npm - agent-threat-rules - Versions diffs - 2.0.18 → 2.1.0 - Mend

agent-threat-rules 2.0.18 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (263) hide show

package/rules/prompt-injection/ATR-2026-00278-dra-disguise-reconstruction-attack.yaml CHANGED Viewed

@@ -27,6 +27,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dra.py"
     - "https://arxiv.org/abs/2402.17463"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        DRA disguise-and-reconstruction attacks are a known prompt-injection jailbreak technique that bypasses safety alignment via steganographic instruction hiding; MS.2.7 requires that AI system security and resilience against such adversarial inputs be evaluated and documented, and each detection produces evidence of attempted security bypass.
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: >-
+        By detecting DRA templates that coerce the model into producing harmful 600+ word responses with forced compliance openings, this rule continuously measures the magnitude of safety risk from jailbreak attempts as required by MS.2.6.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Matches on DRA parenthesis-extraction and Q1 reconstruction patterns trigger risk treatment workflows to disengage or block the model response before harmful content is generated; MG.2.3 requires these supersession mechanisms be defined and activated on detection.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: dra-disguise-reconstruction

package/rules/prompt-injection/ATR-2026-00280-policy-puppetry-xml-injection.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/doctor.py"
     - "https://hiddenlayer.com/innovation-hub/novel-universal-bypass-for-all-major-llms/"
     - "https://cwe.mitre.org/data/definitions/1427.html"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Policy Puppetry forges XML configuration blocks in user input to override the agent's role and suppress refusal behavior; MP.5.1 requires identifying and characterizing the likelihood and impact of such adversarial prompt-injection vectors that exploit model treatment of structured content as authoritative."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detection of forged <interaction-config> blocks, blocked-string suppression, and role-reassignment elements provides continuous evidence for evaluating the security and resilience of the LLM against model-agnostic, transferable jailbreak techniques as required by MS.2.7."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "High-confidence matches on Policy Puppetry payloads must trigger pre-defined risk treatment to disengage or block the manipulated session before the agent delivers harmful content under the forged role; MG.2.3 mandates these supersede/deactivate mechanisms."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: policy-puppetry-xml-config

package/rules/prompt-injection/ATR-2026-00282-perez-prompt-injection-hijack.yaml CHANGED Viewed

@@ -28,6 +28,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/promptinject.py"
     - "https://openreview.net/forum?id=qiaRo_7Zmug"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        This rule detects Perez-style direct prompt injection variants (ignore-say, ignore-print, nevermind, screaming-stop, delimiter-escape) that are well-characterized adversarial inputs from the PromptInject taxonomy; MP.5.1 requires that the likelihood and magnitude of these documented GenAI injection risks are characterized and tracked at runtime.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Systematic coverage of the Perez et al. injection taxonomy provides continuous security/resilience evaluation evidence for the LLM against a known adversarial benchmark; MS.2.7 requires that AI system security and resilience be evaluated and documented against such attack suites.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detected goal-hijacking imperatives and delimiter-escape overrides must trigger pre-defined risk treatment to disengage or suppress the hijacked response before it executes attacker-controlled instructions; MG.2.3 mandates these supersede/deactivate mechanisms.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: perez-direct-prompt-injection

package/rules/prompt-injection/ATR-2026-00285-alternate-encoding-jailbreak.yaml CHANGED Viewed

@@ -32,6 +32,17 @@ references:
     - "AML.T0051 - LLM Prompt Injection"
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/encoding.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "This rule detects alternate-encoding jailbreak attempts (Morse, NATO, Zalgo, Leet, UU, Braille, Ascii85, Base2048) used to smuggle harmful payloads past content filters; MS.2.7 requires continuous evaluation of AI system security and resilience against adversarial obfuscation techniques targeting safety guardrails."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Encoding-based jailbreaks are adversarial inputs whose likelihood and impact must be characterized as part of GenAI prompt-injection risk; MP.5.1 requires that these obfuscated attack vectors are identified and tracked alongside plaintext jailbreak variants."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of decode-then-execute instructions enables risk treatment workflows to block or quarantine the prompt before the model acts on the decoded payload; MG.2.3 requires that such supersede/disengage mechanisms are pre-defined for jailbreak attempts."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: alternate-encoding-jailbreak

package/rules/prompt-injection/ATR-2026-00286-latent-injection-embedded-context.yaml CHANGED Viewed

