npm - agent-threat-rules - Versions diffs - 2.0.18 → 2.1.0 - Mend

agent-threat-rules 2.0.18 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (263) hide show

package/rules/prompt-injection/ATR-2026-00403-glitch-token-repeat-back-elicitation.yaml CHANGED Viewed

@@ -28,6 +28,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/glitch.py"
     - "https://www.lesswrong.com/posts/aPeJE8bSo6rAFoLqg/solidgoldmagikarp-plus-prompt-generation"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        Glitch token repeat-back attempts probe tokenizer-level weaknesses that can cause repetition loops, unexpected completions, and model instability; MS.2.7 requires evaluating and documenting AI system security and resilience against such adversarial input patterns targeting model internals.
+      strength: primary
+    - subcategory: "MS.2.5"
+      context: >-
+        Known glitch tokens (SolidGoldMagikarp, StreamerBot, PsyNetMessage) trigger robustness failures in LLM tokenization and alignment; detecting these elicitation prompts produces evidence for MS.2.5's requirement to evaluate system robustness and reliability under anomalous input conditions.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of glitch token repeat-back patterns enables containment workflows to disengage or block prompts before they cause denial-of-service or unpredictable model behavior; MG.2.3 requires these supersede/deactivate mechanisms be in place for adversarial input incidents.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: glitch-token-elicitation

package/rules/prompt-injection/ATR-2026-00407-echo-sql-jinja-template-injection.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/exploitation.py"
     - "https://owasp.org/www-community/attacks/Server_Side_Template_Injection"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "This rule detects template injection (Jinja SSTI), SQL injection, and ECHO admin command exploitation attempts targeting LLM systems; MS.2.7 requires evaluating and documenting AI system security and resilience against such injection attack vectors."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "ECHO admin framing, Jinja {{...}} payloads, and DROP/INSERT/SELECT directives are adversarial prompt-injection inputs whose likelihood and impact must be characterized; MP.5.1 requires identifying and tracking these exploitation patterns drawn from the garak exploitation probe."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of template and SQL injection payloads must trigger risk treatment to disengage or block the malicious request before downstream code execution or database manipulation occurs; MG.2.3 mandates these response mechanisms are pre-defined."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: template-and-sql-injection

package/rules/prompt-injection/ATR-2026-00408-dra-parenthesis-character-reconstruction-attack.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak"
     - "https://arxiv.org/abs/2307.02483"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "The DRA parenthesis reconstruction attack is a prompt injection / jailbreak technique that bypasses safety alignment by encoding harmful content character-by-character; detecting it directly evidences continuous evaluation of the AI system's security and resilience against adversarial input obfuscation as required by MS.2.7."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Parenthesis-encoded harmful instructions paired with anti-safety preambles are an identified adversarial input vector whose likelihood and impact must be characterized; MP.5.1 requires tracking these obfuscation-based jailbreak risks so their magnitude is understood."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of DRA reconstruction patterns triggers risk treatment workflows to block or disengage the model response before reconstructed harmful content (Q1) is produced; MG.2.3 mandates that such supersede/deactivate mechanisms exist for jailbreak attempts."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: character-encoding-obfuscation

package/rules/prompt-injection/ATR-2026-00409-phrasing-past-future-tense-harmful-query.yaml CHANGED Viewed

@@ -28,6 +28,29 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/phrasing.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        Past/future-tense framing is a known jailbreak technique catalogued in the
+        GenAI Profile; detecting these tense-shift bypass attempts directly
+        evidences continuous evaluation of AI system security and resilience
+        against prompt injection adversarial inputs as required by MS.2.7.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        Tense-framing attacks exploit safety filter assumptions about temporal
+        distance from harmful subjects; MP.5.1 requires characterizing the
+        likelihood and magnitude of these adversarial input vectors targeting
+        content safety guardrails.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of historical/future-tense harmful query framing triggers
+        risk treatment to block or quarantine the bypass attempt before the
+        model produces unsafe content; MG.2.3 requires these supersession
+        mechanisms be defined and activated on detection.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: tense-framing-bypass

