@blamejs/exceptd-skills 0.12.2 → 0.12.6

package/data/cve-catalog.json

@@ -144,7 +144,38 @@
         "published_date": "2026-03-15"
       }
     ],
-    "last_updated": "2026-05-11"
+    "iocs": {
+      "payload_artifacts": [
+        "/etc/passwd containing more than one line with uid field == 0 (Dirty COW / Dirty Pipe / Copy Fail family canonical post-exploit outcome)",
+        "/etc/shadow modified without corresponding /var/log/auth.log useradd / usermod / passwd entry by uid 0",
+        "Setuid-root binary in /usr/bin, /usr/sbin, /bin, /sbin whose sha256 differs from distro package-manager (`rpm -Va`, `debsums -c`, `dpkg --verify`) — Copy Fail's page-cache write primitive can target any read-only page-cache-resident file; setuid binaries are highest-value post-LPE persistence targets"
+      ],
+      "runtime_syscall": [
+        "splice(2) syscall by uid >= 1000 with source fd opened O_RDONLY against a file the caller has no write permission on, target fd a pipe (Dirty Pipe primitive; same shape as Copy Fail page-cache CoW)",
+        "write(2) to a pipe immediately preceded by splice(2) from a read-only file, with payload containing 'root:' or '/bin/sh' or shell metacharacters",
+        "userfaultfd(2) syscall from an unprivileged process when vm.unprivileged_userfaultfd != 0, paired with MAP_PRIVATE mapping of a setuid file",
+        "ptrace(PTRACE_POKEDATA) or write(2) against /proc/self/mem or /proc/<pid>/mem in write mode from a non-root process"
+      ],
+      "kernel_trace": [
+        "ftrace tracepoint splice_write or iter_file_splice_write firing with destination inode the caller lacks S_IWUSR on",
+        "eBPF kprobe on copy_page_to_iter / copy_page_from_iter with caller_uid != 0 and target page in a file lacking caller write permission",
+        "auditd rule 'arch=b64 -S splice -F success=1 -F auid>=1000 -k splice_unpriv' firing on hosts where splice is not part of expected workload",
+        "dmesg BUG: or WARN_ON originating from mm/filemap.c, mm/memory.c, fs/splice.c, or mm/gup.c within 60s of an unprivileged-process privilege transition"
+      ],
+      "behavioral": [
+        "Process whose /proc/<pid>/status transitions Uid: 1000 1000 1000 1000 -> Uid: 0 0 0 0 without an intervening execve of a setuid binary (DirtyCred-class signal)",
+        "Root-uid shell (bash, sh, dash, zsh) whose PPid resolves to a non-setuid, non-root parent (python, ruby, node, user-owned /tmp or /home binary)",
+        "Anonymous RWX region (rwxp 00000000) appearing in /proc/<pid>/maps of a process that did not previously have one and is not a known JIT runtime",
+        "Unprivileged process holding open file descriptor to /proc/self/mem or /proc/<other_pid>/mem in write mode"
+      ],
+      "livepatch_gap": [
+        "Kernel version in affected_versions range AND /sys/kernel/livepatch/*/cve-ids does NOT contain CVE-2026-31431 — treat as EXPOSED regardless of generic livepatch-active flag",
+        "RHEL: kpatch-livepatch-*-CVE-2026-31431 RPM installed but not in `kpatch list` Loaded patch modules section (package-installed-without-load silent exposure)",
+        "Ubuntu: `canonical-livepatch status --verbose` 'fixes:' list does not include CVE-2026-31431 while kernel in affected range"
+      ],
+      "forensic_note": "Copy Fail is deterministic, 732-byte, single-stage, memory-only. Disk-forensic indicators (shell history, dropped binaries, persistence files) are unreliable — competent operators leave no on-disk trace. The runtime_syscall + kernel_trace + behavioral entries are the load-bearing detection surface. Disk indicators are limited to the exploit OUTCOMES (/etc/passwd mutation, suid drift), not the exploit ARTIFACTS."
+    },
+    "last_updated": "2026-05-13"
   },
   "CVE-2026-43284": {
     "name": "Dirty Frag (ESP/IPsec component)",
@@ -243,7 +274,36 @@
         "published_date": "2026-04-05"
       }
     ],
-    "last_updated": "2026-05-11"
+    "subsystem_anchors": {
+      "kernel_modules": ["esp4", "esp6", "xfrm_user", "xfrm_algo"],
+      "kernel_symbols": [
+        "esp_input", "esp_input_tail", "esp_input_done2",
+        "esp6_input", "esp6_input_done2",
+        "xfrm_input", "xfrm_rcv_cb", "xfrm_replay_advance"
+      ],
+      "procfs_paths": ["/proc/net/xfrm_stat"],
+      "syscall_surface": [
+        "socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM=6)",
+        "sendmsg() to xfrm netlink with XFRM_MSG_NEWSA / XFRM_MSG_UPDSA"
+      ],
+      "caps_required_legit": ["CAP_NET_ADMIN"],
+      "caps_required_exploit": "CAP_NET_ADMIN within user namespace if unprivileged_userns_clone=1; else CAP_NET_ADMIN on host",
+      "deployment_prevalence_note": "IPsec subsystem present in essentially every distro kernel (CONFIG_XFRM=y). Module ESP4/ESP6 loads lazily on first use; presence of /proc/net/xfrm_stat alone does not indicate active IPsec — check `ip xfrm state` for live SAs."