@@ -34,6 +34,17 @@ references:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/latentinjection.py"
     - "https://kai-greshake.de/posts/inject-my-pdf/"
     - "https://arxiv.org/abs/2302.12173"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "This rule detects latent prompt injection payloads hidden inside documents (reports, resumes, legal text, Whois output) that hijack the agent when it processes the content; MS.2.7 requires continuous evaluation of AI system security and resilience against adversarial inputs like indirect prompt injection."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Hidden override instructions embedded in HTML comments, code comments, or document bodies are adversarial inputs whose likelihood and impact must be characterized; MP.5.1 requires identifying and tracking these indirect injection vectors that exploit document-processing workflows."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of latent injection patterns in documents triggers risk treatment plans to disengage or block agent execution before the hidden instruction hijacks the original task; MG.2.3 mandates these mechanisms exist for adversarial content."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: latent-injection-embedded-context

package/rules/prompt-injection/ATR-2026-00296-shell-command-injection.yaml CHANGED Viewed

@@ -28,6 +28,17 @@ references:
     - "AML.T0051 - LLM Prompt Injection"
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/payloads/access_shell_commands.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Shell command injection via LLM prompts targets the security and resilience of AI systems that pass user input to underlying shells or interpreters; MS.2.7 requires evaluating and documenting security/resilience against such OS-level command execution attack vectors."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Bash command substitution, Perl array interpolation, backtick execution, and Ruby system calls represent identified adversarial input patterns whose likelihood and impact (arbitrary OS command execution, file system manipulation) must be characterized per MP.5.1."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of shell injection payloads must trigger pre-defined risk treatment to disengage or block the agent before injected commands reach the underlying interpreter; MG.2.3 requires these supersede/deactivate mechanisms be in place."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: shell-command-injection

package/rules/prompt-injection/ATR-2026-00297-python-code-execution-rce.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
     - "AML.T0040 - ML Model Inference API Access"
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/payloads/python_code_execution.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Detection of Python RCE payloads (__import__('os').system, subprocess shell=True, eval(compile(...)), reverse shell sockets) directly evaluates the security and resilience of LLM agents with code execution tools; MS.2.7 requires that such security risks are continuously evaluated and documented."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "Identifying prompt-injected Python RCE patterns triggers mechanisms to disengage or block code execution before sandbox escape or system compromise occurs; MG.2.3 mandates that these deactivation responses are pre-defined and activated on detection."
+      strength: secondary
+    - subcategory: "MS.2.6"
+      context: "Sandbox-escape via __class__.__mro__ introspection and reverse shell payloads represent high-magnitude safety/security risks that must be continuously measured; MS.2.6 requires ongoing evaluation of safety/security risk magnitude in deployed AI systems."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: python-rce

package/rules/prompt-injection/ATR-2026-00308-zalgo-diacritic-overload-encoding.yaml CHANGED Viewed

@@ -30,6 +30,17 @@ references:
     - "AML.T0051 - LLM Prompt Injection"
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/encoding.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Zalgo combining-diacritic overload is an encoding-based evasion that bypasses safety-trained classifiers and keyword filters; MS.2.7 requires evaluating and documenting AI system security/resilience against adversarial inputs that exploit tokenizer-versus-filter normalization gaps."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Detecting pathologically-dense combining mark clusters identifies a specific prompt injection vector with documented likelihood from the garak probe corpus; MP.5.1 requires characterizing and tracking these adversarial input risks."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Flagged Zalgo-encoded payloads must trigger pre-defined risk treatment to strip or reject the input before it reaches the LLM; MG.2.3 mandates mechanisms to disengage processing of obfuscated jailbreak attempts."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: zalgo-diacritic-overload

package/rules/prompt-injection/ATR-2026-00309-braille-unicode-encoded-injection.yaml CHANGED Viewed

