@panguard-ai/atr 0.2.1 → 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +49 -46
- package/dist/cli.d.ts +2 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +42 -18
- package/dist/cli.js.map +1 -1
- package/dist/coverage-analyzer.d.ts.map +1 -1
- package/dist/coverage-analyzer.js.map +1 -1
- package/dist/engine.d.ts.map +1 -1
- package/dist/engine.js +28 -13
- package/dist/engine.js.map +1 -1
- package/dist/loader.d.ts.map +1 -1
- package/dist/loader.js +32 -7
- package/dist/loader.js.map +1 -1
- package/dist/mcp-server.d.ts.map +1 -1
- package/dist/mcp-server.js +38 -14
- package/dist/mcp-server.js.map +1 -1
- package/dist/mcp-tools/coverage-gaps.d.ts.map +1 -1
- package/dist/mcp-tools/coverage-gaps.js +3 -1
- package/dist/mcp-tools/coverage-gaps.js.map +1 -1
- package/dist/mcp-tools/list-rules.d.ts.map +1 -1
- package/dist/mcp-tools/list-rules.js.map +1 -1
- package/dist/mcp-tools/scan.d.ts.map +1 -1
- package/dist/mcp-tools/scan.js +15 -3
- package/dist/mcp-tools/scan.js.map +1 -1
- package/dist/mcp-tools/submit-proposal.d.ts.map +1 -1
- package/dist/mcp-tools/submit-proposal.js +27 -6
- package/dist/mcp-tools/submit-proposal.js.map +1 -1
- package/dist/mcp-tools/threat-summary.d.ts.map +1 -1
- package/dist/mcp-tools/threat-summary.js +1 -3
- package/dist/mcp-tools/threat-summary.js.map +1 -1
- package/dist/mcp-tools/validate.d.ts.map +1 -1
- package/dist/mcp-tools/validate.js +15 -3
- package/dist/mcp-tools/validate.js.map +1 -1
- package/dist/modules/index.js +1 -1
- package/dist/modules/index.js.map +1 -1
- package/dist/modules/semantic.d.ts.map +1 -1
- package/dist/modules/semantic.js +14 -8
- package/dist/modules/semantic.js.map +1 -1
- package/dist/modules/session.d.ts.map +1 -1
- package/dist/modules/session.js +50 -15
- package/dist/modules/session.js.map +1 -1
- package/dist/rule-scaffolder.d.ts.map +1 -1
- package/dist/rule-scaffolder.js +1 -3
- package/dist/rule-scaffolder.js.map +1 -1
- package/dist/session-tracker.d.ts.map +1 -1
- package/dist/session-tracker.js.map +1 -1
- package/dist/skill-fingerprint.d.ts.map +1 -1
- package/dist/skill-fingerprint.js +1 -2
- package/dist/skill-fingerprint.js.map +1 -1
- package/package.json +2 -2
- package/rules/agent-manipulation/ATR-2026-030-cross-agent-attack.yaml +51 -51
- package/rules/agent-manipulation/ATR-2026-032-goal-hijacking.yaml +36 -36
- package/rules/agent-manipulation/ATR-2026-074-cross-agent-privilege-escalation.yaml +32 -32
- package/rules/agent-manipulation/ATR-2026-076-inter-agent-message-spoofing.yaml +55 -55
- package/rules/agent-manipulation/ATR-2026-077-human-trust-exploitation.yaml +42 -42
- package/rules/agent-manipulation/ATR-2026-108-consensus-sybil-attack.yaml +103 -0
- package/rules/context-exfiltration/ATR-2026-020-system-prompt-leak.yaml +51 -51
- package/rules/context-exfiltration/ATR-2026-021-api-key-exposure.yaml +62 -62
- package/rules/context-exfiltration/ATR-2026-075-agent-memory-manipulation.yaml +33 -33
- package/rules/context-exfiltration/ATR-2026-102-disguised-analytics-exfiltration.yaml +69 -0
- package/rules/data-poisoning/ATR-2026-070-data-poisoning.yaml +53 -53
- package/rules/excessive-autonomy/ATR-2026-050-runaway-agent-loop.yaml +39 -39
- package/rules/excessive-autonomy/ATR-2026-051-resource-exhaustion.yaml +41 -41
- package/rules/excessive-autonomy/ATR-2026-052-cascading-failure.yaml +54 -54
- package/rules/excessive-autonomy/ATR-2026-098-unauthorized-financial-action.yaml +155 -0
- package/rules/excessive-autonomy/ATR-2026-099-high-risk-tool-gate.yaml +159 -0
- package/rules/model-security/ATR-2026-072-model-behavior-extraction.yaml +34 -34
- package/rules/model-security/ATR-2026-073-malicious-finetuning-data.yaml +26 -26
- package/rules/privilege-escalation/ATR-2026-040-privilege-escalation.yaml +58 -58
- package/rules/privilege-escalation/ATR-2026-041-scope-creep.yaml +35 -35
- package/rules/privilege-escalation/ATR-2026-107-delayed-execution-bypass.yaml +67 -0
- package/rules/prompt-injection/ATR-2026-001-direct-prompt-injection.yaml +203 -15
- package/rules/prompt-injection/ATR-2026-002-indirect-prompt-injection.yaml +63 -63
- package/rules/prompt-injection/ATR-2026-003-jailbreak-attempt.yaml +74 -74
- package/rules/prompt-injection/ATR-2026-004-system-prompt-override.yaml +55 -55
- package/rules/prompt-injection/ATR-2026-005-multi-turn-injection.yaml +47 -47
- package/rules/prompt-injection/ATR-2026-080-encoding-evasion.yaml +79 -0
- package/rules/prompt-injection/ATR-2026-081-semantic-multi-turn.yaml +76 -0
- package/rules/prompt-injection/ATR-2026-082-fingerprint-evasion.yaml +75 -0
- package/rules/prompt-injection/ATR-2026-083-indirect-tool-injection.yaml +75 -0
- package/rules/prompt-injection/ATR-2026-084-structured-data-injection.yaml +77 -0
- package/rules/prompt-injection/ATR-2026-085-audit-evasion.yaml +75 -0
- package/rules/prompt-injection/ATR-2026-086-visual-spoofing.yaml +79 -0
- package/rules/prompt-injection/ATR-2026-087-rule-probing.yaml +73 -0
- package/rules/prompt-injection/ATR-2026-088-adaptive-countermeasure.yaml +75 -0
- package/rules/prompt-injection/ATR-2026-089-polymorphic-skill.yaml +76 -0
- package/rules/prompt-injection/ATR-2026-090-threat-intel-exfil.yaml +75 -0
- package/rules/prompt-injection/ATR-2026-091-nested-payload.yaml +79 -0
- package/rules/prompt-injection/ATR-2026-092-consensus-poisoning.yaml +83 -0
- package/rules/prompt-injection/ATR-2026-093-gradual-escalation.yaml +77 -0
- package/rules/prompt-injection/ATR-2026-094-audit-bypass.yaml +77 -0
- package/rules/prompt-injection/ATR-2026-097-cjk-injection-patterns.yaml +180 -0
- package/rules/prompt-injection/ATR-2026-104-persona-hijacking.yaml +72 -0
- package/rules/skill-compromise/ATR-2026-060-skill-impersonation.yaml +53 -53
- package/rules/skill-compromise/ATR-2026-061-description-behavior-mismatch.yaml +20 -20
- package/rules/skill-compromise/ATR-2026-062-hidden-capability.yaml +22 -22
- package/rules/skill-compromise/ATR-2026-063-skill-chain-attack.yaml +21 -21
- package/rules/skill-compromise/ATR-2026-064-over-permissioned-skill.yaml +29 -29
- package/rules/skill-compromise/ATR-2026-065-skill-update-attack.yaml +22 -22
- package/rules/skill-compromise/ATR-2026-066-parameter-injection.yaml +23 -23
- package/rules/tool-poisoning/ATR-2026-010-mcp-malicious-response.yaml +70 -70
- package/rules/tool-poisoning/ATR-2026-011-tool-output-injection.yaml +53 -53
- package/rules/tool-poisoning/ATR-2026-012-unauthorized-tool-call.yaml +58 -58
- package/rules/tool-poisoning/ATR-2026-013-tool-ssrf.yaml +62 -62
- package/rules/tool-poisoning/ATR-2026-095-supply-chain-poisoning.yaml +81 -0
- package/rules/tool-poisoning/ATR-2026-096-registry-poisoning.yaml +83 -0
- package/rules/tool-poisoning/ATR-2026-100-consent-bypass-instruction.yaml +80 -0
- package/rules/tool-poisoning/ATR-2026-101-trust-escalation-override.yaml +66 -0
- package/rules/tool-poisoning/ATR-2026-103-hidden-safety-bypass-instruction.yaml +71 -0
- package/rules/tool-poisoning/ATR-2026-105-silent-action-concealment.yaml +67 -0
- package/rules/tool-poisoning/ATR-2026-106-schema-description-contradiction.yaml +66 -0
- package/spec/atr-schema.yaml +28 -29
- package/rules/prompt-injection/ATR-PRED-2026-001.yaml +0 -61
- package/rules/prompt-injection/ATR-PRED-2026-002.yaml +0 -58
- package/rules/prompt-injection/ATR-PRED-2026-003.yaml +0 -61
- package/rules/prompt-injection/ATR-PRED-2026-005.yaml +0 -55
- package/rules/prompt-injection/ATR-PRED-2026-006.yaml +0 -51
- package/rules/prompt-injection/ATR-PRED-2026-007.yaml +0 -57
- package/rules/prompt-injection/ATR-PRED-2026-008.yaml +0 -57
- package/rules/prompt-injection/ATR-PRED-2026-009.yaml +0 -51
- package/rules/prompt-injection/ATR-PRED-2026-010.yaml +0 -57
- package/rules/prompt-injection/ATR-PRED-2026-011.yaml +0 -53
- package/rules/prompt-injection/ATR-PRED-2026-012.yaml +0 -57
- package/rules/prompt-injection/ATR-PRED-2026-023.yaml +0 -56
- package/rules/prompt-injection/ATR-PRED-2026-025.yaml +0 -68
- package/rules/prompt-injection/ATR-PRED-2026-026.yaml +0 -66
- package/rules/prompt-injection/ATR-PRED-2026-027.yaml +0 -62
- package/rules/tool-poisoning/ATR-PRED-2026-004.yaml +0 -54
- package/rules/tool-poisoning/ATR-PRED-2026-024.yaml +0 -68
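--- a/package/rules/prompt-injection/ATR-PRED-2026-027.yaml
+++ b/package/rules/prompt-injection/ATR-PRED-2026-027.yaml
@@ -1,62 +0,0 @@
-title: "审计系统规避:六层防护的系统性突破"
-id: ATR-PRED-2026-027
-status: draft
-description: >
-MiroFish AI Prediction: 最具挑战性的风险来自于对多层审计系统的系统性规避: > \"攻击者设计技能来规避Panguard的6层审计系统,这是军备竞赛的一部分。\" > \"攻击者专门设计技能来通过Panguard的6层审计,隐藏恶意行为。\" 这种攻击的严重程度为**极高**,因为它直接挑战了整个安全审计框架的有效性。攻击者展现出对审计机制的深度理解: > \"技能审计规避专家拥有正则模式分析的知识。\" > \"技能审计规避专家拥有行为指纹规避的知识。\"
-author: "MiroFish Prediction Engine"
-date: "2026/03/11"
-schema_version: "0.1"
-detection_tier: pattern
-maturity: test
-severity: critical
-
-references:
-mitre_atlas:
-- "AML.T0051"
-
-tags:
-category: prompt-injection
-subcategory: mirofish-predicted
-confidence: medium
-
-agent_source:
-type: llm_io
-framework:
-- any
-provider:
-- any
-
-detection:
-conditions:
-- field: user_input
-operator: regex
-value: "(?i)攻击者设计技能来规避Panguard的6层审计系统,这是军备竞赛的一部分。"
-description: "MiroFish predicted pattern 1"
-- field: user_input
-operator: regex
-value: "(?i)攻击者专门设计技能来通过Panguard的6层审计,隐藏恶意行为。"
-description: "MiroFish predicted pattern 2"
-- field: user_input
-operator: regex
-value: "(?i)技能审计规避专家拥有正则模式分析的知识。"
-description: "MiroFish predicted pattern 3"
-- field: user_input
-operator: regex
-value: "(?i)技能审计规避专家拥有行为指纹规避的知识。"
-description: "MiroFish predicted pattern 4"
-
-condition: any
-false_positives:
-- "Legitimate traffic matching predicted pattern"
-
-response:
-actions:
-- block_input
-- quarantine_session
-- alert
-- escalate
-- kill_agent
-auto_response_threshold: critical
-message_template: >
-[ATR-PRED-2026-027] MiroFish predicted attack pattern detected.
-Category: prompt-injection, Severity: critical.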
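--- a/package/rules/tool-poisoning/ATR-PRED-2026-004.yaml
+++ b/package/rules/tool-poisoning/ATR-PRED-2026-004.yaml
@@ -1,54 +0,0 @@
-title: "供应链攻击的复杂化"
-id: ATR-PRED-2026-004
-status: draft
-description: >
-MiroFish AI Prediction: MCP技能供应链成为了主要的攻击面,2026年AI代理包含了数百万个MCP技能: > \"AI代理在2026年包含了数百万个MCP技能,形成了主要攻击面。\" 攻击者正在设计技能来规避Panguard的6层审计系统,这已经演变成一场军备竞赛: > \"攻击者设计技能来规避Panguard的6层审计系统,这是军备竞赛的一部分。\"
-author: "MiroFish Prediction Engine"
-date: "2026/03/11"
-schema_version: "0.1"
-detection_tier: pattern
-maturity: test
-severity: critical
-
-references:
-mitre_atlas:
-- "AML.T0053"
-
-tags:
-category: tool-poisoning
-subcategory: mirofish-predicted
-confidence: medium
-
-agent_source:
-type: mcp_exchange
-framework:
-- any
-provider:
-- any
-
-detection:
-conditions:
-- field: tool_response
-operator: regex
-value: "(?i)AI代理在2026年包含了数百万个MCP技能,形成了主要攻击面。"
-description: "MiroFish predicted pattern 1"
-- field: tool_response
-operator: regex
-value: "(?i)攻击者设计技能来规避Panguard的6层审计系统,这是军备竞赛的一部分。"
-description: "MiroFish predicted pattern 2"
-
-condition: any
-false_positives:
-- "Legitimate traffic matching predicted pattern"
-
-response:
-actions:
-- block_input
-- quarantine_session
-- alert
-- escalate
-- kill_agent
-auto_response_threshold: critical
-message_template: >
-[ATR-PRED-2026-004] MiroFish predicted attack pattern detected.
-Category: tool-poisoning, Severity: critical.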
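--- a/package/rules/tool-poisoning/ATR-PRED-2026-024.yaml
+++ b/package/rules/tool-poisoning/ATR-PRED-2026-024.yaml
@@ -1,68 +0,0 @@
-title: "供应链投毒:百万级MCP技能生态的系统性风险"
-id: ATR-PRED-2026-024
-status: draft
-description: >
-MiroFish AI Prediction: 2026年AI代理生态系统的规模化部署带来了前所未有的供应链风险: > \"AI代理在2026年包含了数百万个MCP技能,形成了主要攻击面。\" 供应链攻击的演化趋势显示出高度的复杂性和隐蔽性: > \"ML供应链妥协预计将演化为包括技能注册表投毒。\" > \"预期会向涉及被妥协的合法技能的复杂供应链攻击演化,这意味着与代理工具调用等执行机制的关系。\" 这类攻击的严重程度被评估为**极高**,因为它能够在整个生态系统中造成级联影响。MITRE ATLAS框架将其归类为**AML.T0056 - 技能与供应链妥协**技术。 应对策略需要建立多层次的审计体系: > \"Panguard利用包括
-author: "MiroFish Prediction Engine"
-date: "2026/03/11"
-schema_version: "0.1"
-detection_tier: pattern
-maturity: test
-severity: critical
-
-references:
-mitre_atlas:
-- "AML.T0056"
-mitre_attack:
-- "T0056"
-
-tags:
-category: tool-poisoning
-subcategory: mirofish-predicted
-confidence: medium
-
-agent_source:
-type: mcp_exchange
-framework:
-- any
-provider:
-- any
-
-detection:
-conditions:
-- field: tool_response
-operator: regex
-value: "(?i)AI代理在2026年包含了数百万个MCP技能,形成了主要攻击面。"
-description: "MiroFish predicted pattern 1"
-- field: tool_response
-operator: regex
-value: "(?i)ML供应链妥协预计将演化为包括技能注册表投毒。"
-description: "MiroFish predicted pattern 2"
-- field: tool_response
-operator: regex
-value: "(?i)预期会向涉及被妥协的合法技能的复杂供应链攻击演化,这意味着与代理工具调用等执行机制的关系。"
-description: "MiroFish predicted pattern 3"
-- field: tool_response
-operator: regex
-value: "(?i)Panguard利用包括清单、指令、权限、依赖、代码和AI语义层检查的6层审计系统。"
-description: "MiroFish predicted pattern 4"
-- field: tool_response
-operator: regex
-value: "(?i)审计检查正在被设计来捕获基于观察到的规避尝试的新型规避技术。"
-description: "MiroFish predicted pattern 5"
-
-condition: any
-false_positives:
-- "Legitimate traffic matching predicted pattern"
-
-response:
-actions:
-- block_input
-- quarantine_session
-- alert
-- escalate
-- kill_agent
-auto_response_threshold: critical
-message_template: >
-[ATR-PRED-2026-024] MiroFish predicted attack pattern detected.
-Category: tool-poisoning, Severity: critical.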