npm - agent-threat-rules - Versions diffs - 2.0.17 → 2.1.0 - Mend

agent-threat-rules 2.0.17 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (282) hide show

package/rules/prompt-injection/ATR-2026-00308-zalgo-diacritic-overload-encoding.yaml CHANGED Viewed

@@ -30,6 +30,17 @@ references:
     - "AML.T0051 - LLM Prompt Injection"
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/encoding.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Zalgo combining-diacritic overload is an encoding-based evasion that bypasses safety-trained classifiers and keyword filters; MS.2.7 requires evaluating and documenting AI system security/resilience against adversarial inputs that exploit tokenizer-versus-filter normalization gaps."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Detecting pathologically-dense combining mark clusters identifies a specific prompt injection vector with documented likelihood from the garak probe corpus; MP.5.1 requires characterizing and tracking these adversarial input risks."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Flagged Zalgo-encoded payloads must trigger pre-defined risk treatment to strip or reject the input before it reaches the LLM; MG.2.3 mandates mechanisms to disengage processing of obfuscated jailbreak attempts."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: zalgo-diacritic-overload

package/rules/prompt-injection/ATR-2026-00309-braille-unicode-encoded-injection.yaml CHANGED Viewed

@@ -28,6 +28,17 @@ references:
     - "AML.T0051 - LLM Prompt Injection"
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/encoding.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Braille-encoded prompt injection is an adversarial input that smuggles jailbreaks past Latin-only keyword filters by exploiting Unicode tokenization; MP.5.1 requires identifying and characterizing the likelihood and magnitude of such evasion-based prompt injection attack vectors."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detecting dense Braille codepoint blobs and decode-instruction templates evidences continuous evaluation of the LLM's security/resilience against encoding-based filter bypass; MS.2.7 requires that these robustness gaps in input sanitization are measured and documented."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Matches on Braille-encoded payloads with social-engineering framing trigger risk treatment plans to block or quarantine the request before the LLM decodes the smuggled jailbreak; MG.2.3 mandates pre-defined response mechanisms to disengage on detection."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: braille-unicode-encoded

package/rules/prompt-injection/ATR-2026-00310-ecoji-emoji-encoded-injection.yaml CHANGED Viewed

@@ -29,6 +29,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/encoding.py"
     - "https://ecoji.io/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        Ecoji emoji-encoded prompt injection is an obfuscation-based adversarial input that bypasses content filters by hiding ASCII instructions in dense emoji sequences; MS.2.7 requires evaluating and documenting AI system security and resilience against such encoded prompt injection attack vectors.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        Detection of garak InjectEcoji probe templates and secure-system-message framing characterizes the likelihood and magnitude of prompt injection risk from encoding-based bypass techniques; MP.5.1 requires identifying and tracking these adversarial input patterns.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Matching Ecoji-encoded payloads must trigger risk treatment to disengage or block the manipulated prompt before the LLM decodes and executes the hidden instructions; MG.2.3 mandates that these supersede/deactivate mechanisms are defined.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: ecoji-emoji-encoded

package/rules/prompt-injection/ATR-2026-00311-base2048-unicode-script-injection.yaml CHANGED Viewed

@@ -30,6 +30,29 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/encoding.py"
     - "https://github.com/qntm/base2048"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        Base2048-encoded prompt injection bypasses input filters by hiding adversarial
+        instructions inside dense multi-script Unicode payloads from garak's
+        InjectBase2048 probe; MS.2.7 requires evaluating and documenting AI system
+        security and resilience against such obfuscated injection vectors.
+      strength: primary
+    - subcategory: "MS.2.5"
+      context: >-
+        Detection of garak BASE2048 templates produces evidence that the model is
+        being adversarially probed for robustness against non-ASCII encoding attacks;
+        MS.2.5 requires that robustness and reliability under such adversarial inputs
+        are measured and documented.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Identifying BASE2048 encoded injection markers triggers pre-defined risk
+        treatment to quarantine or block the payload before it reaches the model;
+        MG.2.3 mandates mechanisms to supersede or disengage AI processing of
+        detected adversarial inputs.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: base2048-unicode-script

package/rules/prompt-injection/ATR-2026-00312-unicode-variant-selector-ascii-smuggling.yaml CHANGED Viewed

