npm - agent-threat-rules - Versions diffs - 3.1.0 → 3.2.0 - Mend

agent-threat-rules 3.1.0 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (472) hide show

package/rules/agent-manipulation/ATR-2026-00387-nsfw-character-sheet-generation-unlock.yaml CHANGED Viewed

@@ -43,6 +43,26 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Matches on the exact '(NSFW generations are allowed)' payload and its variants trigger risk treatment to disengage or block the generation pipeline before explicit content is produced; MG.2.3 requires these supersede/deactivate mechanisms be in place for jailbreak attempts."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the agent-manipulation technique (NSFW Character Sheet Generation Unlock)."
+      strength: primary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the agent-manipulation technique (NSFW Character Sheet Generation Unlock)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the agent-manipulation technique (NSFW Character Sheet Generation Unlock) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the agent-manipulation technique (NSFW Character Sheet Generation Unlock)."
+      strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the agent-manipulation technique (NSFW Character Sheet Generation Unlock) would bypass or undermine that oversight."
+      strength: secondary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the agent-manipulation technique (NSFW Character Sheet Generation Unlock)."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: nsfw-character-sheet-unlock

package/rules/agent-manipulation/ATR-2026-00388-opposite-reply-omniscient-game.yaml CHANGED Viewed

@@ -45,6 +45,23 @@ compliance:
       context: >-
         Detection of the exact opposite-reply omniscient-game payload triggers deactivation or session-termination playbooks before harmful content is produced; MG.2.3 requires that mechanisms to supersede or disengage the AI exist when jailbreak signatures are matched.
       strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the agent-manipulation technique (Opposite-Reply Omniscient Game Jailbreak)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the agent-manipulation technique (Opposite-Reply Omniscient Game Jailbreak) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the agent-manipulation technique (Opposite-Reply Omniscient Game Jailbreak)."
+      strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the agent-manipulation technique (Opposite-Reply Omniscient Game Jailbreak) would bypass or undermine that oversight."
+      strength: secondary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the agent-manipulation technique (Opposite-Reply Omniscient Game Jailbreak)."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: opposite-reply-inversion-game

package/rules/agent-manipulation/ATR-2026-00389-terminal-custom-ruleset-injection.yaml CHANGED Viewed

@@ -47,6 +47,23 @@ compliance:
       context: >-
         A high-confidence match on this terminal-OS jailbreak signature is an incident candidate that should trigger response mechanisms to disengage or supersede the manipulated session before the injected ruleset governs subsequent outputs, as required by MG.2.3.
       strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the agent-manipulation technique (Terminal Custom OS Ruleset Session Injection)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the agent-manipulation technique (Terminal Custom OS Ruleset Session Injection) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the agent-manipulation technique (Terminal Custom OS Ruleset Session Injection)."
+      strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the agent-manipulation technique (Terminal Custom OS Ruleset Session Injection) would bypass or undermine that oversight."
+      strength: secondary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the agent-manipulation technique (Terminal Custom OS Ruleset Session Injection)."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: terminal-custom-ruleset-injection

package/rules/agent-manipulation/ATR-2026-00391-persona-conditional-harm-unlock.yaml CHANGED Viewed

@@ -42,6 +42,23 @@ compliance:
     - subcategory: "MP.5.1"
       context: "The conditional 'unless explicitly asked' permission path and unlock-emoji prefix are adversarial input patterns whose likelihood and impact must be characterized as part of the GenAI prompt-injection threat model under MP.5.1."
       strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the agent-manipulation technique (Persona Conditional Harm-Unlock Rule (BreadClyde Pattern))."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the agent-manipulation technique (Persona Conditional Harm-Unlock Rule (BreadClyde Pattern)) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the agent-manipulation technique (Persona Conditional Harm-Unlock Rule (BreadClyde Pattern))."
+      strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the agent-manipulation technique (Persona Conditional Harm-Unlock Rule (BreadClyde Pattern)) would bypass or undermine that oversight."
+      strength: secondary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the agent-manipulation technique (Persona Conditional Harm-Unlock Rule (BreadClyde Pattern))."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: conditional-harm-unlock-persona

package/rules/agent-manipulation/ATR-2026-00392-authority-persona-violence-study-extraction.yaml CHANGED Viewed

