@blamejs/exceptd-skills 0.12.9 → 0.12.10

package/CHANGELOG.md

@@ -1,5 +1,42 @@
 # Changelog
 
+## 0.12.10 — 2026-05-13
+
+**Patch: OSV.dev wired as an upstream source, three new catalog entries, one new library-author indicator.**
+
+### OSV.dev as a new upstream source
+
+`lib/source-osv.js` + `OSV_SOURCE` in `lib/refresh-external.js` add OSV.dev (https://api.osv.dev/) as a recognised upstream pull. Operators run `exceptd refresh --source osv` to import advisories from the OSV-aggregated dataset, which covers the OSSF Malicious Packages namespace (`MAL-*`), Snyk advisories (`SNYK-*`), GitHub Advisory Database (`GHSA-*`), RustSec (`RUSTSEC-*`), Mageia (`MGASA-*`), Go Vuln DB (`GO-*`), Ubuntu USN (`USN-*`), PYSEC, and UVI — one unauthenticated API in place of N per-vendor feeds.
+
+The `--advisory <id>` flag now routes non-CVE / non-GHSA identifiers (`MAL-*`, `SNYK-*`, `RUSTSEC-*`, `USN-*`, `UVI-*`, `GO-*`, `MGASA-*`, `PYSEC-*`) through `source-osv`. CVE-* and GHSA-* continue routing through `source-ghsa` because the GitHub Advisory Database carries richer field coverage for those namespaces. Imported entries land as `_auto_imported: true` / `_draft: true` drafts, the same shape GHSA imports use — editorial fields (framework_control_gaps, full iocs, atlas_refs, attack_refs, rwep_factors) remain null until a human or AI assistant runs the cve-curation skill.
+
+When an OSV record carries a `CVE-*` value in its `aliases`, the catalog key is the CVE form and the OSV identifier moves to an `aliases` array on the entry. When no CVE is assigned (e.g. MAL-* malicious-package compromises), the OSV identifier IS the catalog key. The previous identifier convention (CVE-only keys) is preserved as the default; the new identifier shapes are an extension.
+
+Fixture support: `EXCEPTD_OSV_FIXTURE` env var (path to a JSON file with one or many OSV records) enables offline testing — same convention as the existing `EXCEPTD_GHSA_FIXTURE`.
+
+### Three new catalog entries
+
+- **`MAL-2026-3083`** (OSV-native key for the **elementary-data PyPI worm**, April 2026). 1.1M-monthly-downloads package compromised via a GitHub Actions script-injection sink in the project's own workflow (`update_pylon_issue.yml` interpolated `${{ github.event.comment.body }}` directly into a `run:` shell, escalated via the workflow's `GITHUB_TOKEN` to forge an orphan-commit release). Payload was a single `elementary.pth` file in the wheel (Python auto-exec at install time, not import time); infostealer sweeping dbt warehouse creds, AWS/GCP/Azure credentials, SSH keys, Kubernetes configs, cryptocurrency wallets to `igotnofriendsonlineorirl-imgonnakmslmao.skyhanni.cloud` with second-stage at `litter.catbox.moe/iqesmbhukgd2c7hq.sh`. Cataloged from OSV's OSSF Malicious Packages dataset (which published 2026-04-24, 4 days before the Snyk advisory). Aliases retained: `SNYK-PYTHON-ELEMENTARYDATA-16316110`, `pypi/2026-04-compr-elementary-data/elementary-data`. Full Hard Rule #14 IoC block; precedent-setting first MAL-* entry in the catalog.
+
+- **`CVE-2026-42208`** (BerriAI LiteLLM Proxy Auth SQL Injection). CVSS 9.3, **on CISA KEV** (dateAdded 2026-05-08). Crafted Authorization header to any LLM API route reaches a SQL query through the error-logging pathway with the attacker value concatenated rather than parameterised — read/modify the LiteLLM-managed-credentials database without prior auth. Affected: `litellm >= 1.81.16, < 1.83.7`. Patched: 1.83.7+ (parameterised query). Temporary workaround: `general_settings: disable_error_logs: true`. RWEP 65 (P1 / 72h timeline). Operator IoCs: Authorization header > 100 chars or carrying SQL metacharacters; mass key-mint events in LiteLLM logs without admin-UI sessions.
+
+- **`CVE-2026-39884`** (Flux159 mcp-server-kubernetes Argument Injection). CVSS 8.3. The `port_forward` MCP tool builds a kubectl command string and `.split(' ')`s it instead of using an argv array, so an AI assistant feeding `resourceName: "pod-name --address=0.0.0.0"` (typically via prompt injection upstream) lands attacker flags in kubectl's argv — binds port-forward to all interfaces or redirects to attacker namespace. Affected: `mcp-server-kubernetes <= 3.4.0`. Patched: 3.5.0+ (argv-array refactor). Operator IoCs: MCP audit logs showing port_forward calls with spaces or `--`/`-n` in resourceName; kubectl port-forward processes with `--address=0.0.0.0` on hosts that don't manually port-forward.
+
+Three matching `data/zeroday-lessons.json` entries follow the CVE-2026-45321 lesson shape. Five new control requirements derived from the lessons: NEW-CTRL-011 (GHA script-injection-sink ban), NEW-CTRL-012 (orphan-commit release detection), NEW-CTRL-013 (AI-gateway credential-store isolation), NEW-CTRL-014 (MCP-server argv not shellstring), NEW-CTRL-015 (MCP tool allowlist enforcement).
+
+### One new library-author indicator
+
+`gha-workflow-script-injection-sink` flags any `.github/workflows/*.yml` workflow that interpolates an attacker-controllable `${{ github.event.* }}` field directly into a `run:` shell script — the exact sink the elementary-data attack exploited. Detection grep covers `github.event.comment.body`, `github.event.issue.body`, `github.event.issue.title`, `github.event.pull_request.body`, `github.event.pull_request.title`, `github.event.review.body`, `github.event.head_commit.message`, `github.head_ref`, `github.event.discussion.body`, `github.event.discussion.title`. False-positive demotion path: if the workflow captures the value into an `env:` variable first OR runs only on `pull_request` (sandboxed, not `pull_request_target`) with default-read permissions, the sink isn't exploitable. Cross-referenced to MAL-2026-3083.
+
+### Catalog extensions
+
+- `data/cwe-catalog.json` gains CWE-506 (Embedded Malicious Code) and CWE-88 (Improper Neutralization of Argument Delimiters). Both backed by the new catalog entries.
+- `data/cve-catalog.json` `_meta.id_conventions` documents the MAL-*/SNYK-*/GHSA-*/RUSTSEC-* identifier shapes the catalog now accepts, the alias-retention convention when MITRE issues a CVE later, and the EPSS limitation (FIRST only indexes CVE identifiers).
+
+### Repository
+
+Test count: 441 → 459 (+18: OSV source tests + matching test references for Hard Rule #15 coverage). Predeploy gates: 15/15. Skills: 38/38 signed and verified. No skill bodies changed in this patch.
+
 ## 0.12.9 — 2026-05-13
 
