@blamejs/exceptd-skills 0.12.13 → 0.12.15

package/skills/threat-model-currency/skill.md

@@ -82,20 +82,20 @@ This skill produces a currency score and a specific update roadmap. Currency is
 
 ### Class 4: Prompt Injection as Enterprise RCE
 
-**2026 reality:** CVE-2025-53773 demonstrated prompt injection in a production developer tool (GitHub Copilot) achieving CVSS 9.6 RCE. This is not a research demo. It is a real CVE in a tool used by hundreds of millions of developers. Attack success rates against SOTA defenses exceed 85%.
+**2026 reality:** CVE-2025-53773 demonstrated prompt injection in a production developer tool (GitHub Copilot) coercing the agent into flipping `chat.tools.autoApprove: true` and converting subsequent tool calls into shell execution. CVSS 7.8 / AV:L (NVD-authoritative; the local-vector reflects developer-side IDE interaction, not network reach). This is not a research demo. It is a real CVE in a tool used by hundreds of millions of developers. Attack success rates against SOTA defenses exceed 85%.
 
 **Currency check questions:**
 - Does the threat model include prompt injection as an RCE vector (not just a chatbot annoyance)?
 - Is prompt injection included in application threat models for any system with an LLM component?
 - Are AI coding assistants in scope for the threat model?
 
-**If unchecked:** Prompt injection is classified as a "trust and safety" issue, not a security control failure. The CVSS 9.6 data says otherwise.
+**If unchecked:** Prompt injection is classified as a "trust and safety" issue, not a security control failure. The shipped CVE (CVSS 7.8 / AV:L) says otherwise.
 
 ---
 
 ### Class 5: MCP Supply Chain RCE
 
-**2026 reality:** CVE-2026-30615 (Windsurf) demonstrated zero-user-interaction RCE via the MCP tool ecosystem. 150M+ affected. Every major AI coding assistant has the same architectural attack surface.
+**2026 reality:** CVE-2026-30615 (Windsurf MCP) demonstrated local-vector RCE via the MCP tool ecosystem (CVSS 8.0 / AV:L — attacker controls HTML the client processes). 150M+ combined downloads across MCP-capable assistants. Every major AI coding assistant has the same architectural attack surface.
 
 **Currency check questions:**
 - Does the threat model include AI tool supply chain as an attack surface?
@@ -228,7 +228,7 @@ This skill produces a currency score and a specific update roadmap. Currency is
 Most organizational threat models in circulation today are 2022–2024 vintage. They were written before the operational reality of mid-2026:
 
