@blamejs/exceptd-skills 0.12.27 → 0.12.28
- package/AGENTS.md +3 -0
- package/CHANGELOG.md +22 -0
- package/data/_indexes/_meta.json +22 -19
- package/data/_indexes/activity-feed.json +26 -5
- package/data/_indexes/catalog-summaries.json +3 -3
- package/data/_indexes/chains.json +994 -64
- package/data/_indexes/currency.json +28 -1
- package/data/_indexes/frequency.json +428 -124
- package/data/_indexes/handoff-dag.json +70 -19
- package/data/_indexes/jurisdiction-map.json +37 -12
- package/data/_indexes/section-offsets.json +282 -0
- package/data/_indexes/stale-content.json +2 -2
- package/data/_indexes/summary-cards.json +198 -0
- package/data/_indexes/token-budget.json +168 -3
- package/data/_indexes/trigger-table.json +190 -0
- package/data/_indexes/xref.json +145 -2
- package/data/attack-techniques.json +104 -19
- package/data/framework-control-gaps.json +498 -11
- package/data/playbooks/cloud-iam-incident.json +1351 -0
- package/data/playbooks/idp-incident.json +1259 -0
- package/data/playbooks/ransomware.json +1407 -0
- package/data/rfc-references.json +44 -0
- package/manifest-snapshot.json +219 -2
- package/manifest-snapshot.sha256 +1 -1
- package/manifest.json +282 -41
- package/package.json +1 -1
- package/sbom.cdx.json +7 -7
- package/skills/cloud-iam-incident/skill.md +419 -0
- package/skills/idp-incident-response/skill.md +352 -0
- package/skills/ransomware-response/skill.md +374 -0
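--- a/package/data/rfc-references.json
+++ b/package/data/rfc-references.json
@@ -152,8 +152,10 @@
 "lag_notes": "RFC 7519 is the spec; RFC 8725 (Best Current Practices) is what implementations should follow. Many MCP servers still hand-roll JWT validation and miss BCP 225 guidance.",
 "skills_referencing": [
 "api-security",
+"cloud-iam-incident",
 "cloud-security",
 "identity-assurance",
+"idp-incident-response",
 "mcp-agent-trust",
 "sector-financial",
 "sector-healthcare",
@@ -301,8 +303,10 @@
 "relevance": "BCP 225. Required reading for any MCP / agent / AI-API auth implementation. Covers algorithm-confusion attacks, kid traversal, audience pinning. mcp-agent-trust uses this as the JWT-handling baseline.",
 "skills_referencing": [
 "api-security",
+"cloud-iam-incident",
 "cloud-security",
 "identity-assurance",
+"idp-incident-response",
 "mcp-agent-trust",
 "sector-financial",
 "webapp-security"
@@ -421,6 +425,7 @@
 "skills_referencing": [
 "ai-c2-detection",
 "api-security",
+"idp-incident-response",
 "mcp-agent-trust",
 "sector-financial",
 "sector-healthcare"
@@ -557,5 +562,44 @@
 "coordinated-vuln-disclosure"
 ],
 "last_verified": "2026-05-13"
+},
+"RFC-7591": {
+"number": 7591,
+"title": "OAuth 2.0 Dynamic Client Registration Protocol",
+"status": "Proposed Standard",
+"published": "2015-07",
+"tracker": "https://www.rfc-editor.org/info/rfc7591",
+"relevance": "Dynamic Client Registration is the legitimate OAuth flow for self-service app onboarding into an IdP. Operator-facing: when DCR is enabled without strong attestation, a compromised tenant or compromised admin can register a malicious app whose redirect_uri exfiltrates auth codes — the 2023-2024 Microsoft Storm-0558 / Midnight Blizzard incidents exercised this surface via consent abuse on tenant-published apps. Pair with RFC 7592 (DCR Management Protocol) for full lifecycle controls.",
+"skills_referencing": [
+"idp-incident-response",
+"identity-assurance"
+],
+"last_verified": "2026-05-15"
+},
+"RFC-8693": {
+"number": 8693,
+"title": "OAuth 2.0 Token Exchange",
+"status": "Proposed Standard",
+"published": "2020-01",
+"tracker": "https://www.rfc-editor.org/info/rfc8693",
+"relevance": "Token exchange is the canonical mechanism for cloud IAM impersonation and service-account delegation chains (AWS STS AssumeRoleWithWebIdentity, GCP Workload Identity Federation, Azure Workload Identity). Operator-facing: token-exchange chains are the modern equivalent of pass-the-token — a compromised upstream token mints downstream tokens with widened audience claims. Audit chain depth + audience expansion + lifetime ladder.",
+"skills_referencing": [
+"cloud-iam-incident",
+"identity-assurance"
+],
+"last_verified": "2026-05-15"
+},
+"RFC-9068": {
+"number": 9068,
+"title": "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens",
+"status": "Proposed Standard",
+"published": "2021-10",
+"tracker": "https://www.rfc-editor.org/info/rfc9068",
+"relevance": "Standardises the JWT claim set for OAuth access tokens (typ, scope, client_id, etc.) that cloud IAM and SaaS APIs accept as bearer credentials. Operator-facing: when tokens omit the audience claim or accept loose typ values, replay across services becomes trivial — most cloud-IAM token-forgery incidents (Azure storm-0558 key-leak class) reduce to insufficient claim validation. Pair with RFC 8725 (JWT BCP) for hardening.",
+"skills_referencing": [
+"cloud-iam-incident",
+"identity-assurance"
+],
+"last_verified": "2026-05-15"
 }
 }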
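Review bot: The new RFC-7591 `relevance` text cites Storm-0558 as an example of consent abuse on tenant-published apps, but the RFC-9068 entry added in the same hunk files Storm-0558 under the key-leak / token-forgery class, so one of the two characterisations is off; if the consent-abuse example is meant to be the Midnight Blizzard OAuth-app incident alone, drop `Storm-0558 /` from the RFC-7591 sentence. The RFC-7591 `skills_referencing` array lists `"idp-incident-response"` before `"identity-assurance"`, while every other array in this hunk (including the new RFC-8693 and RFC-9068 entries) is sorted alphabetically, so it is worth sorting to keep a regenerating indexer from producing a spurious diff. All three new entries also list `identity-assurance` as a referencing skill, yet the manifest-snapshot.json section further down this page adds `rfc_refs` only for the three new skills, so the reverse link from identity-assurance to RFC-7591/8693/9068 appears to be missing unless it already existed before this release.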
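--- a/package/manifest-snapshot.json
+++ b/package/manifest-snapshot.json
@@ -1,8 +1,8 @@
 {
 "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-"_generated_at": "2026-05-
+"_generated_at": "2026-05-15T23:28:24.427Z",
 "atlas_version": "5.1.0",
-"skill_count":
+"skill_count": 42,
 "skills": [
 {
 "name": "age-gates-child-safety",
@@ -339,6 +339,82 @@
 ],
 "dlp_refs": []
 },
+{
+"name": "cloud-iam-incident",
+"version": "1.0.0",
+"triggers": [
+"access key public repo",
+"aws account takeover",
+"aws sso compromise",
+"azure managed identity replay",
+"cloud iam compromise",
+"cloudtrail anomaly",
+"cross account assume role",
+"crypto mining cloud",
+"federated trust abuse",
+"gcp service account compromise",
+"iam access key leak",
+"iam identity center",
+"imds metadata abuse",
+"imdsv1 ssrf",
+"oidc trust policy",
+"scattered spider aws",
+"snowflake aa24",
+"workload identity federation"
+],
+"data_deps": [
+"atlas-ttps.json",
+"attack-techniques.json",
+"cve-catalog.json",
+"cwe-catalog.json",
+"d3fend-catalog.json",
+"framework-control-gaps.json",
+"global-frameworks.json"
+],
+"atlas_refs": [
+"AML.T0051"
+],
+"attack_refs": [
+"T1078",
+"T1078.004",
+"T1098.001",
+"T1538",
+"T1552.005",
+"T1580"
+],
+"framework_gaps": [
+"AU-ISM-1546-Cloud-Service-Account",
+"AWS-Security-Hub-Coverage-Gap",
+"CISA-Snowflake-AA24-IdP-Cloud",
+"FedRAMP-IL5-IAM-Federated",
+"ISO-27017-Cloud-IAM",
+"NIST-800-53-AC-2-Cross-Account",
+"SOC2-CC6-Access-Key-Leak-Public-Repo",
+"UK-CAF-B2-Cloud-IAM"
+],
+"rfc_refs": [
+"RFC-7519",
+"RFC-8693",
+"RFC-8725",
+"RFC-9068"
+],
+"cwe_refs": [
+"CWE-269",
+"CWE-287",
+"CWE-522",
+"CWE-732",
+"CWE-798",
+"CWE-863"
+],
+"d3fend_refs": [
+"D3-CAA",
+"D3-CBAN",
+"D3-IOPR",
+"D3-MFA",
+"D3-NTA"
+],
+"dlp_refs": []
+},
 {
 "name": "cloud-security",
 "version": "1.0.0",
@@ -894,6 +970,83 @@
 "d3fend_refs": [],
 "dlp_refs": []
 },
+{
+"name": "idp-incident-response",
+"version": "1.0.0",
+"triggers": [
+"apt29 entra",
+"auth0 breach",
+"cozy bear",
+"cross-tenant abuse",
+"entra app consent",
+"entra id compromise",
+"federated trust abuse",
+"help-desk social engineering",
+"identity provider incident",
+"idp incident",
+"management api token leak",
+"mfa factor swap",
+"midnight blizzard",
+"oauth consent abuse",
+"octo tempest",
+"okta breach",
+"okta compromise",
+"onelogin breach",
+"ping identity breach",
+"saml token forgery",
+"scattered spider",
+"service account compromise",
+"storm-0875",
+"tenant compromise"
+],
+"data_deps": [
+"attack-techniques.json",
+"cve-catalog.json",
+"cwe-catalog.json",
+"d3fend-catalog.json",
+"framework-control-gaps.json",
+"global-frameworks.json"
+],
+"atlas_refs": [],
+"attack_refs": [
+"T1078.004",
+"T1098.001",
+"T1199",
+"T1556.007",
+"T1606.002"
+],
+"framework_gaps": [
+"AU-ISM-1559-IdP",
+"DORA-Art-19-IdP-4h",
+"ISO-27001-2022-A.5.16-Federated",
+"NIS2-Art-21-Federated-Identity",
+"NIST-800-53-IA-5-Federated",
+"OFAC-Sanctions-Threat-Actor-Negotiation",
+"SOC2-CC6-OAuth-Consent",
+"UK-CAF-B2-IdP-Tenant"
+],
+"rfc_refs": [
+"RFC-7519",
+"RFC-7591",
+"RFC-8725",
+"RFC-9421"
+],
+"cwe_refs": [
+"CWE-269",
+"CWE-284",
+"CWE-287",
+"CWE-345",
+"CWE-522",
+"CWE-863"
+],
+"d3fend_refs": [
+"D3-CBAN",
+"D3-IOPR",
+"D3-MFA",
+"D3-NTA"
+],
+"dlp_refs": []
+},
 {
 "name": "incident-response-playbook",
 "version": "1.0.0",
@@ -1289,6 +1442,70 @@
 ],
 "dlp_refs": []
 },
+{
+"name": "ransomware-response",
+"version": "1.0.0",
+"triggers": [
+"akira ransomware",
+"alphv",
+"blackcat",
+"blacksuit",
+"cuba ransomware",
+"cyber insurance ransomware",
+"data theft before encryption",
+"decryptor availability",
+"double extortion",
+"encryption event",
+"exfil before encrypt",
+"hunters international",
+"immutable backup",
+"lockbit",
+"no more ransom",
+"ofac sanctions ransomware",
+"ransom payment",
+"ransomhub",
+"ransomware",
+"ransomware incident",
+"royal ransomware",
+"shadow copy deletion"
+],
+"data_deps": [
+"atlas-ttps.json",
+"cve-catalog.json",
+"cwe-catalog.json",
+"d3fend-catalog.json",
+"framework-control-gaps.json",
+"global-frameworks.json",
+"zeroday-lessons.json"
+],
+"atlas_refs": [],
+"attack_refs": [
+"T1059",
+"T1078",
+"T1486",
+"T1567"
+],
+"framework_gaps": [
+"Decryptor-Availability-Pre-Decision",
+"EU-Sanctions-Reg-2014-833-Cyber",
+"Immutable-Backup-Recovery",
+"Insurance-Carrier-24h-Notification",
+"OFAC-SDN-Payment-Block",
+"PHI-Exfil-Before-Encrypt-Breach-Class"
+],
+"rfc_refs": [],
+"cwe_refs": [
+"CWE-287",
+"CWE-798"
+],
+"d3fend_refs": [
+"D3-CSPP",
+"D3-IOPR",
+"D3-NTA",
+"D3-RPA"
+],
+"dlp_refs": []
+},
 {
 "name": "researcher",
 "version": "1.0.0",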
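--- a/package/manifest-snapshot.sha256
+++ b/package/manifest-snapshot.sha256
@@ -1 +1 @@
-
+ac16c35fbc0c164c00294ca821b6e44c12908800b5e6cfb339ea472c9a9ed5e0 manifest-snapshot.json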