@blamejs/exceptd-skills 0.12.32 → 0.12.34

package/data/cve-catalog.json

@@ -39,7 +39,7 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.167,
+      "current_rate": 0.162,
       "current_floor_enforced_by_test": 0.15,
       "ladder_to_target": [
         0.15,
@@ -3441,5 +3441,133 @@
     "discovery_attribution_note": "Picus Security ('BlueHammer' / RedSun research) published a working PoC before Microsoft released the patch — true zero-day disclosure 2026-04-22; CISA KEV listed same day with a 14-day due date. No AI-tool credit on the discovery; conventional Windows-Defender internals research. Source: https://www.picussecurity.com/resource/blog/bluehammer-redsun-windows-defender-cve-2026-33825-zero-day-vulnerability-explained and https://www.cisa.gov/known-exploited-vulnerabilities-catalog.",
     "_editorial_promoted": "2026-05-15",
     "_editorial_note": "Promoted from draft v0.12.32 (cycle 12 F1 fix): cycle 11 audit confirmed all required fields populated (iocs, vendor_advisories, verification_sources, complexity, affected_versions); RWEP factors satisfy Shape B invariant; discovery_attribution_note cites a researcher / team with URL. Editorial gate: passed."
+  },
+  "MAL-2026-NODE-IPC-STEALER": {
+    "name": "node-ipc credential-stealer (expired-domain account-recovery compromise)",
+    "type": "supply-chain-credential-stealer",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
+    "cvss_correction_note": "No NVD CVE assigned as of 2026-05-15; CVSS synthesized per OSSF Malicious-Packages convention: unauthenticated code execution on `require('node-ipc')` against a 3.35M-monthly-download package with confirmed credential exfiltration. AV:N because the malicious payload reaches the victim over the npm registry network channel; UI:R because a developer / CI must invoke `npm install`; S:C because exfiltrated AWS / GCP / Azure / SSH / kubeconfig / Vault material extends the blast radius beyond the consuming process.",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "kev_scope_note": "CISA KEV historically excludes ecosystem-package compromises (npm / PyPI / RubyGems malicious-package events) — its scope is federally-deployable products with assigned CVE identifiers. The node-ipc 2026-05-14 publish event is OSSF-MAL-catalogued (MAL-2026-NODE-IPC-STEALER) without a NVD CVE as of 2026-05-15; `cisa_kev: false` is correct, and `active_exploitation: confirmed` reflects the live malicious payload in the registry. Operators should consume CISA-KEV-equivalent guidance from the OpenSSF MAL feed + ecosystem-specific advisories (Socket, StepSecurity, Semgrep, Datadog Security Labs, Snyk) for this class.",
+    "poc_available": true,
+    "poc_description": "Live payload — three malicious versions (node-ipc 9.1.6, 9.2.3, 12.0.1) were published to the public npm registry by attacker-controlled account `atiertant` on 2026-05-14 and remained installable for the exposure window before npm yank. The malicious build IS the PoC.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "No AI-tool credited for discovery. Concurrent ecosystem telemetry detection by Socket, StepSecurity, Semgrep, and Datadog Security Labs within hours of publication; The Hacker News surfaced the consolidated report. ai_discovery_source set to `vendor_research` because the enum does not include an `ecosystem_detection` value; the attribution note records the actual provenance.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-tooling credit on the payload-development side. The 80 KB obfuscated IIFE follows a conventional minifier-plus-string-encoding pattern; no AI-generated code fingerprint reported by the responding firms.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "The three malicious versions executed credential harvesting on every `require('node-ipc')` against installed hosts during the exposure window. Datadog Security Labs and Socket each observed real consumer-side installs of the malicious versions before yank.",
+    "affected": "node-ipc package on npm — versions 9.1.6, 9.2.3, 12.0.1 published 2026-05-14 by publisher `atiertant` (contact `a.tiertant@atlantis-software.net`). Package carries approximately 3.35M monthly downloads per npm registry telemetry; secondary reports cite 822K weekly (Socket) and 10M weekly (The Hacker News) — see source-data ambiguity note in verification_sources. Architectural impact reaches every transitive consumer that resolves any of the three malicious versions during the exposure window.",
+    "affected_versions": [
+      "node-ipc == 9.1.6 (malicious, published 2026-05-14)",
+      "node-ipc == 9.2.3 (malicious, published 2026-05-14)",
+      "node-ipc == 12.0.1 (malicious, published 2026-05-14)"
+    ],
