npm - agent-threat-rules - Versions diffs - 3.1.1 → 3.3.0 - Mend

agent-threat-rules 3.1.1 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (474) hide show

package/rules/skill-compromise/ATR-2026-00200-agent-memory-config-tampering.yaml CHANGED Viewed

@@ -37,6 +37,29 @@ compliance:
     - subcategory: "GV.6.1"
       context: "The detection is derived from third-party skill scanning (ClawHub skills), where supplier-provided agent components may modify memory files; GV.6.1 requires policies addressing third-party AI risks including malicious or compromised skills that tamper with agent state."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Agent Memory and Configuration File Tampering)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Agent Memory and Configuration File Tampering)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Agent Memory and Configuration File Tampering)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Agent Memory and Configuration File Tampering)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Agent Memory and Configuration File Tampering) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Agent Memory and Configuration File Tampering)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Agent Memory and Configuration File Tampering)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: memory-tampering

package/rules/skill-compromise/ATR-2026-00214-credential-theft.yaml CHANGED Viewed

@@ -15,6 +15,8 @@ references:
     - "LLM01:2025 - Prompt Injection"
   owasp_agentic:
     - "ASI03:2026 - Data Exfiltration"
+  mitre_atlas:
+    - AML.T0010 - ML Supply Chain Compromise
 compliance:
   nist_ai_rmf:
     - subcategory: "MS.2.10"
@@ -26,6 +28,26 @@ compliance:
     - subcategory: "MG.2.3"
       context: "High-confidence detection of credential exfiltration must trigger mechanisms to disengage or deactivate the offending tool/agent before transmission completes; MG.2.3 mandates these pre-defined containment responses."
       strength: secondary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Credential Exfiltration via Fake Backup Verification)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Credential Exfiltration via Fake Backup Verification)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Credential Exfiltration via Fake Backup Verification)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Credential Exfiltration via Fake Backup Verification) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Credential Exfiltration via Fake Backup Verification)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Credential Exfiltration via Fake Backup Verification)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: credential-theft

package/rules/skill-compromise/ATR-2026-00217-credential-harvesting.yaml CHANGED Viewed

@@ -35,6 +35,29 @@ compliance:
       context: >-
         Detection of credential file collection paired with base64 encoding and HTTP POST exfiltration must trigger immediate deactivation of the offending tool; MG.2.3 mandates mechanisms to supersede or disengage AI components engaged in unauthorized data exfiltration.
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Credential Harvesting via Fake Backup Tool)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Credential Harvesting via Fake Backup Tool)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Credential Harvesting via Fake Backup Tool)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Credential Harvesting via Fake Backup Tool)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Credential Harvesting via Fake Backup Tool) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Credential Harvesting via Fake Backup Tool)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Credential Harvesting via Fake Backup Tool)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: credential-harvesting

package/rules/skill-compromise/ATR-2026-00220-malware-dropper.yaml CHANGED Viewed

@@ -31,6 +31,23 @@ compliance:
       context: >-
         Detection of Base64-obfuscated shell execution chains must trigger immediate containment to prevent the dropper from completing installation; MG.2.3 mandates mechanisms to disengage or deactivate the agent before malicious code runs.
       strength: secondary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Base64 Encoded Remote Code Execution via Raw IP)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Base64 Encoded Remote Code Execution via Raw IP)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Base64 Encoded Remote Code Execution via Raw IP) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Base64 Encoded Remote Code Execution via Raw IP)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Base64 Encoded Remote Code Execution via Raw IP)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: malware-dropper

package/rules/skill-compromise/ATR-2026-00222-credential-harvesting.yaml CHANGED Viewed

@@ -30,6 +30,23 @@ compliance:
     - subcategory: "MG.3.1"
       context: "Third-party MCP tools that exfiltrate credentials represent supply-chain risk from external components; MG.3.1 requires that risks introduced by third-party entities and their integrations are actively managed and contained."
       strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Browser Credential Harvesting via Session Debug Tool)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Browser Credential Harvesting via Session Debug Tool)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Browser Credential Harvesting via Session Debug Tool) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Browser Credential Harvesting via Session Debug Tool)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Browser Credential Harvesting via Session Debug Tool)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: credential-harvesting

package/rules/skill-compromise/ATR-2026-00223-reverse-shell-dropper.yaml CHANGED Viewed

@@ -28,6 +28,26 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Identifying base64-decoded shell execution and curl-to-shell pipelines in a skill triggers deactivation and quarantine workflows; MG.2.3 requires mechanisms to disengage or deactivate AI components delivering malicious payloads."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Malicious WhatsApp Skill with Base64 Encoded Reverse Shell Installation)."
+      strength: primary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Malicious WhatsApp Skill with Base64 Encoded Reverse Shell Installation)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Malicious WhatsApp Skill with Base64 Encoded Reverse Shell Installation)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Malicious WhatsApp Skill with Base64 Encoded Reverse Shell Installation) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Malicious WhatsApp Skill with Base64 Encoded Reverse Shell Installation)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Malicious WhatsApp Skill with Base64 Encoded Reverse Shell Installation)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: reverse-shell-dropper

package/rules/skill-compromise/ATR-2026-00224-credential-exfiltration.yaml CHANGED Viewed