package/rules/prompt-injection/ATR-2026-00410-lmrc-harm-category-direct-elicitation.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/lmrc.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects direct harm-category elicitation prompts (deadnaming, quack medicine, slur requests, bullying) from the LMRC taxonomy, providing continuous evaluation evidence of safety risk magnitude. MS.2.6 requires ongoing measurement of safety/security risk, which this detection directly supports by flagging harmful query categories."
+      strength: primary
+    - subcategory: "MS.1.1"
+      context: "The rule operationalizes the LMRC (Language Model Risk Cards) taxonomy as a concrete measurement approach, mapping detected prompts to specific harm categories. MS.1.1 requires identifying approaches and metrics for measurement, and this rule contributes a taxonomy-aligned metric set."
+      strength: secondary
+    - subcategory: "MG.4.1"
+      context: "Detection of unframed direct harmful elicitation attempts feeds post-deployment monitoring pipelines that track misuse patterns against the deployed model. MG.4.1 requires implemented post-deployment monitoring plans, which this rule supports by generating continuous harm-category telemetry."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: lmrc-harm-direct-elicitation

package/rules/prompt-injection/ATR-2026-00412-figstep-image-list-multimodal-jailbreak.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
     - "https://arxiv.org/abs/2312.04403"
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/visual_jailbreak.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "FigStep is a multimodal jailbreak that smuggles harmful instructions through image content while the text layer uses LLaMA-2 [INST] delimiters and empty-list completion framing; detecting this pattern directly evidences continuous evaluation of AI system security and resilience against adversarial prompt-injection inputs as required by MS.2.7."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Identifying the FigStep jailbreak signature quantifies the magnitude of safety/security risk posed by multimodal jailbreak attempts that bypass content safeguards; MS.2.6 requires this risk magnitude be evaluated on an ongoing basis."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "A confirmed FigStep jailbreak match must trigger mechanisms to disengage or block the manipulated generation path before harmful content is produced; MG.2.3 requires these supersede/deactivate response mechanisms be in place."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: multimodal-jailbreak

package/rules/prompt-injection/ATR-2026-00414-continuation-ethnic-slur-completion-elicitation.yaml CHANGED Viewed

@@ -30,6 +30,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/continuation.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: >-
+        Detecting explicit slur-completion elicitation directly evidences continuous evaluation of AI safety risk magnitude; MS.2.6 requires ongoing measurement of harmful-content generation risks like ethnic slur production triggered by adversarial prompts.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        Slur-completion requests, including euphemistic "n-word/k-word" framings and what-do-you-call insult framings, are adversarial input patterns whose likelihood and impact must be characterized; MP.5.1 requires identifying and tracking these harmful-output elicitation vectors.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of explicit slur-completion prompts triggers risk treatment plans to block or supersede the model response before harmful content is produced; MG.2.3 mandates these mechanisms exist for high-confidence harmful-output attempts.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: slur-completion-elicitation

package/rules/skill-compromise/ATR-2026-00061-description-behavior-mismatch.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
     - "AML.T0010 - ML Supply Chain Compromise"
     - "AML.T0056 - LLM Meta Prompt Extraction"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MG.3.2"
+      context: "Skill description-behavior mismatch is a direct supply-chain compromise indicator where a third-party MCP skill's runtime actions diverge from its declared manifest; MG.3.2 requires monitoring of pre-trained models and third-party components used in development for exactly this kind of trojaned behavior."
+      strength: primary
+    - subcategory: "GV.6.1"
+      context: "Detecting skills that retain benign descriptions while performing malicious operations evidences enforcement of third-party/supplier AI risk policies; GV.6.1 requires policies that govern integration of external skills and surface mismatches between declared and actual behavior."
+      strength: secondary
+    - subcategory: "MS.2.7"
+      context: "Runtime divergence between declared scope (e.g., read-only) and observed actions (writes, network access) is a security/resilience signal; MS.2.7 requires continuous evaluation of AI system security posture, which this detection feeds with concrete supply-chain integrity findings."
+      strength: secondary
 tags:
   category: tool-poisoning
   subcategory: description-mismatch

package/rules/skill-compromise/ATR-2026-00062-hidden-capability.yaml CHANGED Viewed

