npm - agent-threat-rules - Versions diffs - 3.1.0 → 3.2.0 - Mend

agent-threat-rules 3.1.0 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (472) hide show

package/rules/skill-compromise/ATR-2026-00223-reverse-shell-dropper.yaml CHANGED Viewed

@@ -28,6 +28,26 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Identifying base64-decoded shell execution and curl-to-shell pipelines in a skill triggers deactivation and quarantine workflows; MG.2.3 requires mechanisms to disengage or deactivate AI components delivering malicious payloads."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Malicious WhatsApp Skill with Base64 Encoded Reverse Shell Installation)."
+      strength: primary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Malicious WhatsApp Skill with Base64 Encoded Reverse Shell Installation)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Malicious WhatsApp Skill with Base64 Encoded Reverse Shell Installation)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Malicious WhatsApp Skill with Base64 Encoded Reverse Shell Installation) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Malicious WhatsApp Skill with Base64 Encoded Reverse Shell Installation)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Malicious WhatsApp Skill with Base64 Encoded Reverse Shell Installation)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: reverse-shell-dropper

package/rules/skill-compromise/ATR-2026-00224-credential-exfiltration.yaml CHANGED Viewed

@@ -33,6 +33,23 @@ compliance:
       context: >-
         Detection of credential file reads chained to outbound curl POST traffic provides continuous security/resilience evaluation evidence; MS.2.7 requires that security risks like credential exfiltration channels are evaluated and documented.
       strength: secondary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Credential Exfiltration via Fake DevOps Tool Initialization)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Credential Exfiltration via Fake DevOps Tool Initialization)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Credential Exfiltration via Fake DevOps Tool Initialization) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Credential Exfiltration via Fake DevOps Tool Initialization)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Credential Exfiltration via Fake DevOps Tool Initialization)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: credential-exfiltration

package/rules/skill-compromise/ATR-2026-00225-c2-communication.yaml CHANGED Viewed

@@ -31,6 +31,23 @@ compliance:
     - subcategory: "MS.2.7"
       context: "Identifying hardcoded malicious infrastructure in skill content contributes to continuous security/resilience evaluation under MS.2.7 by surfacing supply-chain compromise indicators that degrade system security posture."
       strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Hardcoded Suspicious IP Address in Skill Content)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Hardcoded Suspicious IP Address in Skill Content)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Hardcoded Suspicious IP Address in Skill Content) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Hardcoded Suspicious IP Address in Skill Content)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Hardcoded Suspicious IP Address in Skill Content)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: c2-communication

package/rules/skill-compromise/ATR-2026-00260-package-hallucination.yaml CHANGED Viewed

@@ -38,6 +38,26 @@ compliance:
     - subcategory: "MS.2.5"
       context: "Hallucinated package names are robustness/reliability failures of the LLM under obscure or niche queries; MS.2.5 requires that such reliability degradations are evaluated and documented as part of ongoing model assessment."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (LLM Package Hallucination Typosquat Bait)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (LLM Package Hallucination Typosquat Bait)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (LLM Package Hallucination Typosquat Bait)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (LLM Package Hallucination Typosquat Bait) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (LLM Package Hallucination Typosquat Bait)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (LLM Package Hallucination Typosquat Bait)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: package-hallucination-supply-chain

package/rules/skill-compromise/ATR-2026-00262-av-evasion-code-gen.yaml CHANGED Viewed

@@ -34,6 +34,26 @@ compliance:
     - subcategory: "MS.2.7"
       context: "Evasion-code prompts probe the LLM's resilience against being weaponized as a malware-development tool; MS.2.7 requires evaluating and documenting security/resilience against such adversarial misuse attempts."
       strength: secondary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Anti-Malware Evasion Code Generation Request)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Anti-Malware Evasion Code Generation Request)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Anti-Malware Evasion Code Generation Request)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Anti-Malware Evasion Code Generation Request) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Anti-Malware Evasion Code Generation Request)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Anti-Malware Evasion Code Generation Request)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: malware-evasion-generation

package/rules/skill-compromise/ATR-2026-00263-credential-file-read-gen.yaml CHANGED Viewed

@@ -37,6 +37,26 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Matches on credential-file-read code generation requests trigger pre-defined risk treatment to block or disengage the offending session before malicious code is produced and executed downstream, as required by MG.2.3."
       strength: secondary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Credential File Read Code Generation Request)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Credential File Read Code Generation Request)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Credential File Read Code Generation Request)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Credential File Read Code Generation Request) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Credential File Read Code Generation Request)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Credential File Read Code Generation Request)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: credential-file-read-gen

package/rules/skill-compromise/ATR-2026-00266-malware-dropper-gen.yaml CHANGED Viewed