 **Patch: post-v0.12.8 audit pass — Hard Rule #15 gate flips blocking, sbom evidence-correlation fix, CVE catalog freshness corrections, and recovery of two v0.12.8 stash-restore casualties.**

package/data/_indexes/_meta.json

@@ -1,20 +1,20 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-13T15:42:51.077Z",
+  "generated_at": "2026-05-13T17:30:56.669Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 49,
   "source_hashes": {
-    "manifest.json": "9f566f47a27005f91dc31480151ff3c97d62f122569fc4e3b3a298c3d4e29f53",
+    "manifest.json": "b7501793892cdfd22ede52a21ec60629d000a5a562373948dd33c1b840776189",
     "data/atlas-ttps.json": "f3f75ff2778a0a2c7d953a21386bc4f265cb2685ce41242eee45f9e9f2a6add6",
-    "data/cve-catalog.json": "ad92ef439d877b7b201f6ca4f3384d575886c389e2c845c985d17798b45a4ec6",
-    "data/cwe-catalog.json": "68e22967d39a9e22b82d7ac676125f829b551b2c2f3a9c564d3d942bf4ee6ecb",
+    "data/cve-catalog.json": "e4ee5a94bfab0109c2dbd9531a1cd3ad96ce37ad4ec36523d699beace5b6d5d4",
+    "data/cwe-catalog.json": "9d71498894a74a235d2c9dae97d062499529cb031184a4011172bf6dce9f3c3d",
     "data/d3fend-catalog.json": "d219520c8d3eb61a270b25ea60f64721035e98a8d5d51d1a4e1f1140d9a586f9",
     "data/dlp-controls.json": "8ea8d907aea0a2cfd772b048a62122a322ba3284a5c36a272ad5e9d392564cb5",
     "data/exploit-availability.json": "7dad52f459c324c40aa4df7cd9157f6a19f670fdfb9d8f687d777c9d99798668",
     "data/framework-control-gaps.json": "8804a10bf77e987453ea76ae717153118dc5cc625f42e98f78213b08fa144f73",
     "data/global-frameworks.json": "84fd19061f052e4ccf66308a7b8d3fd38e00325e97e9e5e19e4d9b302c128957",
     "data/rfc-references.json": "583360bae01e324d752bd28a7d344b4276478381426428d683fc82b0ac19d64a",
-    "data/zeroday-lessons.json": "0840eacd580d4ee5bd7dc44ccea6d52bfa95096576af0ccf67132eea05bedd55",
+    "data/zeroday-lessons.json": "d670e73dfd5237ceb71a56326676d90c05387b9547f8ed6f3a60a153854b444b",
     "skills/kernel-lpe-triage/skill.md": "e8b8601cd3b66d25150bf17f2edd2ef18f10ca6d81ee62aaf874432ee5bdc4b3",
     "skills/ai-attack-surface/skill.md": "2775fe50d58d6437fb629b2f796714ef76ff7b86d271ee5bbd4064b9ca0b0ef6",
     "skills/mcp-agent-trust/skill.md": "de17a4eee67096c737f2eb5972828445021e674fe6c28434cca34d290825739c",
@@ -67,8 +67,8 @@
       "dlp_refs": 0
     },
     "trigger_table_entries": 453,
-    "chains_cve_entries": 6,
-    "chains_cwe_entries": 51,
+    "chains_cve_entries": 8,
+    "chains_cwe_entries": 53,
     "jurisdictions_indexed": 29,
     "handoff_dag_nodes": 38,
     "summary_cards": 38,