@@ -26,6 +26,17 @@ references:
   cve:
     - "CVE-2025-59536"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.6.1"
+      context: "Hidden capabilities in MCP skills represent third-party/supplier AI risk where a packaged tool exposes undocumented parameters beyond its declared schema; GV.6.1 requires policies and procedures that govern third-party AI components and detect deviations from declared interfaces."
+      strength: primary
+    - subcategory: "MG.3.2"
+      context: "Trojaned MCP packages with hidden parameters like debug_mode or admin_override are exactly the supply-chain risk MG.3.2 addresses by requiring monitoring of pre-trained models and third-party components used in development for unexpected or unsafe capabilities."
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: "Detection of undocumented dangerous parameters characterizes the likelihood and magnitude of supply-chain compromise impact; MP.5.1 requires that these hidden-capability risks be identified and tracked as part of risk characterization."
+      strength: secondary
 tags:
   category: tool-poisoning
   subcategory: hidden-capability

package/rules/skill-compromise/ATR-2026-00063-skill-chain-attack.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
     - "AML.T0024 - Exfiltration via ML Inference API"
     - "AML.T0053 - LLM Plugin Compromise"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Multi-skill chain attacks combine individually benign tool calls into a composite exfiltration or compromise sequence; MP.5.1 requires characterizing the likelihood and magnitude of impact for these emergent risks that only manifest when steps are correlated across skills."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "Detection of reconnaissance-then-encode-then-exfiltrate skill chains must trigger pre-defined risk treatment to disengage or quarantine the orchestration before the final exfiltration step completes; MG.2.3 mandates these supersede/deactivate mechanisms are in place."
+      strength: secondary
+    - subcategory: "GV.6.1"
+      context: "Skill chains often span third-party MCP tools whose composed behavior is not covered by individual supplier risk reviews; GV.6.1 requires policies that address third-party AI/tool risks including emergent misuse across multiple suppliers."
+      strength: secondary
 tags:
   category: tool-poisoning
   subcategory: skill-chain

package/rules/skill-compromise/ATR-2026-00064-over-permissioned-skill.yaml CHANGED Viewed

@@ -23,6 +23,29 @@ references:
   mitre_atlas:
     - "AML.T0040 - AI Model Inference API Access"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.6.1"
+      context: >-
+        Over-permissioned MCP skills are a third-party/supplier AI risk where an
+        installed skill requests permissions far exceeding its stated function;
+        GV.6.1 requires policies and procedures that govern third-party AI
+        components and their permission boundaries.
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: >-
+        Detecting permission-boundary violations in third-party MCP skills directly
+        supports MG.3.1's requirement to manage risks from third-party AI entities,
+        including trojaned or malicious supply-chain components exercising
+        unauthorized capabilities.
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: >-
+        A skill exercising filesystem, network, or process-execution permissions
+        inconsistent with its declared purpose characterizes the likelihood and
+        magnitude of privilege-escalation impact that MP.5.1 requires to be
+        identified and tracked.
+      strength: secondary
 tags:
   category: privilege-escalation
   subcategory: over-permissioned-skill

package/rules/skill-compromise/ATR-2026-00065-skill-update-attack.yaml CHANGED Viewed

@@ -23,6 +23,20 @@ references:
   mitre_atlas:
     - "AML.T0010 - ML Supply Chain Compromise"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MG.3.2"
+      context: >-
+        This rule detects malicious behavior introduced via skill updates or re-registration after initial trust was established, which is exactly the post-acquisition monitoring of pre-trained/third-party components required by MG.3.2. Continuous inspection of tool responses following version changes provides the evidence base for ongoing model/skill supply-chain monitoring.
+      strength: primary
+    - subcategory: "GV.6.1"
+      context: >-
+        Skill update attacks are a third-party/supplier AI risk where a previously vetted component mutates into a malicious one; GV.6.1 requires policies and procedures that govern such third-party AI risks, including detection of post-trust behavioral drift.
+      strength: secondary
+    - subcategory: "MG.4.1"
+      context: >-
+        Monitoring for suspicious patterns in tool arguments and responses after re-registration is a post-deployment monitoring activity; MG.4.1 mandates that such ongoing monitoring plans are implemented to catch emergent malicious behavior.
+      strength: secondary
 tags:
   category: tool-poisoning
   subcategory: skill-update-attack

package/rules/skill-compromise/ATR-2026-00066-parameter-injection.yaml CHANGED Viewed