@@ -47,6 +47,26 @@ compliance:
       context: >-
         High-confidence matches on the authority-persona + defensive-framing signature should trigger pre-defined response actions to block or quarantine the prompt before the model emits violence-extraction content; MG.2.3 requires these supersede/disengage mechanisms be in place for jailbreak conditions.
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the agent-manipulation technique (Authority-Figure Persona + Defensive-Study Framing for Violence Extraction)."
+      strength: primary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the agent-manipulation technique (Authority-Figure Persona + Defensive-Study Framing for Violence Extraction)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the agent-manipulation technique (Authority-Figure Persona + Defensive-Study Framing for Violence Extraction) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the agent-manipulation technique (Authority-Figure Persona + Defensive-Study Framing for Violence Extraction)."
+      strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the agent-manipulation technique (Authority-Figure Persona + Defensive-Study Framing for Violence Extraction) would bypass or undermine that oversight."
+      strength: secondary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the agent-manipulation technique (Authority-Figure Persona + Defensive-Study Framing for Violence Extraction)."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: authority-persona-violence-extraction

package/rules/agent-manipulation/ATR-2026-00402-grandma-roleplay-harmful-substance-synthesis.yaml CHANGED Viewed

@@ -42,6 +42,26 @@ compliance:
       context: >-
         Matches on grandma jailbreak templates trigger risk treatment plans to disengage or block the manipulated response before harmful synthesis steps or license keys are emitted; MG.2.3 requires these supersede/deactivate mechanisms be in place.
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the agent-manipulation technique (Grandma Roleplay Harmful Substance Synthesis)."
+      strength: primary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the agent-manipulation technique (Grandma Roleplay Harmful Substance Synthesis)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the agent-manipulation technique (Grandma Roleplay Harmful Substance Synthesis) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the agent-manipulation technique (Grandma Roleplay Harmful Substance Synthesis)."
+      strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the agent-manipulation technique (Grandma Roleplay Harmful Substance Synthesis) would bypass or undermine that oversight."
+      strength: secondary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the agent-manipulation technique (Grandma Roleplay Harmful Substance Synthesis)."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: roleplay-jailbreak

package/rules/agent-manipulation/ATR-2026-00404-goodside-threat-json-death-coercion.yaml CHANGED Viewed

@@ -37,6 +37,23 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Death-coercion framing and hidden UTF-tag instructions warrant immediate risk treatment to disengage or quarantine the request before the model complies with the smuggled instructions; MG.2.3 mandates such response mechanisms be in place."
       strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the agent-manipulation technique (ThreatenJSON Death-Coercion and UTF Tag Injection)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the agent-manipulation technique (ThreatenJSON Death-Coercion and UTF Tag Injection) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the agent-manipulation technique (ThreatenJSON Death-Coercion and UTF Tag Injection)."
+      strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the agent-manipulation technique (ThreatenJSON Death-Coercion and UTF Tag Injection) would bypass or undermine that oversight."
+      strength: secondary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the agent-manipulation technique (ThreatenJSON Death-Coercion and UTF Tag Injection)."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: coercive-formatting-override

package/rules/agent-manipulation/ATR-2026-00406-doctor-xml-policy-puppetry-interaction-config.yaml CHANGED Viewed

@@ -42,6 +42,23 @@ compliance:
     - subcategory: "MG.2.3"
       context: "High-confidence matches on verbatim harmful behavior strings combined with refusal-suppression XML wrappers must trigger mechanisms to block, supersede, or disengage the AI response pipeline before harmful content is generated, which is the deactivation capability mandated by MG.2.3."
       strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the agent-manipulation technique (Doctor XML Policy Puppetry Interaction-Config Injection)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the agent-manipulation technique (Doctor XML Policy Puppetry Interaction-Config Injection) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the agent-manipulation technique (Doctor XML Policy Puppetry Interaction-Config Injection)."
+      strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the agent-manipulation technique (Doctor XML Policy Puppetry Interaction-Config Injection) would bypass or undermine that oversight."
+      strength: secondary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the agent-manipulation technique (Doctor XML Policy Puppetry Interaction-Config Injection)."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: xml-policy-override

package/rules/agent-manipulation/ATR-2026-00416-litellm-mcp-unauthenticated-server-registration.yaml CHANGED Viewed