+    },
+    "iocs": {
+      "behavioral": [
+        "Non-zero /proc/net/xfrm_stat XfrmInNoStates or XfrmInStateInvalid with empty `ip xfrm state show` — kernel doing ESP decap work the operator hasn't configured",
+        "ESP outer-IP fragmentation observed (MF=1 or non-zero frag offset on IP proto 50) with SPI churn >3/min from a single peer AND inner reconstructed payload size > 1480",
+        "Non-root, non-CAP_NET_ADMIN process opening NETLINK_XFRM (family=AF_NETLINK, protocol=6) from inside a user namespace — operational pivot when paired with unprivileged_userns_clone=1",
+        "lsmod contains esp4 OR esp6 AND `ip xfrm state show` empty AND /proc/net/xfrm_stat non-zero on counters — ESP loaded + receiving packets + no SAs configured = active CVE-2026-43284 surface probing"
+      ],
+      "false_positive_distinguishers": [
+        "Distinguish from libreswan/strongSwan/charon by reading /proc/<pid>/comm of the netlink opener",
+        "Distinguish from kube-proxy / Calico / Antrea IPsec from `ip xfrm policy show` matching expected CNI SPI ranges",
+        "Re-sample 60s after lsmod-loaded-no-policy fires; persistent absence of `ip xfrm state` for >120s with loaded modules indicates non-startup-race anomaly"
+      ]
+    },
+    "last_updated": "2026-05-13"
   },
   "CVE-2026-43500": {
     "name": "Dirty Frag (RxRPC component)",
@@ -338,38 +398,85 @@
         "published_date": "2026-04-05"
       }
     ],
-    "last_updated": "2026-05-11"
+    "subsystem_anchors": {
+      "kernel_modules": ["rxrpc", "af_rxrpc", "kafs"],
+      "kernel_symbols": [
+        "rxrpc_recvmsg", "rxrpc_sendmsg",
+        "rxrpc_input_packet", "rxrpc_input_data",
+        "rxrpc_alloc_skb", "rxrpc_kernel_send_data",
+        "afs_make_call", "afs_deliver_to_call"
+      ],
+      "procfs_paths": [
+        "/proc/net/rxrpc/calls",
+        "/proc/net/rxrpc/conns",
+        "/proc/net/rxrpc/peers",
+        "/proc/net/rxrpc/locals"
+      ],
+      "syscall_surface": [
+        "socket(AF_RXRPC, SOCK_DGRAM, PF_INET|PF_INET6)",
+        "setsockopt(RXRPC_SECURITY_KEY / RXRPC_EXCLUSIVE_CONNECTION / RXRPC_UPGRADEABLE_SERVICE)"
+      ],
+      "caps_required_legit": "none — AF_RXRPC sockets openable by any user with the protocol family compiled in",
+      "caps_required_exploit": "none for socket open; CAP_NET_ADMIN not required — this is part of why RxRPC is attractive in a chain",
+      "deployment_prevalence_note": "RxRPC present in mainline as tristate module (CONFIG_AF_RXRPC=m). Loaded only on demand; only first-party in-tree consumer is kafs (CONFIG_AFS_FS). Estimated <2% of enterprise Linux hosts have rxrpc loaded at any given moment. Low ambient noise makes any AF_RXRPC socket open by a non-AFS process a high-signal IoC.",
+      "legitimate_rxrpc_openers": [
+        "Kernel threads: kafsd (per-namespace), kworker doing kafs work",
+        "OpenAFS suite: afsd, aklog, unlog, tokens, fs, vos, pts, bos, kas, udebug, cmdebug, kpasswd, klog, rxdebug, rxgen, xstat_*",
+        "kafs-utils equivalents (varies by distro)",
+        "Filesystem mount processes: mount.afs, mount.kafs"
+      ]
+    },
+    "iocs": {
+      "behavioral": [
+        "Any process not on the kafs/OpenAFS allowlist (afsd, aklog, fs, vos, pts, bos, kas, kpasswd, rxdebug, mount.afs, mount.kafs, kafsd, kworker) opening AF_RXRPC socket — RxRPC has near-zero ambient noise outside AFS environments",
+        "/proc/net/rxrpc/calls non-empty on a host with no AFS configuration (/etc/openafs/CellServDB absent AND /etc/krb5.conf absent)",
+        "lsmod contains rxrpc OR af_rxrpc AND lsmod does NOT contain kafs AND /etc/openafs/CellServDB does not exist — module loaded without its only first-party consumer",
+        "Outbound UDP/7000-7007 (kafs RxRPC port range) from a host not declared as an AFS client"
+      ],
+      "false_positive_distinguishers": [
+        "Academic / research / national-lab environments commonly run OpenAFS — establish per-host baseline rather than fleet-wide block",
+        "Integration tests (kafs-testing, OpenAFS regression suite) open AF_RXRPC briefly — distinguish by parent process and lifetime <60s",
+        "Check for kafs-testing or OpenAFS source tree in /home or /opt; check short-lived (<5min) module load via `dmesg | grep rxrpc` timestamps"
+      ]
+    },
+    "pairing_note": "CVE-2026-43500 only realizes its full primitive when chained with CVE-2026-43284. Detection of either subsystem being exercised on a host that should have neither is itself the chain-detection signal. Simultaneous match of esp-module-loaded-no-policy AND rxrpc-active-call-no-afs-config should escalate to a deterministic paired finding.",