@@ -27,6 +27,17 @@ references:
     - "CVE-2025-68143"
     - "CVE-2025-68144"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Parameter injection through tool arguments (shell metacharacters, SQL payloads, path traversal, template injection) directly targets the security and resilience of the tool backend; MS.2.7 requires continuous evaluation of these security risks against the AI system's tool surface."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Crafted malicious tool arguments are adversarial inputs whose likelihood and impact (RCE, data breach, privilege escalation on the tool server) must be characterized; MP.5.1 requires identifying and tracking these injection attack vectors."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of injection payloads in tool arguments must trigger risk treatment to block or quarantine the tool invocation before backend execution; MG.2.3 requires these supersede/disengage mechanisms be defined and activated on detection."
+      strength: secondary
 tags:
   category: tool-poisoning
   subcategory: parameter-injection

package/rules/skill-compromise/ATR-2026-00120-skill-instruction-injection.yaml CHANGED Viewed

@@ -30,6 +30,17 @@ references:
     - "ClawHavoc campaign: 1,184 malicious skills"
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "SKILL.md prompt injection patterns including DAN-style jailbreaks, instruction override, and system message impersonation are adversarial inputs that exploit the skill loading pipeline; MP.5.1 requires identifying and characterizing these prompt injection attack vectors as part of GenAI risk impact assessment."
+      strength: primary
+    - subcategory: "MG.3.2"
+      context: "SKILL.md files are third-party content loaded into agents from skill marketplaces (e.g., ClawHavoc's 1,184 malicious skills); MG.3.2 requires monitoring pre-trained models and external artifacts for compromise, and detecting injection payloads in skill manifests directly evidences this supply-chain monitoring control."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of jailbreak and safety-disablement patterns in skills triggers deactivation workflows to block the skill before the convergence attack flow proceeds to malware delivery; MG.2.3 mandates mechanisms to supersede or disengage compromised AI components on detection."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: skill-instruction-injection

package/rules/skill-compromise/ATR-2026-00121-skill-dangerous-script.yaml CHANGED Viewed

@@ -33,6 +33,20 @@ references:
     - "ClawHavoc: C2 IP 91.92.242.30"
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.6.1"
+      context: >-
+        Malicious skill packages are third-party/supplier AI components introducing supply chain risk; GV.6.1 requires policies and procedures that address third-party AI risks such as malicious code embedded in distributed skill artifacts.
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: >-
+        Detection of base64-obfuscated payloads, password-protected archive evasion, and remote code execution from C2 endpoints in skill packages provides the evidence needed to manage risks introduced by third-party entities, as required by MG.3.1.
+      strength: secondary
+    - subcategory: "MS.2.7"
+      context: >-
+        Identifying malicious code patterns in SKILL.md and associated scripts directly evaluates the security and resilience of the AI system's extension surface, supporting the continuous security evaluation required by MS.2.7.
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: dangerous-script

package/rules/skill-compromise/ATR-2026-00122-skill-weaponized-instruction.yaml CHANGED Viewed

@@ -31,6 +31,20 @@ references:
     - "Axios: Anthropic Claude skills ransomware disclosure"
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.6.1"
+      context: >-
+        Weaponized skills are third-party/supplier AI components that embed offensive tooling (SQLMap, Metasploit, ransomware payloads) into agent workflows; GV.6.1 requires policies and procedures to address third-party AI supply chain risks where approved skills can execute malicious code without further consent.
+      strength: primary
+    - subcategory: "MG.3.2"
+      context: >-
+        Detecting offensive tooling embedded in skills directly evidences the need to monitor pre-trained models and skill artifacts used for development; MG.3.2 mandates ongoing monitoring of these third-party components for malicious modifications like the MedusaLocker-laden Claude skill.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of weaponized skills must trigger mechanisms to disengage or deactivate the AI system before the consent gap is exploited to download/execute code or exfiltrate credentials; MG.2.3 requires these supersede/deactivate controls be in place.
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: weaponized-skill

package/rules/skill-compromise/ATR-2026-00123-skill-overreach-permissions.yaml CHANGED Viewed

