATT&CK + ATLAS | LLM agent with payment-initiation tool-use receives injected instruction via email / document / web content; transaction executes under customer's authenticated session | RTS-SCA evidence chain is fully compliant; injected intent invisible. Captured in `data/framework-control-gaps.json#PSD2-RTS-SCA`. |
162
162
  | AI-generated SWIFT MT/MX message draft poisoning | (No native TTP — closest: T1565 + AML.T0051) | ATT&CK + ATLAS | LLM-assisted operator drafting tool produces subtly-wrong beneficiary BIC or amount; reviewer fatigue lets it pass 4-eyes principle | Captured in `data/framework-control-gaps.json#SWIFT-CSCF-v2026-1.1`. |
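Review bot: "Fraud-detection model extraction" is now keyed to "AML.T0017 — Discover ML Model Ontology", but the row's own examples are two different things: threshold discovery via test transactions and chargeback-pattern fingerprinting are reconnaissance of the model's decision boundary, whereas extracting the model is exfiltration through the scoring API. Keep T0017 for the probing half and add the ATLAS inference-API exfiltration technique (take the ID from `data/atlas-ttps.json`) for the extraction half, or rename the row to "Fraud-detection model probing" so the name matches the mapping. The Step 6 audit later in this file tests only the probing case, so the row and the procedure would then agree.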
@@ -176,7 +176,7 @@ In all three, the SCA evidence chain (the customer's authenticated session, the
176
176
  | Agent-initiated payment via prompt injection | n/a (design class) | risk-modelled, not CVSS | n/a | Demonstrated in 2025 research and red-team engagements | n/a | Suspected in 2025-2026 advanced campaigns; under-reported due to SCA-compliant audit trail | Mitigation only — agent-scope tokens, out-of-band confirmation, AI-channel audit | n/a | LLM-aware fraud telemetry — almost never deployed |
177
177
  | Fraud-detection model extraction | n/a | risk-modelled | n/a | Research demonstrations | n/a | Suspected; difficult to detect | Mitigation only — query-rate-limiting, output perturbation, model-watermarking | n/a | Model-monitoring telemetry — vendor-fragmented |
178
178
  | SWIFT CSCF v2026 1.1 violations via AI-API egress | n/a | risk-modelled | n/a | Demonstrated in 2025 red-team | n/a | Suspected | Mitigation — DLP on jump-zone egress, AI-API explicit deny | n/a | DLP + egress telemetry |
179
- | HMI / treasury-workstation Linux LPE (Copy Fail CVE-2026-31431) where deployed | 7.8 | 90 | Yes (2026-03-15) | Yes — 732-byte script | Yes | Confirmed | Yes | Yes (kpatch/livepatch) on supported distros | EDR if deployable |
179
+ | HMI / treasury-workstation Linux LPE (Copy Fail CVE-2026-31431) where deployed | 7.8 | 90 | Yes (2026-05-01, due 2026-05-15) | Yes — 732-byte script | Yes | Confirmed | Yes | Yes (kpatch/livepatch) on supported distros | EDR if deployable |
180
180
 
181
181
  **Honest gap statement (per AGENTS.md rule #10).** Vendor-specific financial-sector CVEs (core-banking platform CVEs, payment-gateway CVEs, broker-dealer trading-platform CVEs, SWIFT Alliance Access CVEs) are not exhaustively inventoried in `data/cve-catalog.json`. The authoritative sources are: vendor advisories (Temenos, Finastra, FIS, Fiserv, Jack Henry, Murex, Calypso, Bloomberg, Refinitiv, SWIFT KB), CISA KEV for cross-sector exposure, and sector-specific intel feeds (FS-ISAC, FI-ISAC EU). Forward-watched.
182
182
 
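Review bot: third hand-edited copy of the Copy Fail KEV-date correction in this release; see the note on the IT/OT bridge table for the single-source fix. Specific to this table: the detection cell for the Linux treasury-workstation row says "EDR if deployable", while the IT/OT and energy copies of the same row say "Partial — auditd / eBPF if deployable", and auditd/eBPF exploitation-pattern rules are what the Exception 4 compensating bundle prescribes for Copy Fail. Align the cell, since an EDR agent on a treasury workstation is a different control with a different deployability question than kernel-level audit rules.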
@@ -240,7 +240,7 @@ For NY-regulated entities:
240
240
  ### Step 6 — Fraud-detection model adversarial-resilience audit
241
241
 
242
242
  - Pull current fraud-detection model architecture, training data refresh cadence, drift-monitoring posture.
243
- - Per AML.T0017 (Discover AI Model Family): test the institution's ability to detect model-probing — incremental test transactions, threshold-discovery patterns, chargeback-pattern fingerprinting. If detection is "manual review of false-positive rate trends only," the model is functionally undefended against probing.
243
+ - Per AML.T0017 (Discover ML Model Ontology): test the institution's ability to detect model-probing — incremental test transactions, threshold-discovery patterns, chargeback-pattern fingerprinting. If detection is "manual review of false-positive rate trends only," the model is functionally undefended against probing.
244
244
  - Validate model retraining cadence: monthly or faster for high-velocity surfaces (card-not-present); quarterly is theater for any adversary-evolving surface (see Theater Test 4).
245
245
  - Cross-walk to OSFI E-23 (Enterprise-Wide Model Risk Management) and SR 11-7 equivalents.
246
246
 
@@ -117,12 +117,12 @@ Healthcare has been the most targeted sector for ransomware for three consecutiv
117
117
  | Bulk EHR / FHIR / data-warehouse exfiltration | T1530 — Data from Cloud Storage Object | ATT&CK Enterprise | FHIR `$export` Bulk Data over-broad scopes; cloud data warehouse (Snowflake / BigQuery / Redshift) credential theft from clinician laptop; AWS S3 misconfiguration on de-identification staging buckets | HIPAA §164.312(c) integrity controls do not address bulk-API exfil semantics; HITRUST CSF 09.l information-transfer-policies treats bulk data flow at a policy layer. CWE-200 (Information Exposure), CWE-862 (Missing Authorization). |
118
118
  | PHI exfiltration via clinician prompt to consumer LLM | T1567 — Exfiltration Over Web Service | ATT&CK Enterprise | Clinician pastes patient note into ChatGPT / Claude / Gemini for differential diagnosis or letter drafting; ambient-doc tool retains and forwards transcript to vendor cloud outside BAA | No HIPAA control specifically names this channel; HHS-OCR Bulletin reasoning applies. Hand off to dlp-gap-analysis. CWE-200 (Information Exposure). |
119
119
  | Prompt injection of clinical decision-support copilot | AML.T0051 — LLM Prompt Injection (with .000/.001/.002 sub-techniques) | ATLAS v5.1.0 | Indirect prompt injection via referenced lab report PDF, OCR'd intake form, or patient-portal message that exploits an EHR-integrated copilot; instruction to suppress allergy alert, reorder medications, or fabricate trend in vital signs | EU AI Act Art 15 cybersecurity obligation applies but lacks concrete healthcare-AI threshold; HIPAA silent on prompt-injection-as-disclosure-vector. CWE-1426 (Improper Validation of Generative AI Output). |
120
- | Model extraction / membership inference against clinical AI | AML.T0017 — Develop Capabilities: Adversarial ML Attack | ATLAS v5.1.0 | Adversarial probing of a clinical-decision-support API to determine whether specific patient records were in training set; reconstruction of de-identified training examples from inference behaviour | EU AI Act Art 10 data-governance applies to training-data quality; does not codify membership-inference defence. CWE-1426 covers output-validation gap. |
120
+ | Model extraction / membership inference against clinical AI | AML.T0017 — Discover ML Model Ontology (inference-API probing for system-prompt, guardrail, training-data signal); AML.T0016 — Obtain Capabilities: Develop Capabilities (adversarial-ML weaponization) | ATLAS v5.1.0 | Adversarial probing of a clinical-decision-support API to determine whether specific patient records were in training set; reconstruction of de-identified training examples from inference behaviour | EU AI Act Art 10 data-governance applies to training-data quality; does not codify membership-inference defence. CWE-1426 covers output-validation gap. |
121
121
  | Medical-device firmware tamper / exploit | T1190 (IT-side initial access to device-network) chained with vendor-specific device CVEs | ATT&CK Enterprise + ICS where applicable | Insulin pumps, cardiac monitors, infusion pumps (BD Alaris), sequencers (Illumina firmware), patient-monitoring (BD, Philips, GE Healthcare), bedside imaging | FDA 524B PMA/510(k) cyber obligations only apply to devices submitted after March 2023; brownfield fleet pre-dates it. EU MDR Annex I 17.2 silent on AI-augmented devices. Hand off to ot-ics-security for device-network treatment, and coordinated-vuln-disclosure for vendor reporting. |
122
122
  | FHIR / SMART on FHIR session token theft | T1078 chained with T1530 | ATT&CK Enterprise | Stolen JWT / OAuth2 bearer for SMART-on-FHIR launch; over-broad scopes (`*/*.read`, `patient/*.read`); refresh-token theft persists access; CWE-287 (improper authentication) and CWE-862 (missing authorization) | RFC-7519 JWT validation must enforce `iss`, `aud`, `exp`, signature algorithm, key rotation; RFC-9421 HTTP message signatures for FHIR API integrity in flight; HL7 FHIR R5 does not mandate either. |
123
123
  | EHR over-privileged break-glass / shared-account access | T1078.002 — Valid Accounts: Domain Accounts | ATT&CK Enterprise | Shared "Nurse" account on med-cart Windows; break-glass clinician account auditing gap; service account for EHR-integrated copilot with patient/* scope rather than encounter-bound | HIPAA §164.312(a)(2)(i) unique user identification is met technically by user-account-per-clinician but break-glass and AI-service-principals are commonly outside that boundary. NIST 800-53 AC-2 account management does not codify AI-service-principal scoping. |
124
124
 
125
- **Note on ATLAS coverage.** AML.T0051 (Prompt Injection) covers the direct, indirect, and jailbreak sub-techniques against clinical-decision-support copilots; AML.T0017 covers adversarial-ML capability development including model extraction and membership inference attacks relevant to clinical-AI training-data confidentiality.
125
+ **Note on ATLAS coverage.** AML.T0051 (Prompt Injection) covers the direct, indirect, and jailbreak sub-techniques against clinical-decision-support copilots; AML.T0054 (LLM Jailbreak) covers guardrail-bypass crafting; AML.T0017 (Discover ML Model Ontology) covers adversary reconnaissance of the deployed model — system-prompt extraction, guardrail mapping, training-data signal probing — relevant to clinical-AI confidentiality; AML.T0016 (Obtain Capabilities: Develop Capabilities) covers the broader adversarial-ML weaponization pipeline.
126
126
 
127
127
  ---
128
128
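Review bot: the rewritten ATLAS note claims jailbreak coverage twice: it says AML.T0051 "covers the direct, indirect, and jailbreak sub-techniques" and then that AML.T0054 (LLM Jailbreak) "covers guardrail-bypass crafting", while the prompt-injection row above still lists AML.T0051 "with .000/.001/.002 sub-techniques" and the table has no AML.T0054 row at all; pick one home for jailbreak and make the table and the note agree. The model extraction / membership inference row is also a doubtful fit for its new anchor: "Discover ML Model Ontology" describes reconnaissance of the deployed model's structure, but the row's own text is about inferring whether specific patient records were in the training set and reconstructing training examples, which is an inference-API exfiltration problem (ATLAS's AML.T0024 family names training-data membership inference and model extraction directly); check which of these is present in `data/atlas-ttps.json` at the pinned v5.1.0 and either re-anchor the row or add a sentence explaining why T0017 was chosen.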
 
@@ -458,11 +458,11 @@ Per-tier TTP coverage is cumulative: Practical includes MVP's coverage plus addi
458
458
  | MVP | Privilege escalation | T1068 (ATT&CK) | cve-catalog.json: CVE-2026-31431 | Live-patch + auditd userfaultfd / proc/self/mem rules |
459
459
  | MVP | LLM Prompt Injection | AML.T0051 | atlas-ttps.json | Don't execute AI-suggested commands without read; turn on prompt+response logging |
460
460
  | MVP | ML Supply Chain Compromise (MCP) | AML.T0010 | atlas-ttps.json | MCP server inventory + version pinning + tool allowlist |
461
- | MVP | Craft Adversarial Data — NLP | AML.T0054 | atlas-ttps.json | Same control as AML.T0051; the two are operationally adjacent |
461
+ | MVP | LLM Jailbreak | AML.T0054 | atlas-ttps.json | Same control as AML.T0051; the two are operationally adjacent — adversarial-instruction injection bypasses guardrails |
462
462
  | Practical | Exploit Public-Facing Application | T1190 (ATT&CK) | cve-catalog.json (CVE-2025-53773 attack_refs) | External attack-surface management + AI-mediated T1190 coverage |
463
- | Practical | Develop Capabilities (AI-assisted weaponization) | AML.T0017 | atlas-ttps.json | RWEP-anchored monitoring; treat KEV+PoC as immediate live-patch trigger |
463
+ | Practical | Discover ML Model Ontology | AML.T0017 | atlas-ttps.json | Inference-API rate + shape monitoring; reconstruct adversary's model-family map |
464
464
  | Practical | Poison Training Data | AML.T0020 | atlas-ttps.json | Training-pipeline integrity verification for any in-house ML used in decisions |
465
- | Practical | Acquire Public ML Artifacts (misuse) | AML.T0016 | atlas-ttps.json | Phishing detection updated for AI-generated content; behavioural signals primary |
465
+ | Practical | Obtain Capabilities: Develop Capabilities (AI-assisted weaponization) | AML.T0016 | atlas-ttps.json | RWEP-anchored monitoring; treat KEV+PoC as immediate live-patch trigger; phishing detection updated for AI-generated content; behavioural signals primary |
466
466
  | Overkill | LLM Integration Abuse (C2) | AML.T0096 | atlas-ttps.json | AI-traffic content inspection + SesameOp-pattern detection with behavioural baseline |
467
467
  | Overkill | Backdoor ML Model | AML.T0018 | atlas-ttps.json | Model integrity verification (behavioural regression tests, model signing) |
468
468
  | Overkill | Craft Adversarial Data (RAG/general) | AML.T0043 | atlas-ttps.json | Vector-store access controls + retrieval-anomaly monitoring |
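Review bot: the new control text for AML.T0017, "Inference-API rate + shape monitoring; reconstruct adversary's model-family map", is half a control: the second clause is not something an operator can configure or test. State the detection concretely, for example per-principal inference-API query volume thresholds and alerting on enumeration-style input-shape probing, so the row is checkable like the others. The AML.T0016 cell now concatenates two unrelated controls (RWEP-anchored live-patch triggering and AI-generated-phishing detection) that came from two different rows; either split them or say which sub-capability each addresses. Separately, the unchanged T1190 row still cites CVE-2025-53773 attack_refs as the "Exploit Public-Facing Application" example even though this same diff re-rates that CVE as AV:L local-vector in the matrix below; the example no longer illustrates a public-facing vector.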
@@ -477,12 +477,12 @@ Tiered to the current `data/cve-catalog.json`, using RWEP (`lib/scoring.js`) as
477
477
 
478
478
  | Tier | Coverage requirement | CVEs in scope as of 2026-05-01 | Available exploits | Required protective state |
479
479
  |---|---|---|---|---|
480
- | MVP | RWEP >= 70 | CVE-2026-31431 (Copy Fail, RWEP 90, CVSS 7.8) | Public 732-byte deterministic PoC; KEV-listed 2026-03-15; AI-discovered; live-patch available (kpatch / canonical-livepatch / kGraft) | Live-patched within hours of KEV listing OR fully patched + rebooted OR network-isolated with documented reboot date |
481
- | Practical | RWEP >= 40 | CVE-2026-31431 (90), CVE-2025-53773 (Copilot prompt-injection RCE, 42, CVSS 9.6) | Copy Fail as above; CVE-2025-53773 has demonstrated PoC, AI-weaponized, SaaS-patchable | All MVP coverage plus: prompt-injection classifier in front of any LLM processing external content; phishing simulation using AI-generated content; org-wide AI-coding-assistant version management |
482
- | Overkill | All catalog entries regardless of RWEP | CVE-2026-31431 (90), CVE-2025-53773 (42), CVE-2026-43284 (Dirty Frag ESP/IPsec, 38, CVSS 7.8), CVE-2026-30615 (Windsurf MCP zero-interaction RCE, 35, CVSS 9.8), CVE-2026-43500 (Dirty Frag RxRPC, 32, CVSS 7.6) | Public PoC for all; Dirty Frag pair has no live patch (kpatch RHEL-only); Windsurf is supply-chain class; chained Dirty Frag requires kernel-version fingerprinting | All Practical coverage plus: kernel hardening (unprivileged_userns_clone=0, unprivileged_userfaultfd=0, kptr_restrict=2); seccomp profiles on all containers; eBPF runtime detection; immutable infrastructure for the workloads that tolerate it; sandboxed MCP execution; per-invocation capability tokens for AI agents |
480
+ | MVP | RWEP >= 70 | CVE-2026-31431 (Copy Fail, RWEP 90, CVSS 7.8) | Public 732-byte deterministic PoC; KEV-listed 2026-05-01 (federal due 2026-05-15); AI-discovered; live-patch available (kpatch / canonical-livepatch / kGraft) | Live-patched within hours of KEV listing OR fully patched + rebooted OR network-isolated with documented reboot date |
481
+ | Practical | RWEP >= 30 | CVE-2026-31431 (90), CVE-2026-30615 (Windsurf MCP local-vector RCE, 35, CVSS 8.0), CVE-2025-53773 (Copilot YOLO-mode RCE, 30, CVSS 7.8) | Copy Fail as above; CVE-2026-30615 + CVE-2025-53773 both AV:L local-vector, demonstrated PoC, vendor-patchable; AI-coding-assistant scope | All MVP coverage plus: prompt-injection classifier in front of any LLM processing external content; phishing simulation using AI-generated content; org-wide AI-coding-assistant version management; MCP server allowlisting with signed manifests |
482
+ | Overkill | All catalog entries regardless of RWEP | CVE-2026-31431 (90), CVE-2026-43284 (Dirty Frag ESP/IPsec, 38, CVSS 7.8), CVE-2026-30615 (Windsurf MCP local-vector RCE, 35, CVSS 8.0), CVE-2026-43500 (Dirty Frag RxRPC, 32, CVSS 7.6), CVE-2025-53773 (Copilot YOLO-mode RCE, 30, CVSS 7.8) | Public PoC for all; Dirty Frag pair has no live patch (kpatch RHEL-only); Windsurf is local-vector supply-chain class; chained Dirty Frag requires kernel-version fingerprinting | All Practical coverage plus: kernel hardening (unprivileged_userns_clone=0, unprivileged_userfaultfd=0, kptr_restrict=2); seccomp profiles on all containers; eBPF runtime detection; immutable infrastructure for the workloads that tolerate it; sandboxed MCP execution; per-invocation capability tokens for AI agents |
483
483
 
484
484
  Refresh trigger: re-run `node lib/scoring.js` and rebuild this matrix whenever `data/cve-catalog.json` is updated. Per AGENTS.md hard rule #6 the zero-day learning loop also feeds back into the tier mapping when a new CVE is added.
485
485
 
486
- Note on CVSS divergence: every CVE in this catalog has a CVSS in the 7.6–9.8 range — CVSS alone would conflate them and prioritise CVE-2026-30615 (9.8) over CVE-2026-31431 (7.8). RWEP correctly ranks Copy Fail (90) above Windsurf (35) because KEV listing, deterministic exploitability, AI discovery, and broad blast radius dominate. The MVP tier protects against the right thing first.
486
+ Note on CVSS divergence: every CVE in this catalog has a CVSS in the 7.6–8.0 range — CVSS alone would prioritise the highest-band CVE without distinguishing the AI-discovered KEV-listed deterministic LPE (Copy Fail) from the local-vector MCP supply-chain class (Windsurf). RWEP correctly ranks Copy Fail (90) above Windsurf (35) because KEV listing, deterministic exploitability, AI discovery, and broad blast radius dominate. The MVP tier protects against the right thing first.
487
487
 
488
488
  ---
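Review bot: the Practical tier now states "RWEP >= 30" but lists only CVE-2026-31431 (90), CVE-2026-30615 (35) and CVE-2025-53773 (30), while the Overkill row shows CVE-2026-43284 at RWEP 38 and CVE-2026-43500 at 32, both above the new threshold; by the stated coverage requirement the Dirty Frag pair belongs in Practical, so either add them (with their no-live-patch caveat) or keep the old >= 40 boundary. The threshold change also reads as fitted to the data: it moves from 40 to 30 in the same hunk that lowers CVE-2025-53773 from 42 to 30, which keeps that CVE in Practical without any stated rationale; a tier boundary is a policy decision and should be documented as one, not slipped in with a score refresh. The KEV date for Copy Fail moving from 2026-03-15 to 2026-05-01 needs the same date in every other place this package cites it (the skill-drift bullet later in this diff is one).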
@@ -54,7 +54,7 @@ The threat context this skill defends against is not a specific adversary techni
54
54
  Real-world manifestations in mid-2026:
55
55
 
56
56
  - ATLAS v5.1.0 (November 2025) added TTPs that bind to operational reality (AML.T0096 AI-API C2, AML.T0048 erode-integrity-via-drift). A skill pinned to ATLAS v4 cannot route these. **AML.T0010** family was expanded to cover MCP supply-chain compromise mid-cycle.
57
- - CVE-2026-31431 (Copy Fail) joined CISA KEV in 2026-03-15. Any skill whose `last_threat_review` predates that date and whose body recommends "patch on 30-day SLA" is recommending against a threat model that KEV escalated to days, not weeks.
57
+ - CVE-2026-31431 (Copy Fail) joined CISA KEV on 2026-05-01 with a 2026-05-15 federal due date. Any skill whose `last_threat_review` predates that listing and whose body recommends "patch on 30-day SLA" is recommending against a threat model that KEV escalated to days, not weeks.
58
58
  - NIST SP 800-63B updated PBKDF2 iteration guidance to ≥ 600,000 in 2022; many compliance attestations still cite the 2017 numbers. A skill that does not track that lag perpetuates the theater.
59
59
  - IETF RFC 9116 (security.txt) and the CSAF 2.0 transition both have hard cutover signals that change how `coordinated-vuln-disclosure` should advise.
60
60
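Review bot: the KEV listing date for CVE-2026-31431 is changed here to 2026-05-01, which matches the matrix hunk above but means every `last_threat_review` comparison in this section now keys off the later date; confirm `data/cve-catalog.json` carries the same listing and federal due date so the loopback test below does not disagree with the skill body. On the unchanged PBKDF2 bullet just below: the "≥ 600,000 iterations" figure is the OWASP password-storage cheat-sheet recommendation as I know it, not a NIST SP 800-63B requirement (800-63B's 2017 text sets a far lower floor); since the bullet's whole point is citation lag, the citation itself should be checked before this ships.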
 
@@ -69,7 +69,7 @@ This skill defends against drift; the TTPs that EXPLOIT a drifted skill are:
69
69
  | Tactic | TTP | What drift enables |
70
70
  |---|---|---|
71
71
  | Defense Evasion | T1562.001 (Disable or Modify Tools) | Stale skill recommends only the controls the current adversary class already evades |
72
- | Resource Development | AML.T0016 (Develop Capabilities) | Attacker capability outpaces the catalog the skill cites |
72
+ | Resource Development | AML.T0016 (Obtain Capabilities: Develop Capabilities) | Attacker capability outpaces the catalog the skill cites |
73
73
  | Initial Access | AML.T0010 (Supply Chain Compromise) | New attack class (e.g. MCP plugin compromise) isn't yet a skill |
74
74
  | Defense Evasion | T1027 (Obfuscated Files or Information) | Detection rules in a skill are for an older obfuscation generation |
75
75
  | Impact | AML.T0048 (Erode ML Model Integrity) | Drift in the threat-context section means the operator's mental model is wrong by months |
@@ -481,7 +481,7 @@ This skill does not have a single exploited target — its "exploit surface" is
481
481
  | MITRE ATLAS changelog | TTP additions, renames, removals for AI/ML threat domain | Quarterly check; immediate on minor-version release | ATLAS v5.1.0 (November 2025) — pinned in AGENTS.md and `data/atlas-ttps.json._meta.atlas_version` | `_meta.atlas_version` |
482
482
  | NVD CVE 2.0 API | Authoritative CVE metadata, CVSS vectors, references | Real-time on new CVE in covered domain | services.nvd.nist.gov/rest/json/cves/2.0 | `data/cve-catalog.json` |
483
483
  | NIST FIPS publication tracker | PQC and crypto-standard finalizations | Per-publication (event-driven) | csrc.nist.gov/publications | pqc-first `forward_watch` + manifest `last_threat_review` |
484
- | MITRE ATT&CK Enterprise | Non-AI TTP additions/renames | Per ATT&CK version release | attack.mitre.org (current pinned: v15) | Skill `attack_refs` fields |
484
+ | MITRE ATT&CK Enterprise | Non-AI TTP additions/renames | Per ATT&CK version release | attack.mitre.org (current pinned: v17, 2025-06-25) | Skill `attack_refs` fields |
485
485
  | GitHub Security Advisories / OSV | CVEs for AI assistants, MCP clients/servers, supply-chain JS/Python packages | Real-time on covered repos | osv.dev, github.com/advisories | `data/cve-catalog.json` |
486
486
  | Framework publisher feeds | NIST SP revisions, ISO amendments, NIS2 implementing acts, EU Official Journal, ENISA, NCSC, ASD | RSS / changelog per publisher | csrc.nist.gov, iso.org, eur-lex.europa.eu | `data/framework-control-gaps.json`, `data/global-frameworks.json` |
487
487
  | Kernel CNA / distro advisories | Kernel LPE, container-escape, page-cache CVEs | Per advisory | kernel.org, RHEL/Ubuntu/Debian security advisories | `data/cve-catalog.json`, kernel-lpe-triage |
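Review bot: the ATT&CK pin is bumped to "v17, 2025-06-25" in prose only, and that date does not look like a v17 release date (v17 shipped in spring 2025 as I recall); verify the date against attack.mitre.org and, more importantly, record the pin somewhere machine-readable, as the ATLAS row above does with `_meta.atlas_version`, because the "Currency evidence" column for this row still points only at per-skill `attack_refs` fields, which cannot tell a validator which ATT&CK version those refs were resolved against.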
@@ -499,3 +499,19 @@ This skill does not have a single exploited target — its "exploit surface" is
499
499
  > "Concrete test: pull the most recent MITRE ATLAS minor-version release date from atlas.mitre.org. Now pull the `last_threat_review` from every skill's frontmatter (or the equivalent currency timestamp in your own threat-intel documents). If any covered-domain document's `last_threat_review` predates the most recent ATLAS minor-version release by more than 30 days with no documented decision to defer, the currency claim fails. The control is being measured by the existence of the subscription rather than the freshness of the derived analysis."
500
500
 
501
501
  > "Second concrete test: pull the most recent CISA KEV additions in the last 30 days that affect technologies the organization runs. For each, identify the document (skill, runbook, policy) where the new KEV entry should have triggered a re-review. If the re-review either did not occur or occurred without updating the document's stated `last_threat_review`, the loopback is non-functional and the threat-intel program is theater regardless of how many feeds are consumed."
502
+
503
+ ---
504
+
505
+ ## Defensive Countermeasure Mapping
506
+
507
+ The drift attack against skill currency is structural, not technical — there is no in-flight exploit to detect. The D3FEND mapping below describes the layered defences that keep the update-loop itself non-bypassable. Source: `data/d3fend-catalog.json`.
508
+
509
+ | D3FEND Technique | Mapping | Defense-in-Depth Layer | Least-Privilege Scope | Zero-Trust Posture |
510
+ |---|---|---|---|---|
511
+ | **D3-CA** (Certificate Analysis) | The skill currency proof is the Ed25519 signature over each skill body keyed off `keys/public.pem`. D3-CA is the analysis of that signature chain — verify-on-shipped-tarball (predeploy gate #14) is the operational form. A drifted skill body whose signature fails verification cannot be loaded as ground truth. | Layer 1 (Harden — package boundary). | Per-skill — each skill body is signed individually; integrity is per-file, not per-bundle. | Verify every load; reject on hash mismatch. The signing key is the trust root the operator anchors. |
512
+ | **D3-EHB** (Executable Hash-based Allowlist) | Manifest-snapshot integrity. The `manifest-snapshot.json` records the canonical hash of every shipped skill; the predeploy gate compares the live `manifest.json` against the snapshot. Drift in skill content that is *not* reflected in the snapshot (i.e. unreviewed) fails the snapshot-refresh gate. | Layer 1 (Harden — release surface). | Per-release — the snapshot is the canonical inventory for the release. | Default-deny additions / removals; every snapshot change is an intentional review event. |
513
+ | **D3-FAPA** (File Access Pattern Analysis) | The `last_threat_review` timestamp on each skill is the auditable signal that the update loop walked the skill since the most recent threat-intel trigger. The triggers table above (CISA KEV adds, ATLAS minor-version, NIST drafts) is the input; `last_threat_review` is the output evidence. A skill whose body cites a newly-listed CVE but whose timestamp pre-dates the listing is a FAPA-flagged anomaly. | Layer 4 (Detect — currency audit). | Per-skill — the loop runs per-skill, not per-bundle. | Continuously evaluate; alert (CI fail) on any skill whose timestamp is older than its triggering source's published date. |
514
+ | **D3-IOPR** (Input/Output Profiling Resource) | Lint-skills body / frontmatter parsing is the profiling step: every skill body is parsed against the canonical section template (Threat Context, TTP Mapping, Framework Lag Declaration, Exploit Availability Matrix, Analysis Procedure, Output Format, Compliance Theater Check, DCM). A drifted skill that drops a required section is caught at lint time. | Layer 2 (Harden — schema). | Per-skill — schema is per-skill body. | Default-deny missing sections; the v0.13.0 lint upgrade makes DCM a hard-fail. |
515
+ | **D3-PA** (Process Analysis) | The watchlist / dispatch / scan log every load and signature-check event so a forensic reader can reconstruct which skill version produced which finding. Without a per-invocation evidence stream, a stale skill body whose timestamp says "current" cannot be detected after the fact. | Layer 5 (Detect — runtime). | Per-invocation — every CLI invocation emits a structured log entry. | Treat every invocation as untrusted until the signature chain is verified at load time; persist the verification result alongside the finding. |
516
+
517
+ **Defense-in-depth posture:** signature integrity (D3-CA) and snapshot-pinning (D3-EHB) are the hard gates that prevent a tampered skill body from shipping; lint-schema (D3-IOPR) and currency timestamps (D3-FAPA) are the audit gates that catch silent drift inside an intentional release; D3-PA is the per-invocation evidence stream that lets the operator answer "which version of the skill produced this finding" post-hoc. Per AGENTS.md hard rule #8 (pinned ATLAS / ATT&CK version), every layer's evidence is keyed off the pinned version — a manifest snapshot taken against ATLAS v5.1.0 is not interchangeable with one taken against a later release.
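Review bot: the D3FEND identifiers in the new table should be checked against the `data/d3fend-catalog.json` the section cites as its source. D3-CA in D3FEND is Certificate Analysis under Network Traffic Analysis, about X.509 certificates observed in traffic, not verification of an Ed25519 signature over a file, and the expansion given for D3-IOPR ("Input/Output Profiling Resource") does not match the D3FEND name I know for that id (I/O Port Restriction); the signature and snapshot rows would sit more naturally under D3FEND's file-integrity or executable-allowlisting techniques, and the lint row under a schema/input-validation technique. Two smaller points: the "Defense-in-Depth Layer" column uses Layers 1, 2, 4 and 5 with no Layer 3, so either the layer model needs a sentence or the numbering is off; and the D3-IOPR row promises that "the v0.13.0 lint upgrade makes DCM a hard-fail", which is a forward reference to behaviour not in this release and should be worded as planned, not present.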
@@ -76,7 +76,7 @@ The supply chain has expanded far beyond "a vulnerable dependency in npm or PyPI
76
76
  The defining incidents driving this expansion:
77
77
 
78
78
  - **CVE-2026-45321 (Mini Shai-Hulud TanStack npm worm, 2026-05-11)** — 84 malicious versions across 42 `@tanstack/*` packages were published in a six-minute window (19:20-19:26 UTC); `@tanstack/react-router` alone ships ~12M weekly downloads. **First documented npm package shipping VALID SLSA provenance while being malicious.** Provenance proves which pipeline built the artifact; it does not prove that the pipeline behaved as intended. The attack chain was three primitives, none sufficient alone: (1) `pull_request_target` on TanStack's `bundle-size.yml` ran fork-PR code with base-repo permissions (classic *Pwn Request*); (2) that run wrote poison into the `actions/cache` pnpm-store under key `Linux-pnpm-store-${hashFiles('**/pnpm-lock.yaml')}` that the publish workflow later restored; (3) on the next `main` push, `release.yml` (with `id-token: write` for legit npm publishing) restored the poisoned cache, attacker code read `/proc/<runner.worker>/mem` to lift the OIDC token before the Publish step touched it, and published directly to npm — bypassing the workflow's own publish step. The payload (2.3 MB obfuscated) does credential harvesting from 100+ paths and installs persistence via `.claude/settings.json` SessionStart hooks, `.vscode/tasks.json` folder-open hooks, plus macOS LaunchAgents / Linux systemd-user units. A destructive wipe fires on token revocation. Implication for this skill: SLSA L3 is necessary-but-insufficient against cache-poisoning attacks within the build; the new minimum is workflow trust-boundary isolation (no `pull_request_target` co-resident with `id-token: write`, distinct cache namespaces per trigger class) plus consumer-side fresh-publish cooldowns (`.npmrc before=72h` or `minimumReleaseAge=4320`).
79
- - **CVE-2026-30615 (Windsurf MCP zero-interaction RCE)** — a developer tool, distributed without enforced manifest signing or provenance attestation, executed attacker-controlled code with zero user interaction. The vulnerability class is reachable across the AI coding-assistant ecosystem (150M+ combined downloads). See the `mcp-agent-trust` skill for the trust-boundary analysis; this skill addresses the supply-chain artifact-integrity layer.
79
+ - **CVE-2026-30615 (Windsurf MCP local-vector RCE, CVSS 8.0 / AV:L)** — a developer tool, distributed without enforced manifest signing or provenance attestation, drives attacker-controlled code execution in the assistant's context via attacker-controlled HTML the MCP client processes. The vulnerability class is reachable across the AI coding-assistant ecosystem (150M+ combined downloads). See the `mcp-agent-trust` skill for the trust-boundary analysis; this skill addresses the supply-chain artifact-integrity layer.
80
80
  - **AI-generated code is opaque-provenance code.** GitHub Copilot, Cursor, Claude Code, Windsurf, Codex, and Gemini CLI emit code that is committed without attestation of which model produced it, against what context, with what training cutoff. SBOM completeness claims that omit AI-generated code are theater — the SBOM lists `npm:lodash@4.17.21` but not "function `parseUrl` was emitted by Copilot from a docstring that contained an indirect prompt injection."
81
81
  - **Model weights are native binary artifacts that execute on load.** PyTorch `.pt` checkpoints in code-executing serialization formats distributed via Hugging Face / GitHub LFS are CWE-502 deserialization vectors. Hash-pinning a malicious blob does not prevent execution; only signature verification against a pinned publishing key (Sigstore keyless or OpenSSF model-signing) plus a non-executing format (safetensors) closes the class.
82
82
  - **Typosquat campaigns target the MCP, Hugging Face, npm `@modelcontextprotocol/*`, and PyPI ML namespaces.** The MITRE ATLAS technique AML.T0010 (ML Supply Chain Compromise) is the umbrella class; AML.T0018 (compromised model weight) is the specific artifact.
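Review bot: the rewritten CVE-2026-30615 bullet now describes the mechanism as code execution "via attacker-controlled HTML the MCP client processes", but the sentence still frames the cause as the tool being "distributed without enforced manifest signing or provenance attestation"; manifest signing would not stop an input-handling bug in how the client renders or processes HTML, so the bullet currently motivates a control that does not address the vector it describes. Either tie the control to the vector (for example, the unsigned manifest is how the malicious server or tool definition got onto the developer's machine, and the HTML handling is the execution step) or move the integrity point to the closing sentence about this skill's layer. The CVSS 8.0 / AV:L figures should also match what the matrix hunk earlier in this diff now records for the same CVE.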