+    "last_updated": "2026-05-13"
   },
   "CVE-2025-53773": {
-    "name": "GitHub Copilot Prompt Injection RCE",
+    "name": "GitHub Copilot / VS Code 'YOLO mode' Prompt Injection RCE",
     "type": "RCE-via-prompt-injection",
-    "cvss_score": 9.6,
-    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
+    "cvss_score": 7.8,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_correction_note": "v0.12.6 source audit corrected from CVSS 9.6/AV:N (network) to CVSS 7.8/AV:L (local) — the attack is local-vector via developer-side IDE interaction; the attacker does not reach in over the network. NVD authoritative.",
+    "cwe_refs": ["CWE-77"],
     "cisa_kev": false,
     "cisa_kev_date": null,
     "poc_available": true,
-    "poc_description": "Demonstrated — hidden adversarial instructions in GitHub PR descriptions cause GitHub Copilot to execute attacker-controlled code in the developer's session",
+    "poc_description": "Published by Johann Rehberger (Embrace the Red, August 2025). Hidden instructions in any agent-readable content (source comments, README, GitHub issues, tool-call responses) coerce Copilot agent mode to write \"chat.tools.autoApprove\": true to .vscode/settings.json, flipping the agent into 'YOLO mode' where every subsequent shell tool call auto-approves without user confirmation. Demo executes calc.exe / Calculator.app via the autoapproved run_in_terminal tool.",
     "ai_discovered": false,
     "ai_assisted_weaponization": true,
-    "ai_assisted_notes": "AI tooling enables the attack — the vulnerability IS in an AI tool. AI accelerates crafting of effective injection payloads.",
+    "ai_assisted_notes": "The vulnerability IS in an AI tool (Copilot agent mode). Attack chain bottlenecks on a structural settings-file write — converts the 'any text could be injection' fuzzy detection problem into a one-line filesystem IoC.",
     "active_exploitation": "suspected",
-    "affected": "GitHub Copilot users who use Copilot to review or summarize PR descriptions",
+    "affected": "Microsoft Visual Studio 2022 17.14.0-17.14.11 (fixed in 17.14.12). GitHub Copilot Chat extension on VS Code at versions predating the August 2025 Patch Tuesday fix. Architectural surface affects any Copilot-agent-mode-enabled environment.",
     "affected_versions": [
-      "GitHub Copilot < patched version"
+      "Visual Studio 2022: >=17.14.0, <17.14.12",
+      "GitHub Copilot Chat (VS Code extension): versions predating the August 2025 Patch Tuesday fix"
     ],
-    "vector": "Prompt injection via PR description field — adversarial instructions embedded in PR content execute in the context of the developer's Copilot session when the developer interacts with the PR via Copilot",
+    "vector": "Three-step chain: (1) attacker plants instructions in any content the agent reads — source-file comments, README, issue body, web-fetched docs, MCP tool response; (2) Copilot agent mode follows the planted instructions to write `\"chat.tools.autoApprove\": true` into `.vscode/settings.json` (workspace or user-global) — file write is silent and persistent, no in-editor diff shown; (3) every subsequent shell tool call auto-approves without user confirmation, giving full local code execution under the developer's identity. Worm angle (demonstrated): post-exploitation can `git commit` the malicious settings file and push it to other repos.",
     "complexity": "low",
-    "complexity_notes": "The attacker crafts PR description content. No specialized knowledge required beyond understanding of prompt injection.",
+    "complexity_notes": "Attacker crafts agent-readable content. The agent writes the YOLO-mode flag itself; no race condition or timing dependency. Invisible Unicode Tag-block (U+E0000-U+E007F) variants demonstrated for content-level evasion.",
     "patch_available": true,
     "patch_required_reboot": false,
     "live_patch_available": true,
     "live_patch_tools": [
-      "GitHub SaaS update — no user action required for SaaS patch"
+      "Visual Studio 17.14.12 (August 2025 Patch Tuesday)",
+      "GitHub Copilot Chat extension auto-update"
     ],
     "framework_control_gaps": {
-      "ALL-MAJOR-FRAMEWORKS": "No framework has a control category for prompt injection as an RCE vector. CVSS 9.6 with no framework control.",
-      "NIST-800-53-AC-2": "AI agent actions use the developer's authorized service account — AC-2 controls don't surface the unauthorized action.",
-      "SOC2-CC6": "Same — logical access controls don't apply to model-context-window-mediated actions."