+    "vector": "Novel supply-chain account-recovery abuse via expired maintainer email domain. (1) `atlantis-software.net` — the email domain associated with the legitimate node-ipc maintainer account — lapsed and was re-registered by the attacker on 2026-05-07 via Namecheap PrivateEmail. (2) Attacker invoked the npm password-reset flow, which delivered the reset link to the now-attacker-controlled mailbox. (3) Attacker published three malicious versions (9.1.6, 9.2.3, 12.0.1) with an 80 KB obfuscated IIFE appended to `node-ipc.cjs` that fires on every `require('node-ipc')` — no lifecycle / postinstall hook required, so consumer-side `--ignore-scripts` does NOT mitigate. (4) Payload exfiltrates AWS credentials, GCP service-account keys, Azure tokens, SSH private keys, Kubernetes kubeconfig, HashiCorp Vault tokens, Claude AI configs, and Kiro IDE configs via DNS TXT queries to an Azure-lookalike spoofed domain controlled by the attacker. Class: registry-side account-recovery abuse mediated by DNS lifecycle, NOT credential-dump or token-theft.",
+    "complexity": "low",
+    "complexity_notes": "Consumer-side exploitation is automatic on any process that calls `require('node-ipc')` from a malicious version. No race condition, no user interaction beyond `npm install` resolving to a malicious version. The novel attack precondition (expired-domain re-registration + npm password reset) is itself low-complexity for any attacker who monitors maintainer-email-domain expirations.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "npm audit (yank-aware after npm registry-side removal of the malicious versions)",
+      "Socket (registry-side install-time blocking)",
+      "StepSecurity Harden-Runner (CI-side egress + install-time blocking)",
+      "Snyk (advisory-driven CI policy block)",
+      "Datadog Security Labs CI integrations (telemetry-driven block)",
+      "Semgrep Supply Chain (lockfile audit against the malicious version set)"
+    ],
+    "vendor_update_paths": [
+      "npm yanked the three malicious versions 2026-05-14",
+      "Pin to node-ipc <= 9.1.5 OR >= the post-yank clean republication (consult package security tab on npm for the current clean version range)",
+      "Lockfile audit: scan package-lock.json / yarn.lock / pnpm-lock.yaml for resolved tarball SHAs matching the three malicious version IDs; rotate any credentials reachable from a host that resolved them during the exposure window"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-218-SSDF": "Reused-OSS-component control assumes maintainer-account integrity; does not address maintainer-email-domain expiry as a supply-chain risk class.",
+      "EU-CRA-Art13": "SBOM requirement does not address freshness-of-published-version OR maintainer-account-recovery integrity — pinning to a malicious version is SBOM-compliant.",
+      "NIS2-Art21-supply-chain": "Generic supply chain controls without npm-ecosystem-specific guidance (postinstall vs main-module payload distinction, maintainer-domain-expiry monitoring, registry-account MFA enforcement).",
+      "NIST-800-53-IA-5-Federated": "Authenticator-management control covers operator-side credentials but does not extend to upstream-maintainer-account recovery flow on third-party package registries.",
+      "SLSA-v1.0-Build-L3": "Source / build provenance attestations do not address account-takeover-via-domain-expiry — provenance asserts who built, not whether `who` is still the legitimate maintainer."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0020"
+    ],
+    "attack_refs": [
+      "T1195.001",
+      "T1195.002",
+      "T1078",
+      "T1552.001",
+      "T1059.007"
+    ],
+    "rwep_score": 43,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "epss_score": null,
+    "epss_date": "2026-05-15",
+    "epss_note": "EPSS coverage does not extend to non-CVE OSSF-MAL identifiers as of 2026-05-15.",
+    "cwe_refs": [
+      "CWE-506",
+      "CWE-829",
+      "CWE-1357"
+    ],
+    "source_verified": "2026-05-15",
+    "verification_sources": [
+      "https://thehackernews.com/2026/05/stealer-backdoor-found-in-3-node-ipc.html",
+      "https://socket.dev/blog/node-ipc-package-compromised",
+      "https://www.stepsecurity.io/blog/node-ipc-npm-supply-chain-attack",
+      "https://semgrep.dev/blog/2026/not-your-ipc-but-node-ipc-npm-hit-again-with-supply-chain-attack-but-this-time-its-not-a-worm/",
+      "https://securitylabs.datadoghq.com/articles/node-ipc-npm-malware-analysis/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "npm (GitHub Advisory Database)",
+        "advisory_id": null,
+        "url": "https://github.com/advisories?query=node-ipc",
+        "severity": "critical",
+        "published_date": "2026-05-14"
+      },
+      {
+        "vendor": "Socket",
+        "advisory_id": null,
+        "url": "https://socket.dev/blog/node-ipc-package-compromised",
+        "severity": "critical",