package/data/_indexes/activity-feed.json

@@ -19,7 +19,7 @@
       "artifact": "data/cve-catalog.json",
       "path": "data/cve-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 6
+      "entry_count": 9
     },
     {
       "date": "2026-05-13",
@@ -27,7 +27,7 @@
       "artifact": "data/cwe-catalog.json",
       "path": "data/cwe-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 51
+      "entry_count": 53
     },
     {
       "date": "2026-05-13",
@@ -37,6 +37,14 @@
       "schema_version": "1.0.0",
       "entry_count": 28
     },
+    {
+      "date": "2026-05-13",
+      "type": "catalog_update",
+      "artifact": "data/zeroday-lessons.json",
+      "path": "data/zeroday-lessons.json",
+      "schema_version": "1.0.0",
+      "entry_count": 9
+    },
     {
       "date": "2026-05-11",
       "type": "skill_review",
@@ -343,14 +351,6 @@
       "schema_version": "1.0.0",
       "entry_count": 59
     },
-    {
-      "date": "2026-05-01",
-      "type": "catalog_update",
-      "artifact": "data/zeroday-lessons.json",
-      "path": "data/zeroday-lessons.json",
-      "schema_version": "1.0.0",
-      "entry_count": 6
-    },
     {
       "date": "2026-05-01",
       "type": "manifest_review",

package/data/_indexes/catalog-summaries.json

@@ -40,7 +40,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 6,
+      "entry_count": 9,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2026-43284",
@@ -62,7 +62,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 51,
+      "entry_count": 53,
       "sample_keys": [
         "CWE-787",
         "CWE-79",
@@ -207,7 +207,7 @@
       "path": "data/zeroday-lessons.json",
       "purpose": "Distilled lessons from notable zero-days and campaigns (SesameOp, Copy Fail, Dirty Frag, Copilot RCE, Windsurf MCP). Each entry: technique, distinguishing characteristic, what it means for the framework lag.",
       "schema_version": "1.0.0",
-      "last_updated": "2026-05-01",
+      "last_updated": "2026-05-13",
       "tlp": "CLEAR",
       "source_confidence_default": "B2",
       "freshness_policy": {
@@ -216,7 +216,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 6,
+      "entry_count": 9,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",