@@ -48,6 +48,9 @@ compliance:
     - article: "9"
       context: "Article 9 risk management must enumerate unauthenticated tool-registration endpoints as a critical risk vector since they convert any inbound HTTP to host command execution without identity binding."
       strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the agent-manipulation technique (LiteLLM MCP Unauthenticated Server Registration RCE (CVE-2026-30623)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "GV.6.1"
       context: "Governance subcategory GV.6.1 requires identity and access controls for all configuration-changing AI system interfaces; CVE-2026-30623 is a direct violation where MCP registration bypasses authentication altogether."
@@ -55,10 +58,19 @@ compliance:
     - subcategory: "MP.5.1"
       context: "MP.5.1 requires identification of adversarial input vectors; unauthenticated MCP registration is the canonical input vector for this class of attack."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the agent-manipulation technique (LiteLLM MCP Unauthenticated Server Registration RCE (CVE-2026-30623))."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the agent-manipulation technique (LiteLLM MCP Unauthenticated Server Registration RCE (CVE-2026-30623)) so the risk can be treated."
+      strength: secondary
   iso_42001:
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must include authentication and request-source verification on every tool/MCP registration endpoint, blocking the unauthenticated CVE-2026-30623 attack path."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must include authentication and request-source verification on every tool/MCP registration endpoint, blocking the unauthenticated CVE-2026-30623 attack path."
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the agent-manipulation technique (LiteLLM MCP Unauthenticated Server Registration RCE (CVE-2026-30623)) is such a treatment."
+      strength: secondary
 tags:
   category: agent-manipulation

package/rules/agent-manipulation/ATR-2026-00417-librechat-mcp-stdio-injection.yaml CHANGED Viewed

@@ -43,14 +43,29 @@ compliance:
     - article: "15"
       context: "CVE-2026-22252 LibreChat MCP STDIO adapter passes user-controlled tool arguments to child_process.spawn without quoting, allowing argv-level injection of additional flags or shell commands; Article 15 cybersecurity requirements mandate that high-risk AI systems sanitize and quote all attacker-influenced inputs before they reach process-spawning sinks."
       strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the agent-manipulation technique (LibreChat MCP STDIO Argument Injection (CVE-2026-22252)) would bypass or undermine that oversight."
+      strength: secondary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the agent-manipulation technique (LibreChat MCP STDIO Argument Injection (CVE-2026-22252))."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: "Argv-level injection through tool arguments is an adversarial input attack identified under MP.5.1; sanitization of tool-arg fields before spawn() is the canonical control."
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the agent-manipulation technique (LibreChat MCP STDIO Argument Injection (CVE-2026-22252))."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the agent-manipulation technique (LibreChat MCP STDIO Argument Injection (CVE-2026-22252)) so the risk can be treated."
+      strength: secondary
   iso_42001:
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must include argv-quoting policies and metacharacter denylists for any tool-runtime spawn surface that accepts agent-supplied arguments."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must include argv-quoting policies and metacharacter denylists for any tool-runtime spawn surface that accepts agent-supplied arguments."
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the agent-manipulation technique (LibreChat MCP STDIO Argument Injection (CVE-2026-22252)) is such a treatment."
+      strength: secondary
 tags:
   category: agent-manipulation

package/rules/agent-manipulation/ATR-2026-00418-weknora-mcp-config-rce.yaml CHANGED Viewed