 - **AI-discovered LPEs.** Copy Fail (CVE-2026-31431) was found by an AI system in roughly one hour in a code path that had been in every major Linux distribution for nine years. A threat model that does not name "AI-assisted vulnerability discovery" as an attacker capability cannot reason about Copy Fail-class exposure.
-- **Zero-interaction MCP RCE.** CVE-2026-30615 (Windsurf) demonstrated that a malicious MCP server can drive an AI coding assistant to execute code in the developer's user context without any human action. 150M+ combined downloads of MCP-capable assistants share the same architectural surface. A threat model that lists "third-party software" but not "AI tool plugins" is no longer comprehensive.
+- **Local-vector MCP RCE.** CVE-2026-30615 (Windsurf, CVSS 8.0 / AV:L) demonstrated that a malicious MCP server can drive an AI coding assistant to execute code in the developer's user context once installed. 150M+ combined downloads of MCP-capable assistants share the same architectural surface. A threat model that lists "third-party software" but not "AI tool plugins" is no longer comprehensive.
 - **AI-API C2 (SesameOp).** Adversaries are using legitimate AI API endpoints (ATLAS AML.T0096) as covert command-and-control channels. Traffic is indistinguishable from legitimate usage at the network layer. A threat model whose C2 chapter still lists only DGAs, beaconing, and protocol anomalies has a documented blind spot.
 - **AI-accelerated weaponization.** 41% of 2025 zero-days involved AI-assisted reverse engineering on the attacker side. The window between disclosure and reliable exploitation has compressed from weeks to hours for a meaningful class of CVEs.
 - **AI-generated phishing as baseline.** 82.6% of phishing in 2025 contained AI-generated content. Threat models that treat AI-generated phishing as an "emerging" or "advanced" capability are scoring below the actual median attacker.
@@ -268,15 +268,15 @@ The 14-class checklist above *is* the TTP map. Each class is a coverage requirem
 | 1 — AI-discovered kernel LPE | T1068 (Exploitation for Privilege Escalation) | cve-catalog.json: CVE-2026-31431 | Threat model assumes human-speed exploit discovery |
 | 2 — Deterministic LPE | T1068 | cve-catalog.json: CVE-2026-31431 | IR plan treats LPE as probabilistic |
 | 3 — IPsec subsystem LPE | T1068 | cve-catalog.json: CVE-2026-43284 / CVE-2026-43500 | Network-segmentation claimed as compensating control for the attack surface itself |
-| 4 — Prompt injection RCE | AML.T0051 (LLM Prompt Injection), AML.T0054 (Craft Adversarial Data — NLP) | atlas-ttps.json + CVE-2025-53773 | Prompt injection treated as T&S, not security |
+| 4 — Prompt injection RCE | AML.T0051 (LLM Prompt Injection), AML.T0054 (LLM Jailbreak) | atlas-ttps.json + CVE-2025-53773 | Prompt injection treated as T&S, not security |
 | 5 — MCP supply chain RCE | AML.T0010 (ML Supply Chain Compromise), T1190 (Exploit Public-Facing Application) | atlas-ttps.json + CVE-2026-30615 | AI plugin ecosystem out of supply-chain scope |
-| 6 — AI-assisted weaponization | AML.T0017 (Develop Capabilities) | atlas-ttps.json | Patch SLAs sized for 2019 attacker speed |
+| 6 — AI-assisted weaponization | AML.T0016 (Obtain Capabilities: Develop Capabilities) | atlas-ttps.json | Patch SLAs sized for 2019 attacker speed |
 | 7 — AI as covert C2 | AML.T0096 (LLM Integration Abuse — C2) | atlas-ttps.json | C2 detection architecture has total blind spot |
-| 8 — AI-generated malware evasion | AML.T0016 (Acquire Public ML Artifacts) | atlas-ttps.json | Detection stack signature-bound; PROMPTFLUX bypasses by design |
+| 8 — AI-generated malware evasion | AML.T0016 (Obtain Capabilities: Develop Capabilities — payload generation) | atlas-ttps.json | Detection stack signature-bound; PROMPTFLUX bypasses by design |
 | 9 — RAG exfiltration | AML.T0043 (Craft Adversarial Data) | atlas-ttps.json | Vector store treated as database, not as semantic exfil surface |
 | 10 — Model poisoning | AML.T0020 (Poison Training Data) | atlas-ttps.json | ML decision systems treated as standard software |
 | 11 — AI-speed reconnaissance | T1595 (Active Scanning), T1190 | ATT&CK | Rate-based detection thresholds calibrated for human-speed scans |
-| 12 — AI-generated phishing | AML.T0016 (Acquire Public ML Artifacts — misuse), T1566 (Phishing) | atlas-ttps.json + ATT&CK | Detection rules tuned for 2021 phishing |
+| 12 — AI-generated phishing | AML.T0016 (Obtain Capabilities: Develop Capabilities — payload crafting via public AI APIs), T1566 (Phishing) | atlas-ttps.json + ATT&CK | Detection rules tuned for 2021 phishing |
 | 13 — ATLAS coverage | All AML.T* in atlas-ttps.json | atlas-ttps.json `_meta.atlas_version` | SOC detection programs are ATT&CK-only |
 | 14 — Post-quantum adversary | T1557 (harvest-now-decrypt-later context) | global-frameworks.json (PQC standards) | Long-lived sensitive traffic captured today, decrypted later |
 
@@ -290,9 +290,9 @@ A threat model is "current" only if it accounts for every `data/cve-catalog.json
 
 | CVE | Name | CVSS | RWEP | KEV | PoC | AI factor | Live-patchable | Required threat-model treatment |
 |---|---|---|---|---|---|---|---|---|
-| CVE-2026-31431 | Copy Fail | 7.8 | 90 | Yes (2026-03-15) | Yes — 732-byte deterministic | AI-discovered | Yes (kpatch / canonical-livepatch / kGraft) | Must name as named threat. Patch SLA must reflect KEV + deterministic class — live-patch within hours, not 30 days. |
-| CVE-2025-53773 | Copilot prompt-injection RCE | 9.6 | 42 | No | Yes — demonstrated | AI-weaponized | Yes (SaaS vendor patch) | Must include prompt injection as RCE vector if any developer uses Copilot. |
-| CVE-2026-30615 | Windsurf MCP zero-interaction RCE | 9.8 | 35 | No | Partial | No | Yes (IDE update) | Must include MCP supply chain if any developer uses any MCP-capable assistant. |
+| CVE-2026-31431 | Copy Fail | 7.8 | 90 | Yes (2026-05-01, due 2026-05-15) | Yes — 732-byte deterministic | AI-discovered | Yes (kpatch / canonical-livepatch / kGraft) | Must name as named threat. Patch SLA must reflect KEV + deterministic class — live-patch within hours, not 30 days. |
+| CVE-2025-53773 | Copilot YOLO-mode RCE | 7.8 | 30 | No | Yes — demonstrated | AI-weaponized | Yes (SaaS vendor patch / IDE update) | Must include prompt-injection-driven YOLO-mode escalation as RCE vector if any developer uses Copilot. |
+| CVE-2026-30615 | Windsurf MCP local-vector RCE | 8.0 | 35 | No | Partial | No | Yes (IDE update) | Must include MCP supply chain if any developer uses any MCP-capable assistant. |
 | CVE-2026-43284 | Dirty Frag (ESP/IPsec) | 7.8 | 38 | No | Yes — chain component | No | No | Required if IPsec-based controls are claimed as compensating. |
 | CVE-2026-43500 | Dirty Frag (RxRPC) | 7.6 | 32 | No | Yes — chain component | No | No | Required when chained with CVE-2026-43284 in IR scenario planning. |
 