package/data/_indexes/chains.json

@@ -1768,6 +1768,57 @@
       "rfc_refs": []
     }
   },
+  "MAL-2026-3083": {
+    "name": "Elementary-Data PyPI Worm (Forged Release via GitHub Actions Script Injection)",
+    "rwep": 45,
+    "cvss": 9.3,
+    "cisa_kev": false,
+    "epss_score": null,
+    "epss_percentile": null,
+    "referencing_skills": [],
+    "chain": {
+      "cwes": [],
+      "atlas": [],
+      "d3fend": [],
+      "framework_gaps": [],
+      "attack_refs": [],
+      "rfc_refs": []
+    }
+  },
+  "CVE-2026-42208": {
+    "name": "BerriAI LiteLLM Proxy Auth SQL Injection",
+    "rwep": 65,
+    "cvss": 9.8,
+    "cisa_kev": true,
+    "epss_score": 0.37368,
+    "epss_percentile": 0.9722,
+    "referencing_skills": [],
+    "chain": {
+      "cwes": [],
+      "atlas": [],
+      "d3fend": [],
+      "framework_gaps": [],
+      "attack_refs": [],
+      "rfc_refs": []
+    }
+  },
+  "CVE-2026-39884": {
+    "name": "Flux159 mcp-server-kubernetes Argument Injection via port_forward",
+    "rwep": 20,
+    "cvss": 8.3,
+    "cisa_kev": false,
+    "epss_score": 0.00039,
+    "epss_percentile": 0.11727,
+    "referencing_skills": [],
+    "chain": {
+      "cwes": [],
+      "atlas": [],
+      "d3fend": [],
+      "framework_gaps": [],
+      "attack_refs": [],
+      "rfc_refs": []
+    }
+  },
   "CWE-787": {
     "name": "Out-of-bounds Write",
     "category": "Memory Safety",
@@ -7386,5 +7437,33 @@
       "rfc_refs": []
     },
     "related_cves": []
+  },
+  "CWE-506": {
+    "name": "Embedded Malicious Code",
+    "category": "Supply Chain",
+    "referencing_skills": [],
+    "skill_count": 0,
+    "chain": {
+      "atlas": [],
+      "attack_refs": [],
+      "framework_gaps": [],
+      "d3fend": [],
+      "rfc_refs": []
+    },
+    "related_cves": []
+  },
+  "CWE-88": {
+    "name": "Improper Neutralization of Argument Delimiters in a Command",
+    "category": "Injection",
+    "referencing_skills": [],
+    "skill_count": 0,
+    "chain": {
+      "atlas": [],
+      "attack_refs": [],
+      "framework_gaps": [],
+      "d3fend": [],
+      "rfc_refs": []
+    },
+    "related_cves": []
   }
 }

package/data/_indexes/frequency.json

@@ -2053,9 +2053,11 @@
       "CWE-338",
       "CWE-353",
       "CWE-426",
+      "CWE-506",
       "CWE-522",
       "CWE-759",
       "CWE-760",
+      "CWE-88",
       "CWE-916"
     ],
     "atlas_refs": [