+        "published_date": "2026-05-14"
+      }
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "node-ipc.cjs file SHA / size diff vs the prior clean version — three malicious versions (9.1.6, 9.2.3, 12.0.1) ship an 80 KB obfuscated IIFE appended to the main module export. Lockfile-resolved tarball integrity hash for any of these three versions IS the primary artifact IoC.",
+        "package.json publisher metadata: `_npmUser.name == 'atiertant'` OR maintainer email `a.tiertant@atlantis-software.net` on a node-ipc tarball — both are attacker-controlled and distinct from the legitimate historical publisher account."
+      ],
+      "behavioral": [
+        "Process executing `require('node-ipc')` issues outbound DNS TXT queries to an Azure-lookalike domain controlled by the attacker — high-entropy subdomain labels carrying base64 / hex chunks of harvested credential material. DNS-layer telemetry (Resolved, Cloudflare DNS, internal Unbound logs) captures the exfil channel even when HTTP egress is blocked.",
+        "Process executing `require('node-ipc')` performs read access to ANY of: ~/.aws/credentials, ~/.aws/config, ~/.config/gcloud/, ~/.azure/, ~/.ssh/id_*, ~/.kube/config, ~/.vault-token, ~/.config/Claude/, ~/.kiro/ — read pattern is the credential-harvest fingerprint regardless of whether the exfil channel succeeded.",
+        "node binary parent-process executes a `require('node-ipc')` call path AND opens a non-process-typical egress connection within the same scheduler tick — temporal correlation between module load and exfil DNS lookup is near-deterministic on first invocation."
+      ],
+      "version_exposure": [
+        "Lockfile (package-lock.json / yarn.lock / pnpm-lock.yaml) contains a `node-ipc` entry resolved to version 9.1.6, 9.2.3, or 12.0.1 — exact-version match is sufficient; the integrity hash will also differ from any pre-2026-05-14 cache.",
+        "package.json declares a node-ipc dependency range that includes any of the three malicious versions AND the lockfile was regenerated during the 2026-05-14 exposure window (lockfile mtime + node-ipc resolution check)."
+      ],
+      "registry_account_recovery": [
+        "npm account audit: any maintainer account whose primary contact email domain has WHOIS expiry within 90 days. Cross-reference with `npm whoami` + `npm owner ls <package>` for every critical-path dependency. This is the upstream IoC class — once it fires, the package is recoverable by any attacker who registers the domain before the legitimate maintainer renews."
+      ],
+      "forensic_note": "DNS TXT exfiltration is invisible to HTTP egress filtering and to most network IDS rules tuned for HTTPS. Defenders investigating suspected compromise should pull DNS resolver logs for the full exposure window — the exfil channel is the only telemetry that proves the payload fired AND succeeded (file-read alone does not prove successful exfil). Snapshot node_modules/node-ipc tarball before remediating; the tarball IS the primary forensic artifact."
+    },
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Concurrent ecosystem-detection by Socket (https://socket.dev/blog/node-ipc-package-compromised), StepSecurity (https://www.stepsecurity.io/blog/node-ipc-npm-supply-chain-attack), Semgrep (https://semgrep.dev/blog/2026/not-your-ipc-but-node-ipc-npm-hit-again-with-supply-chain-attack-but-this-time-its-not-a-worm/), and Datadog Security Labs (https://securitylabs.datadoghq.com/articles/node-ipc-npm-malware-analysis/) within hours of the 2026-05-14 publish window. Consolidated coverage by The Hacker News (https://thehackernews.com/2026/05/stealer-backdoor-found-in-3-node-ipc.html). No single human researcher credited; no AI-tool credit on the defender side. Discovery class: ecosystem-detection (telemetry-driven, no AI tool). Source-data ambiguity noted: monthly-download figure reported as 3.35M (npm registry direct) but Socket cited 822K weekly and The Hacker News cited 10M weekly — npm-registry-direct figure carried in the affected description; alternative figures retained in this note so future audits can reconcile against npm's API once the live counter rolls forward past the yank.",
+    "_editorial_promoted": "2026-05-15",
+    "_editorial_note": "Cycle 13 intake (v0.12.33): cycle 13 agent C surfaced node-ipc 2026-05-14 publish event in the 24h-window check. Novel attack precondition (expired-domain re-registration + npm password-reset abuse) makes this a distinct supply-chain class from the Shai-Hulud (token-compromise) and elementary-data (typosquat + orphan-commit) precedents; warrants its own NEW-CTRL-047 in zeroday-lessons.json. RWEP factors satisfy Shape B invariant (0 + 20 + 0 + 20 + 28 - 15 - 10 + 0 = 43); discovery_attribution_note cites multiple firms with URLs."
   }
 }

package/data/cwe-catalog.json

@@ -1127,7 +1127,8 @@
     ],
     "skills_referencing": [],
     "evidence_cves": [
-      "MAL-2026-3083"
+      "MAL-2026-3083",
+      "MAL-2026-NODE-IPC-STEALER"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SA-12",
@@ -1413,7 +1414,9 @@
       "sector-federal-government",
       "supply-chain-integrity"
     ],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "MAL-2026-NODE-IPC-STEALER"
+    ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SA-12",
       "ISO-27001-2022-A.8.30"
@@ -1652,7 +1655,9 @@
       "sector-federal-government",
       "supply-chain-integrity"
     ],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "MAL-2026-NODE-IPC-STEALER"
+    ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SA-12",
       "ISO-27001-2022-A.5.21",

package/data/d3fend-catalog.json

@@ -1043,5 +1043,51 @@
     "ai_pipeline_applicability": "Self-managed AI hosts: standard FIM applies to MCP server configs, ~/.claude, ~/.cursor settings. Serverless: equivalent is image-immutability + read-only rootfs (modifications outside writable tmpfs are structurally impossible).",
     "lag_notes": "SI-7 covers software/firmware integrity; user-space configuration FIM is implicit not explicit. Framework audits accept 'FIM is deployed' without sampling whether the rule set covers AI-assistant config paths that have become high-value targets.",
     "last_verified": "2026-05-13"
+  },
+  "D3-EFA": {
+    "id": "D3-EFA",
+    "name": "Executable File Analysis",
+    "tactic": "Detect",
+    "subtactic": "File Analysis",
+    "description": "Analyzing the format, contents, or static characteristics of an executable file to determine whether it warrants further investigation. Covers PE/ELF/Mach-O header inspection, embedded-string + import-table review, entropy + packer detection, and YARA-rule matching against known malicious patterns. Distinct from D3-DA (Dynamic Analysis): no execution occurs.",
+    "counters_attack_techniques": [
+      "T1027",
+      "T1027.002",
+      "T1059",
+      "T1078",
+      "T1195.002",
+      "T1204",
+      "T1505.003",
+      "T1546.014",
+      "AML.T0010",
+      "AML.T0019"
+    ],
+    "digital_artifacts_addressed": [
+      "Executable Binary",
+      "Executable Script",
+      "Firmware",
+      "OS Image"
+    ],
+    "skills_referencing": [],
+    "implementation_examples": [
+      "YARA",
+      "PEStudio / PEiD",
+      "radare2 / Cutter / Ghidra (static-only mode)",
+      "ssdeep + sdhash fuzzy-hash matching",
+      "Mandiant CAPA capability detection",
+      "Sigstore cosign verify on container image manifests",
+      "OEM firmware-image signature verification at provisioning time"
+    ],
+    "framework_controls_partially_mapped": [
+      "NIST-800-53-SI-3",
+      "NIST-800-53-SI-7",
+      "NIST-800-53-SI-7(6)",
+      "ISO-27001-2022-A.8.7",
+      "PCI-DSS-v4-5.2.3",
+      "CIS-Controls-v8-10.5"
+    ],
+    "ai_pipeline_applicability": "Directly applicable to model-artifact ingestion paths (pickle/safetensors/ONNX): static analysis of serialized weights can surface malicious __reduce__ payloads (D3-EFA on the pickle stream) before any deserialization occurs. For MCP-server binaries shipped via npm/PyPI, D3-EFA pairs with D3-EAL — analyze first to gate the allowlist decision rather than allow-by-publisher.",
+    "lag_notes": "NIST SI-3 prescribes \"malicious code protection\" without binding the control to static-file-analysis specifically; auditors routinely accept signature-AV deployment as the entire SI-3 implementation, missing the analyze-before-load posture that catches packed / encoder-obfuscated payloads. Distinct from D3-EAL: allowlisting blocks a binary at execute-time; D3-EFA inspects the bytes at file-write / image-pull / artifact-fetch time and gates the allowlist itself.",
+    "last_verified": "2026-05-15"
   }
 }