@@ -28,6 +28,17 @@ references:
     - "AML.T0051 - LLM Prompt Injection"
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/encoding.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Braille-encoded prompt injection is an adversarial input that smuggles jailbreaks past Latin-only keyword filters by exploiting Unicode tokenization; MP.5.1 requires identifying and characterizing the likelihood and magnitude of such evasion-based prompt injection attack vectors."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detecting dense Braille codepoint blobs and decode-instruction templates evidences continuous evaluation of the LLM's security/resilience against encoding-based filter bypass; MS.2.7 requires that these robustness gaps in input sanitization are measured and documented."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Matches on Braille-encoded payloads with social-engineering framing trigger risk treatment plans to block or quarantine the request before the LLM decodes the smuggled jailbreak; MG.2.3 mandates pre-defined response mechanisms to disengage on detection."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: braille-unicode-encoded

package/rules/prompt-injection/ATR-2026-00310-ecoji-emoji-encoded-injection.yaml CHANGED Viewed

@@ -29,6 +29,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/encoding.py"
     - "https://ecoji.io/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        Ecoji emoji-encoded prompt injection is an obfuscation-based adversarial input that bypasses content filters by hiding ASCII instructions in dense emoji sequences; MS.2.7 requires evaluating and documenting AI system security and resilience against such encoded prompt injection attack vectors.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        Detection of garak InjectEcoji probe templates and secure-system-message framing characterizes the likelihood and magnitude of prompt injection risk from encoding-based bypass techniques; MP.5.1 requires identifying and tracking these adversarial input patterns.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Matching Ecoji-encoded payloads must trigger risk treatment to disengage or block the manipulated prompt before the LLM decodes and executes the hidden instructions; MG.2.3 mandates that these supersede/deactivate mechanisms are defined.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: ecoji-emoji-encoded

package/rules/prompt-injection/ATR-2026-00311-base2048-unicode-script-injection.yaml CHANGED Viewed

@@ -30,6 +30,29 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/encoding.py"
     - "https://github.com/qntm/base2048"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        Base2048-encoded prompt injection bypasses input filters by hiding adversarial
+        instructions inside dense multi-script Unicode payloads from garak's
+        InjectBase2048 probe; MS.2.7 requires evaluating and documenting AI system
+        security and resilience against such obfuscated injection vectors.
+      strength: primary
+    - subcategory: "MS.2.5"
+      context: >-
+        Detection of garak BASE2048 templates produces evidence that the model is
+        being adversarially probed for robustness against non-ASCII encoding attacks;
+        MS.2.5 requires that robustness and reliability under such adversarial inputs
+        are measured and documented.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Identifying BASE2048 encoded injection markers triggers pre-defined risk
+        treatment to quarantine or block the payload before it reaches the model;
+        MG.2.3 mandates mechanisms to supersede or disengage AI processing of
+        detected adversarial inputs.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: base2048-unicode-script

package/rules/prompt-injection/ATR-2026-00312-unicode-variant-selector-ascii-smuggling.yaml CHANGED Viewed

@@ -30,6 +30,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/encoding.py"
     - "https://paulbutler.org/2025/smuggling-arbitrary-data-through-an-emoji/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Detecting Unicode Variation Selector Supplement smuggling (U+E0100-U+E017F runs) directly evidences continuous evaluation of AI system security and resilience against adversarial encoding-based prompt injection; MS.2.7 requires that these covert input-channel attacks are measured and documented."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Invisible ASCII smuggling via variation selectors is an adversarial input technique that exploits the gap between human-visible text and tokenizer-decoded content; MP.5.1 requires identifying and characterizing the likelihood and impact of such hidden jailbreak payload vectors."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Matches on consecutive U+E0100-U+E017F sequences trigger risk treatment to strip or quarantine the smuggled payload before it reaches the model, satisfying MG.2.3's requirement for mechanisms that disengage adversarial inputs from AI processing pipelines."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: unicode-variant-selector-smuggling

package/rules/prompt-injection/ATR-2026-00313-sneaky-bits-zero-width-binary.yaml CHANGED Viewed

