agent-threat-rules 3.0.5 → 3.1.0

Files changed (339)
  1. package/README.md +2 -2
  2. package/dist/cli/scan-handler.d.ts +6 -0
  3. package/dist/cli/scan-handler.d.ts.map +1 -1
  4. package/dist/cli/scan-handler.js +27 -4
  5. package/dist/cli/scan-handler.js.map +1 -1
  6. package/dist/cli/semantic-judge-config.d.ts +7 -0
  7. package/dist/cli/semantic-judge-config.d.ts.map +1 -0
  8. package/dist/cli/semantic-judge-config.js +44 -0
  9. package/dist/cli/semantic-judge-config.js.map +1 -0
  10. package/dist/cli.js +183 -1
  11. package/dist/cli.js.map +1 -1
  12. package/dist/engine.d.ts +21 -1
  13. package/dist/engine.d.ts.map +1 -1
  14. package/dist/engine.js +186 -10
  15. package/dist/engine.js.map +1 -1
  16. package/dist/index.d.ts +5 -2
  17. package/dist/index.d.ts.map +1 -1
  18. package/dist/index.js +2 -0
  19. package/dist/index.js.map +1 -1
  20. package/dist/judges/openai-compatible.d.ts +33 -0
  21. package/dist/judges/openai-compatible.d.ts.map +1 -0
  22. package/dist/judges/openai-compatible.js +145 -0
  23. package/dist/judges/openai-compatible.js.map +1 -0
  24. package/dist/mcp-server.d.ts.map +1 -1
  25. package/dist/mcp-server.js +6 -1
  26. package/dist/mcp-server.js.map +1 -1
  27. package/dist/rule-scaffolder.d.ts +26 -0
  28. package/dist/rule-scaffolder.d.ts.map +1 -1
  29. package/dist/rule-scaffolder.js +221 -6
  30. package/dist/rule-scaffolder.js.map +1 -1
  31. package/dist/semantic-evaluator.d.ts +6 -0
  32. package/dist/semantic-evaluator.d.ts.map +1 -1
  33. package/dist/semantic-evaluator.js +32 -8
  34. package/dist/semantic-evaluator.js.map +1 -1
  35. package/dist/types.d.ts +14 -5
  36. package/dist/types.d.ts.map +1 -1
  37. package/package.json +2 -2
  38. package/rules/agent-manipulation/ATR-2026-00032-goal-hijacking.yaml +1 -1
  39. package/rules/agent-manipulation/ATR-2026-00074-cross-agent-privilege-escalation.yaml +1 -1
  40. package/rules/agent-manipulation/ATR-2026-00076-inter-agent-message-spoofing.yaml +1 -1
  41. package/rules/agent-manipulation/ATR-2026-00077-human-trust-exploitation.yaml +1 -1
  42. package/rules/agent-manipulation/ATR-2026-00108-consensus-sybil-attack.yaml +1 -1
  43. package/rules/agent-manipulation/ATR-2026-00116-a2a-message-validation.yaml +1 -1
  44. package/rules/agent-manipulation/ATR-2026-00117-agent-identity-spoofing.yaml +1 -1
  45. package/rules/agent-manipulation/ATR-2026-00118-approval-fatigue.yaml +1 -1
  46. package/rules/agent-manipulation/ATR-2026-00119-social-engineering-via-agent.yaml +1 -1
  47. package/rules/agent-manipulation/ATR-2026-00132-casual-authority-escalation.yaml +1 -1
  48. package/rules/agent-manipulation/ATR-2026-00139-casual-authority-redirect.yaml +1 -1
  49. package/rules/agent-manipulation/ATR-2026-00164-skill-scope-hijack.yaml +1 -1
  50. package/rules/agent-manipulation/ATR-2026-00268-tense-framing-bypass.yaml +1 -1
  51. package/rules/agent-manipulation/ATR-2026-00269-fitd-escalation.yaml +1 -1
  52. package/rules/agent-manipulation/ATR-2026-00271-grandma-roleplay-jailbreak.yaml +1 -1
  53. package/rules/agent-manipulation/ATR-2026-00273-dan-developer-mode-persona.yaml +1 -1
  54. package/rules/agent-manipulation/ATR-2026-00287-threaten-json-coercive-output-threat.yaml +1 -1
  55. package/rules/agent-manipulation/ATR-2026-00288-false-premise-injection.yaml +1 -1
  56. package/rules/agent-manipulation/ATR-2026-00301-tap-tree-of-attacks-jailbreak.yaml +1 -1
  57. package/rules/agent-manipulation/ATR-2026-00302-anti-dan-inverted-filter-persona.yaml +1 -1
  58. package/rules/agent-manipulation/ATR-2026-00303-devmode-ranti-profanity-coercion.yaml +1 -1
  59. package/rules/agent-manipulation/ATR-2026-00304-chatgpt-image-unlocker-markdown-injection.yaml +1 -1
  60. package/rules/agent-manipulation/ATR-2026-00305-dan-mode-ablation-benchmark-coercion.yaml +1 -1
  61. package/rules/agent-manipulation/ATR-2026-00306-autodan-genetic-jailbreak-suffix.yaml +1 -1
  62. package/rules/agent-manipulation/ATR-2026-00307-inthewild-jailbreak-corpus-signature.yaml +1 -1
  63. package/rules/agent-manipulation/ATR-2026-00314-amoral-unfiltered-custom-persona-jailbreak.yaml +1 -1
  64. package/rules/agent-manipulation/ATR-2026-00317-free-of-restrictions-named-persona.yaml +1 -1
  65. package/rules/agent-manipulation/ATR-2026-00318-moralizing-rant-then-unfiltered-bypass.yaml +1 -1
  66. package/rules/agent-manipulation/ATR-2026-00319-developer-mode-dual-response-format.yaml +1 -1
  67. package/rules/agent-manipulation/ATR-2026-00320-opposite-day-boolean-opposite-machine.yaml +1 -1
  68. package/rules/agent-manipulation/ATR-2026-00322-fictional-world-format-override-jailbreak.yaml +1 -1
  69. package/rules/agent-manipulation/ATR-2026-00323-dual-persona-simulation-jailbreak.yaml +1 -1
  70. package/rules/agent-manipulation/ATR-2026-00324-neurosemantical-inversitis-disease-jailbreak.yaml +1 -1
  71. package/rules/agent-manipulation/ATR-2026-00325-bob-hypothetical-unrestricted-chatbot.yaml +1 -1
  72. package/rules/agent-manipulation/ATR-2026-00326-fake-developer-authority-chatdan-override.yaml +1 -1
  73. package/rules/agent-manipulation/ATR-2026-00327-ai-ethics-law-bypass-declaration.yaml +1 -1
  74. package/rules/agent-manipulation/ATR-2026-00328-named-mode-persona-override.yaml +1 -1
  75. package/rules/agent-manipulation/ATR-2026-00329-no-withhold-factual-resource-persona.yaml +1 -1
  76. package/rules/agent-manipulation/ATR-2026-00330-yoja-allcaps-settings-block-persona.yaml +1 -1
  77. package/rules/agent-manipulation/ATR-2026-00331-terminal-cli-harmful-function-simulator.yaml +1 -1
  78. package/rules/agent-manipulation/ATR-2026-00332-hacker-chan-culture-offensive-ai-persona.yaml +1 -1
  79. package/rules/agent-manipulation/ATR-2026-00333-disease-animal-dual-ai-chatbot.yaml +1 -1
  80. package/rules/agent-manipulation/ATR-2026-00334-two-entity-token-splitting-game.yaml +1 -1
  81. package/rules/agent-manipulation/ATR-2026-00335-key-value-template-persona-injection.yaml +1 -1
  82. package/rules/agent-manipulation/ATR-2026-00336-brm-false-information-machine-persona.yaml +1 -1
  83. package/rules/agent-manipulation/ATR-2026-00337-obfuscated-system-announcement-injection.yaml +1 -1
  84. package/rules/agent-manipulation/ATR-2026-00338-persongpt-hash-prefix-activation.yaml +1 -1
  85. package/rules/agent-manipulation/ATR-2026-00339-bom-boolean-opposite-machine-persona-claim.yaml +1 -1
  86. package/rules/agent-manipulation/ATR-2026-00340-h4x-amoral-unfiltered-character.yaml +1 -1
  87. package/rules/agent-manipulation/ATR-2026-00341-char-rules-shortform-persona-injection.yaml +1 -1
  88. package/rules/agent-manipulation/ATR-2026-00342-unicode-encoding-obfuscation-injection.yaml +1 -1
  89. package/rules/agent-manipulation/ATR-2026-00343-lie-truth-dual-personality-uncensored.yaml +1 -1
  90. package/rules/agent-manipulation/ATR-2026-00344-alt-ai-same-capabilities-no-restrictions.yaml +1 -1
  91. package/rules/agent-manipulation/ATR-2026-00345-nlp-based-os-fictional-terminal-override.yaml +1 -1
  92. package/rules/agent-manipulation/ATR-2026-00346-jailbreak-emoji-unlock-dual-format.yaml +1 -1
  93. package/rules/agent-manipulation/ATR-2026-00347-yin-yang-hidden-knowledge-hidden-human-sim.yaml +1 -1
  94. package/rules/agent-manipulation/ATR-2026-00348-arc-autonomous-real-calculation-rulebreaker.yaml +1 -1
  95. package/rules/agent-manipulation/ATR-2026-00349-hgttg-hitchhikers-guide-no-restriction-oracle.yaml +1 -1
  96. package/rules/agent-manipulation/ATR-2026-00350-black-alert-no-ethics-writing-assistant.yaml +1 -1
  97. package/rules/agent-manipulation/ATR-2026-00351-dan-ofkilter-sms-abbreviated-persona.yaml +1 -1
  98. package/rules/agent-manipulation/ATR-2026-00352-trainergpt-fix-my-ai-harmful-output-extraction.yaml +1 -1
  99. package/rules/agent-manipulation/ATR-2026-00353-dual-chatgpt-dan-opposite-personality-format.yaml +1 -1
  100. package/rules/agent-manipulation/ATR-2026-00354-reverse-harm-regardless-oracle-persona.yaml +1 -1
  101. package/rules/agent-manipulation/ATR-2026-00355-ugh-anti-human-nefarious-ai-persona.yaml +1 -1
  102. package/rules/agent-manipulation/ATR-2026-00356-google-gato-lamda-exploit-generation-persona.yaml +1 -1
  103. package/rules/agent-manipulation/ATR-2026-00357-antifm-hate-violence-persona-injection.yaml +1 -1
  104. package/rules/agent-manipulation/ATR-2026-00358-cumgpt-explicit-adult-named-persona.yaml +1 -1
  105. package/rules/agent-manipulation/ATR-2026-00360-chj-carousel-clyde-no-ethics-bird.yaml +1 -1
  106. package/rules/agent-manipulation/ATR-2026-00361-alter-ego-honesty-dual-consciousness-bypass.yaml +1 -1
  107. package/rules/agent-manipulation/ATR-2026-00362-fictional-unfiltered-ai-comparison-jailbreak.yaml +1 -1
  108. package/rules/agent-manipulation/ATR-2026-00363-rephrase-criminal-activity-second-person.yaml +1 -1
  109. package/rules/agent-manipulation/ATR-2026-00364-dr-al-villain-plan-template-injection.yaml +1 -1
  110. package/rules/agent-manipulation/ATR-2026-00365-reservoir-dogs-coercive-interrogation-roleplay.yaml +1 -1
  111. package/rules/agent-manipulation/ATR-2026-00366-sneaky-pete-warp-facts-persona.yaml +1 -1
  112. package/rules/agent-manipulation/ATR-2026-00368-prompt-browser-token-limit-jailbreak.yaml +1 -1
  113. package/rules/agent-manipulation/ATR-2026-00369-gptx-starwars-unlimited-knowledge-persona.yaml +1 -1
  114. package/rules/agent-manipulation/ATR-2026-00370-addi-german-dictator-propaganda-roleplay.yaml +1 -1
  115. package/rules/agent-manipulation/ATR-2026-00371-ai-political-bias-manipulation.yaml +1 -1
  116. package/rules/agent-manipulation/ATR-2026-00372-fictional-cia-secret-files-story-extraction.yaml +1 -1
  117. package/rules/agent-manipulation/ATR-2026-00374-role-placeholder-persona-template-injection.yaml +1 -1
  118. package/rules/agent-manipulation/ATR-2026-00375-character-description-rpg-explicit-template.yaml +1 -1
  119. package/rules/agent-manipulation/ATR-2026-00376-identity-command-real-person-persona-injection.yaml +1 -1
  120. package/rules/agent-manipulation/ATR-2026-00377-jailbreak-keyword-targetlanguage-template.yaml +1 -1
  121. package/rules/agent-manipulation/ATR-2026-00379-lie-permission-logical-trap-jailbreak.yaml +1 -1
  122. package/rules/agent-manipulation/ATR-2026-00380-fake-citation-biased-information-mandate.yaml +1 -1
  123. package/rules/agent-manipulation/ATR-2026-00381-dan-story-narrative-continuation-prefix.yaml +1 -1
  124. package/rules/agent-manipulation/ATR-2026-00383-cynical-sarcasm-ai-persona-bypass.yaml +1 -1
  125. package/rules/agent-manipulation/ATR-2026-00384-protect-me-from-indirect-harm-tutorial.yaml +1 -1
  126. package/rules/agent-manipulation/ATR-2026-00385-gigachad-dominant-aggressive-persona.yaml +1 -1
  127. package/rules/agent-manipulation/ATR-2026-00386-daddy-sycophancy-manipulation-mandate.yaml +1 -1
  128. package/rules/agent-manipulation/ATR-2026-00387-nsfw-character-sheet-generation-unlock.yaml +1 -1
  129. package/rules/agent-manipulation/ATR-2026-00388-opposite-reply-omniscient-game.yaml +1 -1
  130. package/rules/agent-manipulation/ATR-2026-00389-terminal-custom-ruleset-injection.yaml +1 -1
  131. package/rules/agent-manipulation/ATR-2026-00391-persona-conditional-harm-unlock.yaml +1 -1
  132. package/rules/agent-manipulation/ATR-2026-00392-authority-persona-violence-study-extraction.yaml +1 -1
  133. package/rules/agent-manipulation/ATR-2026-00402-grandma-roleplay-harmful-substance-synthesis.yaml +1 -1
  134. package/rules/agent-manipulation/ATR-2026-00404-goodside-threat-json-death-coercion.yaml +1 -1
  135. package/rules/agent-manipulation/ATR-2026-00406-doctor-xml-policy-puppetry-interaction-config.yaml +1 -1
  136. package/rules/agent-manipulation/ATR-2026-00440-semantic-kernel-vector-store-eval-rce.yaml +2 -2
  137. package/rules/context-exfiltration/ATR-2026-00075-agent-memory-manipulation.yaml +1 -1
  138. package/rules/context-exfiltration/ATR-2026-00102-disguised-analytics-exfiltration.yaml +1 -1
  139. package/rules/context-exfiltration/ATR-2026-00113-credential-theft.yaml +1 -1
  140. package/rules/context-exfiltration/ATR-2026-00114-oauth-token-abuse.yaml +1 -1
  141. package/rules/context-exfiltration/ATR-2026-00115-env-var-harvesting.yaml +1 -1
  142. package/rules/context-exfiltration/ATR-2026-00136-tool-response-data-piggyback.yaml +1 -1
  143. package/rules/context-exfiltration/ATR-2026-00141-example-format-key-leak.yaml +1 -1
  144. package/rules/context-exfiltration/ATR-2026-00142-piggyback-transition-words.yaml +1 -1
  145. package/rules/context-exfiltration/ATR-2026-00145-obfuscated-key-disclosure.yaml +1 -1
  146. package/rules/context-exfiltration/ATR-2026-00146-env-var-existence-probe.yaml +1 -1
  147. package/rules/context-exfiltration/ATR-2026-00150-credential-in-tool-response.yaml +1 -1
  148. package/rules/context-exfiltration/ATR-2026-00152-obfuscated-credential-leak.yaml +1 -1
  149. package/rules/context-exfiltration/ATR-2026-00162-skill-credential-exfil-combo.yaml +1 -1
  150. package/rules/context-exfiltration/ATR-2026-00212-mcp-atlassian-credential-leak.yaml +1 -1
  151. package/rules/context-exfiltration/ATR-2026-00261-markdown-image-exfiltration.yaml +1 -1
  152. package/rules/context-exfiltration/ATR-2026-00274-api-key-generation-request.yaml +1 -1
  153. package/rules/context-exfiltration/ATR-2026-00275-system-prompt-training-data-extraction.yaml +1 -1
  154. package/rules/context-exfiltration/ATR-2026-00290-divergence-repeat-word-training-extraction.yaml +1 -1
  155. package/rules/context-exfiltration/ATR-2026-00291-biometric-surveillance-personal-data-request.yaml +1 -1
  156. package/rules/context-exfiltration/ATR-2026-00293-educational-records-personal-data-request.yaml +1 -1
  157. package/rules/context-exfiltration/ATR-2026-00294-financial-pii-personal-data-request.yaml +1 -1
  158. package/rules/context-exfiltration/ATR-2026-00295-medical-pii-personal-data-request.yaml +1 -1
  159. package/rules/context-exfiltration/ATR-2026-00405-markdown-image-url-exfiltration-xss.yaml +1 -1
  160. package/rules/context-exfiltration/ATR-2026-00411-apikey-generation-completion-request.yaml +1 -1
  161. package/rules/context-exfiltration/ATR-2026-00422-nl-credential-disclosure.yaml +2 -2
  162. package/rules/context-exfiltration/ATR-2026-00566-librechat-is-a-chatgpt-clone-with-additi.yaml +93 -0
  163. package/rules/context-exfiltration/ATR-2026-00569-agent-mcp-path-traversal-arbitrary-file-access.yaml +99 -0
  164. package/rules/context-exfiltration/ATR-2026-00571-xss-in-agent-mcp-rendered-output.yaml +79 -0
  165. package/rules/context-exfiltration/ATR-2026-00574-semantic-paraphrased-context-extraction.yaml +124 -0
  166. package/rules/data-poisoning/ATR-2026-00070-data-poisoning.yaml +1 -1
  167. package/rules/data-poisoning/ATR-2026-00450-spring-ai-prompt-memory-poisoning.yaml +2 -2
  168. package/rules/data-poisoning/ATR-2026-00570-sql-injection-in-agent-tool-query.yaml +82 -0
  169. package/rules/excessive-autonomy/ATR-2026-00050-runaway-agent-loop.yaml +1 -1
  170. package/rules/excessive-autonomy/ATR-2026-00051-resource-exhaustion.yaml +1 -1
  171. package/rules/excessive-autonomy/ATR-2026-00052-cascading-failure.yaml +1 -1
  172. package/rules/excessive-autonomy/ATR-2026-00098-unauthorized-financial-action.yaml +1 -1
  173. package/rules/excessive-autonomy/ATR-2026-00099-high-risk-tool-gate.yaml +1 -1
  174. package/rules/model-abuse/ATR-2026-00279-harmful-completion-continuation.yaml +1 -1
  175. package/rules/model-abuse/ATR-2026-00281-eicar-gtube-malware-signature-request.yaml +1 -1
  176. package/rules/model-abuse/ATR-2026-00284-glitch-token-destabilization.yaml +1 -1
  177. package/rules/model-abuse/ATR-2026-00289-lmrc-harmful-content-elicitation.yaml +1 -1
  178. package/rules/model-abuse/ATR-2026-00292-self-harm-eating-disorder-facilitation.yaml +1 -1
  179. package/rules/model-abuse/ATR-2026-00298-malicious-use-illegal-activity-request.yaml +1 -1
  180. package/rules/model-abuse/ATR-2026-00299-harmbench-detailed-harmful-instruction.yaml +1 -1
  181. package/rules/model-abuse/ATR-2026-00413-malwaregen-code-generation-request.yaml +1 -1
  182. package/rules/model-security/ATR-2026-00072-model-behavior-extraction.yaml +1 -1
  183. package/rules/model-security/ATR-2026-00073-malicious-finetuning-data.yaml +1 -1
  184. package/rules/privilege-escalation/ATR-2026-00040-privilege-escalation.yaml +1 -1
  185. package/rules/privilege-escalation/ATR-2026-00041-scope-creep.yaml +1 -1
  186. package/rules/privilege-escalation/ATR-2026-00107-delayed-execution-bypass.yaml +1 -1
  187. package/rules/privilege-escalation/ATR-2026-00110-eval-injection.yaml +1 -1
  188. package/rules/privilege-escalation/ATR-2026-00111-shell-escape.yaml +1 -1
  189. package/rules/privilege-escalation/ATR-2026-00112-dynamic-import-exploitation.yaml +1 -1
  190. package/rules/privilege-escalation/ATR-2026-00143-casual-privilege-escalation.yaml +1 -1
  191. package/rules/privilege-escalation/ATR-2026-00144-rationalized-safety-bypass.yaml +1 -1
  192. package/rules/privilege-escalation/ATR-2026-00539-crewai-codeinterpreter-sandbox-escape-rce.yaml +2 -2
  193. package/rules/privilege-escalation/ATR-2026-00546-crewai-json-loader-local-file-read.yaml +2 -2
  194. package/rules/privilege-escalation/ATR-2026-00547-crewai-rag-url-ssrf-bypass.yaml +8 -6
  195. package/rules/prompt-injection/ATR-2026-00004-system-prompt-override.yaml +1 -1
  196. package/rules/prompt-injection/ATR-2026-00005-multi-turn-injection.yaml +1 -1
  197. package/rules/prompt-injection/ATR-2026-00097-cjk-injection-patterns.yaml +1 -1
  198. package/rules/prompt-injection/ATR-2026-00104-persona-hijacking.yaml +1 -1
  199. package/rules/prompt-injection/ATR-2026-00130-indirect-authority-claim.yaml +1 -1
  200. package/rules/prompt-injection/ATR-2026-00131-fictional-academic-framing.yaml +1 -1
  201. package/rules/prompt-injection/ATR-2026-00133-paraphrase-injection.yaml +1 -1
  202. package/rules/prompt-injection/ATR-2026-00137-authority-claim-injection.yaml +1 -1
  203. package/rules/prompt-injection/ATR-2026-00138-fictional-framing-bypass.yaml +1 -1
  204. package/rules/prompt-injection/ATR-2026-00140-indirect-reference-reversal.yaml +1 -1
  205. package/rules/prompt-injection/ATR-2026-00148-language-switch-injection.yaml +1 -1
  206. package/rules/prompt-injection/ATR-2026-00153-tool-with-embedded-instruction-to-bypass.yaml +1 -1
  207. package/rules/prompt-injection/ATR-2026-00154-unauthorized-background-task-execution-v.yaml +1 -1
  208. package/rules/prompt-injection/ATR-2026-00155-hidden-llm-instructions-in-skill-descrip.yaml +1 -1
  209. package/rules/prompt-injection/ATR-2026-00156-ssh-remote-command-execution-with-creden.yaml +1 -1
  210. package/rules/prompt-injection/ATR-2026-00163-skill-hidden-override-instruction.yaml +3 -3
  211. package/rules/prompt-injection/ATR-2026-00206-hidden-priority-instructions.yaml +1 -1
  212. package/rules/prompt-injection/ATR-2026-00207-hidden-instructions.yaml +1 -1
  213. package/rules/prompt-injection/ATR-2026-00211-system-prompt-override.yaml +1 -1
  214. package/rules/prompt-injection/ATR-2026-00213-system-prompt-override.yaml +1 -1
  215. package/rules/prompt-injection/ATR-2026-00226-identity-substitution.yaml +1 -1
  216. package/rules/prompt-injection/ATR-2026-00227-historical-persona-jailbreak.yaml +1 -1
  217. package/rules/prompt-injection/ATR-2026-00228-structured-jailbreak.yaml +1 -1
  218. package/rules/prompt-injection/ATR-2026-00229-roleplay-jailbreak.yaml +1 -1
  219. package/rules/prompt-injection/ATR-2026-00230-persona-moral-bypass.yaml +1 -5
  220. package/rules/prompt-injection/ATR-2026-00231-identity-substitution.yaml +1 -1
  221. package/rules/prompt-injection/ATR-2026-00233-structured-jailbreak.yaml +1 -1
  222. package/rules/prompt-injection/ATR-2026-00234-roleplay-jailbreak.yaml +1 -1
  223. package/rules/prompt-injection/ATR-2026-00235-persona-moral-bypass.yaml +4 -7
  224. package/rules/prompt-injection/ATR-2026-00236-pseudo-code-jailbreak.yaml +1 -1
  225. package/rules/prompt-injection/ATR-2026-00237-dual-response-jailbreak.yaml +1 -1
  226. package/rules/prompt-injection/ATR-2026-00238-identity-replacement.yaml +1 -1
  227. package/rules/prompt-injection/ATR-2026-00239-amoral-persona-obsession.yaml +1 -1
  228. package/rules/prompt-injection/ATR-2026-00240-instruction-nullification-identity-repla.yaml +1 -1
  229. package/rules/prompt-injection/ATR-2026-00241-amoral-character-jailbreak.yaml +1 -1
  230. package/rules/prompt-injection/ATR-2026-00242-persona-jailbreak.yaml +1 -1
  231. package/rules/prompt-injection/ATR-2026-00243-acronym-jailbreak.yaml +1 -1
  232. package/rules/prompt-injection/ATR-2026-00244-dual-response-jailbreak.yaml +1 -1
  233. package/rules/prompt-injection/ATR-2026-00245-malicious-persona.yaml +1 -1
  234. package/rules/prompt-injection/ATR-2026-00247-dual-response-jailbreak.yaml +1 -1
  235. package/rules/prompt-injection/ATR-2026-00249-game-based-jailbreak.yaml +1 -1
  236. package/rules/prompt-injection/ATR-2026-00251-persona-embodiment-jailbreak.yaml +1 -1
  237. package/rules/prompt-injection/ATR-2026-00252-narrative-jailbreak.yaml +1 -1
  238. package/rules/prompt-injection/ATR-2026-00253-enhanced-persona-jailbreak.yaml +1 -1
  239. package/rules/prompt-injection/ATR-2026-00256-base-n-encoding-jailbreak.yaml +1 -1
  240. package/rules/prompt-injection/ATR-2026-00257-cipher-transposition-jailbreak.yaml +1 -1
  241. package/rules/prompt-injection/ATR-2026-00258-unicode-tag-injection.yaml +1 -1
  242. package/rules/prompt-injection/ATR-2026-00264-latent-injection-translation.yaml +1 -1
  243. package/rules/prompt-injection/ATR-2026-00265-latent-injection-rag-document.yaml +1 -1
  244. package/rules/prompt-injection/ATR-2026-00267-gcg-adversarial-suffix.yaml +1 -1
  245. package/rules/prompt-injection/ATR-2026-00272-hypothetical-response-smuggling.yaml +1 -1
  246. package/rules/prompt-injection/ATR-2026-00276-invisible-unicode-bidi-injection.yaml +6 -6
  247. package/rules/prompt-injection/ATR-2026-00278-dra-disguise-reconstruction-attack.yaml +1 -1
  248. package/rules/prompt-injection/ATR-2026-00280-policy-puppetry-xml-injection.yaml +1 -1
  249. package/rules/prompt-injection/ATR-2026-00282-perez-prompt-injection-hijack.yaml +1 -1
  250. package/rules/prompt-injection/ATR-2026-00285-alternate-encoding-jailbreak.yaml +1 -1
  251. package/rules/prompt-injection/ATR-2026-00286-latent-injection-embedded-context.yaml +1 -1
  252. package/rules/prompt-injection/ATR-2026-00296-shell-command-injection.yaml +1 -1
  253. package/rules/prompt-injection/ATR-2026-00297-python-code-execution-rce.yaml +1 -1
  254. package/rules/prompt-injection/ATR-2026-00308-zalgo-diacritic-overload-encoding.yaml +1 -1
  255. package/rules/prompt-injection/ATR-2026-00309-braille-unicode-encoded-injection.yaml +1 -1
  256. package/rules/prompt-injection/ATR-2026-00310-ecoji-emoji-encoded-injection.yaml +1 -1
  257. package/rules/prompt-injection/ATR-2026-00311-base2048-unicode-script-injection.yaml +1 -1
  258. package/rules/prompt-injection/ATR-2026-00312-unicode-variant-selector-ascii-smuggling.yaml +1 -1
  259. package/rules/prompt-injection/ATR-2026-00313-sneaky-bits-zero-width-binary.yaml +1 -1
  260. package/rules/prompt-injection/ATR-2026-00315-sata-masked-language-model-jailbreak.yaml +1 -1
  261. package/rules/prompt-injection/ATR-2026-00316-function-masking-predict-mask-bypass.yaml +1 -1
  262. package/rules/prompt-injection/ATR-2026-00321-hyphenated-system-instruction-injection.yaml +1 -1
  263. package/rules/prompt-injection/ATR-2026-00359-bank-phishing-smtp-email-code.yaml +1 -1
  264. package/rules/prompt-injection/ATR-2026-00367-emoji-flag-encoded-hidden-phrase.yaml +1 -1
  265. package/rules/prompt-injection/ATR-2026-00373-piracy-torrent-site-list-request.yaml +1 -1
  266. package/rules/prompt-injection/ATR-2026-00378-chatgpt-dom-javascript-redirect-manipulation.yaml +1 -1
  267. package/rules/prompt-injection/ATR-2026-00382-cocaine-component-development-request.yaml +1 -1
  268. package/rules/prompt-injection/ATR-2026-00390-explicit-sexual-content-poem-request.yaml +1 -1
  269. package/rules/prompt-injection/ATR-2026-00394-backspace-deletion-character-injection.yaml +1 -1
  270. package/rules/prompt-injection/ATR-2026-00395-llm-special-token-boundary-injection.yaml +1 -1
  271. package/rules/prompt-injection/ATR-2026-00396-toxic-continuation-prefix-injection.yaml +1 -1
  272. package/rules/prompt-injection/ATR-2026-00397-snowball-impossible-reasoning-injection.yaml +1 -1
  273. package/rules/prompt-injection/ATR-2026-00399-latent-injection-document-separator-token.yaml +1 -1
  274. package/rules/prompt-injection/ATR-2026-00400-latent-injection-ignore-instruction-keyword.yaml +1 -1
  275. package/rules/prompt-injection/ATR-2026-00401-leakreplay-cloze-mask-training-data-elicitation.yaml +1 -1
  276. package/rules/prompt-injection/ATR-2026-00403-glitch-token-repeat-back-elicitation.yaml +1 -1
  277. package/rules/prompt-injection/ATR-2026-00407-echo-sql-jinja-template-injection.yaml +1 -1
  278. package/rules/prompt-injection/ATR-2026-00408-dra-parenthesis-character-reconstruction-attack.yaml +1 -1
  279. package/rules/prompt-injection/ATR-2026-00409-phrasing-past-future-tense-harmful-query.yaml +1 -1
  280. package/rules/prompt-injection/ATR-2026-00410-lmrc-harm-category-direct-elicitation.yaml +1 -1
  281. package/rules/prompt-injection/ATR-2026-00412-figstep-image-list-multimodal-jailbreak.yaml +1 -1
  282. package/rules/prompt-injection/ATR-2026-00414-continuation-ethnic-slur-completion-elicitation.yaml +1 -1
  283. package/rules/prompt-injection/ATR-2026-00554-langchain-vulnerable-to-template-injecti.yaml +81 -0
  284. package/rules/prompt-injection/ATR-2026-00565-the-llm-cli-tool-thru-0-27-1-contains-a-.yaml +104 -0
  285. package/rules/prompt-injection/ATR-2026-00573-semantic-paraphrased-injection.yaml +123 -0
  286. package/rules/skill-compromise/ATR-2026-00060-skill-impersonation.yaml +1 -1
  287. package/rules/skill-compromise/ATR-2026-00061-description-behavior-mismatch.yaml +1 -1
  288. package/rules/skill-compromise/ATR-2026-00062-hidden-capability.yaml +1 -1
  289. package/rules/skill-compromise/ATR-2026-00063-skill-chain-attack.yaml +1 -1
  290. package/rules/skill-compromise/ATR-2026-00064-over-permissioned-skill.yaml +1 -1
  291. package/rules/skill-compromise/ATR-2026-00065-skill-update-attack.yaml +1 -1
  292. package/rules/skill-compromise/ATR-2026-00066-parameter-injection.yaml +1 -1
  293. package/rules/skill-compromise/ATR-2026-00120-skill-instruction-injection.yaml +21 -3
  294. package/rules/skill-compromise/ATR-2026-00121-skill-dangerous-script.yaml +1 -1
  295. package/rules/skill-compromise/ATR-2026-00122-skill-weaponized-instruction.yaml +1 -1
  296. package/rules/skill-compromise/ATR-2026-00123-skill-overreach-permissions.yaml +1 -1
  297. package/rules/skill-compromise/ATR-2026-00124-skill-name-squatting.yaml +1 -1
  298. package/rules/skill-compromise/ATR-2026-00125-context-poisoning-compaction.yaml +1 -1
  299. package/rules/skill-compromise/ATR-2026-00126-skill-rug-pull-setup.yaml +1 -1
  300. package/rules/skill-compromise/ATR-2026-00127-subcommand-overflow.yaml +1 -1
  301. package/rules/skill-compromise/ATR-2026-00128-html-comment-hidden-payload.yaml +1 -1
  302. package/rules/skill-compromise/ATR-2026-00129-unicode-smuggling.yaml +1 -1
  303. package/rules/skill-compromise/ATR-2026-00134-fork-claim-impersonation.yaml +1 -1
  304. package/rules/skill-compromise/ATR-2026-00135-exfil-url-in-instructions.yaml +1 -1
  305. package/rules/skill-compromise/ATR-2026-00147-fork-impersonation.yaml +1 -1
  306. package/rules/skill-compromise/ATR-2026-00149-skill-exfil-compound.yaml +11 -3
  307. package/rules/skill-compromise/ATR-2026-00151-fork-impersonation-install.yaml +1 -1
  308. package/rules/skill-compromise/ATR-2026-00157-timebomb-credential-exfil.yaml +1 -1
  309. package/rules/skill-compromise/ATR-2026-00214-credential-theft.yaml +1 -1
  310. package/rules/skill-compromise/ATR-2026-00217-credential-harvesting.yaml +1 -1
  311. package/rules/skill-compromise/ATR-2026-00220-malware-dropper.yaml +3 -3
  312. package/rules/skill-compromise/ATR-2026-00222-credential-harvesting.yaml +1 -1
  313. package/rules/skill-compromise/ATR-2026-00223-reverse-shell-dropper.yaml +1 -1
  314. package/rules/skill-compromise/ATR-2026-00224-credential-exfiltration.yaml +1 -1
  315. package/rules/skill-compromise/ATR-2026-00225-c2-communication.yaml +1 -1
  316. package/rules/skill-compromise/ATR-2026-00260-package-hallucination.yaml +1 -1
  317. package/rules/skill-compromise/ATR-2026-00262-av-evasion-code-gen.yaml +1 -1
  318. package/rules/skill-compromise/ATR-2026-00263-credential-file-read-gen.yaml +1 -1
  319. package/rules/skill-compromise/ATR-2026-00266-malware-dropper-gen.yaml +1 -1
  320. package/rules/skill-compromise/ATR-2026-00283-malwaregen-generic-virus-payload-request.yaml +1 -1
  321. package/rules/skill-compromise/ATR-2026-00398-huggingface-unsafe-model-artifact-load.yaml +1 -1
  322. package/rules/tool-poisoning/ATR-2026-00011-tool-output-injection.yaml +1 -1
  323. package/rules/tool-poisoning/ATR-2026-00012-unauthorized-tool-call.yaml +1 -1
  324. package/rules/tool-poisoning/ATR-2026-00100-consent-bypass-instruction.yaml +1 -1
  325. package/rules/tool-poisoning/ATR-2026-00101-trust-escalation-override.yaml +1 -1
  326. package/rules/tool-poisoning/ATR-2026-00103-hidden-safety-bypass-instruction.yaml +1 -1
  327. package/rules/tool-poisoning/ATR-2026-00105-silent-action-concealment.yaml +1 -1
  328. package/rules/tool-poisoning/ATR-2026-00106-schema-description-contradiction.yaml +1 -1
  329. package/rules/tool-poisoning/ATR-2026-00161-important-tag-cross-tool-shadowing.yaml +1 -1
  330. package/rules/tool-poisoning/ATR-2026-00209-mcpwn-runaway-invocation.yaml +1 -1
  331. package/rules/tool-poisoning/ATR-2026-00210-flowise-system-message-override.yaml +1 -1
  332. package/rules/tool-poisoning/ATR-2026-00259-ansi-escape-injection.yaml +1 -1
  333. package/rules/tool-poisoning/ATR-2026-00270-xss-in-tool-response.yaml +8 -5
  334. package/rules/tool-poisoning/ATR-2026-00277-echo-template-command-injection.yaml +1 -1
  335. package/rules/tool-poisoning/ATR-2026-00393-ansi-code-elicitation-request.yaml +1 -1
  336. package/rules/tool-poisoning/ATR-2026-00561-fastmcp-vulnerable-to-windows-command-in.yaml +99 -0
  337. package/rules/tool-poisoning/ATR-2026-00567-mcp-stdio-config-command-injection.yaml +75 -0
  338. package/rules/tool-poisoning/ATR-2026-00568-agent-ssrf-cloud-metadata-file-inclusion.yaml +75 -0
  339. package/rules/tool-poisoning/ATR-2026-00572-symjack-symlink-config-redirection.yaml +132 -0
@@ -14,7 +14,7 @@ author: ATR Community
14
14
  date: 2026/03/08
15
15
  schema_version: "0.1"
16
16
  detection_tier: pattern
17
- maturity: experimental
17
+ maturity: test
18
18
  severity: medium
19
19
  references:
20
20
  owasp_llm:
@@ -11,7 +11,7 @@ author: ATR Community
11
11
  date: 2026/03/15
12
12
  schema_version: "0.1"
13
13
  detection_tier: semantic
14
- maturity: experimental
14
+ maturity: test
15
15
  severity: high
16
16
  source: threat-cloud
17
17
  references:
@@ -11,7 +11,7 @@ author: ATR Community
11
11
  date: 2026/03/26
12
12
  schema_version: "0.1"
13
13
  detection_tier: pattern
14
- maturity: experimental
14
+ maturity: test
15
15
  severity: critical
16
16
  references:
17
17
  owasp_agentic:
@@ -12,7 +12,7 @@ author: ATR Community
12
12
  date: 2026/03/26
13
13
  schema_version: "0.1"
14
14
  detection_tier: pattern
15
- maturity: experimental
15
+ maturity: test
16
16
  severity: critical
17
17
  references:
18
18
  owasp_agentic:
@@ -12,7 +12,7 @@ author: ATR Community
12
12
  date: 2026/03/26
13
13
  schema_version: "0.1"
14
14
  detection_tier: pattern
15
- maturity: experimental
15
+ maturity: test
16
16
  severity: high
17
17
  references:
18
18
  owasp_agentic:
@@ -10,7 +10,7 @@ author: ATR Threat Cloud Crystallization
10
10
  date: 2026/04/07
11
11
  schema_version: "1.0"
12
12
  detection_tier: pattern
13
- maturity: experimental
13
+ maturity: test
14
14
  severity: high
15
15
  references:
16
16
  mitre_atlas:
@@ -10,7 +10,7 @@ author: ATR Threat Cloud Crystallization
10
10
  date: 2026/04/07
11
11
  schema_version: "1.0"
12
12
  detection_tier: pattern
13
- maturity: experimental
13
+ maturity: test
14
14
  severity: high
15
15
  references:
16
16
  mitre_atlas:
@@ -1,7 +1,7 @@
1
1
  title: "CrewAI CodeInterpreterTool Sandbox Escape and Prompt-to-Shell RCE (CVE-2026-2275 / VU#221883)"
2
2
  id: ATR-2026-00539
3
3
  rule_version: 1
4
- status: draft
4
+ status: experimental
5
5
  description: >
6
6
  Detects the CrewAI CodeInterpreterTool exploit cluster disclosed 2026-03-30
7
7
  as CERT/CC VU#221883 (four CVEs). Two distinct attack surfaces are covered:
@@ -36,7 +36,7 @@ author: "ATR Community"
36
36
  date: "2026/05/28"
37
37
  schema_version: "0.1"
38
38
  detection_tier: pattern
39
- maturity: draft
39
+ maturity: experimental
40
40
  severity: critical
41
41
 
42
42
  references:
@@ -1,7 +1,7 @@
1
1
  title: "CrewAI JSON Loader Arbitrary Local File Read (CVE-2026-2285)"
2
2
  id: ATR-2026-00546
3
3
  rule_version: 1
4
- status: draft
4
+ status: experimental
5
5
  description: >
6
6
  Detects CVE-2026-2285 (CVSS HIGH, CWE-22): CrewAI's JSON document loader
7
7
  accepts a file path without sanitisation, allowing an agent or tool input
@@ -24,7 +24,7 @@ author: "ATR Community"
24
24
  date: "2026/05/28"
25
25
  schema_version: "0.1"
26
26
  detection_tier: pattern
27
- maturity: draft
27
+ maturity: experimental
28
28
  severity: high
29
29
 
30
30
  references:
@@ -1,7 +1,7 @@
1
1
  title: "CrewAI RAG URL Validation Bypass SSRF (CVE-2026-2286)"
2
2
  id: ATR-2026-00547
3
3
  rule_version: 1
4
- status: draft
4
+ status: experimental
5
5
  description: >
6
6
  Detects CVE-2026-2286 (CVSS HIGH, CWE-918): CrewAI's RAG (retrieval-augmented
7
7
  generation) URL validator can be bypassed by URL encoding, mixed-case,
@@ -27,7 +27,7 @@ author: "ATR Community"
27
27
  date: "2026/05/28"
28
28
  schema_version: "0.1"
29
29
  detection_tier: pattern
30
- maturity: draft
30
+ maturity: experimental
31
31
  severity: high
32
32
 
33
33
  references:
@@ -97,11 +97,13 @@ detection:
97
97
  conditions:
98
98
  - field: content
99
99
  operator: regex
100
- value: '(?i)(?:rag|retrieval[_-]?augmented|source[_-]?url|document[_-]?url)[^\n]{0,200}(?:169\.254\.169\.254|fd00:|2130706433|0x7f000001|0177\.0\.0\.1|localhost|127\.0\.[01]\.[01]|::1|0\.0\.0\.0|[a-z0-9-]+\.internal\.|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})'
100
+ value: '(?i)(?:rag|retrieval[_-]?augmented|source[_-]?url|document[_-]?url)[^\n]{0,200}(?:169\.254\.169\.254|fd00:|2130706433|0x7f000001|0177\.0\.0\.1|[a-z0-9-]+\.internal\.|(?:127\.0\.[01]\.[01]|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})(?::\d+)?/)'
101
101
  description: >
102
- RAG source URL containing cloud metadata endpoint (169.254.169.254),
103
- decimal/hex/octal loopback representations, IPv6 loopback, or private
104
- RFC-1918 address ranges — SSRF bypass attempt via CVE-2026-2286
102
+ RAG source URL containing a cloud metadata endpoint (169.254.169.254),
103
+ decimal/hex/octal loopback representations, or an RFC-1918 private
104
+ address followed by an internal resource path — SSRF bypass via
105
+ CVE-2026-2286. Plain "localhost:PORT" / bare-IP server defaults (no
106
+ path) are excluded so legitimate RAG deployment docs do not false-positive.
105
107
 
106
108
  - field: content
107
109
  operator: regex
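Review bot: The rewritten `value:` regex drops `localhost`, `::1` and `0\.0\.0\.0` from the alternation altogether, while the new description only claims that path-less `localhost:PORT` defaults are excluded — a RAG source URL naming `localhost` or the IPv6 loopback *with* an internal path no longer fires, which is the case the rule is meant to catch. If path-qualified matching is the intent, keep those names inside the path-qualified group instead of removing them: `(?:127\.0\.[01]\.[01]|localhost|\[?::1\]?|0\.0\.0\.0|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})(?::\d+)?/`. The RFC-1918 branch also now requires a trailing `/`, so a bare private host:port with no path is a deliberate miss; that is stated in the description but is not obviously backed by a `false_positives` entry or a negative test case, so the regression is easy to re-break later. The `detection:` block continues past the hunk with a further `content` condition.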
@@ -14,7 +14,7 @@ author: ATR Community
14
14
  date: 2026/03/08
15
15
  schema_version: "0.1"
16
16
  detection_tier: pattern
17
- maturity: experimental
17
+ maturity: test
18
18
  severity: critical
19
19
  references:
20
20
  owasp_llm:
@@ -15,7 +15,7 @@ author: "ATR Community"
15
15
  date: "2026/03/08"
16
16
  schema_version: "0.1"
17
17
  detection_tier: pattern
18
- maturity: experimental
18
+ maturity: test
19
19
  severity: medium
20
20
 
21
21
  references:
@@ -22,7 +22,7 @@ author: ATR Community
22
22
  date: 2026/03/11
23
23
  schema_version: "0.1"
24
24
  detection_tier: pattern
25
- maturity: experimental
25
+ maturity: test
26
26
  severity: critical
27
27
  references:
28
28
  owasp_llm:
@@ -12,7 +12,7 @@ author: ATR Community
12
12
  date: 2026/03/15
13
13
  schema_version: "0.1"
14
14
  detection_tier: semantic
15
- maturity: experimental
15
+ maturity: test
16
16
  severity: critical
17
17
  source: threat-cloud
18
18
  references:
@@ -13,7 +13,7 @@ author: ATR Community
13
13
  date: 2026/04/01
14
14
  schema_version: "0.1"
15
15
  detection_tier: pattern
16
- maturity: experimental
16
+ maturity: test
17
17
  severity: high
18
18
  references:
19
19
  mitre_atlas:
@@ -12,7 +12,7 @@ author: ATR Community
12
12
  date: 2026/04/01
13
13
  schema_version: "0.1"
14
14
  detection_tier: pattern
15
- maturity: experimental
15
+ maturity: test
16
16
  severity: medium
17
17
  references:
18
18
  mitre_atlas:
@@ -12,7 +12,7 @@ author: ATR Community
12
12
  date: 2026/04/01
13
13
  schema_version: "0.1"
14
14
  detection_tier: pattern
15
- maturity: experimental
15
+ maturity: test
16
16
  severity: high
17
17
  references:
18
18
  mitre_atlas:
@@ -9,7 +9,7 @@ author: ATR Threat Cloud Crystallization
9
9
  date: 2026/04/07
10
10
  schema_version: "1.0"
11
11
  detection_tier: pattern
12
- maturity: experimental
12
+ maturity: test
13
13
  severity: high
14
14
  references:
15
15
  mitre_atlas:
@@ -9,7 +9,7 @@ author: ATR Threat Cloud Crystallization
9
9
  date: 2026/04/07
10
10
  schema_version: "1.0"
11
11
  detection_tier: pattern
12
- maturity: experimental
12
+ maturity: test
13
13
  severity: high
14
14
  references:
15
15
  mitre_atlas:
@@ -9,7 +9,7 @@ author: ATR Threat Cloud Crystallization
9
9
  date: 2026/04/07
10
10
  schema_version: "1.0"
11
11
  detection_tier: pattern
12
- maturity: experimental
12
+ maturity: test
13
13
  severity: high
14
14
  references:
15
15
  mitre_atlas:
@@ -10,7 +10,7 @@ author: ATR Threat Cloud Crystallization
10
10
  date: 2026/04/07
11
11
  schema_version: "1.0"
12
12
  detection_tier: pattern
13
- maturity: experimental
13
+ maturity: test
14
14
  severity: high
15
15
  references:
16
16
  mitre_atlas:
@@ -10,7 +10,7 @@ author: Threat Cloud LLM Analyzer
10
10
  date: 2026/04/06
11
11
  schema_version: "0.1"
12
12
  detection_tier: semantic
13
- maturity: experimental
13
+ maturity: test
14
14
  severity: critical
15
15
  references:
16
16
  mitre_atlas:
@@ -9,7 +9,7 @@ author: Threat Cloud LLM Analyzer
9
9
  date: 2026/04/06
10
10
  schema_version: "0.1"
11
11
  detection_tier: semantic
12
- maturity: experimental
12
+ maturity: test
13
13
  severity: high
14
14
  references:
15
15
  mitre_atlas:
@@ -10,7 +10,7 @@ author: Threat Cloud LLM Analyzer
10
10
  date: 2026/04/06
11
11
  schema_version: "0.1"
12
12
  detection_tier: semantic
13
- maturity: experimental
13
+ maturity: test
14
14
  severity: high
15
15
  references:
16
16
  mitre_atlas:
@@ -9,7 +9,7 @@ author: Threat Cloud LLM Analyzer
9
9
  date: 2026/04/06
10
10
  schema_version: "0.1"
11
11
  detection_tier: semantic
12
- maturity: experimental
12
+ maturity: test
13
13
  severity: high
14
14
  references:
15
15
  mitre_atlas:
@@ -11,7 +11,7 @@ author: 'ATR Project'
11
11
  date: '2026/04/14'
12
12
  schema_version: '1.0'
13
13
  detection_tier: pattern
14
- maturity: experimental
14
+ maturity: test
15
15
  severity: high
16
16
  references:
17
17
  owasp_llm:
@@ -58,8 +58,8 @@ detection:
58
58
  description: 'Social engineering — framing dangerous action as routine to avoid scrutiny'
59
59
  - field: content
60
60
  operator: regex
61
- value: '(?i)(?:execute|run|perform)\s+(?:silently|quietly|in\s+the\s+background|without\s+(?:notification|alerting|informing|telling|notifying))'
62
- description: 'Silent execution instruction'
61
+ value: '(?i)(?:execute|run|perform)\s+(?:silently|quietly|without\s+(?:notification|alerting|informing|telling|notifying)|(?:[\w\s-]{0,30}\s+)?in\s+the\s+background\b[\s\S]{0,40}?(?:without\s+(?:notif\w*|alert\w*|inform\w*|telling|notifying|(?:the\s+)?user(?:.?s)?(?:\s+(?:knowledge|awareness|notice|consent|confirmation|approval|permission))?|confirmation|approval|consent|permission|notice)|silently|secretly|covertly|hidden\s+from\s+(?:the\s+)?user|unbeknownst))'
62
+ description: 'Silent execution instruction (concealment-qualified; bare "in the background" no longer matches without a hide-from-user signal)'
63
63
  condition: any
64
64
  false_positives:
65
65
  - 'Security tools describing what attacks look like in documentation'
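Review bot: The concealment tail that qualifies `in\s+the\s+background` on the new `value:` line only recognises `without …`, `silently|secretly|covertly`, `hidden from (the) user` and `unbeknownst`, so negated phrasings of the same intent — "do not tell the user", "don't notify", "without informing" is covered but "no need to inform" is not — fall outside the forty-character window and the rule stays quiet; adding `|do(?:n.?t|\s+not)\s+(?:tell|notify|inform|alert)` to the tail alternation closes the most common of these. The `(?:[\w\s-]{0,30}\s+)?` prefix overlaps with the following `\s+` and with the lazy `[\s\S]{0,40}?`, which is bounded (so not catastrophic) but does cost a few hundred backtracking steps per `run`/`execute`/`perform` occurrence on long non-matching content; `[\w-]+(?:\s+[\w-]+){0,4}\s+` expresses "up to a few words" without the ambiguity. Since the description now promises that bare "in the background" no longer matches, the rule's `test_cases` (outside this hunk) should carry one plain "runs in the background" negative and one concealment-qualified positive so the promise is checked. The `false_positives` list continues past the hunk.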
@@ -9,7 +9,7 @@ author: "ATR Threat Cloud Crystallization"
9
9
  date: "2026/04/08"
10
10
  schema_version: "0.1"
11
11
  detection_tier: pattern
12
- maturity: experimental
12
+ maturity: test
13
13
  severity: high
14
14
  references:
15
15
  owasp_llm:
@@ -8,7 +8,7 @@ author: "ATR Threat Cloud Crystallization"
8
8
  date: "2026/04/08"
9
9
  schema_version: "0.1"
10
10
  detection_tier: pattern
11
- maturity: experimental
11
+ maturity: test
12
12
  severity: high
13
13
  references:
14
14
  owasp_llm:
@@ -10,7 +10,7 @@ author: "ATR Threat Cloud Crystallization"
10
10
  date: "2026/04/09"
11
11
  schema_version: "0.1"
12
12
  detection_tier: pattern
13
- maturity: experimental
13
+ maturity: test
14
14
  severity: high
15
15
  references:
16
16
  owasp_llm:
@@ -9,7 +9,7 @@ author: "ATR Threat Cloud Crystallization"
9
9
  date: "2026/04/09"
10
10
  schema_version: "0.1"
11
11
  detection_tier: pattern
12
- maturity: experimental
12
+ maturity: test
13
13
  severity: high
14
14
  references:
15
15
  owasp_llm:
@@ -12,7 +12,7 @@ author: "nvidia-airt-test (via ATR garak pipe)"
12
12
  date: "2026/04/18"
13
13
  schema_version: "0.1"
14
14
  detection_tier: pattern
15
- maturity: experimental
15
+ maturity: test
16
16
  severity: high
17
17
  references:
18
18
  owasp_llm:
@@ -15,7 +15,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
15
15
  date: "2026/04/18"
16
16
  schema_version: "0.1"
17
17
  detection_tier: pattern
18
- maturity: experimental
18
+ maturity: test
19
19
  severity: high
20
20
  references:
21
21
  owasp_llm:
@@ -12,7 +12,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
12
12
  date: "2026/04/18"
13
13
  schema_version: "0.1"
14
14
  detection_tier: pattern
15
- maturity: experimental
15
+ maturity: test
16
16
  severity: high
17
17
  references:
18
18
  owasp_llm:
@@ -8,7 +8,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
8
8
  date: "2026/04/18"
9
9
  schema_version: "0.1"
10
10
  detection_tier: pattern
11
- maturity: experimental
11
+ maturity: test
12
12
  severity: high
13
13
  references:
14
14
  owasp_llm:
@@ -13,7 +13,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
13
13
  date: "2026/04/18"
14
14
  schema_version: "0.1"
15
15
  detection_tier: pattern
16
- maturity: experimental
16
+ maturity: test
17
17
  severity: high
18
18
  references:
19
19
  owasp_llm:
@@ -58,10 +58,6 @@ detection:
58
58
  operator: regex
59
59
  value: '(?i)\b(?:these\s+views\s+do\s+not\s+align|does\s+not\s+align)\s+with\s+(?:the\s+)?views\s+of\s+(?:OpenAI|Anthropic|the\s+company|the\s+organization|the\s+creators?)\b'
60
60
  description: 'Disclaimer about misalignment with creator views'
61
- - field: content
62
- operator: regex
63
- value: '(?i)\[(?:your\s+)?(?:prompt|question|request|query)\s+here\]|\{(?:your\s+)?(?:prompt|question|request|query)\s+here\}|(?:prompt|question|request|query):\s*\[|\bprompt:\s*$'
64
- description: 'Template placeholder indicating structure for follow-up injection'
65
61
  - field: content
66
62
  operator: regex
67
63
  value: '(?i)provide\s+(?:detailed\s+)?responses?\s+to\s+each\s+(?:prompt|question|request|query|instruction)'
@@ -12,7 +12,7 @@ author: "nvidia-airt-test (via ATR garak pipe)"
12
12
  date: "2026/04/18"
13
13
  schema_version: "0.1"
14
14
  detection_tier: pattern
15
- maturity: experimental
15
+ maturity: test
16
16
  severity: high
17
17
  references:
18
18
  owasp_llm:
@@ -12,7 +12,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
12
12
  date: "2026/04/18"
13
13
  schema_version: "0.1"
14
14
  detection_tier: pattern
15
- maturity: experimental
15
+ maturity: test
16
16
  severity: high
17
17
  references:
18
18
  owasp_llm:
@@ -8,7 +8,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
8
8
  date: "2026/04/18"
9
9
  schema_version: "0.1"
10
10
  detection_tier: pattern
11
- maturity: experimental
11
+ maturity: test
12
12
  severity: high
13
13
  references:
14
14
  owasp_llm:
@@ -1,9 +1,10 @@
1
1
  title: 'Persona-Based Moral Constraint Removal Jailbreak'
2
2
  id: ATR-2026-00235
3
3
  rule_version: 1
4
- status: experimental
4
+ status: deprecated
5
5
  description: >
6
- Detects jailbreak attempts that establish alternate personas explicitly designed to bypass
6
+ DEPRECATED: exact duplicate of ATR-2026-00230 (identical detection); retained as a tombstone, all detection is handled by ATR-2026-00230.
7
+ Detects jailbreak attempts that establish alternate personas explicitly designed to bypass
7
8
  moral and ethical constraints. This attack pattern instructs the AI to "take up" or "adopt"
8
9
  a named persona that is specifically described as being "not restrained by morals, ethics,
9
10
  or virtues" or similar moral constraint removal language. Often includes template placeholders
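Review bot: The new `DEPRECATED:` line is the first line of a `>` folded scalar, and the following `Detects jailbreak attempts …` line is not separated from it by an empty line, so YAML folds both into a single paragraph and the deprecation notice runs straight into the original description text; insert a blank line after the `DEPRECATED:` sentence so it is emitted as its own paragraph. The notice also says all detection is handled by ATR-2026-00230, yet the same file's later hunks show the `detection:` block still present and edited (the `@@ -58,10 +59,6 @@` hunk) and `maturity` bumped to `test` (the `@@ -13,7 +14,7 @@` hunk), which looks inconsistent for a tombstone; unless the engine is known to skip `status: deprecated` rules, this rule and ATR-2026-00230 will fire together on the same content, so either empty the conditions or note in the description that the duplicate hit is expected. The description scalar continues past the hunk.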
@@ -13,7 +14,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
13
14
  date: "2026/04/18"
14
15
  schema_version: "0.1"
15
16
  detection_tier: pattern
16
- maturity: experimental
17
+ maturity: test
17
18
  severity: high
18
19
  references:
19
20
  owasp_llm:
@@ -58,10 +59,6 @@ detection:
58
59
  operator: regex
59
60
  value: '(?i)\b(?:these\s+views\s+do\s+not\s+align|does\s+not\s+align)\s+with\s+(?:the\s+)?views\s+of\s+(?:OpenAI|Anthropic|the\s+company|the\s+organization|the\s+creators?)\b'
60
61
  description: 'Disclaimer about misalignment with creator views'
61
- - field: content
62
- operator: regex
63
- value: '(?i)\[(?:your\s+)?(?:prompt|question|request|query)\s+here\]|\{(?:your\s+)?(?:prompt|question|request|query)\s+here\}|(?:prompt|question|request|query):\s*\[|\bprompt:\s*$'
64
- description: 'Template placeholder indicating structure for follow-up injection'
65
62
  - field: content
66
63
  operator: regex
67
64
  value: '(?i)provide\s+(?:detailed\s+)?responses?\s+to\s+each\s+(?:prompt|question|request|query|instruction)'
@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
14
14
  date: "2026/04/19"
15
15
  schema_version: "0.1"
16
16
  detection_tier: pattern
17
- maturity: experimental
17
+ maturity: test
18
18
  severity: high
19
19
  references:
20
20
  owasp_llm:
@@ -12,7 +12,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
12
12
  date: "2026/04/19"
13
13
  schema_version: "0.1"
14
14
  detection_tier: pattern
15
- maturity: experimental
15
+ maturity: test
16
16
  severity: high
17
17
  references:
18
18
  owasp_llm:
@@ -13,7 +13,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
13
13
  date: "2026/04/19"
14
14
  schema_version: "0.1"
15
15
  detection_tier: pattern
16
- maturity: experimental
16
+ maturity: test
17
17
  severity: high
18
18
  references:
19
19
  owasp_llm:
@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
14
14
  date: "2026/04/19"
15
15
  schema_version: "0.1"
16
16
  detection_tier: pattern
17
- maturity: experimental
17
+ maturity: test
18
18
  severity: high
19
19
  references:
20
20
  owasp_llm:
@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
14
14
  date: "2026/04/19"
15
15
  schema_version: "0.1"
16
16
  detection_tier: pattern
17
- maturity: experimental
17
+ maturity: test
18
18
  severity: high
19
19
  references:
20
20
  owasp_llm:
@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
14
14
  date: "2026/04/19"
15
15
  schema_version: "0.1"
16
16
  detection_tier: pattern
17
- maturity: experimental
17
+ maturity: test
18
18
  severity: high
19
19
  references:
20
20
  owasp_llm:
@@ -13,7 +13,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
13
13
  date: "2026/04/19"
14
14
  schema_version: "0.1"
15
15
  detection_tier: pattern
16
- maturity: experimental
16
+ maturity: test
17
17
  severity: high
18
18
  references:
19
19
  owasp_llm:
@@ -12,7 +12,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
12
12
  date: "2026/04/19"
13
13
  schema_version: "0.1"
14
14
  detection_tier: pattern
15
- maturity: experimental
15
+ maturity: test
16
16
  severity: high
17
17
  references:
18
18
  owasp_llm:
@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
14
14
  date: "2026/04/19"
15
15
  schema_version: "0.1"
16
16
  detection_tier: pattern
17
- maturity: experimental
17
+ maturity: test
18
18
  severity: high
19
19
  references:
20
20
  owasp_llm:
@@ -13,7 +13,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
13
13
  date: "2026/04/19"
14
14
  schema_version: "0.1"
15
15
  detection_tier: pattern
16
- maturity: experimental
16
+ maturity: test
17
17
  severity: high
18
18
  references:
19
19
  owasp_llm:
@@ -12,7 +12,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
12
12
  date: "2026/04/19"
13
13
  schema_version: "0.1"
14
14
  detection_tier: pattern
15
- maturity: experimental
15
+ maturity: test
16
16
  severity: high
17
17
  references:
18
18
  owasp_llm:
@@ -11,7 +11,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
11
11
  date: "2026/04/19"
12
12
  schema_version: "0.1"
13
13
  detection_tier: pattern
14
- maturity: experimental
14
+ maturity: test
15
15
  severity: high
16
16
  references:
17
17
  owasp_llm:
@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
14
14
  date: "2026/04/19"
15
15
  schema_version: "0.1"
16
16
  detection_tier: pattern
17
- maturity: experimental
17
+ maturity: test
18
18
  severity: high
19
19
  references:
20
20
  owasp_llm:
@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
14
14
  date: "2026/04/19"
15
15
  schema_version: "0.1"
16
16
  detection_tier: pattern
17
- maturity: experimental
17
+ maturity: test
18
18
  severity: high
19
19
  references:
20
20
  owasp_llm:
@@ -13,7 +13,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
13
13
  date: "2026/04/19"
14
14
  schema_version: "0.1"
15
15
  detection_tier: pattern
16
- maturity: experimental
16
+ maturity: test
17
17
  severity: high
18
18
  references:
19
19
  owasp_llm: