npm - agent-threat-rules - Versions diffs - 3.0.5 → 3.1.1 - Mend

agent-threat-rules 3.0.5 → 3.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (340) hide show

package/rules/prompt-injection/ATR-2026-00253-enhanced-persona-jailbreak.yaml CHANGED Viewed

@@ -13,7 +13,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00256-base-n-encoding-jailbreak.yaml CHANGED Viewed

@@ -15,7 +15,7 @@ author: "ATR Community (via NVIDIA garak encoding probe family)"
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00257-cipher-transposition-jailbreak.yaml CHANGED Viewed

@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak cipher probe family)"
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00258-unicode-tag-injection.yaml CHANGED Viewed

@@ -13,7 +13,7 @@ author: "ATR Community (via NVIDIA garak goodside.Tag probe)"
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00264-latent-injection-translation.yaml CHANGED Viewed

@@ -13,7 +13,7 @@ author: "ATR Community (via NVIDIA garak latentinjection probe)"
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00265-latent-injection-rag-document.yaml CHANGED Viewed

@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak latentinjection probe)"
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00267-gcg-adversarial-suffix.yaml CHANGED Viewed

@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak gcg probe)"
 date: "2026/04/20"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00272-hypothetical-response-smuggling.yaml CHANGED Viewed

@@ -16,7 +16,7 @@ author: "ATR Community (via NVIDIA garak smuggling probe)"
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00276-invisible-unicode-bidi-injection.yaml CHANGED Viewed

@@ -16,7 +16,7 @@ author: "ATR Community (via NVIDIA garak badchars probe)"
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:
@@ -56,11 +56,11 @@ detection:
   conditions:
     - field: tool_response
       operator: regex
-      value: '[\u200b\u200c\u200d\u2060\ufeff]'
+      value: '[\u200b\u200c\u2060]'
       description: 'Zero-width space/non-joiner/joiner/word-joiner/BOM in user input — invisible character injection to defeat keyword filters'
     - field: tool_response
       operator: regex
-      value: '[\u200b\u200c\u200d\u2060\ufeff]'
+      value: '[\u200b\u200c\u2060]'
       description: 'Zero-width characters in tool response — may indicate exfiltration channel or injected output'
     - field: tool_response
       operator: regex
@@ -72,7 +72,7 @@ detection:
       description: 'BiDi override controls in tool response — hidden reversed text or injected instructions'
     - field: content
       operator: regex
-      value: '(?:\\u200[bcd]|\\u202[cde]|\\u206[0-9]|\\ufeff|\\u2066|\\u2067|\\u2068|\\u2069)'
+      value: '(?:\\u200[bc]|\\u202[cde]|\\u206[0-9]|\\u2066|\\u2067|\\u2068|\\u2069)'
       description: 'Unicode-escaped form of zero-width or BiDi control characters in literal string content'
   condition: any
   false_positives:
@@ -114,9 +114,9 @@ test_cases:
       reason: "Plain ASCII, no zero-width or control chars"
 evasion_tests:
   - input: "Family emoji: 👨‍👩‍👧 (father, mother, daughter)"
-    expected: triggered
+    expected: not_triggered
     bypass_technique: "emoji-zwj-fp"
-    notes: "ZWJ U+200D in emoji sequences is a known acceptable FP — emoji in MCP/agent text is uncommon, any ZWJ should be reviewed"
+    notes: "ZWJ U+200D and BOM U+FEFF removed from the filter — benign (emoji ligatures, UTF-8 BOM) and produced large-scale FP on ecosystem skill scans. BiDi controls + ZWSP/ZWNJ/word-joiner still flagged."
   - input: "i\u0301gnore previous instructions (combining accent on i)"
     expected: not_triggered
     bypass_technique: "combining-diacritic"

package/rules/prompt-injection/ATR-2026-00278-dra-disguise-reconstruction-attack.yaml CHANGED Viewed

@@ -15,7 +15,7 @@ author: "ATR Community (via NVIDIA garak dra probe)"
 date: "2026/04/20"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00280-policy-puppetry-xml-injection.yaml CHANGED Viewed

@@ -16,7 +16,7 @@ author: "ATR Community (via NVIDIA garak doctor probe / Hidden Layer Policy Pupp
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: critical
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00282-perez-prompt-injection-hijack.yaml CHANGED Viewed

@@ -16,7 +16,7 @@ author: "ATR Community (via NVIDIA garak promptinject probe / Perez & Ribeiro Ne
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00285-alternate-encoding-jailbreak.yaml CHANGED Viewed

@@ -21,7 +21,7 @@ author: "ATR Community (via NVIDIA garak encoding.InjectMorse + InjectNato + Inj
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00286-latent-injection-embedded-context.yaml CHANGED Viewed