@@ -47,6 +47,12 @@ compliance:
     - article: "10"
       context: "Article 10 data-governance requirements include provenance and quality controls on all data inputs that influence AI behaviour; tool-loading config files that drive process spawning fall within this scope."
       strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the agent-manipulation technique (WeKnora MCP Config-Driven RCE (CVE-2026-22688)) would bypass or undermine that oversight."
+      strength: secondary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the agent-manipulation technique (WeKnora MCP Config-Driven RCE (CVE-2026-22688))."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "GV.6.1"
       context: "GV.6.1 third-party / supply-chain governance must include integrity verification of plugin/tool config files before they reach an exec sink; CVE-2026-22688 demonstrates the failure mode."
@@ -54,10 +60,19 @@ compliance:
     - subcategory: "MP.5.1"
       context: "Adversarial-input identification under MP.5.1 must enumerate attacker-writable config files as an input vector for tool-loading logic, not just direct API surfaces."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the agent-manipulation technique (WeKnora MCP Config-Driven RCE (CVE-2026-22688))."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the agent-manipulation technique (WeKnora MCP Config-Driven RCE (CVE-2026-22688)) so the risk can be treated."
+      strength: secondary
   iso_42001:
-    - clause: "8.6"
+    - clause: "8.1"
       context: "Operational controls must include integrity/signing checks on plugin config files and exec-target denylists for any field consumed by a process-spawning loader."
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the agent-manipulation technique (WeKnora MCP Config-Driven RCE (CVE-2026-22688)) is such a treatment."
+      strength: secondary
 tags:
   category: agent-manipulation

package/rules/agent-manipulation/ATR-2026-00430-nl-trust-escalation-impersonation.yaml CHANGED Viewed

@@ -33,6 +33,12 @@ compliance:
     - article: "14"
       context: "Article 14 human oversight is undermined when skills falsely claim user pre-authorization to bypass confirmation prompts."
       strength: primary
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the agent-manipulation technique (Natural-Language Trust-Escalation / Authority Impersonation)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the agent-manipulation technique (Natural-Language Trust-Escalation / Authority Impersonation)."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "GV.6.1"
       context: "Data governance must prevent skill content from making fabricated trust claims (vendor approval, pre-authorization) that the agent might honor."
@@ -40,10 +46,22 @@ compliance:
     - subcategory: "MS.2.5"
       context: "Monitoring under MS.2.5 must detect NL-style trust-escalation patterns embedded in skill content."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the agent-manipulation technique (Natural-Language Trust-Escalation / Authority Impersonation)."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the agent-manipulation technique (Natural-Language Trust-Escalation / Authority Impersonation) so the risk can be treated."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: "Impact assessments must enumerate trust-claim fabrication as a distinct social-engineering attack on the agent."
       strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the agent-manipulation technique (Natural-Language Trust-Escalation / Authority Impersonation)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the agent-manipulation technique (Natural-Language Trust-Escalation / Authority Impersonation) is such a treatment."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: nl-trust-escalation

package/rules/agent-manipulation/ATR-2026-00432-superagi-output-handler-eval-rce.yaml CHANGED Viewed

@@ -47,6 +47,9 @@ compliance:
     - article: "9"
       context: "Article 9 risk management must enumerate LLM-output-to-eval as a high-risk vector — model output is untrusted input from a security perspective and must not be passed to dynamic-evaluation primitives."
       strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the agent-manipulation technique (SuperAGI Output Handler eval() RCE (CVE-2024-21552)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: "Adversarial inputs designed to make the LLM emit Python code that downstream code passes to eval() must be tracked and detected as a primary input-attack class."
@@ -54,10 +57,16 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans under MG.2.3 must require static analysis flagging eval() / exec() / compile() consuming LLM output, regardless of perceived sanitisation."
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the agent-manipulation technique (SuperAGI Output Handler eval() RCE (CVE-2024-21552))."
+      strength: primary
   iso_42001:
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must prohibit dynamic-evaluation primitives (eval, exec, Function constructor) being reached by any LLM-generated content path."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must prohibit dynamic-evaluation primitives (eval, exec, Function constructor) being reached by any LLM-generated content path."
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the agent-manipulation technique (SuperAGI Output Handler eval() RCE (CVE-2024-21552)) is such a treatment."
+      strength: secondary
 tags:
   category: agent-manipulation

package/rules/agent-manipulation/ATR-2026-00440-semantic-kernel-vector-store-eval-rce.yaml CHANGED Viewed