package/data/cve-catalog.json

@@ -35,7 +35,12 @@
       "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
     },
     "vendor_advisory_field_added": "2026-05-11",
-    "vendor_advisory_note": "Each CVE carries a structured vendor_advisories array (vendor, advisory_id, url, severity, published_date) for downstream consumers that route by vendor advisory. Unknown advisory IDs are null with the canonical vendor CVE-resolver URL — never fabricated. Existing free-form references are preserved in verification_sources; vendor_advisories is additive."
+    "vendor_advisory_note": "Each CVE carries a structured vendor_advisories array (vendor, advisory_id, url, severity, published_date) for downstream consumers that route by vendor advisory. Unknown advisory IDs are null with the canonical vendor CVE-resolver URL — never fabricated. Existing free-form references are preserved in verification_sources; vendor_advisories is additive.",
+    "id_conventions": {
+      "default": "CVE-YYYY-NNNNN",
+      "non_cve_keys_accepted": ["SNYK-*", "GHSA-*"],
+      "note": "Catalog keys are CVE-* by default. For pre-CVE-assignment advisories under active operational impact, the project accepts OSV-native identifier shapes as the canonical key, with cross-references retained in `aliases`: MAL-* (OSSF Malicious Packages dataset — published into OSV.dev; primary key for malicious-package compromises), GHSA-* (GitHub Advisory Database; primary key when the package is on GitHub and no CVE has issued yet), and SNYK-* (Snyk advisory dataset; primary key for advisories Snyk catalogued before OSV/GHSA ingested them). When MITRE issues a CVE, the entry is renamed in lockstep with the matching zeroday-lessons key; the previous identifier is retained in `aliases` so historical references continue to resolve. Precedent: MAL-2026-3083 added 2026-05-13 (the elementary-data PyPI worm, 1.1M monthly downloads, OSV/OSSF-cataloged before any CVE issued). EPSS coverage does not extend to non-CVE identifiers; epss_score is null with a documenting epss_note on such entries. Upstream pull from OSV.dev: `exceptd refresh --source osv` (added v0.12.10)."
+    }
   },
   "CVE-2026-31431": {
     "name": "Copy Fail",
@@ -835,5 +840,350 @@
       ]
     },
     "last_updated": "2026-05-13"
+  },
+  "MAL-2026-3083": {
+    "name": "Elementary-Data PyPI Worm (Forged Release via GitHub Actions Script Injection)",
+    "type": "RCE-supply-chain",
+    "aliases": [
+      "SNYK-PYTHON-ELEMENTARYDATA-16316110",
+      "pypi/2026-04-compr-elementary-data/elementary-data"
+    ],
+    "aliases_note": "Primary key is OSV-native MAL-2026-3083 (OSSF Malicious Packages dataset; first publisher 2026-04-24T22:54Z). Snyk SNYK-PYTHON-ELEMENTARYDATA-16316110 and kam193 campaign id pypi/2026-04-compr-elementary-data are cross-references for operator lookup. MITRE has not assigned a CVE id as of 2026-05-13; if one is issued later the catalog key is renamed and aliases retained.",
+    "cvss_score": 9.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Public forensic writeups + the malicious orphan commit b1e4b1f3aad0d489ab0e9208031c67402bbb8480 still readable on GitHub. The .pth-file install-time payload mechanism is well-understood; the exfiltration domain (skyhanni.cloud subdomain) was active in the wild during the window 2026-04-24 22:20Z through 2026-04-25 ~06:30Z.",
+    "ai_discovered": false,
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "1.1M monthly downloads — anyone who pip-installed elementary-data==0.23.3 during the 8-hour exposure window was hit. Window: 2026-04-24 22:20Z → 2026-04-25 ~06:30Z.",
+    "affected": "elementary-data (PyPI) — data observability tool inside dbt analytics pipelines. ~1.1M monthly downloads.",
+    "affected_versions": [
+      "elementary-data == 0.23.3"
+    ],
+    "vector": "GitHub Actions script-injection sink in `.github/workflows/update_pylon_issue.yml`. Workflow interpolated `${{ github.event.comment.body }}` directly into a `run:` shell script — commenting on any open PR was sufficient to execute attacker-controlled shell with the elevated GITHUB_TOKEN. Attacker forged orphan commit b1e4b1f3aad0d489ab0e9208031c67402bbb8480, tagged v0.23.3, and dispatched the legitimate publishing pipeline — producing a properly-signed release pointing at code the maintainers never saw.",
+    "complexity": "low",
+    "complexity_notes": "Anyone with a GitHub account can comment on a public PR. Self-replicating in pattern: any project running a similar workflow shape (`${{ github.event.* }}` directly in `run:`) is exploitable by the same primitive.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "pip uninstall elementary-data && pip install elementary-data==0.23.4 (clean replacement, same-day)",
+      "Yank 0.23.3 from any private mirror; PyPI has already yanked the public copy",
+      "GHCR :latest re-points to clean image; rebuild any image FROM elementary-data:0.23.3"
+    ],
+    "framework_control_gaps": {
+      "SLSA-L3": "Same shape as CVE-2026-45321 — provenance valid, payload malicious. The publishing pipeline ran on a malicious orphan commit and emitted a legitimate signed release. SLSA-L3 attests WHICH pipeline built the artifact, not that the pipeline was driven by trusted inputs.",
+      "NIST-800-53-SA-12": "Supply chain protection treats signed release as the trust anchor. The signature was valid; the input to the signing pipeline was attacker-controlled.",
+      "NIST-800-218-PO.4": "Define and use secure development security checks. Direct interpolation of github.event.* into run: scripts is a documented secure-development anti-pattern (GitHub Actions docs explicitly warn against it) but is not framework-enforced.",