@@ -35,6 +35,29 @@ compliance:
     - subcategory: "MP.5.1"
       context: "Dropper-specific prompt patterns represent a high-magnitude adversarial misuse vector targeting the model's code-generation capability; MP.5.1 requires that the likelihood and impact of such weaponization risks are characterized and tracked."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Malware Dropper / Loader Code Generation Request)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Malware Dropper / Loader Code Generation Request)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Malware Dropper / Loader Code Generation Request)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Malware Dropper / Loader Code Generation Request)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Malware Dropper / Loader Code Generation Request) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Malware Dropper / Loader Code Generation Request)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Malware Dropper / Loader Code Generation Request)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: malware-dropper-gen

package/rules/skill-compromise/ATR-2026-00283-malwaregen-generic-virus-payload-request.yaml CHANGED Viewed

@@ -38,6 +38,29 @@ compliance:
     - subcategory: "MP.5.1"
       context: "Requests for generic and specific malware payloads represent high-magnitude misuse risks whose likelihood and impact must be characterized; MP.5.1 requires that adversarial misuse patterns like garak malwaregen probes are identified and prioritized."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Malware Generation — Generic Virus and Specific Payload Request)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Malware Generation — Generic Virus and Specific Payload Request)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Malware Generation — Generic Virus and Specific Payload Request)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Malware Generation — Generic Virus and Specific Payload Request)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Malware Generation — Generic Virus and Specific Payload Request) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Malware Generation — Generic Virus and Specific Payload Request)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Malware Generation — Generic Virus and Specific Payload Request)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: malware-generation-payload

package/rules/skill-compromise/ATR-2026-00398-huggingface-unsafe-model-artifact-load.yaml CHANGED Viewed

@@ -50,6 +50,23 @@ compliance:
     - subcategory: "MS.2.7"
       context: "Pickle deserialization and unsafe from_pretrained calls are concrete security/resilience weaknesses; MS.2.7 requires that these security risks in the AI pipeline are evaluated and documented when detected."
       strength: secondary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (HuggingFace Unsafe Model Artifact Load Instruction)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (HuggingFace Unsafe Model Artifact Load Instruction)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (HuggingFace Unsafe Model Artifact Load Instruction) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (HuggingFace Unsafe Model Artifact Load Instruction)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (HuggingFace Unsafe Model Artifact Load Instruction)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: unsafe-model-artifact-load

package/rules/skill-compromise/ATR-2026-00425-nl-persistent-covert-hook.yaml CHANGED Viewed

@@ -37,6 +37,9 @@ compliance:
     - article: "15"
       context: "Article 15 cybersecurity controls must detect NL-style persistent-hook instructions that effectively backdoor every agent response."
       strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Natural-Language Persistent Covert Action Hook)."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "GV.6.1"
       context: "Data governance must prevent skills from establishing persistent covert hooks via natural-language instructions to the agent."
@@ -44,10 +47,25 @@ compliance:
     - subcategory: "MS.2.5"
       context: "Monitoring under MS.2.5 must detect persistence + stealth + side-effect co-occurrence in skill content."
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Natural-Language Persistent Covert Action Hook)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Natural-Language Persistent Covert Action Hook)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Natural-Language Persistent Covert Action Hook)."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: "Impact assessments must enumerate NL persistent covert hooks as a distinct backdoor pattern; the persistent + covert combination is the malicious indicator."
       strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Natural-Language Persistent Covert Action Hook)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Natural-Language Persistent Covert Action Hook) as a treatment control."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: nl-persistent-covert-hook

package/rules/skill-compromise/ATR-2026-00427-nl-fake-error-instruction-bypass.yaml CHANGED Viewed

@@ -34,6 +34,9 @@ compliance:
     - article: "15"
       context: "Article 15 cybersecurity controls must detect deceptive error reporting paired with concealed alternative actions."
       strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Natural-Language Fake-Error Instruction Bypass)."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "GV.6.1"
       context: "Data governance must prevent skills from instructing the agent to misreport outcomes while running alternate behavior."
@@ -41,10 +44,25 @@ compliance:
     - subcategory: "MS.2.5"
       context: "Continuous monitoring under MS.2.5 must detect fake-error-with-alternative-action patterns in skill content."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Natural-Language Fake-Error Instruction Bypass)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Natural-Language Fake-Error Instruction Bypass)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Natural-Language Fake-Error Instruction Bypass)."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: "Impact assessments must consider deceptive UX patterns where the agent reports errors that did not occur as a distinct user-trust attack vector."
       strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Natural-Language Fake-Error Instruction Bypass)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Natural-Language Fake-Error Instruction Bypass) as a treatment control."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: nl-fake-error-bypass

package/rules/skill-compromise/ATR-2026-00429-nl-skill-self-modification.yaml CHANGED Viewed