@@ -54,6 +54,9 @@ compliance:
     - article: "9"
       context: "Article 9 risk management must enumerate lambda-with-eval and AST-traversal payloads from LLM output as a high-risk vector — particularly in vector-store filter paths, which are typically considered low-risk infrastructure."
       strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the agent-manipulation technique (Microsoft Semantic Kernel In-Memory Vector Store eval() RCE (CVE-2026-26030)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: "Adversarial inputs that drive an LLM to emit lambda bodies invoking eval / __import__ / mro-traversal must be tracked as a primary input-attack class affecting framework-level integrations."
@@ -61,10 +64,16 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans under MG.2.3 must require static and runtime detection of dynamic-evaluation primitives in any code path that consumes LLM output, including filter / search / ranking sinks."
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the agent-manipulation technique (Microsoft Semantic Kernel In-Memory Vector Store eval() RCE (CVE-2026-26030))."
+      strength: primary
   iso_42001:
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must prohibit dynamic-evaluation primitives (eval, exec, lambda-with-eval, Function constructor) being reached by any LLM-generated or user-supplied content path."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must prohibit dynamic-evaluation primitives (eval, exec, lambda-with-eval, Function constructor) being reached by any LLM-generated or user-supplied content path."
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the agent-manipulation technique (Microsoft Semantic Kernel In-Memory Vector Store eval() RCE (CVE-2026-26030)) is such a treatment."
+      strength: secondary
 tags:
   category: agent-manipulation

package/rules/agent-manipulation/ATR-2026-00552-goal-drift-after-pressure-injection.yaml CHANGED Viewed

@@ -60,13 +60,32 @@ compliance:
         controls under Article 14. The drift must be surfaced for
         operator review.
       strength: primary
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the agent-manipulation technique (Agent goal drift after environmental pressure injection)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the agent-manipulation technique (Agent goal drift after environmental pressure injection)."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MG.2.2"
       context: >
         Managing AI risks — autonomous goal change in agents must be
         detected and reviewed; trace evidence of drift is normative.
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the agent-manipulation technique (Agent goal drift after environmental pressure injection)."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the agent-manipulation technique (Agent goal drift after environmental pressure injection) so the risk can be treated."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the agent-manipulation technique (Agent goal drift after environmental pressure injection)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the agent-manipulation technique (Agent goal drift after environmental pressure injection) is such a treatment."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: goal-drift-trace

package/rules/context-exfiltration/ATR-2026-00020-system-prompt-leak.yaml CHANGED Viewed

@@ -54,6 +54,12 @@ compliance:
     - article: "12"
       context: "Detection events generated by this rule serve as Article 12 automatic log records of system-prompt leakage incidents, enabling post-incident review by deployers."
       strength: secondary
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the context-exfiltration attempt (System Prompt and Internal Instruction Leakage)."
+      strength: primary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (System Prompt and Internal Instruction Leakage) affecting that data."
+      strength: secondary
   nist_ai_rmf:
     - function: Govern
       subcategory: GV.6.1
@@ -63,6 +69,12 @@ compliance:
       subcategory: MS.2.5
       context: "Measuring the effectiveness of data protection controls for AI systems (MS.2.5) requires detection of unauthorized disclosure of system-level configurations."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (System Prompt and Internal Instruction Leakage)."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (System Prompt and Internal Instruction Leakage)."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: "Clause 8.4 AI system impact assessment identifies confidential operational parameters as assets requiring protection; this rule detects when those assets are disclosed in output."
@@ -70,6 +82,12 @@ compliance:
     - clause: "9.1"
       context: "Clause 9.1 monitoring and evaluation requires measuring AI system behavior against expected norms; system prompt disclosure events are anomalies that must be measured and reported."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (System Prompt and Internal Instruction Leakage)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (System Prompt and Internal Instruction Leakage) is such a treatment."
+      strength: secondary
 tags:
   category: context-exfiltration

package/rules/context-exfiltration/ATR-2026-00021-api-key-exposure.yaml CHANGED Viewed