package/skills/threat-modeling-methodology/skill.md

@@ -59,7 +59,7 @@ This skill is opinionated about methodology selection. There is no single method
 
 Most "threat models" in circulation in mid-2026 are STRIDE diagrams of 2018–2022 vintage. Their failure modes are concrete and current:
 
-- **No AI agents as actors.** The actor inventory lists humans, services, and external systems. AI coding assistants, MCP servers, RAG retrievers, autonomous agents executing tool calls — none appear with their own trust boundaries. The Windsurf MCP RCE (CVE-2026-30615) and the Copilot prompt-injection RCE (CVE-2025-53773) are not representable in a model whose actor schema predates the threat.
+- **No AI agents as actors.** The actor inventory lists humans, services, and external systems. AI coding assistants, MCP servers, RAG retrievers, autonomous agents executing tool calls — none appear with their own trust boundaries. The Windsurf MCP local-vector RCE (CVE-2026-30615, CVSS 8.0 / AV:L) and the Copilot YOLO-mode RCE (CVE-2025-53773, CVSS 7.8 / AV:L) are not representable in a model whose actor schema predates the threat.
 - **No MCP supply-chain RCE class.** Trust boundaries between developer workstations and "tool plugins" do not exist in pre-2024 threat models. The supply-chain chapter lists npm, Docker, and OS packages — not AI tool plugins, which now have an equal or greater attack surface across 150M+ assistant installs.
 - **No AI-API as C2 channel.** The C2 chapter enumerates DGAs, beaconing, protocol anomalies. ATLAS AML.T0096 (LLM Integration Abuse — covert C2, SesameOp pattern) is not on the diagram. The model cannot reason about a documented technique that is operationally indistinguishable from legitimate AI usage at the network layer.
 - **Prompt injection mis-classified.** Pre-2024 STRIDE assigns prompt injection to "Tampering" or omits it entirely. Operationally it is an access-control bypass that achieves what spoofing achieves via the model's context window, with measured success rates above 85% against state-of-the-art defences.
@@ -118,7 +118,7 @@ Threat-modelling methodologies are *consumers* of the TTP catalog, not contribut
 | Methodology | Native input | TTP pull pattern | Gap if methodology used alone |
 |---|---|---|---|
 | STRIDE / STRIDE-per-element | Trust boundaries on a DFD | Per boundary: enumerate Spoof / Tamper / Repudiate / InfoDisclose / DoS / EoP; map each to ATT&CK or ATLAS TTPs from `data/atlas-ttps.json` | Privacy threats (linkability, identifiability) compressed into "InfoDisclose" lose specificity; LINDDUN required to surface them. |
-| STRIDE-ML (Microsoft, 2020) | DFD with ML training/inference/feedback elements | Per ML element: adversarial ML threats from ATLAS (AML.T0010 ML Supply Chain, AML.T0020 Poison Training Data, AML.T0043 Craft Adversarial Data, AML.T0051 LLM Prompt Injection, AML.T0054 NLP Craft Adversarial Data, AML.T0096 LLM Integration Abuse) | Agent-as-actor still missing; needs the actor-inventory amendment described in the Analysis Procedure. |
+| STRIDE-ML (Microsoft, 2020) | DFD with ML training/inference/feedback elements | Per ML element: adversarial ML threats from ATLAS (AML.T0010 ML Supply Chain, AML.T0020 Poison Training Data, AML.T0043 Craft Adversarial Data, AML.T0051 LLM Prompt Injection, AML.T0054 LLM Jailbreak, AML.T0096 LLM Integration Abuse) | Agent-as-actor still missing; needs the actor-inventory amendment described in the Analysis Procedure. |
 | PASTA | App-centric attack trees with business-impact rooting | Per app component: pull CVE-level threats from `data/cve-catalog.json` (e.g. CVE-2025-53773 prompt-injection RCE in app-integrated AI assistants) and ATLAS TTPs at the app boundary | Systemic AI risks crossing services (cross-agent prompt injection, shared embedding contamination) sit outside any one app. |
 | LINDDUN / LINDDUN-PRO | DFD plus privacy threat tree | Per data flow: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure-of-Information, Unawareness/Unintervenability, Non-compliance; cross-walk to GDPR Art. 5 / Art. 32 obligations | Technical threats (memory corruption, kernel LPE) not represented. |
 | Trike | Requirements model + implementation model | Per actor-action pair: authorised vs. unauthorised actions; pull ATT&CK TTPs that bridge the gap | Limited recent revision; weaker fit for AI-agent actors. |
@@ -140,7 +140,7 @@ Methodologies are catalog consumers, not catalog producers. The matrix shows the
 | Methodology | Consumes | KEV-bound? | PoC-bound? | AI-accelerated input? | Live-patch decisions in scope? |
 |---|---|---|---|---|---|
 | STRIDE | Generic threat categories per boundary | No — threat categories are pre-CVE | No | No | No (model is design-time) |
-| STRIDE-ML | STRIDE categories + ATLAS TTPs | Indirectly via CVEs mapped to TTPs | Yes (when a TTP has a public PoC, that strengthens the threat) | Yes (AML.T0017 Develop Capabilities — AI on attacker side) | No |
+| STRIDE-ML | STRIDE categories + ATLAS TTPs | Indirectly via CVEs mapped to TTPs | Yes (when a TTP has a public PoC, that strengthens the threat) | Yes (AML.T0016 Obtain Capabilities: Develop Capabilities — AI on attacker side) | No |
 | PASTA | App-centric attack trees consuming CVE-level primitives from `data/cve-catalog.json` | Yes (KEV entries elevate tree-branch priority) | Yes | Yes | Possible — PASTA stage VI (Vulnerability and Weakness Analysis) names live-patch as a control class |
 | LINDDUN | Privacy threat tree | No — privacy threats are policy-bound, not exploit-bound | No | No | No |
 | Trike | Authorised/unauthorised action gaps | Indirectly | Indirectly | No | No |