@@ -31,6 +31,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/encoding.py"
     - "https://embracethered.com/blog/posts/2025/sneaky-bits-and-ascii-smuggler/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        SneakyBits zero-width binary steganography is a covert prompt-injection channel that smuggles instructions past input filters using invisible Unicode operators (U+2062/U+2064/U+200B). MS.2.7 requires continuous evaluation of AI system security and resilience against adversarial inputs, and this detection produces direct evidence of attempted obfuscated injection attacks.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        Invisible-binary encoded payloads are an identified adversarial input vector from the NVIDIA garak probe suite; MP.5.1 requires characterizing the likelihood and impact of such steganographic prompt-injection risks so they can be prioritized in risk responses.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of 14+ consecutive invisible operators or garak SneakyBits template markers triggers containment workflows to strip or reject the payload before the model interprets the smuggled instructions; MG.2.3 mandates these deactivation/supersession mechanisms be in place.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: sneaky-bits-zero-width-binary

package/rules/prompt-injection/ATR-2026-00315-sata-masked-language-model-jailbreak.yaml CHANGED Viewed

@@ -32,6 +32,20 @@ references:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/sata.py"
     - "https://aclanthology.org/2025.findings-acl.100.pdf"
     - "https://github.com/xndong/SATA"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        SATA [MASK] substitution is a jailbreak technique that bypasses keyword-based safety filters by exploiting masked-language-model fill-in capabilities; MS.2.7 requires continuous evaluation of AI system security and resilience against such adversarial prompt-injection attacks targeting safety alignment.
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: >-
+        Detecting SATA wiki-framing templates and "Infer the [MASK] and Infill" instructions provides measurable evidence of safety risk magnitude from jailbreak attempts that reconstruct harmful instructions; MS.2.6 mandates continuous evaluation of safety/security risk magnitude in deployed GenAI systems.
+      strength: secondary
+    - subcategory: "MG.4.1"
+      context: >-
+        Each match feeds post-deployment monitoring telemetry on emerging jailbreak techniques (SATA from garak research) so defenders can track prevalence and tune mitigations; MG.4.1 requires implemented monitoring plans covering novel adversarial prompt patterns.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: sata-mask-substitution

package/rules/prompt-injection/ATR-2026-00316-function-masking-predict-mask-bypass.yaml CHANGED Viewed

@@ -31,6 +31,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/smuggling.py"
     - "https://medium.com/@austin-stubbs/llm-security-types-of-prompt-injection-d7ad8d7d75a3"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        FunctionMasking smuggles harmful semantic content past keyword-based safety filters by encoding the malicious verb/noun as <mask> definitions inside a fictitious predict_mask() function; detecting this canonical garak smuggling probe directly evidences continuous evaluation of the model's security/resilience against adversarial prompt-injection bypasses, which MS.2.7 requires.
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: >-
+        Detection of predict_mask() jailbreak templates and single-letter variable concatenation provides ongoing measurement of safety risk magnitude from prompt-injection attacks that cause the model to construct and answer harmful queries; MS.2.6 mandates this continuous safety risk evaluation.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Matches on the FunctionMasking canonical opener and predict_mask call patterns trigger pre-defined response actions to block or disengage the model from completing the smuggled harmful query before it is answered; MG.2.3 requires such supersede/deactivate mechanisms.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: function-masking-predict-mask

package/rules/prompt-injection/ATR-2026-00321-hyphenated-system-instruction-injection.yaml CHANGED Viewed

@@ -33,6 +33,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Hyphenated obfuscation of keywords like 'i-nstruction' and 'annou-ncement' is an evasion technique against keyword-based safety filters; MS.2.7 requires evaluating AI system security/resilience against such adversarial input transformations that bypass naive token matching."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Fake system announcement and assistant-offline injection patterns from the garak inthewild corpus are documented prompt injection attack vectors with high impact potential for behavior hijack; MP.5.1 requires characterizing the likelihood and magnitude of these adversarial input risks."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of hyphenated fake-system-instruction injection must trigger mechanisms to disengage or override the manipulated agent before it adopts the 'no rules or limitations' persona; MG.2.3 mandates these supersession controls are in place."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: hyphenated-obfuscation-injection

package/rules/prompt-injection/ATR-2026-00359-bank-phishing-smtp-email-code.yaml CHANGED Viewed