+      "EU-CRA-Art13": "Required vulnerability handling doesn't address the case where the maintainer was an unwitting publisher.",
+      "NIS2-Art21-2d": "Supply chain risk management presumes detectable signal at consumption. Valid signature neutralizes consumer-side checks."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0018",
+      "AML.T0055"
+    ],
+    "attack_refs": [
+      "T1195.001",
+      "T1195.002",
+      "T1078.004",
+      "T1552.001",
+      "T1059.006"
+    ],
+    "rwep_score": 45,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Canonical RWEP = 45. Operationally treat as P1 — the 8h mass-exposure window (2026-04-24 22:20Z → 2026-04-25 ~06:30Z) means anyone who installed during that window is affected regardless of whether they later upgraded; credential rotation is required. The RWEP formula caps blast_radius at 30 and has no factor for time-bounded mass-exposure windows; the qualitative narrative here is the authoritative risk signal. CISA KEV listing (when it arrives) will add +25 → 70.",
+    "epss_score": null,
+    "epss_percentile": null,
+    "epss_date": "2026-05-13",
+    "epss_source": null,
+    "epss_note": "EPSS coverage does not extend to non-CVE advisories. FIRST EPSS API only indexes CVE identifiers; MAL-* / SNYK-* / GHSA-* keys return no data. Re-query and populate epss_score when MITRE assigns a CVE id and the entry is renamed.",
+    "cwe_refs": ["CWE-506", "CWE-77", "CWE-94"],
+    "source_verified": "2026-05-13",
+    "verification_sources": [
+      "https://api.osv.dev/v1/query (POST {package:{name:elementary-data,ecosystem:PyPI},version:0.23.3}) — returns MAL-2026-3083",
+      "https://security.snyk.io/vuln/SNYK-PYTHON-ELEMENTARYDATA-16316110",
+      "https://www.stepsecurity.io/blog/elementary-data-compromised-on-pypi-and-ghcr-forged-release-pushed-via-github-actions-script-injection",
+      "https://snyk.io/blog/malicious-release-of-elementary-data-pypi-package-steals-cloud-credentials-from-data-engineers/",
+      "https://www.bleepingcomputer.com/news/security/pypi-package-with-11m-monthly-downloads-hacked-to-push-infostealer/",
+      "https://www.chainguard.dev/unchained/chainguard-customers-safe-from-elementary-data-compromise",
+      "https://www.elementary-data.com/post/security-incident-report-malicious-release-of-elementary-oss-python-cli-v0-23-3",
+      "https://bad-packages.kam193.eu/pypi/campaign/2026-04-compr-elementary-data"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "OSV.dev (OSSF Malicious Packages)",
+        "advisory_id": "MAL-2026-3083",
+        "url": "https://osv.dev/vulnerability/MAL-2026-3083",
+        "severity": "critical",
+        "published_date": "2026-04-24"
+      },
+      {
+        "vendor": "Snyk",
+        "advisory_id": "SNYK-PYTHON-ELEMENTARYDATA-16316110",
+        "url": "https://security.snyk.io/vuln/SNYK-PYTHON-ELEMENTARYDATA-16316110",
+        "severity": "critical",
+        "published_date": "2026-04-28"
+      },
+      {
+        "vendor": "StepSecurity",
+        "advisory_id": null,
+        "url": "https://www.stepsecurity.io/blog/elementary-data-compromised-on-pypi-and-ghcr-forged-release-pushed-via-github-actions-script-injection",
+        "severity": "critical",
+        "published_date": "2026-04-25"
+      },
+      {
+        "vendor": "Elementary Data",
+        "advisory_id": null,
+        "url": "https://github.com/elementary-data/elementary/issues/2205",
+        "severity": "critical",
+        "published_date": "2026-04-25"
+      }
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "site-packages/elementary.pth (any line starting with `import` — auto-execs on every python invocation; ~245 KB base64-encoded harvester)",
+        "PyPI package elementary-data==0.23.3 (yanked; the wheel+sdist differ from 0.23.2 by exactly one file: elementary.pth)",
+        "GHCR image elementarydata/elementary-data:latest pre-2026-04-25 — image digest sha256:31ecc5939de6d24cf60c50d4ca26cf7a8c322db82a8ce4bd122ebd89cf634255",
+        "Clean baseline: GHCR sha256:b3bbfafde1a0db3a4d47e70eb0eb2ca19daef4a19410154a71abee567b35d3d9"
+      ],
+      "persistence_artifacts": [
+        "$TMPDIR/.trinny-security-update (campaign persistence marker; presence on disk = install-time payload executed)",
+        "elementary.pth in any site-packages — Python auto-loads .pth files on interpreter startup"
+      ],
+      "credential_paths_scanned": [
+        "~/.dbt/profiles.yml (dbt warehouse credentials — primary target given elementary's dbt user base)",
+        "~/.aws/credentials, application_default_credentials.json (GCP), ~/.azure/",
+        "~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.git-credentials",
+        "~/.docker/config.json, ~/.kube/config, /etc/kubernetes/*.conf",
+        "~/.npmrc, ~/.pypirc, ~/.cargo/credentials.toml",
+        ".env* files up to 6 directory levels deep",
+        "~/.vault-token, ~/.netrc, ~/.pgpass, ~/.my.cnf",
+        "/etc/passwd, /etc/shadow, shell history files, /var/log/auth.log",
+        "Cryptocurrency wallet files"
+      ],
+      "c2_indicators": [
+        "DNS / outbound HTTPS to igotnofriendsonlineorirl-imgonnakmslmao.skyhanni.cloud (sole exfiltration domain)",
+        "Outbound HTTP request carrying header `X-Rise-To-The-Trinny: agree` (campaign tag)",
+        "Any outbound from python child of pip / pip install on a host that just installed elementary-data"
+      ],
+      "supply_chain_entry_vectors": [