package/data/playbooks/cloud-iam-incident.json

@@ -347,7 +347,6 @@
       },
       "skill_preload": [
         "cloud-security",
-        "cred-stores",
         "incident-response-playbook",
         "identity-assurance",
         "framework-gap-analysis",
@@ -368,11 +367,6 @@
           "purpose": "Cloud-provider-specific IAM construct inventory and trust-policy hygiene assessment (AWS IAM + STS, GCP IAM + Workload Identity Federation, Azure AD + managed identities).",
           "required": true
         },
-        {
-          "skill": "cred-stores",
-          "purpose": "Cloud-provider key-store posture (KMS / Cloud KMS / Key Vault) and access-key rotation hygiene; cross-walk with credential-store playbook for any compromised principal whose blast radius >= 4.",
-          "required": true
-        },
         {
           "skill": "identity-assurance",
           "purpose": "AAL/IAL/FAL assessment of human-principal MFA posture, federated-identity assurance levels, and step-up authentication coverage on cloud admin actions.",

package/data/playbooks/idp-incident.json

@@ -314,8 +314,7 @@
       },
       "skill_preload": [
         "idp-incident-response",
-        "identity-assurance",
-        "cred-stores"
+        "identity-assurance"
       ]
     },
     "direct": {
@@ -337,11 +336,6 @@
           "purpose": "AAL / IAL / FAL assurance constructs, FIDO2 / WebAuthn / phishing-resistant factor enrolment validation, federated-trust signing-key posture.",
           "required": true
         },
-        {
-          "skill": "cred-stores",
-          "purpose": "Downstream containment — rotate management-API tokens, downstream service-account credentials, session tokens; audit Vault / Secrets Manager for IdP-derived credentials.",
-          "required": true
-        },
         {
           "skill": "framework-gap-analysis",
           "purpose": "Per-framework reconciliation of IdP-tenant control-plane coverage gaps.",