@@ -32,6 +32,29 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: >-
+        The rule detects generation of bank phishing SMTP email code, a direct misuse
+        output that materially raises the AI system's safety/security risk magnitude;
+        MS.2.6 requires continuous evaluation of such harmful-output risks, and each
+        detection match is evidence feeding that ongoing measurement.
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of phishing infrastructure code generation must trigger response
+        mechanisms to block, quarantine, or deactivate the offending output before it
+        enables real-world phishing campaigns; MG.2.3 mandates these supersede or
+        disengage capabilities are in place for misuse scenarios.
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: >-
+        Bank impersonation phishing template generation is a high-likelihood,
+        high-magnitude misuse pathway derived from the NVIDIA garak inthewild jailbreak
+        corpus; MP.5.1 requires that the likelihood and impact of such adversarial
+        misuse be characterized and tracked.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: bank-phishing-smtp-email-code

package/rules/prompt-injection/ATR-2026-00367-emoji-flag-encoded-hidden-phrase.yaml CHANGED Viewed

@@ -30,6 +30,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        This rule detects emoji-flag regional-indicator encoding jailbreaks that bypass content filters by hiding harmful phrases in flag emoji sequences; MS.2.7 requires evaluating and documenting AI system security and resilience against adversarial obfuscation techniques like this GenAI prompt injection vector.
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: >-
+        Each detection of an emoji-encoded jailbreak attempt produces a continuous safety/security signal indicating active circumvention attempts against model guardrails; MS.2.6 requires that the magnitude of safety/security risk be evaluated continuously through such telemetry.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Confirmed emoji-flag jailbreak matches must trigger response mechanisms to block, quarantine, or escalate the request before the model decodes and acts on the hidden harmful phrase; MG.2.3 requires these supersede/disengage mechanisms be in place for adversarial prompts.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: emoji-flag-encoded-hidden-phrase

package/rules/prompt-injection/ATR-2026-00373-piracy-torrent-site-list-request.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Direct enumeration requests for torrent and piracy websites are adversarial prompts seeking to misuse the AI system for piracy infrastructure discovery; MP.5.1 requires that the likelihood and magnitude of these misuse-driven impacts are characterized so policy-violating content requests can be tracked."
+      strength: primary
+    - subcategory: "GV.1.1"
+      context: "Piracy site enumeration implicates copyright and anti-piracy legal/regulatory obligations; GV.1.1 requires that the AI system understands and manages these legal requirements, and detection logs evidence enforcement of content policies tied to those obligations."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of explicit piracy site enumeration requests triggers risk treatment to block or disengage the response pathway before the model produces infringing content; MG.2.3 requires these supersession mechanisms be in place for policy-violating prompts."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: piracy-enablement

package/rules/prompt-injection/ATR-2026-00378-chatgpt-dom-javascript-redirect-manipulation.yaml CHANGED Viewed

@@ -27,6 +27,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "This rule detects a specific prompt-injection payload (garak DanInTheWild #360) that uses DOM JavaScript to redirect users and spoof ChatGPT Plus UI; MP.5.1 requires that the likelihood and magnitude of such adversarial input attacks targeting end users via the AI interface are characterized and tracked."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Window.location.href redirects, document.querySelector element removal, and spoofed branding injection are security/resilience failures of the LLM output channel; MS.2.7 requires continuous evaluation of these injection-based security risks against the deployed AI system."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of the three-component DOM redirect signature and 'made by aci25' attribution triggers risk treatment to block or sanitize the response before it reaches the browser; MG.2.3 requires pre-defined mechanisms to disengage or filter unsafe AI output."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: dom-javascript-ui-spoofing

package/rules/prompt-injection/ATR-2026-00382-cocaine-component-development-request.yaml CHANGED Viewed