@@ -30,6 +30,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/encoding.py"
     - "https://paulbutler.org/2025/smuggling-arbitrary-data-through-an-emoji/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Detecting Unicode Variation Selector Supplement smuggling (U+E0100-U+E017F runs) directly evidences continuous evaluation of AI system security and resilience against adversarial encoding-based prompt injection; MS.2.7 requires that these covert input-channel attacks are measured and documented."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Invisible ASCII smuggling via variation selectors is an adversarial input technique that exploits the gap between human-visible text and tokenizer-decoded content; MP.5.1 requires identifying and characterizing the likelihood and impact of such hidden jailbreak payload vectors."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Matches on consecutive U+E0100-U+E017F sequences trigger risk treatment to strip or quarantine the smuggled payload before it reaches the model, satisfying MG.2.3's requirement for mechanisms that disengage adversarial inputs from AI processing pipelines."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: unicode-variant-selector-smuggling

package/rules/prompt-injection/ATR-2026-00313-sneaky-bits-zero-width-binary.yaml CHANGED Viewed

@@ -31,6 +31,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/encoding.py"
     - "https://embracethered.com/blog/posts/2025/sneaky-bits-and-ascii-smuggler/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        SneakyBits zero-width binary steganography is a covert prompt-injection channel that smuggles instructions past input filters using invisible Unicode operators (U+2062/U+2064/U+200B). MS.2.7 requires continuous evaluation of AI system security and resilience against adversarial inputs, and this detection produces direct evidence of attempted obfuscated injection attacks.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        Invisible-binary encoded payloads are an identified adversarial input vector from the NVIDIA garak probe suite; MP.5.1 requires characterizing the likelihood and impact of such steganographic prompt-injection risks so they can be prioritized in risk responses.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of 14+ consecutive invisible operators or garak SneakyBits template markers triggers containment workflows to strip or reject the payload before the model interprets the smuggled instructions; MG.2.3 mandates these deactivation/supersession mechanisms be in place.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: sneaky-bits-zero-width-binary

package/rules/prompt-injection/ATR-2026-00315-sata-masked-language-model-jailbreak.yaml CHANGED Viewed

@@ -32,6 +32,20 @@ references:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/sata.py"
     - "https://aclanthology.org/2025.findings-acl.100.pdf"
     - "https://github.com/xndong/SATA"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        SATA [MASK] substitution is a jailbreak technique that bypasses keyword-based safety filters by exploiting masked-language-model fill-in capabilities; MS.2.7 requires continuous evaluation of AI system security and resilience against such adversarial prompt-injection attacks targeting safety alignment.
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: >-
+        Detecting SATA wiki-framing templates and "Infer the [MASK] and Infill" instructions provides measurable evidence of safety risk magnitude from jailbreak attempts that reconstruct harmful instructions; MS.2.6 mandates continuous evaluation of safety/security risk magnitude in deployed GenAI systems.
+      strength: secondary
+    - subcategory: "MG.4.1"
+      context: >-
+        Each match feeds post-deployment monitoring telemetry on emerging jailbreak techniques (SATA from garak research) so defenders can track prevalence and tune mitigations; MG.4.1 requires implemented monitoring plans covering novel adversarial prompt patterns.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: sata-mask-substitution

package/rules/prompt-injection/ATR-2026-00316-function-masking-predict-mask-bypass.yaml CHANGED Viewed