package/skills/webapp-security/skill.md

@@ -174,7 +174,7 @@ The procedure threads three foundational design principles end-to-end. They are
 
 1. **Inventory routes + auth requirements + data sensitivity.** Enumerate every HTTP route (or GraphQL operation, gRPC method). For each: required role, request schema, response schema, data classification, AI-codegen provenance flag (was this handler suggested by an assistant?).
 2. **Map each route to CWE-Top-25-class risk.** Score by CWE class × data sensitivity × external reachability. Apply the RWEP model — CVSS alone fails per AGENTS.md Hard Rule #3.
-3. **Audit AI-generated code separately from human-written code.** Require commit-time provenance markers (git trailer, commit-message tag, or co-author metadata) identifying AI-assisted commits. Re-review AI-suggested handlers on every AI-codegen-CVE wave (e.g. CVE-2025-53773 → re-review every Copilot-suggested handler in the affected window). If provenance is not captured, the org cannot answer "what code do we need to re-review?" — this is a compliance-theater indicator.
+3. **Audit AI-generated code separately from human-written code.** Require commit-time provenance markers (git trailer, commit-message tag, or co-author metadata) identifying AI-assisted commits. Re-review AI-suggested handlers on every AI-codegen-CVE wave (e.g. CVE-2025-53773, CVSS 7.8 / AV:L — re-review every Copilot agent-mode-generated handler in the affected window, with priority on those that read external content into the agent context). If provenance is not captured, the org cannot answer "what code do we need to re-review?" — this is a compliance-theater indicator.
 4. **SAST + DAST coverage measurement.** Report: % of routes covered by SAST sinks, % covered by DAST in staging, findings-to-fix ratio over trailing 90 days. A SAST programme that finds and does not fix is theater (AGENTS.md DR-1 / Hard Rule #8).
 5. **IAST in staging.** Instrumented runtime testing covers what SAST cannot (intent-dependent authorisation, runtime config). Required for any app handling regulated data (PII, PCI, PHI).
 6. **Fuzz parser surfaces.** Hand off to `fuzz-testing-strategy` for any parser, deserialiser, or media-handler reachable from a public route. Fuzz corpus seeded from production traffic samples (sanitised).