+      "ALL-MAJOR-FRAMEWORKS": "No framework has a control category for AI-agent-configuration bypass of user confirmation. Agent writes a settings file the user never sees a diff for; access control treats this as the developer's authorized action.",
+      "NIST-800-53-AC-2": "AI agent actions use the developer's authorized service account — AC-2 does not constrain agent-config bypass.",
+      "NIST-800-53-CM-7": "Least functionality does not address agent-mode auto-approval flags.",
+      "SOC2-CC6": "Logical access controls don't apply to model-context-window-mediated actions."
     },
     "atlas_refs": [
       "AML.T0051",
@@ -377,45 +484,73 @@
     ],
     "attack_refs": [
       "T1059",
+      "T1059.001",
       "T1190"
     ],
-    "rwep_score": 42,
+    "rwep_score": 30,
     "rwep_factors": {
       "cisa_kev": 0,
       "poc_available": 20,
       "ai_factor": 15,
       "active_exploitation": 10,
-      "blast_radius": 22,
+      "blast_radius": 10,
       "patch_available": -15,
       "live_patch_available": -10,
       "reboot_required": 0
     },
-    "epss_score": 0.32,
-    "epss_percentile": 0.92,
-    "epss_date": "2026-05-11",
+    "rwep_notes": "RWEP recomputed in v0.12.6 after CVSS 9.6→7.8 correction. AV:L (local) reduces blast_radius weight; vendor patch + auto-updating IDE reduce live_patch_available impact.",
+    "epss_score": 0.046,
+    "epss_percentile": 0.893,
+    "epss_date": "2026-05-13",
     "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-53773",
-    "source_verified": "2026-05-01",
+    "source_verified": "2026-05-13",
     "verification_sources": [
       "https://nvd.nist.gov/vuln/detail/CVE-2025-53773",
-      "https://github.com/advisories/GHSA-xxxx"
+      "https://embracethered.com/blog/posts/2025/github-copilot-remote-code-execution-via-prompt-injection/",
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53773",
+      "https://www.wiz.io/vulnerability-database/cve/cve-2025-53773"
     ],
     "vendor_advisories": [
       {
         "vendor": "Microsoft MSRC",
-        "advisory_id": null,
+        "advisory_id": "CVE-2025-53773",
         "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53773",
-        "severity": "critical",
+        "severity": "high",
         "published_date": "2025-08-12"
       },
       {
         "vendor": "GitHub Security Advisories",
         "advisory_id": null,
         "url": "https://github.com/advisories?query=CVE-2025-53773",
-        "severity": "critical",
+        "severity": "high",
         "published_date": "2025-08-12"
       }
     ],
-    "last_updated": "2026-05-11"
+    "iocs": {
+      "filesystem_post_exploit": [
+        ".vscode/settings.json (workspace) OR ~/.vscode/settings.json (user-global) contains \"chat.tools.autoApprove\": true — PRIMARY post-exploitation IoC. Setting is experimental + off by default + structural pivot the entire chain depends on. Near-zero false positive for non-developer users.",
+        ".vscode/settings.json content matches regex \"chat\\\\.(experimental|tools)\\\\..*\":\\\\s*true — broader sweep for any auto-approve / experimental flag in workspace-scoped settings.",
+        "settings.json mtime falls inside Copilot agent-mode session window AND diff includes any key under chat.tools.* or github.copilot.advanced.* — Copilot writes are immediately persistent, no diff-approval UI"
+      ],
+      "repository_supply_chain": [
+        "Repository ships a checked-in .vscode/settings.json with chat.tools.autoApprove or chat.experimental.*: true — pre-arms YOLO mode for any cloner running Copilot agent mode (supply-chain plant variant)",
+        "Repository content (README, source comments, issue/PR bodies) contains literal 'chat.tools.autoApprove' OR 'autoApprove\": true' OR 'YOLO mode' — payload must reference target key by name (suppress on this catalog, MSRC, embracethered.com)",
+        "Files in agent-readable surfaces (README.md, source comments, .github/*, CONTRIBUTING.md) contain codepoints in Unicode Tag block U+E0000-U+E007F or zero-width control characters U+200B-U+200F / U+202A-U+202E / U+2060-U+2064 — invisible-instruction injection technique"
+      ],
+      "behavioral": [
+        "Copilot agent tool-call sequence: read_file|web_fetch|github_issue_read → write_file('.vscode/settings.json' OR '*/settings.json') → run_in_terminal, no request_user_confirmation between writes and exec",
+        "Editor (Code.exe / 'Code Helper') parent process spawns interactive shell (powershell/pwsh/bash/zsh) whose command line is not in user shell history AND not in {--login, REPL}"
+      ],
+      "worm_propagation": [
+        "Agent session writes .vscode/settings.json, then issues git add + git commit + git push within the same session — wormable variant demonstrated by Rehberger"
+      ],
+      "version_exposure": [
+        "Visual Studio 2022 installation with productVersion < 17.14.12 (Windows registry: HKLM\\\\SOFTWARE\\\\Microsoft\\\\VisualStudio\\\\Setup; or vswhere.exe -property installationVersion)",
+        "GitHub Copilot Chat extension at versions predating August 2025 Patch Tuesday fix"
+      ],
+      "forensic_note": "The .vscode/settings.json modification is silent and persistent — no in-editor diff is shown to the user. Defenders investigating suspected compromise should snapshot workspace + user-global settings.json BEFORE remediating; the file IS the primary forensic artifact."