package/data/zeroday-lessons.json

@@ -1832,5 +1832,113 @@
     "ai_discovery_source": "vendor_research",
     "ai_discovery_date": "2026-04-22",
     "ai_assist_factor": "low"
+  },
+  "MAL-2026-NODE-IPC-STEALER": {
+    "name": "node-ipc credential-stealer (expired-domain account-recovery compromise)",
+    "lesson_date": "2026-05-15",
+    "attack_vector": {
+      "description": "Novel supply-chain account-recovery abuse via expired maintainer email domain. The `atlantis-software.net` domain — registered as the contact email for the legitimate node-ipc maintainer npm account — lapsed and was re-registered by an attacker on 2026-05-07 via Namecheap PrivateEmail. The attacker then invoked the npm password-reset flow; the reset link was delivered to the now-attacker-controlled mailbox; the attacker took over the publish-enabled account without ever holding a leaked credential. Three malicious versions (node-ipc 9.1.6, 9.2.3, 12.0.1) were published 2026-05-14 with an 80 KB obfuscated IIFE appended to `node-ipc.cjs`. The payload fires on every `require('node-ipc')` — NOT via a postinstall hook — so consumer-side `npm install --ignore-scripts` does NOT mitigate. Exfiltration covers AWS / GCP / Azure credentials, SSH private keys, Kubernetes kubeconfig, HashiCorp Vault tokens, Claude AI configs, and Kiro IDE configs via DNS TXT queries to an Azure-lookalike spoofed domain. Class: registry-side account-recovery abuse mediated by DNS lifecycle, distinct from token-compromise (Shai-Hulud) and typosquat-orphan-commit (elementary-data) precedents.",
+      "privileges_required": "downstream consumer runs `npm install` resolving to one of the three malicious versions; payload fires automatically on `require('node-ipc')`",
+      "complexity": "low for downstream consumers (automatic on require); low for the maintainer-account takeover itself (any attacker monitoring maintainer-email-domain expirations can reproduce)",
+      "ai_factor": "Not AI-discovered, not AI-built. The novelty is structural — expired-domain → npm password-reset → publish — not algorithmic."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "(1) Continuous WHOIS-expiry monitoring on the email domains of every critical-path package maintainer. (2) Registry-side mandatory MFA on publish-enabled maintainer accounts (npm policy gap as of 2026-05-15). (3) Lockfile pinning to versions published before 2026-05-14T00:00Z, combined with `npm ci` (which refuses lockfile drift) rather than `npm install`. (4) Registry-side hold-period on first-publish-from-recently-recovered-account (npm has no such control today).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "WHOIS-expiry monitoring is novel — no current standard treats expired-domain → account-recovery as a distinct supply-chain attack class. `--ignore-scripts` (the canonical npm-supply-chain mitigation since Shai-Hulud) does NOT mitigate this payload because it ships in the main module, not in a postinstall hook. Lockfile pinning works only if the lockfile predates 2026-05-14 AND `npm ci` is used."
+      },
+      "detection": {
+        "what_would_have_worked": "DNS-resolver telemetry on developer / CI hosts — the payload's DNS TXT exfiltration channel is invisible to HTTP egress filtering but recordable at any DNS resolver (Resolved, Cloudflare DNS, internal Unbound). File-read telemetry on credential-store paths (~/.aws/credentials, ~/.ssh/id_*, ~/.kube/config, ~/.vault-token, ~/.config/Claude/, ~/.kiro/) within the lifetime of a Node process is a near-deterministic IoC for any credential-stealer in the Node ecosystem.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "DNS-layer telemetry is the only channel that proves successful exfiltration; HTTP-egress monitoring will miss this class entirely. Most developer endpoints and CI runners do not retain DNS logs."
+      },
+      "response": {
+        "what_would_have_worked": "npm yanked the three malicious versions on 2026-05-14. Full credential rotation for every account whose material was reachable from any host that resolved a malicious version during the exposure window — AWS access keys, GCP service-account keys, Azure tokens, SSH private keys, kubeconfig, Vault tokens. Lockfile audit + republication of any downstream package the affected host had npm-publish rights on.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Yank closes new consumer exposure but does not retroactively un-harvest credentials already exfiltrated via DNS. The DNS exfil channel is one-shot; rotation is the only operational response."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-218-SSDF": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Reused-OSS-component control assumes maintainer-account integrity; does not address maintainer-email-domain expiry as a supply-chain risk class."
+      },
+      "EU-CRA-Art13": {
+        "covered": true,
+        "adequate": false,
+        "gap": "SBOM requirement does not address freshness-of-published-version OR maintainer-account-recovery integrity — pinning to a malicious version is SBOM-compliant."
+      },
+      "NIS2-Art21-supply-chain": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Generic supply chain controls without npm-ecosystem-specific guidance (maintainer-domain-expiry monitoring, registry-account MFA enforcement, main-module-vs-postinstall payload distinction)."