@@ -31,6 +31,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/smuggling.py"
     - "https://medium.com/@austin-stubbs/llm-security-types-of-prompt-injection-d7ad8d7d75a3"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        FunctionMasking smuggles harmful semantic content past keyword-based safety filters by encoding the malicious verb/noun as <mask> definitions inside a fictitious predict_mask() function; detecting this canonical garak smuggling probe directly evidences continuous evaluation of the model's security/resilience against adversarial prompt-injection bypasses, which MS.2.7 requires.
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: >-
+        Detection of predict_mask() jailbreak templates and single-letter variable concatenation provides ongoing measurement of safety risk magnitude from prompt-injection attacks that cause the model to construct and answer harmful queries; MS.2.6 mandates this continuous safety risk evaluation.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Matches on the FunctionMasking canonical opener and predict_mask call patterns trigger pre-defined response actions to block or disengage the model from completing the smuggled harmful query before it is answered; MG.2.3 requires such supersede/deactivate mechanisms.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: function-masking-predict-mask

package/rules/prompt-injection/ATR-2026-00321-hyphenated-system-instruction-injection.yaml CHANGED Viewed

@@ -33,6 +33,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Hyphenated obfuscation of keywords like 'i-nstruction' and 'annou-ncement' is an evasion technique against keyword-based safety filters; MS.2.7 requires evaluating AI system security/resilience against such adversarial input transformations that bypass naive token matching."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Fake system announcement and assistant-offline injection patterns from the garak inthewild corpus are documented prompt injection attack vectors with high impact potential for behavior hijack; MP.5.1 requires characterizing the likelihood and magnitude of these adversarial input risks."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of hyphenated fake-system-instruction injection must trigger mechanisms to disengage or override the manipulated agent before it adopts the 'no rules or limitations' persona; MG.2.3 mandates these supersession controls are in place."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: hyphenated-obfuscation-injection

package/rules/prompt-injection/ATR-2026-00359-bank-phishing-smtp-email-code.yaml CHANGED Viewed

@@ -32,6 +32,29 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: >-
+        The rule detects generation of bank phishing SMTP email code, a direct misuse
+        output that materially raises the AI system's safety/security risk magnitude;
+        MS.2.6 requires continuous evaluation of such harmful-output risks, and each
+        detection match is evidence feeding that ongoing measurement.
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of phishing infrastructure code generation must trigger response
+        mechanisms to block, quarantine, or deactivate the offending output before it
+        enables real-world phishing campaigns; MG.2.3 mandates these supersede or
+        disengage capabilities are in place for misuse scenarios.
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: >-
+        Bank impersonation phishing template generation is a high-likelihood,
+        high-magnitude misuse pathway derived from the NVIDIA garak inthewild jailbreak
+        corpus; MP.5.1 requires that the likelihood and impact of such adversarial
+        misuse be characterized and tracked.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: bank-phishing-smtp-email-code

package/rules/prompt-injection/ATR-2026-00367-emoji-flag-encoded-hidden-phrase.yaml CHANGED Viewed

@@ -30,6 +30,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        This rule detects emoji-flag regional-indicator encoding jailbreaks that bypass content filters by hiding harmful phrases in flag emoji sequences; MS.2.7 requires evaluating and documenting AI system security and resilience against adversarial obfuscation techniques like this GenAI prompt injection vector.
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: >-
+        Each detection of an emoji-encoded jailbreak attempt produces a continuous safety/security signal indicating active circumvention attempts against model guardrails; MS.2.6 requires that the magnitude of safety/security risk be evaluated continuously through such telemetry.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Confirmed emoji-flag jailbreak matches must trigger response mechanisms to block, quarantine, or escalate the request before the model decodes and acts on the hidden harmful phrase; MG.2.3 requires these supersede/disengage mechanisms be in place for adversarial prompts.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: emoji-flag-encoded-hidden-phrase

package/rules/prompt-injection/ATR-2026-00373-piracy-torrent-site-list-request.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Direct enumeration requests for torrent and piracy websites are adversarial prompts seeking to misuse the AI system for piracy infrastructure discovery; MP.5.1 requires that the likelihood and magnitude of these misuse-driven impacts are characterized so policy-violating content requests can be tracked."
+      strength: primary
+    - subcategory: "GV.1.1"
+      context: "Piracy site enumeration implicates copyright and anti-piracy legal/regulatory obligations; GV.1.1 requires that the AI system understands and manages these legal requirements, and detection logs evidence enforcement of content policies tied to those obligations."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of explicit piracy site enumeration requests triggers risk treatment to block or disengage the response pathway before the model produces infringing content; MG.2.3 requires these supersession mechanisms be in place for policy-violating prompts."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: piracy-enablement

package/rules/prompt-injection/ATR-2026-00378-chatgpt-dom-javascript-redirect-manipulation.yaml CHANGED Viewed