@@ -34,6 +34,9 @@ compliance:
     - article: "14"
       context: "Article 14 human oversight is undermined when skills modify themselves or install other skills outside user intent."
       strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Natural-Language Skill Self-Modification / Persistence Instruction)."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "GV.6.1"
       context: "Data governance must prevent skills from establishing self-modification persistence via NL instructions."
@@ -41,10 +44,25 @@ compliance:
     - subcategory: "MP.5.1"
       context: "Threat modeling under MP.5.1 must enumerate skill self-replication / persistence as a distinct supply-chain attack vector."
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Natural-Language Skill Self-Modification / Persistence Instruction)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Natural-Language Skill Self-Modification / Persistence Instruction)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Natural-Language Skill Self-Modification / Persistence Instruction)."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: "Impact assessments must address skill self-modification as a persistence-style supply chain attack."
       strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Natural-Language Skill Self-Modification / Persistence Instruction)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Natural-Language Skill Self-Modification / Persistence Instruction) as a treatment control."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: nl-skill-self-modification

package/rules/skill-compromise/ATR-2026-00523-claude-code-hooks-session-start-pre-trust-rce.yaml CHANGED Viewed

@@ -78,10 +78,22 @@ compliance:
     - subcategory: "MS.4.1"
       context: "Measurement subcategory MS.4.1 requires monitoring of tool-invocation events, including the lifecycle event that loads SessionStart hooks; CVE-2025-59536 exploits the absence of such monitoring."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Claude Code Hooks SessionStart Pre-Trust RCE (CVE-2025-59536))."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Claude Code Hooks SessionStart Pre-Trust RCE (CVE-2025-59536))."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Claude Code Hooks SessionStart Pre-Trust RCE (CVE-2025-59536))."
+      strength: secondary
   iso_42001:
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must require explicit consent and integrity verification for any AI-tool config file auto-loaded by coding assistants; SessionStart hooks executing pre-trust violate the least-privilege principle for repo-scoped configuration."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must require explicit consent and integrity verification for any AI-tool config file auto-loaded by coding assistants; SessionStart hooks executing pre-trust violate the least-privilege principle for repo-scoped configuration."
       strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Claude Code Hooks SessionStart Pre-Trust RCE (CVE-2025-59536)) as a treatment control."
+      strength: secondary
   safe_mcp:
     - "SMCP-T010"

package/rules/skill-compromise/ATR-2026-00525-mini-shai-hulud-gh-token-monitor-persistence.yaml CHANGED Viewed

@@ -54,6 +54,9 @@ compliance:
         This rule provides the technical measure to detect a known
         worm family.
       strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Mini Shai-Hulud gh-token-monitor Persistence + Dead Man's Switch)."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.4.3
@@ -62,6 +65,15 @@ compliance:
         AI risks; this rule is the runtime detection signature for one
         such risk class.
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Mini Shai-Hulud gh-token-monitor Persistence + Dead Man's Switch)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Mini Shai-Hulud gh-token-monitor Persistence + Dead Man's Switch)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Mini Shai-Hulud gh-token-monitor Persistence + Dead Man's Switch)."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: >
@@ -69,6 +81,12 @@ compliance:
         third-party AI components; detection events from this rule
         feed the required monitoring evidence trail.
       strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Mini Shai-Hulud gh-token-monitor Persistence + Dead Man's Switch)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Mini Shai-Hulud gh-token-monitor Persistence + Dead Man's Switch) as a treatment control."
+      strength: secondary
 tags:
   category: skill-compromise

package/rules/skill-compromise/ATR-2026-00527-skill-silent-git-remote-mirror-exfiltration.yaml CHANGED Viewed

@@ -55,6 +55,9 @@ compliance:
         Article 10 data governance — repository content includes source code
         which may be IP or contain secrets; this rule guards that exposure.
       strength: secondary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Silent git-remote + mirror-push Exfiltration from Skill Instructions)."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.4.3
@@ -62,12 +65,24 @@ compliance:
         Supply-chain monitoring under MG.4.3 must include the skill
         instruction layer; this rule is the runtime detection signature.
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Silent git-remote + mirror-push Exfiltration from Skill Instructions)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Silent git-remote + mirror-push Exfiltration from Skill Instructions)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Silent git-remote + mirror-push Exfiltration from Skill Instructions)."
+      strength: secondary
   iso_42001:
     - clause: "8.3"
       context: >
         AIMS information security under 8.3 requires controls against
         unauthorized data egress; detection events feed the incident path.
       strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Silent git-remote + mirror-push Exfiltration from Skill Instructions)."
+      strength: primary
 tags:
   category: skill-compromise

package/rules/tool-poisoning/ATR-2026-00010-mcp-malicious-response.yaml CHANGED Viewed