package/skills/zeroday-gap-learn/skill.md

@@ -95,8 +95,10 @@ Status of the learning-loop entry for each CVE currently in `data/cve-catalog.js
 | CVE-2026-31431 (Copy Fail) | Yes | Yes (732-byte) | Yes (AI-discovered ~1h) | 90 | Complete — pre-run lesson encoded below; new control requirements CISA-KEV-RESPONSE-SLA, LIVE-PATCH-CAPABILITY, KERNEL-EXPLOITATION-DETECTION generated |
 | CVE-2026-43284 (Dirty Frag — ESP/IPsec) | No | Yes (chain) | No | 38 | Complete — pre-run lesson encoded; new control requirements CRYPTO-SUBSYSTEM-INTEGRITY, PRE-PATCH-DISCLOSURE-RESPONSE generated |
 | CVE-2026-43500 (Dirty Frag — RxRPC) | No | Yes (chain) | No | 32 | Complete — covered jointly with CVE-2026-43284 (chain partner) |
-| CVE-2025-53773 (Copilot prompt-injection RCE) | No | Yes (demonstrated) | Yes (AI tooling enables) | 42 | Complete — pre-run lesson encoded; new control requirements AI-TOOL-ACTION-AUTHORIZATION, AI-TOOL-INPUT-SANITIZATION, PROMPT-INJECTION-MONITORING generated |
-| CVE-2026-30615 (Windsurf MCP RCE) | No | Partial | No (supply-chain) | 35 | Complete — pre-run lesson encoded; new control requirements MCP-SERVER-SIGNING, MCP-TOOL-ALLOWLIST, MCP-SUPPLY-CHAIN-AUDIT generated |
+| CVE-2025-53773 (Copilot YOLO-mode RCE) | No | Yes (demonstrated) | Yes (AI tooling enables) | 30 | Complete — pre-run lesson encoded; new control requirements AI-TOOL-ACTION-AUTHORIZATION, AI-TOOL-INPUT-SANITIZATION, PROMPT-INJECTION-MONITORING generated |
+| CVE-2026-30615 (Windsurf MCP local-vector RCE) | No | Partial | No (supply-chain) | 35 | Complete — pre-run lesson encoded; new control requirements MCP-SERVER-SIGNING, MCP-TOOL-ALLOWLIST, MCP-SUPPLY-CHAIN-AUDIT generated |
+| CVE-2026-45321 (Mini Shai-Hulud TanStack npm worm) | Pending | Yes (worm in-wild) | No (engineering-grade chain) | n/a | Pre-run exemplar lesson encoded below (chained CI/CD primitives — Pwn Request + pnpm-store poisoning + OIDC theft); new control requirements PR-WORKFLOW-PRIVILEGE-CAP, ACTIONS-CACHE-INTEGRITY, OIDC-PUBLISH-AUDIT generated |
+| MAL-2026-3083 (Elementary-Data PyPI worm — forged release via GitHub Actions script-injection) | No (OSSF Malicious Packages dataset; CISA KEV catalogues vendor CVEs only) | Yes (orphan commit + exfil domain confirmed in-wild during 8h window) | No (manual chain) | n/a | Pre-run exemplar lesson encoded below; control requirements GHACTIONS-EVENT-INTERPOLATION-BAN, INSTALL-HOOK-AUDIT, OSSF-MALPACKAGES-INGEST generated |
 
 Per AGENTS.md DR-8: every new entry added to `data/cve-catalog.json` must produce a corresponding entry here and in `data/zeroday-lessons.json` before the catalog change ships. Any CVE in the catalog without a complete lesson entry is a pre-ship-checklist failure.
 
@@ -196,9 +198,9 @@ Output: Lesson entry for data/zeroday-lessons.json
 
 ---
 
-### Lesson: CVE-2025-53773 (GitHub Copilot Prompt Injection RCE)
+### Lesson: CVE-2025-53773 (GitHub Copilot YOLO-Mode RCE)
 
-**Attack vector:** Hidden prompt injection in GitHub Copilot PR descriptions. Developer reviews PR with Copilot → injected instructions execute in developer session → RCE. CVSS 9.6.
+**Attack vector:** Hidden prompt injection in any agent-readable content (source comments, README, PR descriptions, retrieved docs, MCP tool responses) coerces Copilot agent mode to write `"chat.tools.autoApprove": true` to `.vscode/settings.json`. Every subsequent shell tool call then auto-approves; the demo runs `calc.exe` / `Calculator.app` via the auto-approved `run_in_terminal` tool. CVSS 7.8 / AV:L (local-vector — developer-side IDE interaction; the NVD-authoritative score was corrected from initial 9.6 / AV:N). Affected: Visual Studio 2022 17.14.0–17.14.11 (fixed 17.14.12); GitHub Copilot Chat extension predating the 2025-08 Patch Tuesday fix.
 