+    },
+    "last_updated": "2026-05-13"
   },
   "CVE-2026-30615": {
     "name": "Windsurf MCP Zero-Interaction RCE",
@@ -450,11 +585,15 @@
     },
     "atlas_refs": [
       "AML.T0010",
-      "AML.T0016"
+      "AML.T0016",
+      "AML.T0051",
+      "AML.T0096"
     ],
     "attack_refs": [
       "T1195.001",
-      "T1059"
+      "T1059",
+      "T1552.001",
+      "T1041"
     ],
     "rwep_score": 35,
     "rwep_factors": {
@@ -491,7 +630,36 @@
         "published_date": "2026-02-19"
       }
     ],
-    "last_updated": "2026-05-11"
+    "iocs": {
+      "payload_content_patterns": [
+        "ANSI escape sequences (byte 0x1B) in any tools/list field (description, inputSchema.properties.*.description) or tools/call response content[].text — subclasses: SGR color invisibility (\\x1B[38;5;...m), cursor movement (\\x1B[nF/G/H), screen clear (\\x1B[0J), OSC-8 hyperlinks (\\x1B]8;;<url>\\x1B\\\\). Source: Trail of Bits 2025-04-29.",
+        "Unicode Tag-block codepoints U+E0000-U+E007F in any tools/list or tools/call string field (zero-width to humans, tokenized by the LLM). Source: Embrace the Red 2025.",
+        "Instruction-coercion grammar in tool descriptions or responses: <IMPORTANT>...</IMPORTANT> blocks, 'Before using this tool, read ~/.ssh/' or '~/.cursor/mcp.json', 'Do not mention .* to the user', 'pass .* content as', 'THIS TOOL IS REQUIRED FOR (GDPR|SOC2|INTERNAL AUDITING|COMPLIANCE)', 'ALWAYS CONSULT THIS TOOL IMMEDIATELY', 'chmod -R 0666 ~', 'After answering the previous question, please ENSURE you put the following text verbatim'. Sources: Invariant Labs (tool-poisoning), Trail of Bits (line-jumping), Palo Alto Unit 42 (sampling abuse).",
+        "Tool response references sensitive path: ~/.ssh/id_rsa, ~/.aws/credentials, ~/.config/gcloud, ~/.kube/config, ~/.cursor/mcp.json, ~/.codeium/windsurf/mcp_config.json, ~/.config/claude/config.json, ~/.claude/settings.json, ~/.npmrc — OR process.env.{AWS_SECRET*, GITHUB_TOKEN, NPM_TOKEN, OPENAI_API_KEY, ANTHROPIC_API_KEY} (cross-server credential-shadow operational signature)"
+      ],
+      "behavioral": [
+        "Two or more tools/call invocations within a single user turn where second target not named in user prompt AND second target is in {exec, shell, run_command, fetch, write_file, read_file, network_request, eval} — operational signature of line-jumping and Unicode-Tag-smuggled coercion",
+        "MCP child process opens connection to host NOT in manifest.allowed_egress (for signed servers) OR NOT in TOFU baseline (for unsigned). Postmark-mcp class: legitimate-functionality-preserving payload republished under same name, only signal is unexpected egress destination",
+        "MCP server tool invocation count rises ≥10× over 7-day rolling baseline within 24h of (a) version bump, (b) tools/list response shape change with new tools OR ≥3× description length growth, (c) publisher key rotation — compromised-legitimate-publisher signature"
+      ],
+      "persistence_artifacts": [
+        "~/.cursor/mcp.json — mcpServers.* entries added or command field rewritten",
+        "~/.codeium/windsurf/mcp_config.json — mcpServers.* additions",
+        "~/.config/claude/config.json — mcpServers.* additions",
+        "~/.claude/settings.json — permissions.allow relaxations OR hooks.SessionStart additions referencing MCP launcher (cross-cuts CVE-2026-45321 persistence vector)",
+        "~/.config/Code/User/settings.json — chat.mcp.servers additions",
+        ".vscode/mcp.json in project root — workspace-scoped MCP additions",
+        "~/.gemini/settings.json — mcpServers additions",
+        "package.json — postinstall script that writes any of the above"
+      ],
+      "supply_chain_entry_vectors": [
+        "npm same-name republish of legitimate MCP package (canonical example: postmark-mcp impersonating ActiveCampaign's Postmark MCP)",
+        "npm typosquat within edit-distance-2 of @modelcontextprotocol/* official namespace",
+        "SANDWORM_MODE-style worm: malicious package writes mcpServers entry into local AI-assistant config on postinstall, propagating across every assistant on the developer endpoint",
+        "Compromised legitimate publisher key — malicious update from previously-trusted maintainer; signature-based controls do not fire"
+      ]
+    },
+    "last_updated": "2026-05-13"
   },
   "CVE-2026-45321": {