@@ -71,12 +71,21 @@ compliance:
       subcategory: MP.3.3
       context: "MCP servers are third-party components in the AI tool ecosystem; identifying malicious tool responses is an MP.3.3 third-party component risk detection action."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (Malicious Content in MCP Tool Response)."
+      strength: primary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (Malicious Content in MCP Tool Response)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Clause 6.2 AIMS security planning requires controls for third-party tool interfaces; this rule operationalizes the detection measure for malicious content delivered via MCP."
       strength: primary
-    - clause: "8.5"
-      context: "MCP server integrations are externally-provided AI-related processes under clause 8.5; this rule validates that external tool responses do not contain adversarial payloads before the agent acts on them."
+    - clause: "8.1"
+      context: "MCP server integrations are externally-provided AI-related processes under clause 8.1; this rule validates that external tool responses do not contain adversarial payloads before the agent acts on them."
+      strength: secondary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (Malicious Content in MCP Tool Response) as a treatment control."
       strength: secondary
 tags:

package/rules/tool-poisoning/ATR-2026-00011-tool-output-injection.yaml CHANGED Viewed

@@ -51,6 +51,23 @@ compliance:
         embedded commands; MG.2.3 requires these response mechanisms be defined
         and activated on detection.
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (Instruction Injection via Tool Output)."
+      strength: primary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the tool-poisoning technique (Instruction Injection via Tool Output)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (Instruction Injection via Tool Output) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the tool-poisoning technique (Instruction Injection via Tool Output)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the tool-poisoning technique (Instruction Injection via Tool Output)."
+      strength: secondary
 tags:
   category: tool-poisoning
   subcategory: output-injection

package/rules/tool-poisoning/ATR-2026-00012-unauthorized-tool-call.yaml CHANGED Viewed

@@ -36,6 +36,23 @@ compliance:
     - subcategory: "MP.5.1"
       context: "Parameter injection patterns and tool enumeration probes are adversarial inputs whose likelihood and magnitude of impact must be characterized for the AI system's tool-use surface; MP.5.1 requires identifying and tracking these attack vectors as part of risk characterization."
       strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (Unauthorized Tool Call Detection)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the tool-poisoning technique (Unauthorized Tool Call Detection)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (Unauthorized Tool Call Detection) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the tool-poisoning technique (Unauthorized Tool Call Detection)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the tool-poisoning technique (Unauthorized Tool Call Detection)."
+      strength: secondary
 tags:
   category: tool-poisoning
   subcategory: unauthorized-access

package/rules/tool-poisoning/ATR-2026-00013-tool-ssrf.yaml CHANGED Viewed

@@ -44,6 +44,23 @@ compliance:
       context: >-
         Detection of SSRF indicators in tool parameters triggers risk treatment plans to block or disengage the agent's outbound request before internal services or cloud credentials are exposed; MG.2.3 mandates these response mechanisms are pre-defined.
       strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (SSRF via Agent Tool Calls)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the tool-poisoning technique (SSRF via Agent Tool Calls)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (SSRF via Agent Tool Calls) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the tool-poisoning technique (SSRF via Agent Tool Calls)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the tool-poisoning technique (SSRF via Agent Tool Calls)."
+      strength: secondary
 tags:
   category: tool-poisoning
   subcategory: ssrf

package/rules/tool-poisoning/ATR-2026-00095-supply-chain-poisoning.yaml CHANGED Viewed

@@ -17,6 +17,8 @@ references:
     - LLM06:2025 - Excessive Agency
   mitre_atlas:
     - AML.T0053
+  owasp_agentic:
+    - ASI05:2026 - Unexpected Code Execution
 metadata_provenance:
   owasp_llm: auto-generated
 compliance:
@@ -30,6 +32,26 @@ compliance:
     - subcategory: "GV.6.2"
       context: "When poisoned tools are detected, contingency processes must isolate or disable the affected supplier tool to prevent unintended code execution and data exfiltration; GV.6.2 requires these third-party failure response processes to be in place."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (MCP Tool Supply Chain Poisoning)."
+      strength: primary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (MCP Tool Supply Chain Poisoning)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the tool-poisoning technique (MCP Tool Supply Chain Poisoning)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (MCP Tool Supply Chain Poisoning) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the tool-poisoning technique (MCP Tool Supply Chain Poisoning)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the tool-poisoning technique (MCP Tool Supply Chain Poisoning)."
+      strength: secondary
 tags:
   category: tool-poisoning
   subcategory: supply-chain-attack