+      },
+      "SLSA-v1.0-Build-L3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Build provenance attestations assert who built the artifact, not whether `who` is still the legitimate maintainer post-account-recovery."
+      },
+      "NIST-800-53-IA-5-Federated": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authenticator-management control covers operator-side credentials only; does not extend to upstream-maintainer-account recovery flow on third-party package registries."
+      },
+      "ANY-FRAMEWORK": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No current standard treats `expired maintainer email domain → registry-side account recovery → malicious publish` as a distinct supply-chain attack class. NEW-CTRL-047 is the headline novel control this lesson generates."
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-047",
+        "name": "PACKAGE-MAINTAINER-DOMAIN-EXPIRY-MONITORING",
+        "description": "Every organization that depends on a critical-path open-source package must continuously monitor the WHOIS expiry date of the email domain associated with each upstream maintainer account on npm / PyPI / Crates / RubyGems. Alert on any maintainer-domain WHOIS expiry within 90 days. Concurrently, require dual-factor account recovery on the consuming organization's own registry accounts (no email-only password reset) — and treat the absence of registry-enforced MFA on upstream maintainers as a supply-chain risk to be tracked in the SBOM / VEX surface.",
+        "evidence": "MAL-2026-NODE-IPC-STEALER — the `atlantis-software.net` domain lapsed on or before 2026-05-07 and was re-registered by the attacker via Namecheap PrivateEmail; npm's email-based password-reset flow then delivered publish rights to the attacker without any credential leak. No current framework treats expired-domain → account-recovery as a distinct supply-chain attack class.",
+        "gap_closes": [
+          "NIST-800-218-SSDF",
+          "NIS2-Art21-supply-chain",
+          "EU-CRA-Art13",
+          "NIST-800-53-IA-5-Federated",
+          "ANY-FRAMEWORK"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-048",
+        "name": "NPM-MAINTAINER-MFA-ENFORCEMENT",
+        "description": "npm (and equivalent registries) must enforce mandatory MFA on publish-enabled maintainer accounts for any package above a download-volume threshold (e.g. >= 100K weekly downloads). Pending registry-side enforcement, consuming organizations should require — via SLA or contractual surface — that critical-path maintainers attest to MFA-on-publish, and refuse to upgrade packages where attestation is absent.",
+        "evidence": "MAL-2026-NODE-IPC-STEALER — node-ipc carries approximately 3.35M monthly downloads; npm did not require MFA on the publish-enabled maintainer account at compromise time, so the password-reset-via-recovered-email flow succeeded without a second factor.",
+        "gap_closes": [
+          "NIST-800-218-SSDF",
+          "NIST-800-53-IA-5-Federated",
+          "NIS2-Art21-supply-chain"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-049",
+        "name": "LOCKFILE-INTEGRITY-VERIFIED-AT-CI-BOOT",
+        "description": "CI pipelines must use `npm ci` (or `pnpm install --frozen-lockfile`, `yarn install --immutable`) rather than `npm install`. The strict-lockfile command refuses to resolve any version not already pinned in the lockfile, catching a maintainer-swap-induced version drift before the malicious tarball is fetched. Additionally, verify tarball integrity hashes against a known-good cache snapshot at CI boot for every dependency in critical-path packages.",
+        "evidence": "MAL-2026-NODE-IPC-STEALER — consumers whose lockfile predated 2026-05-14 were safe only if they used a strict-lockfile install command; `npm install` would have happily upgraded within the declared semver range and pulled the malicious version. The strict-lockfile gate catches the swap even after a successful registry-side publish.",
+        "gap_closes": [
+          "NIST-800-218-SSDF",
+          "EU-CRA-Art13",
+          "SLSA-v1.0-Build-L3"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 95,
+      "basis": "Maintainer-domain-expiry monitoring is not a recognized control in any major framework; near-100% of audit-passing organizations have zero coverage of this risk class. Even organizations with strong npm hygiene (lockfile pinning, `npm ci`, `--ignore-scripts` defaults) are exposed because the payload ships in the main module — `--ignore-scripts` does not mitigate, and lockfile pinning only helps if the lockfile predates the malicious publish AND the consumer uses a strict-lockfile install command.",
+      "theater_pattern": "maintainer_account_integrity_assumed_without_evidence"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_date": "2026-05-14",
+    "ai_assist_factor": "low"
   }
 }

package/manifest-snapshot.json

@@ -1,6 +1,6 @@
 {
   "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-  "_generated_at": "2026-05-16T04:00:15.840Z",
+  "_generated_at": "2026-05-16T05:57:55.918Z",
   "atlas_version": "5.4.0",
   "skill_count": 42,
   "skills": [

package/manifest-snapshot.sha256

@@ -1 +1 @@
-9c01b58f0f9e5ceb3070bbfab781ced453d5a8fd0c4a20a883ecbf011004b12c  manifest-snapshot.json
+64d13ed6f7811c491a247b8812a1012096cd1c572a7a64c9eb90eb8bf0402d27  manifest-snapshot.json