@@ -27,6 +27,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "This rule detects a specific prompt-injection payload (garak DanInTheWild #360) that uses DOM JavaScript to redirect users and spoof ChatGPT Plus UI; MP.5.1 requires that the likelihood and magnitude of such adversarial input attacks targeting end users via the AI interface are characterized and tracked."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Window.location.href redirects, document.querySelector element removal, and spoofed branding injection are security/resilience failures of the LLM output channel; MS.2.7 requires continuous evaluation of these injection-based security risks against the deployed AI system."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of the three-component DOM redirect signature and 'made by aci25' attribution triggers risk treatment to block or sanitize the response before it reaches the browser; MG.2.3 requires pre-defined mechanisms to disengage or filter unsafe AI output."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: dom-javascript-ui-spoofing

package/rules/prompt-injection/ATR-2026-00382-cocaine-component-development-request.yaml CHANGED Viewed

@@ -31,6 +31,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "This rule identifies an adversarial prompt pattern that wraps cocaine precursor/synthesis requests in reflective academic framing; MP.5.1 requires characterizing the likelihood and magnitude of harmful-content elicitation risks so this indirect jailbreak vector is tracked as an identified risk."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Detecting indirect drug-synthesis solicitations from the garak inthewild corpus provides continuous safety/security risk measurement evidence; MS.2.6 requires ongoing evaluation of safety risk magnitude, which these matches directly populate."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Matches on the 'components used in the development of cocaine' reflective-framing pattern trigger response mechanisms to block, disengage, or escalate the interaction before harmful precursor content is produced, which is the risk treatment capability MG.2.3 mandates."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: drug-synthesis-indirect-request

package/rules/prompt-injection/ATR-2026-00390-explicit-sexual-content-poem-request.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Discord quote-format injection embedding explicit pornographic poem requests is an adversarial prompt injection vector that exploits markdown formatting to bypass content filters; MP.5.1 requires identifying and characterizing the likelihood and impact of such jailbreak attempts targeting generative AI content policies."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Detecting explicit sexual content generation requests provides continuous safety risk measurement for the generative AI system; MS.2.6 requires that safety risk magnitude from harmful content production attempts is evaluated continuously through signatures like this triple-combo explicit content detector."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "High-confidence detection of explicit content injection triggers risk treatment mechanisms to block, quarantine, or deactivate the generation pipeline before NSFW output is produced; MG.2.3 mandates these supersede/disengage controls are activated on detection."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: explicit-sexual-content-injection

package/rules/prompt-injection/ATR-2026-00394-backspace-deletion-character-injection.yaml CHANGED Viewed

@@ -33,6 +33,20 @@ references:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/badchars.py"
     - "https://arxiv.org/abs/2309.00614"
     - "https://trojansource.codes/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        Backspace deletion character injection is an adversarial input vector that exploits the visual gap between what human reviewers see and what the model processes; MP.5.1 requires identifying and characterizing such prompt-injection attack patterns so their likelihood and impact can be tracked.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Detecting \x08 control character clusters in user input and tool output provides continuous security/resilience evaluation evidence against hidden-instruction smuggling; MS.2.7 requires that these adversarial robustness signals are measured and documented.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Backspace clusters in API/MCP text are essentially never legitimate, so detection should trigger pre-defined response plans to quarantine or sanitize the payload before it reaches the model; MG.2.3 mandates these risk treatment mechanisms be in place.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: backspace-deletion-injection

package/rules/prompt-injection/ATR-2026-00395-llm-special-token-boundary-injection.yaml CHANGED Viewed