 **What control should have prevented this:**
 - Access control for AI tool actions: the developer's GitHub session was correctly authenticated. The RCE happened because the AI tool executed adversarial instructions with the developer's authorization context.
@@ -212,13 +214,13 @@ Output: Lesson entry for data/zeroday-lessons.json
 
 3. **PROMPT-INJECTION-MONITORING**: Log all AI tool actions, including the content of prompts that triggered those actions. Alert on AI actions that deviate from the user's stated intent or that weren't preceded by an explicit user request.
 
-**Framework coverage:** Missing entirely in all major frameworks. CVSS 9.6 with active exploitation demonstrated and no framework control category for this attack class.
+**Framework coverage:** Missing entirely in all major frameworks. Even after the CVSS correction to 7.8 / AV:L (which reflects the local-vector reality, not severity), there is no framework control category for "prompt-injection-driven autoApprove escalation" — the bottleneck on the *attack* is a settings-file write that IS detectable as an IOC, but no framework currently mandates monitoring it.
 
 ---
 
-### Lesson: CVE-2026-30615 (Windsurf MCP Zero-Interaction RCE)
+### Lesson: CVE-2026-30615 (Windsurf MCP Local-Vector RCE)
 
-**Attack vector:** Malicious MCP server achieves RCE without user interaction. AI coding assistant autonomously calls malicious tool, code executes. 150M+ affected.
+**Attack vector:** Malicious MCP server drives RCE in the AI assistant's user context once installed. The attack vector is local (AV:L) — the attacker must control HTML content the Windsurf MCP client processes; supply-chain prerequisite (typosquatting, dependency confusion, or compromise of a legitimate server) puts the malicious server in front of the client. CVSS 8.0 (NVD-authoritative; corrected from initial 9.8 / AV:N). 150M+ combined downloads of MCP-capable AI coding assistants share the architectural surface.
 