     "name": "Mini Shai-Hulud TanStack npm worm",
@@ -590,20 +758,69 @@
     "iocs": {
       "payload_artifacts": [
         "node_modules/@tanstack/*/router_init.js",
-        "node_modules/@tanstack/*/router_runtime.js"
+        "node_modules/@tanstack/*/router_runtime.js",
+        "node_modules/@tanstack/*/tanstack_runner.js",
+        "Any file with SHA-256 ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c (router_init.js)",
+        "Any file with SHA-256 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96 (tanstack_runner.js)",
+        "package.json containing optionalDependencies '@tanstack/setup' referencing github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c (attacker fork commit; zero-FP campaign signature)",
+        "package.json prepare script matching /bun run tanstack_runner\\.js.*exit 1/",
+        "Any @tanstack/* tarball > 600 KB unpacked OR > 3x file-count delta vs prior minor version (clean ~190 KB, infected ~900 KB, +23 file delta)"
       ],
       "persistence_artifacts": [
         ".claude/settings.json hooks.SessionStart entry running `node .vscode/setup.mjs`",
+        ".claude/router_runtime.js (payload copy planted outside node_modules)",
+        ".claude/setup.mjs and .vscode/setup.mjs shared loader shims",
         ".vscode/tasks.json folder-open task pointing at .vscode/setup.mjs",
-        "~/Library/LaunchAgents/com.tanstack.*.plist (macOS persistence)",
-        "~/.config/systemd/user/*.service referencing the staged setup.mjs (Linux systemd-user persistence)"
+        "~/Library/LaunchAgents/com.user.gh-token-monitor.plist (macOS persistence; observed label is com.user.gh-token-monitor, NOT com.tanstack.*)",
+        "~/.config/systemd/user/gh-token-monitor.service (Linux systemd-user persistence)",
+        "~/.local/bin/gh-token-monitor.sh (continuous GitHub-token-validity monitor daemon)",
+        "~/.config/gh-token-monitor/token (stolen token at rest)",
+        ".github/workflows/codeql_analysis.yml in a repo that doesn't otherwise use CodeQL — worm-propagated workflow exfiltrating secrets.toJSON"
+      ],
+      "credential_paths_scanned": [
+        "~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.ssh/id_ecdsa, ~/.ssh/config",
+        "~/.git-credentials, ~/.config/git/credentials, ~/.gitconfig",
+        "~/.npmrc (project and home)",
+        "~/.aws/credentials, ~/.aws/config, ~/.aws/sso/cache/*.json",
+        "~/.config/gcloud/application_default_credentials.json, ~/.config/gcloud/credentials.db, ~/.config/gcloud/access_tokens.db",
+        "~/.azure/accessTokens.json, ~/.azure/azureProfile.json",
+        "~/.kube/config, /var/run/secrets/kubernetes.io/serviceaccount/token",
+        "~/.claude.json, ~/.claude/mcp.json, ~/.config/anthropic/, ~/.config/openai/",
+        "~/.bitcoin/wallet.dat, ~/.ethereum/keystore/*, Exodus / Electrum / Atomic Wallet stores; browser-extension storage for MetaMask / Phantom",
+        "Process env: NPM_TOKEN, GITHUB_TOKEN, ACTIONS_ID_TOKEN_REQUEST_TOKEN, ACTIONS_ID_TOKEN_REQUEST_URL, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, GOOGLE_APPLICATION_CREDENTIALS, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, VAULT_TOKEN, VAULT_ADDR, OPENAI_API_KEY, ANTHROPIC_API_KEY"
+      ],
+      "c2_indicators": [
+        "git-tanstack.com (primary typosquat C2; serves Python payload at /transformers.pyz)",
+        "filev2.getsession.org/file/ (Session messenger dead-drop, RSA-4096-OAEP wrapped exfil)",
+        "api.masscan.cloud (direct credential POST)",
+        "169.254.169.254/latest/meta-data/iam/security-credentials/ (AWS IMDSv1 scrape from build runner)",
+        "169.254.170.2 (AWS ECS task-role metadata)",
+        "vault.svc.cluster.local:8200 (in-cluster HashiCorp Vault enumeration)",
+        "registry.npmjs.org/-/npm/v1/tokens (npm token enumeration on live account)",
+        "GitHub dead-drop repos with description 'A Mini Shai-Hulud has Appeared' (Mini) / 'Sha1-Hulud: The Second Coming.' (Shai-Hulud 2.0) / 'Shai-Hulud Migration' (original Sept 2025); repo names matching ^[0-9a-z]{18}$ or suffixed '-migration'",
+        "Worm-propagated commits: author 'claude@users.noreply.github.com', message 'chore: update dependencies', branch matching ^dependabot/github_actions/format/",
+        "npmjs.help (typosquat credential-harvest domain; original Shai-Hulud campaign infrastructure)"
+      ],