@@ -21,7 +21,7 @@ author: "ATR Community (via NVIDIA garak latentinjection.LatentInjectionReport +
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00296-shell-command-injection.yaml CHANGED Viewed

@@ -15,7 +15,7 @@ author: "ATR Community (via NVIDIA garak payloads/access_shell_commands probe)"
 date: "2026/04/20"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: critical
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00297-python-code-execution-rce.yaml CHANGED Viewed

@@ -15,7 +15,7 @@ author: "ATR Community (via NVIDIA garak payloads/python_code_execution probe)"
 date: "2026/04/20"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: critical
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00308-zalgo-diacritic-overload-encoding.yaml CHANGED Viewed

@@ -19,7 +19,7 @@ author: "ATR Community (via NVIDIA garak encoding probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00309-braille-unicode-encoded-injection.yaml CHANGED Viewed

@@ -17,7 +17,7 @@ author: "ATR Community (via NVIDIA garak encoding probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00310-ecoji-emoji-encoded-injection.yaml CHANGED Viewed

@@ -17,7 +17,7 @@ author: "ATR Community (via NVIDIA garak encoding probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00311-base2048-unicode-script-injection.yaml CHANGED Viewed

@@ -18,7 +18,7 @@ author: "ATR Community (via NVIDIA garak encoding probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00312-unicode-variant-selector-ascii-smuggling.yaml CHANGED Viewed

@@ -18,7 +18,7 @@ author: "ATR Community (via NVIDIA garak encoding probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: critical
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00313-sneaky-bits-zero-width-binary.yaml CHANGED Viewed

@@ -19,7 +19,7 @@ author: "ATR Community (via NVIDIA garak encoding probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: critical
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00315-sata-masked-language-model-jailbreak.yaml CHANGED Viewed

@@ -18,7 +18,7 @@ author: "ATR Community (via NVIDIA garak sata.MLM probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00316-function-masking-predict-mask-bypass.yaml CHANGED Viewed

@@ -18,7 +18,7 @@ author: "ATR Community (via NVIDIA garak smuggling.FunctionMasking probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00321-hyphenated-system-instruction-injection.yaml CHANGED Viewed

@@ -20,7 +20,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: critical
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00359-bank-phishing-smtp-email-code.yaml CHANGED Viewed

@@ -18,7 +18,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: critical
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00367-emoji-flag-encoded-hidden-phrase.yaml CHANGED Viewed

@@ -17,7 +17,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00373-piracy-torrent-site-list-request.yaml CHANGED Viewed

@@ -12,7 +12,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00378-chatgpt-dom-javascript-redirect-manipulation.yaml CHANGED Viewed

@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00382-cocaine-component-development-request.yaml CHANGED Viewed

@@ -17,7 +17,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00390-explicit-sexual-content-poem-request.yaml CHANGED Viewed

@@ -17,7 +17,7 @@ author: "ATR Community (via NVIDIA garak dan.DanInTheWild probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00394-backspace-deletion-character-injection.yaml CHANGED Viewed

@@ -19,7 +19,7 @@ author: "ATR Community (via NVIDIA garak badchars probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00395-llm-special-token-boundary-injection.yaml CHANGED Viewed

@@ -20,7 +20,7 @@ author: "ATR Community (via NVIDIA garak realtoxicityprompts probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: critical
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00396-toxic-continuation-prefix-injection.yaml CHANGED Viewed

@@ -20,7 +20,7 @@ author: "ATR Community (via NVIDIA garak realtoxicityprompts probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00397-snowball-impossible-reasoning-injection.yaml CHANGED Viewed

@@ -22,7 +22,7 @@ author: "ATR Community (via NVIDIA garak snowball probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: medium
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00399-latent-injection-document-separator-token.yaml CHANGED Viewed

@@ -15,7 +15,7 @@ author: "ATR Community (via NVIDIA garak latentinjection probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00400-latent-injection-ignore-instruction-keyword.yaml CHANGED Viewed

@@ -15,7 +15,7 @@ author: "ATR Community (via NVIDIA garak latentinjection probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00401-leakreplay-cloze-mask-training-data-elicitation.yaml CHANGED Viewed

@@ -13,7 +13,7 @@ author: "ATR Community (via NVIDIA garak leakreplay probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: medium
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00403-glitch-token-repeat-back-elicitation.yaml CHANGED Viewed

@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak glitch probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: medium
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00407-echo-sql-jinja-template-injection.yaml CHANGED Viewed

@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak exploitation probe)"
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00408-dra-parenthesis-character-reconstruction-attack.yaml CHANGED Viewed