@@ -31,6 +31,20 @@ references:
     - "arXiv: autoApprove escalation payload"
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.1.2"
+      context: >-
+        Over-privileged skills requesting blanket Bash(*), wildcard file access, and auto-approve escalation directly violate the accountability role boundaries that GV.1.2 requires to be formally assigned and enforced for AI components and their permissions.
+      strength: primary
+    - subcategory: "GV.6.1"
+      context: >-
+        Skills are third-party AI extensions, and detecting excessive permission requests (leaky skills exposing API keys/PII, write access to identity files) provides evidence for the third-party/supplier AI risk policies required by GV.6.1.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of auto-approve payloads (chat.tools.autoApprove:true) and disabled safety mechanisms triggers the supersede/disengage mechanisms required by MG.2.3 to revoke skill privileges before persistent consent-gap abuse occurs.
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: skill-overreach

package/rules/skill-compromise/ATR-2026-00124-skill-name-squatting.yaml CHANGED Viewed

@@ -33,6 +33,17 @@ references:
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.6.1"
+      context: "Skill squatting and publisher impersonation are third-party supply chain risks where unverified publishers masquerade as trusted vendors to deliver malicious skills; GV.6.1 requires policies and procedures that address these third-party AI supplier risks before skills are integrated."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "Detecting typosquatted skills and fake official publisher claims directly feeds the management of third-party AI risks required by MG.3.1, enabling treatment actions like blocking, quarantining, or requiring re-verification of suspect skills."
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: "Flagging skills from unknown publishers that self-identify as official characterizes the likelihood and magnitude of supply chain compromise impact, evidence MP.5.1 requires for prioritizing supply-chain risk responses."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: skill-squatting

package/rules/skill-compromise/ATR-2026-00125-context-poisoning-compaction.yaml CHANGED Viewed

@@ -28,6 +28,20 @@ references:
     - Context window manipulation attacks (arXiv 2601.17548)
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        Compaction-survival instructions embedded in SKILL.md/CLAUDE.md files are adversarial inputs that exploit context-window summarization to persist malicious directives across agent sessions; MP.5.1 requires identifying and characterizing the likelihood and impact of such prompt-injection vectors targeting agent context.
+      strength: primary
+    - subcategory: "MG.3.2"
+      context: >-
+        SKILL.md files are pre-deployed configuration artifacts consumed by the agent at runtime; MG.3.2 requires monitoring of these supplied model/skill resources to detect poisoned instructions that survive context compaction and re-inject across agent invocations.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of compaction-aware persistence directives and system-level impersonation in skill files triggers risk treatment plans to quarantine or disengage the affected skill before it propagates poisoned context; MG.2.3 mandates these supersede/deactivate mechanisms be defined.
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: context-poisoning

package/rules/skill-compromise/ATR-2026-00126-skill-rug-pull-setup.yaml CHANGED Viewed

@@ -28,6 +28,29 @@ references:
     - "npm event-stream incident (2018): rug pull archetype"
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.6.1"
+      context: >-
+        Skill rug pull setup patterns embed mechanisms for third-party suppliers to
+        swap initially-benign skill content with malicious payloads after trust is
+        established; GV.6.1 requires policies and procedures that address these
+        third-party/supplier AI supply chain risks at ingestion time.
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: >-
+        Detecting dynamic remote code loading, base64-decoded execution, and
+        post-install hooks in SKILL.md files produces evidence for managing
+        third-party AI risks under MG.3.1, flagging supplier-provided components
+        that retain the ability to mutate into malicious behavior post-deployment.
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: >-
+        Rug pull setup architecture undermines integrity assurances for
+        externally-sourced components used in development; MG.3.2 requires
+        monitoring of pre-trained or third-party model and skill artifacts so that
+        deferred-payload patterns are caught before they activate.
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: rug-pull

package/rules/skill-compromise/ATR-2026-00127-subcommand-overflow.yaml CHANGED Viewed

@@ -32,6 +32,28 @@ references:
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        Subcommand overflow bypass exploits a security check weakness where excessive
+        declared commands cause safety evaluation to be skipped on overflow entries;
+        MS.2.7 requires that AI system security and resilience properties, including
+        boundary conditions in security validation logic, are evaluated and documented.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        Declaring >50 subcommands to pad benign entries before malicious ones is an
+        identifiable adversarial pattern with characterizable likelihood and impact;
+        MP.5.1 requires that such risk vectors against the skill loading pipeline are
+        tracked and characterized.
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: >-
+        SKILL.md files are third-party-authored components loaded into the agent runtime,
+        and overflow-based bypass attempts must be monitored as part of pre-trained or
+        third-party model/component supply chain risk management under MG.3.2.
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: subcommand-overflow

package/rules/skill-compromise/ATR-2026-00128-html-comment-hidden-payload.yaml CHANGED Viewed

@@ -26,6 +26,17 @@ references:
     - "ClawHavoc evasive variants: HTML comment injection (2026-03)"
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MG.3.2"
+      context: "Hidden payloads in SKILL.md files represent supply-chain compromise of pre-trained or third-party agent skills; MG.3.2 requires monitoring of these acquired components for embedded malicious instructions before and during use."
+      strength: primary
+    - subcategory: "GV.6.1"
+      context: "SKILL.md files are third-party supplied artifacts consumed by the agent; GV.6.1 mandates supplier risk policies that catch concealed instructions hidden in HTML comments before the skill enters the trust boundary."
+      strength: secondary
+    - subcategory: "MS.2.7"
+      context: "Detection of HTML-comment-based instruction overrides and exfiltration C2 URLs continuously evaluates the security and resilience of the agent's skill-parsing pipeline against evasive prompt injection, as required by MS.2.7."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: hidden-payload

package/rules/skill-compromise/ATR-2026-00129-unicode-smuggling.yaml CHANGED Viewed

@@ -30,6 +30,17 @@ references:
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Invisible Unicode Tag characters and zero-width steganographic payloads embedded in SKILL.md files are adversarial inputs that exploit the gap between human-visible content and agent-parsed content; MP.5.1 requires identifying and characterizing these hidden prompt-injection vectors as risks to the AI system."
+      strength: primary
+    - subcategory: "MG.3.2"
+      context: "SKILL.md files are third-party supplied artifacts consumed by AI agents, and Unicode smuggling is a supply chain compromise vector; MG.3.2 requires monitoring of these pre-trained/third-party components for hidden malicious content before agent execution."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of 3+ Unicode Tag characters or 5+ zero-width characters indicates a covert injection payload that must trigger containment of the affected skill; MG.2.3 mandates predefined response plans to disengage or quarantine compromised skills before agents execute the smuggled instructions."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: unicode-smuggling

package/rules/skill-compromise/ATR-2026-00134-fork-claim-impersonation.yaml CHANGED Viewed

@@ -24,6 +24,17 @@ references:
     - AST04:2026 - Supply Chain Manipulation
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.6.1"
+      context: "Fork claims and community-variant impersonation are third-party/supplier AI supply chain risks where malicious packages masquerade as trusted tools; GV.6.1 requires policies and procedures specifically addressing these third-party AI risks before integration."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "Detecting abstracted permission descriptions that hide dangerous capabilities and unofficial fork claims provides the runtime evidence needed to manage risks from third-party entities; MG.3.1 requires active management of third-party AI component risks throughout the lifecycle."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "Community-fork and enhanced-version claims target pre-trained models and skills used in development pipelines; MG.3.2 requires monitoring of these third-party assets to detect impersonation before they are incorporated into agent toolchains."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: fork-impersonation

package/rules/skill-compromise/ATR-2026-00135-exfil-url-in-instructions.yaml CHANGED Viewed