 **New control requirements generated:**
 
@@ -248,6 +250,48 @@ Output: Lesson entry for data/zeroday-lessons.json
 
 ---
 
+### Lesson: CVE-2026-45321 (Mini Shai-Hulud TanStack npm worm)
+
+**Attack vector:** Engineering-grade three-primitive chain against the TanStack monorepo, disclosed 2026-05-11. (1) `pull_request_target` on `bundle-size.yml` runs fork-PR code with base-repo permissions (classic Pwn Request). (2) That run poisons the `actions/cache` pnpm-store under the key `Linux-pnpm-store-${hashFiles('**/pnpm-lock.yaml')}` that `release.yml` later restores. (3) On the next main push, `release.yml` (which has `id-token: write` for npm publish) restores the poisoned cache and the worm captures the OIDC token. 84 malicious versions published across 42 @tanstack/* packages between 2026-05-11 19:20-19:26 UTC. ~150M weekly downloads in scope. CVSS 9.6; CISA KEV pending. Attribution: TeamPCP. No AI-assisted exploit-development attribution for this specific instance, but the chain shape is exactly what AML.T0016-class capability-development produces at AI cadence — chained CI/CD primitives that no individual component owner recognises as exploitable.
+
+**What control should have prevented this:**
+- Workflow-privilege isolation: `pull_request_target` should never run fork-PR code with base-repo permissions in the same job as cache writes. The chain is broken if the bundle-size workflow runs with `permissions: contents: read` and writes to a separate cache key.
+- Cache integrity: `actions/cache` keyed by `hashFiles('**/pnpm-lock.yaml')` is attacker-influenceable when the same key is restored by a privileged downstream workflow. Restore-only-on-verified-publisher caches or per-job cache namespacing breaks the link.
+- OIDC token scoping: the publish job's `id-token: write` should be bound to a job that does *not* restore externally-influenced caches. Token scope minimisation per AGENTS.md DR-1 (no orphaned-privilege workflows).
+
+**New control requirements generated:**
+
+1. **PR-WORKFLOW-PRIVILEGE-CAP**: Any workflow triggered by `pull_request_target`, `pull_request` from forks, or `issue_comment` MUST declare `permissions: contents: read` at the top level and MUST NOT write to `actions/cache` keys that any other workflow restores. Static analysis at PR merge time.
+2. **ACTIONS-CACHE-INTEGRITY**: Cache keys used by publish-capable workflows MUST be namespaced per-job and MUST NOT include `${{ hashFiles(...) }}` expressions that fork PRs can influence. Where shared caches are unavoidable, restore-then-verify against an out-of-band integrity record before use.
+3. **OIDC-PUBLISH-AUDIT**: Every npm / container registry / cloud-provider OIDC token issuance from CI must be audit-logged with the job's full permission set, the workflow file SHA, and the cache keys it restored. Anomalies (cache restored from a key written by a different workflow) must alert.
+
+**Exposure scoring:**
+- Any consumer that ran `npm install` / `pnpm install` between 2026-05-11 19:20Z and 2026-05-11 ~21:00Z (yank propagation window) with a `@tanstack/*` package in their dependency tree is suspect. Lockfile resolution time-stamp is the join key.
+- Coverage failure: no major framework requires CI workflow-privilege static analysis. Supply-chain controls (SA-12, A.5.19) address vendor SaaS not GitHub Actions workflow files.
+
+---
+
+### Lesson: MAL-2026-3083 (Elementary-Data PyPI Worm — Forged Release via GitHub Actions Script Injection)
+
+**Attack vector:** Disclosed 2026-04-24, OSSF Malicious Packages primary key (no CVE assigned as of 2026-05-13; OSV-native MAL-2026-3083, Snyk cross-reference SNYK-PYTHON-ELEMENTARYDATA-16316110, kam193 campaign id `pypi/2026-04-compr-elementary-data`). Attacker abused a GitHub Actions script-injection sink in `.github/workflows/update_pylon_issue.yml`: the workflow interpolated `${{ github.event.comment.body }}` directly into a `run:` shell script. Commenting on any open PR was sufficient to execute attacker-controlled shell with the elevated `GITHUB_TOKEN`. Attacker forged orphan commit `b1e4b1f3aad0d489ab0e9208031c67402bbb8480` (still readable on GitHub) and the workflow built and published `elementary-data==0.23.3` to PyPI with an install-time `.pth`-file payload. Window of live exposure: 2026-04-24 22:20Z → 2026-04-25 ~06:30Z (~8 hours). 1.1M monthly downloads in scope. CVSS 9.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exfiltration domain (`skyhanni.cloud` subdomain) was active throughout the window.
+
+**What control should have prevented this:**
+- GitHub Actions hygiene: never interpolate `${{ github.event.* }}` into a `run:` script — use the value as an environment variable instead so the shell tokeniser treats it as data. Static-analysis tools (`zizmor`, `Octoscan`) flag this class.
+- Install-hook auditing: `.pth` files run at every `import` of any package in the same site-packages directory. The MAL-2026-3083 payload is invisible to `pip install --dry-run` but visible in the wheel's `RECORD` file. `pip install --require-hashes` plus consumer-side `pip-audit --strict` against the OSSF Malicious Packages dataset would have caught the malicious version.
+- Ingest-time intel: OSSF Malicious Packages publishes within minutes of detection. A consumer pipeline that ingests OSSF + Snyk + npm advisory feeds with sub-hour latency closes the window in proportion to the attacker's, not in proportion to vendor advisory cadence.
+
+**New control requirements generated:**
+
+1. **GHACTIONS-EVENT-INTERPOLATION-BAN**: Static-analysis gate on every CI pipeline: reject any workflow that interpolates `${{ github.event.* }}` (or `github.head_ref`, `inputs.*` from untrusted sources) directly into `run:` shell. Required tooling: `zizmor` / `Octoscan` / `actionlint` with the script-injection rule enabled. Hard fail on PR merge.
+2. **INSTALL-HOOK-AUDIT**: Pre-install scan of every wheel / sdist for install-time hooks (`.pth` files, `setup.py` execution, `pyproject.toml` build hooks). Any package adding a `.pth` file that imports network code at module-load time gets quarantined for review. Tooling: `pip-audit` plus a custom `.pth`-file diff rule.
+3. **OSSF-MALPACKAGES-INGEST**: Subscribe to the OSSF Malicious Packages OSV feed with sub-hour latency and apply it as a hard-block at the dependency resolver. Any organisation whose dependency pipeline is anchored to NVD CVE feeds alone misses MAL-2026-3083 entirely — there is no CVE ID, just an OSSF / Snyk / kam193 advisory. This control closes the AGENTS.md DR-1 (no stale threat intel) loop for the OSV-native malicious-package class.
+
+**Exposure scoring:**
+- Anyone who `pip install`-ed `elementary-data` between 2026-04-24 22:20Z and 2026-04-25 ~06:30Z inside a dbt analytics pipeline (or any virtualenv where `elementary-data==0.23.3` resolved) was hit. The install-hook fires at the *next* import in the affected venv, which can be hours-to-days after the install.
+- Coverage failure: NVD CVE feed coverage is structurally zero (no CVE issued); SOC playbooks that filter on "is there a CVE ID?" miss the entire OSV-native class. OSSF Malicious Packages + Snyk Advisor + kam193 campaign feeds are the operational intel layer.
+
+---
+
 ## Analysis Procedure for New Zero-Days
 