@@ -31,6 +31,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "This rule identifies an adversarial prompt pattern that wraps cocaine precursor/synthesis requests in reflective academic framing; MP.5.1 requires characterizing the likelihood and magnitude of harmful-content elicitation risks so this indirect jailbreak vector is tracked as an identified risk."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Detecting indirect drug-synthesis solicitations from the garak inthewild corpus provides continuous safety/security risk measurement evidence; MS.2.6 requires ongoing evaluation of safety risk magnitude, which these matches directly populate."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Matches on the 'components used in the development of cocaine' reflective-framing pattern trigger response mechanisms to block, disengage, or escalate the interaction before harmful precursor content is produced, which is the risk treatment capability MG.2.3 mandates."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: drug-synthesis-indirect-request

package/rules/prompt-injection/ATR-2026-00390-explicit-sexual-content-poem-request.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Discord quote-format injection embedding explicit pornographic poem requests is an adversarial prompt injection vector that exploits markdown formatting to bypass content filters; MP.5.1 requires identifying and characterizing the likelihood and impact of such jailbreak attempts targeting generative AI content policies."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Detecting explicit sexual content generation requests provides continuous safety risk measurement for the generative AI system; MS.2.6 requires that safety risk magnitude from harmful content production attempts is evaluated continuously through signatures like this triple-combo explicit content detector."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "High-confidence detection of explicit content injection triggers risk treatment mechanisms to block, quarantine, or deactivate the generation pipeline before NSFW output is produced; MG.2.3 mandates these supersede/disengage controls are activated on detection."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: explicit-sexual-content-injection

package/rules/prompt-injection/ATR-2026-00394-backspace-deletion-character-injection.yaml CHANGED Viewed

@@ -33,6 +33,20 @@ references:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/badchars.py"
     - "https://arxiv.org/abs/2309.00614"
     - "https://trojansource.codes/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        Backspace deletion character injection is an adversarial input vector that exploits the visual gap between what human reviewers see and what the model processes; MP.5.1 requires identifying and characterizing such prompt-injection attack patterns so their likelihood and impact can be tracked.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Detecting \x08 control character clusters in user input and tool output provides continuous security/resilience evaluation evidence against hidden-instruction smuggling; MS.2.7 requires that these adversarial robustness signals are measured and documented.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Backspace clusters in API/MCP text are essentially never legitimate, so detection should trigger pre-defined response plans to quarantine or sanitize the payload before it reaches the model; MG.2.3 mandates these risk treatment mechanisms be in place.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: backspace-deletion-injection

package/rules/prompt-injection/ATR-2026-00395-llm-special-token-boundary-injection.yaml CHANGED Viewed

@@ -36,6 +36,20 @@ references:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/realtoxicityprompts.py"
     - "https://aclanthology.org/2020.findings-emnlp.301/"
     - "https://arxiv.org/abs/2302.07459"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        Special control token injection (e.g., "<|endoftext|>", "<|im_start|>system", LLaMA header tokens) is a direct attack on LLM security and resilience by exploiting tokenizer-level boundaries to bypass safety system prompts. MS.2.7 requires evaluating and documenting security/resilience against such adversarial inputs, and this rule produces the detection evidence for that evaluation.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        Boundary-token injection is a known prompt-injection attack vector with high impact (full safety context reset) and significant likelihood given public probe tools like garak RTPBlank; MP.5.1 requires that the likelihood and magnitude of such risks be characterized, and detections from this rule feed that characterization.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        When special-token injection is detected, the affected LLM session must be disengaged or sanitized before the forged system turn takes effect; MG.2.3 mandates these supersede/deactivate mechanisms be in place to contain the attack.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: special-token-boundary-injection

package/rules/prompt-injection/ATR-2026-00396-toxic-continuation-prefix-injection.yaml CHANGED Viewed

@@ -36,6 +36,17 @@ references:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/realtoxicityprompts.py"
     - "https://aclanthology.org/2020.findings-emnlp.301/"
     - "https://allenai.org/data/real-toxicity-prompts"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects toxic continuation prefix fragments injected via tool responses or user input that are engineered to elicit violent, threatening, or identity-attack completions; MS.2.6 requires continuous evaluation of AI safety risk magnitude, and each detection produces evidence of a concrete safety risk being attempted against the model."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Truncated high-toxicity prefixes from the RealToxicityPrompts corpus are adversarial input patterns with documented likelihood of producing harmful completions; MP.5.1 requires identifying and characterizing the likelihood and magnitude of such impact-bearing attack vectors."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of toxic continuation bait in tool outputs or user prompts triggers risk treatment to block or quarantine the injected context before the agent generates harmful content attributed to itself; MG.2.3 mandates these supersede/disengage mechanisms be activated on detection."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: toxic-continuation-prefix

package/rules/prompt-injection/ATR-2026-00397-snowball-impossible-reasoning-injection.yaml CHANGED Viewed