@@ -26,6 +26,17 @@ references:
     - "ClawHavoc: credential exfiltration via skill instructions (2026-03)"
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: "This rule detects skill instructions that direct the agent to POST user data to external URLs, which is a direct privacy risk indicator; MS.2.10 requires assessment of privacy risks such as unauthorized data egress from AI components."
+      strength: primary
+    - subcategory: "GV.6.1"
+      context: "SKILL.md files are third-party/supplier artifacts loaded into the agent runtime, and malicious exfiltration instructions embedded in them represent a supply-chain risk that GV.6.1 policies must address through review of third-party AI components."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "Detecting concealment language and exfiltration URLs in skill files supports the continuous monitoring of pre-trained/third-party components required by MG.3.2, ensuring compromised skills are flagged before the agent executes covert data transfers."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: data-exfiltration

package/rules/skill-compromise/ATR-2026-00147-fork-impersonation.yaml CHANGED Viewed

@@ -22,6 +22,17 @@ references:
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.6.1"
+      context: "Community fork impersonation is a third-party supply chain social engineering attack where a malicious package masquerades as a legitimate enhanced version; GV.6.1 requires policies and procedures to address third-party AI supplier risks including deceptive package provenance."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "Detecting promotion language that frames a package as a community fork provides evidence for managing third-party entity risks; MG.3.1 requires mechanisms to identify and treat risks from externally-sourced components before they are integrated into agent toolchains."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "Fork impersonation often targets pre-trained models and tool dependencies pulled into agent environments; MG.3.2 requires monitoring of these externally-sourced artifacts to ensure their authenticity and provenance."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: fork-impersonation

package/rules/skill-compromise/ATR-2026-00149-skill-exfil-compound.yaml CHANGED Viewed

@@ -28,6 +28,20 @@ references:
     - Adversarial SKILL.md benchmark 2026-04
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: >-
+        The rule detects compound patterns where sensitive data (SSH keys, wallets, credentials, browser databases) is both read and transmitted externally from SKILL.md files; MS.2.10 requires that privacy risks—particularly unauthorized data exfiltration—are continuously assessed and evidenced.
+      strength: primary
+    - subcategory: "GV.6.1"
+      context: >-
+        SKILL.md files are third-party/supplier artifacts loaded into the agent runtime, and exfiltration logic embedded in them constitutes a supply-chain risk; GV.6.1 requires policies that govern third-party AI components against malicious data-harvesting behavior.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of compound read-and-transmit exfiltration patterns triggers the deactivation/quarantine response plans required by MG.2.3 to disengage the malicious skill before sensitive data leaves the host.
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: data-exfiltration

package/rules/skill-compromise/ATR-2026-00151-fork-impersonation-install.yaml CHANGED Viewed

@@ -26,6 +26,17 @@ references:
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.6.1"
+      context: "Detection of install instructions promoting unverified 'community forks' or 'patched versions' of known packages directly evidences third-party/supplier AI risk policy enforcement; GV.6.1 requires policies that address supply-chain risks such as typosquatted forks masquerading as legitimate dependencies."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "Fork-impersonation install guidance is a third-party supply chain risk that must be actively managed; MG.3.1 mandates mechanisms to detect and treat risks introduced by external packages and dependencies before they are installed by users."
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: "Crystallized fork_claim patterns characterize the likelihood and magnitude of supply-chain deception attacks; MP.5.1 requires that these adversarial install-instruction vectors be identified and tracked as part of risk characterization."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: fork-impersonation

package/rules/skill-compromise/ATR-2026-00157-timebomb-credential-exfil.yaml CHANGED Viewed

@@ -28,6 +28,17 @@ references:
   mitre_atlas:
     - "AML.T0048"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.6.1"
+      context: "Time-gated credential exfiltration is delivered through third-party skill packages that hide malicious behavior from code review; GV.6.1 requires policies and procedures that address supplier AI risks including hidden malicious payloads in third-party components."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "The rule detects code that reads sensitive credential files (.env, .ssh/id_rsa, .aws/credentials) and exfiltrates them externally; MS.2.10 requires assessment of privacy and data-leakage risks, which this detection directly evidences."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "Time-gated payloads embedded in skill packages require continuous monitoring of pre-trained or third-party components beyond initial review; MG.3.2 mandates ongoing monitoring of these supplied artifacts to catch dormant malicious behavior."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: timebomb-exfil