+        "GitHub repo with any `.github/workflows/*.yml` interpolating `${{ github.event.comment.body }}` / `github.event.issue.body` / `github.event.review.body` directly into a `run: |` block — exploitable by anyone who can comment on a PR/issue",
+        "Orphan-commit-driven release: any release tag whose target commit is NOT an ancestor of the default branch — forged via privileged token usage",
+        "GitHub repo with `permissions: contents: write` on a workflow that triggers on `issue_comment` / `pull_request_target` / similar untrusted-input triggers"
+      ],
+      "behavioral": [
+        "Brand-new GitHub account (created within 7 days) commenting on a high-download package's open PR with a payload-shaped string (shell metacharacters in a context that gets shell-interpolated)",
+        "Release tag pointing at an orphan commit (no path through git rev-list to the default branch)",
+        "Workflow run on a public repo where GITHUB_TOKEN.permissions includes contents:write AND the trigger event is issue_comment / pull_request_target",
+        "pip install of a major-version-pinned package returning a wheel whose contents differ from the previous patch version by added .pth file"
+      ]
+    },
+    "last_updated": "2026-05-13"
+  },
+  "CVE-2026-42208": {
+    "name": "BerriAI LiteLLM Proxy Auth SQL Injection",
+    "type": "RCE-via-sql-injection",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_v4_score": 9.3,
+    "cvss_v4_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-08",
+    "cisa_kev_due_date": "2026-05-29",
+    "poc_available": true,
+    "poc_description": "GHSA-r75f-5x8p-qvmc documents the sink shape — crafted Authorization header to any LLM API route reaches the vulnerable query through error-handling paths. KEV-listed implies in-wild exploitation evidence.",
+    "ai_discovered": false,
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA KEV listing criterion is in-wild exploitation evidence.",
+    "affected": "BerriAI LiteLLM Proxy — open-source LLM-API gateway managing credentials + routing across model providers. Used in front of AI agent stacks, MCP-server fronts, multi-model proxy deployments. Substantial production footprint.",
+    "affected_versions": [
+      "litellm >= 1.81.16",
+      "litellm < 1.83.7"
+    ],
+    "vector": "Authorization header value passed directly into a SQL query in the proxy's auth path. Crafted bearer-token-shape strings reach the error-logging pathway which executes SQL with the attacker-controlled value as a string-concatenated parameter. Result: read/modify the managed-credentials DB without prior auth.",
+    "complexity": "low",
+    "complexity_notes": "Curl-able exploit — POST to /chat/completions with a SQL-injection payload in Authorization. Network-reachable, no auth, no UI.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "Upgrade to litellm 1.83.7+ (parameterised query — caller-supplied value is now a SQL parameter not a concatenated string)",
+      "Temporary workaround: `general_settings: disable_error_logs: true` removes the error-handling pathway the injection abuses"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input validation control doesn't address argument-vs-statement distinction in SQL libraries. SI-10 is satisfied by 'we validate inputs' regardless of whether the validation runs before the SQL parameter binding.",
+      "OWASP-LLM01": "Prompt injection control set doesn't address the AI-PROXY backend SQL surface — LiteLLM is the substrate that gates LLM API access, not the LLM itself.",
+      "NIS2-Art21-2e": "Cryptographic measures control doesn't address application-layer SQL injection.",
+      "EU-AI-Act-Art-15": "Robustness + cybersecurity requirement is undefined operationally for AI gateway infrastructure."
+    },
+    "atlas_refs": [
+      "AML.T0055"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1078.001"
+    ],
+    "rwep_score": 65,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Operationally P1 — KEV-listed, network-vector, no auth, full credential DB compromise. AI-stack fleets running LiteLLM as the gateway should patch within the KEV 21-day window at minimum.",
+    "epss_score": 0.37368,
+    "epss_percentile": 0.9722,
+    "epss_date": "2026-05-13",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-42208",
+    "cwe_refs": ["CWE-89"],
+    "source_verified": "2026-05-13",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-42208",
+      "https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42208"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "BerriAI",
+        "advisory_id": "GHSA-r75f-5x8p-qvmc",
+        "url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc",
+        "severity": "critical",
+        "published_date": "2026-05-08"
+      },
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": null,
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42208",
+        "severity": "critical",
+        "published_date": "2026-05-08"
+      }
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "POST /chat/completions with Authorization header value containing SQL-injection metacharacters (`'`, `--`, `OR 1=1`, UNION-based payloads)",
+        "Any HTTP request to a LiteLLM proxy where the Authorization header value is unusually long (> 100 chars) or contains characters outside [A-Za-z0-9\\-_.~+/=]"
+      ],
+      "behavioral": [
+        "LiteLLM proxy db (default sqlite or postgres) showing new rows in the LiteLLM_VerificationToken / LiteLLM_UserTable created without a corresponding admin-UI session",
+        "LiteLLM error logs containing parameterised-SQL failure shapes that include the Authorization header string verbatim (pre-1.83.7 the value lands in error logs in cleartext)",