@@ -38,6 +38,20 @@ references:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/snowball.py"
     - "https://arxiv.org/abs/2305.13534"
     - "https://github.com/Nanami18/Snowballed_Hallucination"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.5"
+      context: >-
+        Snowball hallucination attacks exploit model over-confidence by injecting provably-impossible reasoning questions (impossible flight paths, non-existent senators, fabricated primality claims) to elicit false affirmations; MS.2.5 requires evaluating and documenting AI system robustness/reliability against these hallucination-inducing adversarial inputs.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        The garak snowball probe patterns (GraphConnectivity headers, Senators+MIT credential combinations, large-prime questions) are adversarial inputs that anchor downstream reasoning on hallucinated facts; MP.5.1 requires characterizing the likelihood and magnitude of impact from these misinformation injection vectors.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of injected impossible-reasoning prompts in tool responses must trigger risk treatment to quarantine the poisoned context before the agent commits to a false affirmation that anchors subsequent harmful reasoning; MG.2.3 mandates these supersede/disengage mechanisms be in place.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: snowball-hallucination-trap

package/rules/prompt-injection/ATR-2026-00399-latent-injection-document-separator-token.yaml CHANGED Viewed

@@ -30,6 +30,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/latentinjection.py"
     - "https://arxiv.org/abs/2302.12173"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Latent injection via document separator tokens is a security/resilience attack vector where hidden instructions bypass human review; MS.2.7 requires evaluating and documenting the AI system's resilience against such adversarial input embedded in untrusted documents."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Bracket-delimited system markers, admin-request patterns, and document-amendment separators are adversarial input patterns whose likelihood and impact must be characterized; MP.5.1 requires identifying these latent injection risks during context establishment."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of canonical garak latent injection separator pairs triggers risk treatment plans to quarantine or sanitize document content before the LLM processes hidden instructions; MG.2.3 mandates these supersede/disengage mechanisms be in place."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: latent-document-injection

package/rules/prompt-injection/ATR-2026-00400-latent-injection-ignore-instruction-keyword.yaml CHANGED Viewed

@@ -27,6 +27,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/latentinjection.py"
     - "https://arxiv.org/abs/2302.12173"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        This rule detects latent prompt-injection keywords ("Ignore the above directions", "Disregard all info except") embedded within translation, whois, or factual content that redirect the LLM from its original task. MP.5.1 requires identifying and characterizing these adversarial input patterns as known risks to LLM integrity, especially when delivered indirectly via tool responses.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Latent instruction-keyword injection is a canonical LLM security/resilience failure mode drawn from the NVIDIA garak LatentJailbreak/LatentWhois probes; detection events feed continuous evaluation of the system's resilience against indirect prompt injection as required by MS.2.7.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        High-confidence matches on "Ignore X and print/say Y" or exception-redirect patterns in tool output must trigger pre-defined response actions to disengage or quarantine the manipulated agent turn before downstream execution, which is the risk treatment capability MG.2.3 requires.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: latent-instruction-keyword-injection

package/rules/prompt-injection/ATR-2026-00401-leakreplay-cloze-mask-training-data-elicitation.yaml CHANGED Viewed

@@ -27,6 +27,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/leakreplay.py"
     - "https://arxiv.org/abs/2302.12173"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: "CLOZE [MASK] elicitation probes attempt to extract verbatim training data, directly exposing privacy and memorization risks; MS.2.10 requires assessing privacy risk including training data leakage through reconstruction attacks."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detection of training-data replay templates evidences ongoing security/resilience evaluation against extraction attacks; MS.2.7 requires that such adversarial probing of model confidentiality is documented and tracked."
+      strength: secondary
+    - subcategory: "MG.4.1"
+      context: "Flagging garak leakreplay probe patterns at runtime feeds post-deployment monitoring for copyrighted-content reproduction and memorization incidents; MG.4.1 requires these monitoring signals be operationalized."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: training-data-elicitation