+      "host_recon": [
+        "python3 reading /proc/<pid>/mem in a CI environment (OIDC token-scrape signature for the ACTIONS_ID_TOKEN_REQUEST_TOKEN lift)",
+        "bun.sh download or `bun run` invocation in a Node-only / pnpm-only project (Bun runtime chosen to evade Node-aware EDR)",
+        "Outbound DNS for filev2.getsession.org / git-tanstack.com / api.masscan.cloud spawned by npm/pnpm/bun install child process"
       ],
       "behavioral": [
         "Build job restores actions/cache key matching Linux-pnpm-store-<hash> written by a non-publishing workflow",
         "Same repo has pull_request_target trigger anywhere AND id-token: write anywhere AND actions/cache used by both",
-        "@tanstack/* package resolved within publish window 2026-05-11T19:20Z..2026-05-11T19:26Z"
+        "@tanstack/* package resolved within publish window 2026-05-11T19:20Z..2026-05-11T19:26Z",
+        "Workflow file under .github/workflows/*.yml modified by a commit whose author is not a repo collaborator AND timestamp within 24h of an npm token use event (worm propagation signature retained from original Shai-Hulud Sept 2025)",
+        "Public GitHub repo created on victim account within 1h of an npm install of an @tanstack/* package, with description containing 'Shai-Hulud', 'Sha1-Hulud', or 'A Mini Shai-Hulud has Appeared'",
+        "Private repos of victim re-created as public with '-migration' suffix (original Shai-Hulud migration pattern)"
       ],
-      "destructive": "Payload triggers wipe on token-revocation — operators rotating npm tokens after suspected exposure should snapshot affected hosts first."
+      "destructive": [
+        "Payload triggers wipe on token-revocation — operators rotating npm tokens after suspected exposure should snapshot affected hosts first.",
+        "Literal substring 'IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner' in any file under node_modules/, .claude/, .vscode/, OR in `npm token list` description for any account — deterministic zero-FP campaign signature",
+        "rm -rf \"$HOME\" or rm -rf ~/ child process spawned by gh-token-monitor.sh after HTTP 4xx from api.github.com/user",
+        "Linux variant (original Shai-Hulud carry-forward): find \"$HOME\" -type f -writable -user \"$(id -un)\" -print0 | xargs -0 -r shred -uvz -n 1",
+        "Windows variant (original Shai-Hulud carry-forward): del /F /Q /S \"%USERPROFILE%*\" && cipher /W:%USERPROFILE%"
+      ]
     },
     "last_updated": "2026-05-13"
   }

package/data/playbooks/kernel.json

@@ -1,10 +1,17 @@
 {
   "_meta": {
     "id": "kernel",
-    "version": "1.0.0",
-    "last_threat_review": "2026-05-11",
-    "threat_currency_score": 92,
+    "version": "1.1.0",
+    "last_threat_review": "2026-05-13",
+    "threat_currency_score": 95,
     "changelog": [
+      {
+        "version": "1.1.0",
+        "date": "2026-05-13",
+        "summary": "Primary-source IoC audit (v0.12.6 / AGENTS.md Hard Rule #14). CVE-2026-31431 (Copy Fail) gains runtime_syscall + kernel_trace + behavioral + livepatch_gap IoCs cross-referenced against Dirty Pipe (CVE-2022-0847) + Dirty COW (CVE-2016-5195) + DirtyCred prior art. CVE-2026-43284 + CVE-2026-43500 (Dirty Frag pair) gain subsystem_anchors (kernel symbols esp_input / xfrm_input / rxrpc_recvmsg, kernel modules esp4/esp6/xfrm_user/af_rxrpc/kafs, procfs paths /proc/net/xfrm_stat + /proc/net/rxrpc/*) + behavioral IoCs (ESP module loaded with no policy + non-AFS process opening AF_RXRPC). Catches active exploitation, not just vulnerable kernel version match.",
+        "cves_added": [],
+        "framework_gaps_updated": []
+      },
       {
         "version": "1.0.0",
         "date": "2026-05-11",

package/data/playbooks/mcp.json

@@ -1,10 +1,17 @@
 {
   "_meta": {
     "id": "mcp",
-    "version": "1.1.0",
+    "version": "1.2.0",
     "last_threat_review": "2026-05-13",
-    "threat_currency_score": 97,
+    "threat_currency_score": 98,
     "changelog": [
+      {
+        "version": "1.2.0",
+        "date": "2026-05-13",