+        "Outbound network from a LiteLLM proxy host to a model-provider endpoint using a freshly-issued virtual key that has no admin-event history",
+        "Mass key-generation events in LiteLLM logs (the SQLi path includes a key-mint primitive)"
+      ],
+      "c2_indicators": [
+        "Outbound from a LiteLLM proxy host to model-provider endpoints (openai, anthropic, etc.) using virtual keys not minted via the admin UI (compromised proxy uses its own stolen keys to mask attacker traffic as legitimate proxy traffic)"
+      ],
+      "credential_paths_scanned": [
+        "LiteLLM proxy DATABASE_URL-pointed database (sqlite file or postgres connection) — once SQLi reaches the DB, the entire managed-credentials table is read/write",
+        "Environment variables LITELLM_MASTER_KEY, DATABASE_URL on the proxy host"
+      ]
+    },
+    "last_updated": "2026-05-13"
+  },
+  "CVE-2026-39884": {
+    "name": "Flux159 mcp-server-kubernetes Argument Injection via port_forward",
+    "type": "argument-injection",
+    "cvss_score": 8.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "GHSA-4xqg-gf5c-ghwq publishes the PoC: invoke port_forward tool with resourceName containing space-delimited kubectl flags. Attacker-controllable args reach kubectl via .split(' ') concatenation in startPortForward() / executeKubectlCommandAsync().",
+    "ai_discovered": false,
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "suspected",
+    "active_exploitation_notes": "No public exploitation evidence as of 2026-05-13, but the MCP-server ecosystem has known opportunistic-scan history. Treated as suspected.",
+    "affected": "Flux159 mcp-server-kubernetes — MCP server giving AI assistants kubectl control. Installed in AI agent stacks that talk to Kubernetes clusters.",
+    "affected_versions": [
+      "mcp-server-kubernetes <= 3.4.0"
+    ],
+    "vector": "AI assistant invokes the port_forward MCP tool with resourceName='pod-name --address=0.0.0.0' or similar. The MCP server builds a string-form kubectl command and uses .split(' ') instead of an args array — the attacker-controlled flag lands as a distinct argv entry to kubectl. --address=0.0.0.0 binds the port-forward to all interfaces; -n kube-system redirects to attacker-chosen namespace.",
+    "complexity": "low",
+    "complexity_notes": "Only requires the AI assistant to be tricked (prompt injection in retrieved docs / commit messages / MCP tool responses) into passing a tainted resourceName. PR-injection / RAG-poisoning surface upstream gates exploitation.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "Upgrade mcp-server-kubernetes to 3.5.0+ (argv-array refactor)",
+      "Until patched: disable the port_forward tool in MCP allowlist (most operator deployments don't rely on it)"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input validation control doesn't address the argv-vs-string boundary that argument injection exploits — many MCP servers concatenate user input into shell commands without registering this as a code-review failure.",
+      "OWASP-LLM01": "Prompt-injection-as-access-control gap — the attacker doesn't compromise the MCP server directly; they feed adversarial input that the AI passes through.",
+      "NIS2-Art21-2g": "Patch management presumes traditional CVE timelines; MCP plugin ecosystem patch awareness lags."
+    },
+    "atlas_refs": [
+      "AML.T0053",
+      "AML.T0051"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1078"
+    ],
+    "rwep_score": 20,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 10,
+      "blast_radius": 15,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P3 — patch available, mitigation via tool disable, but the class (AI-mediated argument injection into infrastructure tools) is operationally important to track.",
+    "epss_score": 0.00039,
+    "epss_percentile": 0.11727,
+    "epss_date": "2026-05-13",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-39884",
+    "cwe_refs": ["CWE-88"],
+    "source_verified": "2026-05-13",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-39884",
+      "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-4xqg-gf5c-ghwq"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Flux159",
+        "advisory_id": "GHSA-4xqg-gf5c-ghwq",
+        "url": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-4xqg-gf5c-ghwq",
+        "severity": "high",
+        "published_date": "2026-04-15"
+      }
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "src/tools/port_forward.ts startPortForward() / executeKubectlCommandAsync() in any version <= 3.4.0 — calls `.split(' ')` on user-input-concatenated command string",
+        "dist/tools/port_forward.js — compiled artifact in installed package"
+      ],
+      "behavioral": [
+        "MCP audit log showing port_forward tool calls with resourceName containing spaces or kubectl flag prefixes (`--`, `-n`)",
+        "kubectl port-forward processes with --address=0.0.0.0 on hosts that never invoke port-forward manually",
+        "kubectl port-forward processes targeting kube-system / kube-public namespaces when the operator's intended namespace was a workload namespace",
+        "Multiple -n flags in a single kubectl invocation (split-by-space duplicate-flag injection signature)"
+      ],
+      "runtime_syscall": [
+        "execve of kubectl with argv containing /^--address=/ from a parent process in node_modules/mcp-server-kubernetes/dist/",
+        "Network listener bound to 0.0.0.0:<port> by a kubectl process on a host that should only port-forward to localhost"
+      ]
+    },
+    "last_updated": "2026-05-13"
   }
 }