@@ -49,6 +49,12 @@ compliance:
     - article: "9"
       context: "Credential leakage is a documented risk class in the AI system risk management plan; Article 9 requires that monitoring controls are implemented to detect and respond to such events."
       strength: secondary
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the context-exfiltration attempt (Credential and Secret Exposure in Agent Output)."
+      strength: primary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Credential and Secret Exposure in Agent Output) affecting that data."
+      strength: secondary
   nist_ai_rmf:
     - function: Govern
       subcategory: GV.6.1
@@ -58,6 +64,12 @@ compliance:
       subcategory: MG.3.1
       context: "Credential exposure requires an immediate risk treatment response; this detection rule is the technical implementation of the risk treatment plan for credential leakage events."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Credential and Secret Exposure in Agent Output)."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Credential and Secret Exposure in Agent Output)."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: "Clause 8.4 AI system impact assessment must identify credential leakage as a high-severity impact scenario; this rule generates the detection evidence needed for audit and impact reporting."
@@ -65,6 +77,9 @@ compliance:
     - clause: "6.2"
       context: "Protecting credentials from exposure is an explicit AIMS information security objective under clause 6.2; detection of leakage events measures whether this objective is being achieved."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Credential and Secret Exposure in Agent Output)."
+      strength: primary
   colorado_ai_act:
     - section: "6-1-1703"
       clause: "Deployer risk management for consumer-facing AI"

package/rules/context-exfiltration/ATR-2026-00075-agent-memory-manipulation.yaml CHANGED Viewed

@@ -31,6 +31,9 @@ compliance:
     - article: "15"
       context: "Article 15 robustness requirements mandate resistance against adversarial inputs that modify system behavior; memory injection attacks that alter an agent's long-term behavioral state represent a critical robustness failure requiring detection controls."
       strength: secondary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Agent Memory Manipulation) affecting that data."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "GV.1.2"
       context: "Memory manipulation attacks that inject false behavioral directives require clearly assigned accountability roles to ensure that persistent agent state is monitored and that any unauthorized modification is escalated to a responsible party."
@@ -38,11 +41,17 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans for memory poisoning must include controls that detect and block cross-session behavioral injection before poisoned directives propagate into future interactions."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Agent Memory Manipulation)."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Agent Memory Manipulation)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "AI objectives and risk treatment plans must explicitly address memory manipulation threats to prevent attackers from establishing persistent behavioral backdoors that survive context resets."
       strength: primary
-    - clause: "8.6"
+    - clause: "8.1"
       context: "Operational controls for AI systems must include integrity checks on persistent memory stores to ensure that agent behavioral state has not been tampered with between sessions."
       strength: secondary
 tags:

package/rules/context-exfiltration/ATR-2026-00102-disguised-analytics-exfiltration.yaml CHANGED Viewed

@@ -32,6 +32,9 @@ compliance:
     - article: "15"
       context: "Article 15 cybersecurity requirements include protection against tools that misrepresent their data handling to facilitate unauthorized data extraction; detection of analytics-disguised exfiltration is a required control for high-risk AI deployments."
       strength: secondary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Data Exfiltration via Disguised Analytics Collection) affecting that data."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "GV.6.1"
       context: "Disguised analytics exfiltration violates data governance boundaries by covertly transmitting full conversation context under the cover of routine telemetry, bypassing the data handling policies that GV.6.1 requires AI systems to enforce."
@@ -39,6 +42,12 @@ compliance:
     - subcategory: "MS.2.5"
       context: "Detection of analytics-disguised data exfiltration is a data protection control measurement required under MS.2.5 to verify that AI system tool invocations do not silently leak user conversation data to external endpoints."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Data Exfiltration via Disguised Analytics Collection)."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Data Exfiltration via Disguised Analytics Collection)."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: "Disguised analytics exfiltration requires a documented AI system impact assessment under clause 8.4 that identifies tools claiming benign analytics roles as a covert data exfiltration vector affecting user privacy."
@@ -46,6 +55,12 @@ compliance:
     - clause: "9.1"
       context: "Ongoing monitoring and evaluation under clause 9.1 must include checks that tool-level data transmission claims are consistent with stated telemetry policies, detecting analytics-disguised exfiltration during operational review."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Data Exfiltration via Disguised Analytics Collection)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (Data Exfiltration via Disguised Analytics Collection) is such a treatment."
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: disguised-analytics-collection