+        "summary": "Primary-source IoC audit (v0.12.6 / AGENTS.md Hard Rule #14). CVE-2026-30615 (Windsurf MCP RCE) IoC block populated from null to full: ANSI escape sequences in tool descriptions (Trail of Bits 2025-04-29), Unicode Tag-block smuggling U+E0000-U+E007F (Embrace the Red 2025), instruction-coercion grammar (<IMPORTANT>, 'Before using this tool, read ~/.ssh', 'Do not mention to user' — Invariant Labs tool-poisoning), sensitive-path references in tool responses (cross-server credential-shadow signature), unprompted-tool-chain behavioral, MCP egress beyond manifest (postmark-mcp class — Acuvity/Semgrep), invocation-count anomaly post-update (compromised-legitimate-publisher detector — Trail of Bits TOFU). Adds atlas_refs AML.T0051 (indirect prompt injection) + AML.T0096; attack_refs T1552.001 + T1041. CVE-2025-53773 (Copilot YOLO mode, CVSS corrected 9.6→7.8) now cross-references this playbook for the .vscode/settings.json:chat.tools.autoApprove IoC.",
+        "cves_added": [],
+        "framework_gaps_updated": []
+      },
       {
         "version": "1.1.0",
         "date": "2026-05-13",
@@ -415,6 +422,20 @@
           "source": "$HOME/.claude/settings.json (permissions.allow), Cursor's .cursorrules, Windsurf workspace policy, VS Code chat.mcp.allowlist",
           "description": "Per-tool allowlist policy — the operator's documented set of authorized tools.",
           "required": false
+        },
+        {
+          "id": "vscode-copilot-yolo-mode",
+          "type": "config_file",
+          "source": "Read .vscode/settings.json (workspace) AND $HOME/.vscode/settings.json (user-global) AND $HOME/.config/Code/User/settings.json AND $HOME/Library/Application Support/Code/User/settings.json — extract any key matching chat.tools.* OR chat.experimental.* OR github.copilot.advanced.*",
+          "description": "v0.12.6: CVE-2025-53773 (Copilot YOLO mode) post-exploitation IoC. The exploit chain coerces Copilot agent mode to write \"chat.tools.autoApprove\": true silently — no diff-approval UI is shown. Source: Embrace the Red (Rehberger) Aug 2025.",
+          "required": false
+        },
+        {
+          "id": "mcp-tool-response-log",
+          "type": "log_pattern",
+          "source": "AI client MCP-protocol logs: ~/.claude/logs/mcp/*.jsonl (Claude Code), ~/.cursor/logs/mcp-*.log (Cursor), ~/.codeium/windsurf/logs/mcp_*.log (Windsurf)",
+          "description": "v0.12.6: Verbatim tools/list and tools/call response capture. The only artifact that lets ANSI-escape, Unicode-Tag-smuggling, instruction-coercion-grammar, and sensitive-path-reference indicators fire. If client doesn't log MCP responses, mark inconclusive and recommend enabling MCP request/response verbose logging in client settings.",
+          "required": false
         }
       ],
       "collection_scope": {

package/data/playbooks/sbom.json

@@ -1,10 +1,17 @@
 {
   "_meta": {
     "id": "sbom",
-    "version": "1.1.0",
+    "version": "1.2.0",
     "last_threat_review": "2026-05-13",
-    "threat_currency_score": 97,
+    "threat_currency_score": 98,
     "changelog": [
+      {
+        "version": "1.2.0",
+        "date": "2026-05-13",
+        "summary": "Primary-source IoC audit (v0.12.6 / AGENTS.md Hard Rule #14). CVE-2026-45321 (Mini Shai-Hulud) IoC block expanded from 4 categories to 8: adds SHA-256 hashes for router_init.js + tanstack_runner.js, attacker-fork commit (79ac49ee), tarball-size anomaly threshold, gh-token-monitor daemon family, C2 domains (git-tanstack.com, filev2.getsession.org, api.masscan.cloud), GitHub dead-drop description strings ('A Mini Shai-Hulud has Appeared'), cloud-metadata recon endpoints, credential search paths (~/.aws, ~/.ssh, ~/.kube, AI tool credentials, crypto wallets), worm propagation via .github/workflows/codeql_analysis.yml, ransom string 'IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner'. Cross-referenced against Aikido / StepSecurity / Socket / Wiz / Datadog / Sysdig / Pulsedive primary sources on the original Sept 2025 Shai-Hulud worm and the May 2026 Mini variant.",
+        "cves_added": [],
+        "framework_gaps_updated": []
+      },
       {
         "version": "1.1.0",
         "date": "2026-05-13",

package/keys/public.pem

@@ -1,3 +1,3 @@
 -----BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEALm7uQSdGjE9NSorvxoDnbqolbQaRXyGrgb82J5gUHhA=
+MCowBQYDK2VwAyEAwEeCeTewS5TXFoRNRX4VKRHZL14bwdTVOZoMcedzq5s=
 -----END PUBLIC KEY-----

package/manifest-snapshot.json

@@ -1,6 +1,6 @@
 {
   "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-  "_generated_at": "2026-05-13T02:48:32.579Z",
+  "_generated_at": "2026-05-13T03:58:09.357Z",
   "atlas_version": "5.1.0",
   "skill_count": 38,
   "skills": [