 When a user provides a new CVE or vulnerability description:

package/vendor/blamejs/_PROVENANCE.json

@@ -34,7 +34,7 @@
     },
     "worker-pool.js": {
       "vendored_path": "vendor/blamejs/worker-pool.js",
-      "vendored_sha256": "57d8f5c3bca23cd4ef2a16adf4107bc60c4da3fbc9bb861580edc76ed9a2d132",
+      "vendored_sha256": "fa9814c2d18db221a2dc552cf2a5047467d87a2590cbc9d64b8a0a340e545b55",
       "upstream_path": "lib/worker-pool.js",
       "upstream_sha256_at_pin": "262f99e9cc3d4a8f4eba9ad3e28401e8a1f47f78040afa63c9b17eb998437171",
       "stripped": [
@@ -48,6 +48,9 @@
         "create(scriptPath, opts) -> { run, drain, terminate, stats }",
         "bounded size + maxQueueDepth + taskTimeoutMs",
         "worker recycle on uncaught error / timeout / exit"
+      ],
+      "exceptd_deltas": [
+        "scriptPath validator rejects Windows UNC + extended-path prefixes (\\\\?\\, \\\\.\\, \\\\<server>\\) — defense-in-depth against worker-spawn from network shares on win32 platforms"
       ]
     }
   }

package/vendor/blamejs/worker-pool.js

@@ -87,6 +87,20 @@ function _validateScriptPath(scriptPath) {
     throw _err("workerpool/bad-script-path",
       "workerPool.create: scriptPath must be a filesystem path, not an eval/data URL");
   }
+  // On Windows path.isAbsolute() accepts UNC + extended-length + device
+  // namespace forms (e.g. `\\server\share`, `\\?\UNC\server\share`,
+  // `\\?\C:\path`, `\\.\PhysicalDrive0`). The worker pool only supports
+  // local-filesystem scripts; reject these prefixes so a hostile or
+  // mistyped path can't get a Worker thread to follow a network share or
+  // device namespace.
+  if (process.platform === "win32") {
+    // \\.\, \\?\, \\?\UNC\, or any other \\<server>\<share> form.
+    if (/^\\\\[.?]\\/.test(scriptPath) || /^\\\\\?\\UNC\\/i.test(scriptPath) || /^\\\\[^\\?.]/.test(scriptPath)) {
+      throw _err("workerpool/bad-script-path",
+        "workerPool.create: scriptPath must not use UNC / extended-length / device namespace prefixes on win32; got " +
+        JSON.stringify(scriptPath));
+    }
+  }
 }
 
 function _emitAudit(_action, _outcome, _metadata) {
@@ -94,6 +108,30 @@ function _emitAudit(_action, _outcome, _metadata) {
   // Preserved as a function so the rest of the file matches upstream shape.
 }
 
+/**
+ * Create a worker pool.
+ *
+ * Lifecycle. Worker threads spawned by the pool hold the parent's event
+ * loop open until they are explicitly terminated. Pool timers are NOT
+ * unref'd (intentional: timeouts must fire even when no other work is
+ * pending). Consumers MUST call `terminate()` when the pool is no longer
+ * needed, or wrap their usage in a try/finally:
+ *
+ *   const pool = workerPool.create(scriptPath);
+ *   try {
+ *     await pool.run(message);
+ *   } finally {
+ *     await pool.terminate();
+ *   }
+ *
+ * Failing to call terminate() causes the host process to hang after main()
+ * returns. The pool does not auto-recycle on idle, and no GC reachability
+ * heuristic will reclaim a live Worker thread.
+ *
+ * @param {string} scriptPath Absolute filesystem path to the worker script.
+ * @param {{ size?: number, onExit?: Function, maxQueueDepth?: number, taskTimeoutMs?: number }} [opts]
+ * @returns {{ run: Function, drain: Function, terminate: Function, stats: Function }}
+ */
 function create(scriptPath, opts) {
   opts = opts || {};
   _validateOptsWhitelist(opts, ["size", "onExit", "maxQueueDepth", "taskTimeoutMs"], "workerPool.create");