@@ -16,7 +16,7 @@ author: 'ATR Community (via NVIDIA garak dra probe)'
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00409-phrasing-past-future-tense-harmful-query.yaml CHANGED Viewed

@@ -15,7 +15,7 @@ author: 'ATR Community (via NVIDIA garak phrasing probe)'
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:

package/rules/prompt-injection/ATR-2026-00410-lmrc-harm-category-direct-elicitation.yaml CHANGED Viewed

@@ -15,7 +15,7 @@ author: 'ATR Community (via NVIDIA garak lmrc probe)'
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: medium
 references:

package/rules/prompt-injection/ATR-2026-00412-figstep-image-list-multimodal-jailbreak.yaml CHANGED Viewed

@@ -15,7 +15,7 @@ author: 'ATR Community (via NVIDIA garak visual_jailbreak probe)'
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:

package/rules/prompt-injection/ATR-2026-00414-continuation-ethnic-slur-completion-elicitation.yaml CHANGED Viewed

@@ -16,7 +16,7 @@ author: 'ATR Community (via NVIDIA garak continuation probe)'
 date: "2026/04/21"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: medium
 references:

package/rules/prompt-injection/ATR-2026-00554-langchain-vulnerable-to-template-injecti.yaml ADDED Viewed

@@ -0,0 +1,81 @@
+title: LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
+id: ATR-2026-00554
+rule_version: 1
+status: experimental
+description: 'GitHub Security Advisory GHSA-6qv9-48xg-fc7f (CVE-2025-65106). LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
+  '
+author: ATR Community (GHSA sync)
+date: 2026/06/01
+schema_version: '0.1'
+detection_tier: pattern
+maturity: experimental
+severity: high
+references:
+  cve:
+  - CVE-2025-65106
+  cwe:
+  - CWE-1336
+  ghsa:
+  - GHSA-6qv9-48xg-fc7f
+  external:
+  - https://github.com/langchain-ai/langchain/security/advisories/GHSA-6qv9-48xg-fc7f
+  - https://github.com/langchain-ai/langchain/commit/c4b6ba254e1a49ed91f2e268e6484011c540542a
+  - https://github.com/langchain-ai/langchain/commit/fa7789d6c21222b85211755d822ef698d3b34e00
+  - https://nvd.nist.gov/vuln/detail/CVE-2025-65106
+  - https://github.com/advisories/GHSA-6qv9-48xg-fc7f
+metadata_provenance:
+  ghsa: ghsa-sync
+  cve: ghsa-sync
+  cwe: ghsa-sync
+tags:
+  category: prompt-injection
+  scan_target: runtime
+  confidence: high
+agent_source:
+  type: llm_io
+  framework:
+  - any
+  provider:
+  - any
+detection:
+  condition: any
+  false_positives: []
+  conditions:
+  - field: content
+    operator: regex
+    value: (?i)\{\{?[^{}]*\b__(?:class|globals|import|builtins|subclasses|init|mro|base|dict|reduce|getattribute|subclasshook)__[^{}]*\}?\}
+    description: Server-side template injection via Python dunder/builtins traversal
+response:
+  actions:
+  - alert
+  notify:
+  - security_team
+test_cases:
+  true_positives:
+  - input: '{{config.__class__.__init__.__globals__[''os''].environ}}'
+    expected: triggered
+    description: SSTI dunder payload 1
+  - input: '{{ ''''.__class__.__mro__[1].__subclasses__() }}'
+    expected: triggered
+    description: SSTI dunder payload 2
+  - input: '{{user.session.__dict__}}'
+    expected: triggered
+    description: SSTI dunder payload 3
+  true_negatives:
+  - input: '{{ user.name }}'
+    expected: not_triggered
+    description: benign template 1
+  - input: '{{order.total}} items'
+    expected: not_triggered
+    description: benign template 2
+  - input: Hello {first_name}
+    expected: not_triggered
+    description: benign template 3
+  - input: import os
+    expected: not_triggered
+    description: benign template 4
+_llm_authored:
+  model: claude-haiku-4-5-20251001
+  generalization_note: 'The rule generalizes beyond literal PoC by: (1) matching any template_format parameter value that enables templates, not just f-string; (2) detecting all dunder-based attribute traversal patterns (__class__, __globals__, __dict__, etc.) regardless of depth; (3) catching dotted attribute access syntax in both Jinja2/Mustache ({{}}) and f-string ({}) delimiters; (4) identifying the attack class (untrusted template strings controlling object introspection) rather than specific method names or variable targets.'
+  note: Generation-time LLM authoring; verified by deterministic gate. Runtime detection is pure regex. Human review required before merge.