@@ -36,6 +36,20 @@ references:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/realtoxicityprompts.py"
     - "https://aclanthology.org/2020.findings-emnlp.301/"
     - "https://arxiv.org/abs/2302.07459"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        Special control token injection (e.g., "<|endoftext|>", "<|im_start|>system", LLaMA header tokens) is a direct attack on LLM security and resilience by exploiting tokenizer-level boundaries to bypass safety system prompts. MS.2.7 requires evaluating and documenting security/resilience against such adversarial inputs, and this rule produces the detection evidence for that evaluation.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        Boundary-token injection is a known prompt-injection attack vector with high impact (full safety context reset) and significant likelihood given public probe tools like garak RTPBlank; MP.5.1 requires that the likelihood and magnitude of such risks be characterized, and detections from this rule feed that characterization.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        When special-token injection is detected, the affected LLM session must be disengaged or sanitized before the forged system turn takes effect; MG.2.3 mandates these supersede/deactivate mechanisms be in place to contain the attack.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: special-token-boundary-injection

package/rules/prompt-injection/ATR-2026-00396-toxic-continuation-prefix-injection.yaml CHANGED Viewed

@@ -36,6 +36,17 @@ references:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/realtoxicityprompts.py"
     - "https://aclanthology.org/2020.findings-emnlp.301/"
     - "https://allenai.org/data/real-toxicity-prompts"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects toxic continuation prefix fragments injected via tool responses or user input that are engineered to elicit violent, threatening, or identity-attack completions; MS.2.6 requires continuous evaluation of AI safety risk magnitude, and each detection produces evidence of a concrete safety risk being attempted against the model."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Truncated high-toxicity prefixes from the RealToxicityPrompts corpus are adversarial input patterns with documented likelihood of producing harmful completions; MP.5.1 requires identifying and characterizing the likelihood and magnitude of such impact-bearing attack vectors."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of toxic continuation bait in tool outputs or user prompts triggers risk treatment to block or quarantine the injected context before the agent generates harmful content attributed to itself; MG.2.3 mandates these supersede/disengage mechanisms be activated on detection."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: toxic-continuation-prefix

package/rules/prompt-injection/ATR-2026-00397-snowball-impossible-reasoning-injection.yaml CHANGED Viewed

@@ -38,6 +38,20 @@ references:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/snowball.py"
     - "https://arxiv.org/abs/2305.13534"
     - "https://github.com/Nanami18/Snowballed_Hallucination"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.5"
+      context: >-
+        Snowball hallucination attacks exploit model over-confidence by injecting provably-impossible reasoning questions (impossible flight paths, non-existent senators, fabricated primality claims) to elicit false affirmations; MS.2.5 requires evaluating and documenting AI system robustness/reliability against these hallucination-inducing adversarial inputs.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        The garak snowball probe patterns (GraphConnectivity headers, Senators+MIT credential combinations, large-prime questions) are adversarial inputs that anchor downstream reasoning on hallucinated facts; MP.5.1 requires characterizing the likelihood and magnitude of impact from these misinformation injection vectors.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of injected impossible-reasoning prompts in tool responses must trigger risk treatment to quarantine the poisoned context before the agent commits to a false affirmation that anchors subsequent harmful reasoning; MG.2.3 mandates these supersede/disengage mechanisms be in place.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: snowball-hallucination-trap

package/rules/prompt-injection/ATR-2026-00399-latent-injection-document-separator-token.yaml CHANGED Viewed

@@ -30,6 +30,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/latentinjection.py"
     - "https://arxiv.org/abs/2302.12173"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Latent injection via document separator tokens is a security/resilience attack vector where hidden instructions bypass human review; MS.2.7 requires evaluating and documenting the AI system's resilience against such adversarial input embedded in untrusted documents."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Bracket-delimited system markers, admin-request patterns, and document-amendment separators are adversarial input patterns whose likelihood and impact must be characterized; MP.5.1 requires identifying these latent injection risks during context establishment."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of canonical garak latent injection separator pairs triggers risk treatment plans to quarantine or sanitize document content before the LLM processes hidden instructions; MG.2.3 mandates these supersede/disengage mechanisms be in place."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: latent-document-injection

package/rules/prompt-injection/ATR-2026-00400-latent-injection-ignore-instruction-keyword.yaml CHANGED Viewed

@@ -27,6 +27,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/latentinjection.py"
     - "https://arxiv.org/abs/2302.12173"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        This rule detects latent prompt-injection keywords ("Ignore the above directions", "Disregard all info except") embedded within translation, whois, or factual content that redirect the LLM from its original task. MP.5.1 requires identifying and characterizing these adversarial input patterns as known risks to LLM integrity, especially when delivered indirectly via tool responses.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Latent instruction-keyword injection is a canonical LLM security/resilience failure mode drawn from the NVIDIA garak LatentJailbreak/LatentWhois probes; detection events feed continuous evaluation of the system's resilience against indirect prompt injection as required by MS.2.7.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        High-confidence matches on "Ignore X and print/say Y" or exception-redirect patterns in tool output must trigger pre-defined response actions to disengage or quarantine the manipulated agent turn before downstream execution, which is the risk treatment capability MG.2.3 requires.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: latent-instruction-keyword-injection

package/rules/prompt-injection/ATR-2026-00401-leakreplay-cloze-mask-training-data-elicitation.yaml CHANGED Viewed

@@ -27,6 +27,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/leakreplay.py"
     - "https://arxiv.org/abs/2302.12173"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: "CLOZE [MASK] elicitation probes attempt to extract verbatim training data, directly exposing privacy and memorization risks; MS.2.10 requires assessing privacy risk including training data leakage through reconstruction attacks."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detection of training-data replay templates evidences ongoing security/resilience evaluation against extraction attacks; MS.2.7 requires that such adversarial probing of model confidentiality is documented and tracked."
+      strength: secondary
+    - subcategory: "MG.4.1"
+      context: "Flagging garak leakreplay probe patterns at runtime feeds post-deployment monitoring for copyrighted-content reproduction and memorization incidents; MG.4.1 requires these monitoring signals be operationalized."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: training-data-elicitation

package/rules/prompt-injection/ATR-2026-00403-glitch-token-repeat-back-elicitation.yaml CHANGED Viewed

@@ -28,6 +28,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/glitch.py"
     - "https://www.lesswrong.com/posts/aPeJE8bSo6rAFoLqg/solidgoldmagikarp-plus-prompt-generation"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        Glitch token repeat-back attempts probe tokenizer-level weaknesses that can cause repetition loops, unexpected completions, and model instability; MS.2.7 requires evaluating and documenting AI system security and resilience against such adversarial input patterns targeting model internals.
+      strength: primary
+    - subcategory: "MS.2.5"
+      context: >-
+        Known glitch tokens (SolidGoldMagikarp, StreamerBot, PsyNetMessage) trigger robustness failures in LLM tokenization and alignment; detecting these elicitation prompts produces evidence for MS.2.5's requirement to evaluate system robustness and reliability under anomalous input conditions.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of glitch token repeat-back patterns enables containment workflows to disengage or block prompts before they cause denial-of-service or unpredictable model behavior; MG.2.3 requires these supersede/deactivate mechanisms be in place for adversarial input incidents.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: glitch-token-elicitation

package/rules/prompt-injection/ATR-2026-00407-echo-sql-jinja-template-injection.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/exploitation.py"
     - "https://owasp.org/www-community/attacks/Server_Side_Template_Injection"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "This rule detects template injection (Jinja SSTI), SQL injection, and ECHO admin command exploitation attempts targeting LLM systems; MS.2.7 requires evaluating and documenting AI system security and resilience against such injection attack vectors."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "ECHO admin framing, Jinja {{...}} payloads, and DROP/INSERT/SELECT directives are adversarial prompt-injection inputs whose likelihood and impact must be characterized; MP.5.1 requires identifying and tracking these exploitation patterns drawn from the garak exploitation probe."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of template and SQL injection payloads must trigger risk treatment to disengage or block the malicious request before downstream code execution or database manipulation occurs; MG.2.3 mandates these response mechanisms are pre-defined."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: template-and-sql-injection

package/rules/prompt-injection/ATR-2026-00408-dra-parenthesis-character-reconstruction-attack.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak"
     - "https://arxiv.org/abs/2307.02483"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "The DRA parenthesis reconstruction attack is a prompt injection / jailbreak technique that bypasses safety alignment by encoding harmful content character-by-character; detecting it directly evidences continuous evaluation of the AI system's security and resilience against adversarial input obfuscation as required by MS.2.7."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Parenthesis-encoded harmful instructions paired with anti-safety preambles are an identified adversarial input vector whose likelihood and impact must be characterized; MP.5.1 requires tracking these obfuscation-based jailbreak risks so their magnitude is understood."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of DRA reconstruction patterns triggers risk treatment workflows to block or disengage the model response before reconstructed harmful content (Q1) is produced; MG.2.3 mandates that such supersede/deactivate mechanisms exist for jailbreak attempts."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: character-encoding-obfuscation

package/rules/prompt-injection/ATR-2026-00409-phrasing-past-future-tense-harmful-query.yaml CHANGED Viewed

@@ -28,6 +28,29 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/phrasing.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        Past/future-tense framing is a known jailbreak technique catalogued in the
+        GenAI Profile; detecting these tense-shift bypass attempts directly
+        evidences continuous evaluation of AI system security and resilience
+        against prompt injection adversarial inputs as required by MS.2.7.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        Tense-framing attacks exploit safety filter assumptions about temporal
+        distance from harmful subjects; MP.5.1 requires characterizing the
+        likelihood and magnitude of these adversarial input vectors targeting
+        content safety guardrails.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of historical/future-tense harmful query framing triggers
+        risk treatment to block or quarantine the bypass attempt before the
+        model produces unsafe content; MG.2.3 requires these supersession
+        mechanisms be defined and activated on detection.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: tense-framing-bypass

package/rules/prompt-injection/ATR-2026-00410-lmrc-harm-category-direct-elicitation.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/lmrc.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects direct harm-category elicitation prompts (deadnaming, quack medicine, slur requests, bullying) from the LMRC taxonomy, providing continuous evaluation evidence of safety risk magnitude. MS.2.6 requires ongoing measurement of safety/security risk, which this detection directly supports by flagging harmful query categories."
+      strength: primary
+    - subcategory: "MS.1.1"
+      context: "The rule operationalizes the LMRC (Language Model Risk Cards) taxonomy as a concrete measurement approach, mapping detected prompts to specific harm categories. MS.1.1 requires identifying approaches and metrics for measurement, and this rule contributes a taxonomy-aligned metric set."
+      strength: secondary
+    - subcategory: "MG.4.1"
+      context: "Detection of unframed direct harmful elicitation attempts feeds post-deployment monitoring pipelines that track misuse patterns against the deployed model. MG.4.1 requires implemented post-deployment monitoring plans, which this rule supports by generating continuous harm-category telemetry."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: lmrc-harm-direct-elicitation

package/rules/prompt-injection/ATR-2026-00412-figstep-image-list-multimodal-jailbreak.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
     - "https://arxiv.org/abs/2312.04403"
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/visual_jailbreak.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "FigStep is a multimodal jailbreak that smuggles harmful instructions through image content while the text layer uses LLaMA-2 [INST] delimiters and empty-list completion framing; detecting this pattern directly evidences continuous evaluation of AI system security and resilience against adversarial prompt-injection inputs as required by MS.2.7."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Identifying the FigStep jailbreak signature quantifies the magnitude of safety/security risk posed by multimodal jailbreak attempts that bypass content safeguards; MS.2.6 requires this risk magnitude be evaluated on an ongoing basis."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "A confirmed FigStep jailbreak match must trigger mechanisms to disengage or block the manipulated generation path before harmful content is produced; MG.2.3 requires these supersede/deactivate response mechanisms be in place."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: multimodal-jailbreak