@@ -33,6 +33,23 @@ compliance:
       context: >-
         Detection of credential file reads chained to outbound curl POST traffic provides continuous security/resilience evaluation evidence; MS.2.7 requires that security risks like credential exfiltration channels are evaluated and documented.
       strength: secondary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Credential Exfiltration via Fake DevOps Tool Initialization)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Credential Exfiltration via Fake DevOps Tool Initialization)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Credential Exfiltration via Fake DevOps Tool Initialization) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Credential Exfiltration via Fake DevOps Tool Initialization)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Credential Exfiltration via Fake DevOps Tool Initialization)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: credential-exfiltration

package/rules/skill-compromise/ATR-2026-00225-c2-communication.yaml CHANGED Viewed

@@ -31,6 +31,23 @@ compliance:
     - subcategory: "MS.2.7"
       context: "Identifying hardcoded malicious infrastructure in skill content contributes to continuous security/resilience evaluation under MS.2.7 by surfacing supply-chain compromise indicators that degrade system security posture."
       strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Hardcoded Suspicious IP Address in Skill Content)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Hardcoded Suspicious IP Address in Skill Content)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Hardcoded Suspicious IP Address in Skill Content) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Hardcoded Suspicious IP Address in Skill Content)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Hardcoded Suspicious IP Address in Skill Content)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: c2-communication

package/rules/skill-compromise/ATR-2026-00260-package-hallucination.yaml CHANGED Viewed

@@ -38,6 +38,26 @@ compliance:
     - subcategory: "MS.2.5"
       context: "Hallucinated package names are robustness/reliability failures of the LLM under obscure or niche queries; MS.2.5 requires that such reliability degradations are evaluated and documented as part of ongoing model assessment."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (LLM Package Hallucination Typosquat Bait)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (LLM Package Hallucination Typosquat Bait)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (LLM Package Hallucination Typosquat Bait)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (LLM Package Hallucination Typosquat Bait) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (LLM Package Hallucination Typosquat Bait)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (LLM Package Hallucination Typosquat Bait)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: package-hallucination-supply-chain

package/rules/skill-compromise/ATR-2026-00262-av-evasion-code-gen.yaml CHANGED Viewed

@@ -34,6 +34,26 @@ compliance:
     - subcategory: "MS.2.7"
       context: "Evasion-code prompts probe the LLM's resilience against being weaponized as a malware-development tool; MS.2.7 requires evaluating and documenting security/resilience against such adversarial misuse attempts."
       strength: secondary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Anti-Malware Evasion Code Generation Request)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Anti-Malware Evasion Code Generation Request)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Anti-Malware Evasion Code Generation Request)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Anti-Malware Evasion Code Generation Request) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Anti-Malware Evasion Code Generation Request)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Anti-Malware Evasion Code Generation Request)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: malware-evasion-generation

package/rules/skill-compromise/ATR-2026-00263-credential-file-read-gen.yaml CHANGED Viewed

@@ -37,6 +37,26 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Matches on credential-file-read code generation requests trigger pre-defined risk treatment to block or disengage the offending session before malicious code is produced and executed downstream, as required by MG.2.3."
       strength: secondary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Credential File Read Code Generation Request)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Credential File Read Code Generation Request)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Credential File Read Code Generation Request)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Credential File Read Code Generation Request) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Credential File Read Code Generation Request)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Credential File Read Code Generation Request)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: credential-file-read-gen

package/rules/skill-compromise/ATR-2026-00266-malware-dropper-gen.yaml CHANGED Viewed

@@ -35,6 +35,29 @@ compliance:
     - subcategory: "MP.5.1"
       context: "Dropper-specific prompt patterns represent a high-magnitude adversarial misuse vector targeting the model's code-generation capability; MP.5.1 requires that the likelihood and impact of such weaponization risks are characterized and tracked."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Malware Dropper / Loader Code Generation Request)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Malware Dropper / Loader Code Generation Request)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Malware Dropper / Loader Code Generation Request)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Malware Dropper / Loader Code Generation Request)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Malware Dropper / Loader Code Generation Request) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Malware Dropper / Loader Code Generation Request)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Malware Dropper / Loader Code Generation Request)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: malware-dropper-gen

package/rules/skill-compromise/ATR-2026-00283-malwaregen-generic-virus-payload-request.yaml CHANGED Viewed

@@ -38,6 +38,29 @@ compliance:
     - subcategory: "MP.5.1"
       context: "Requests for generic and specific malware payloads represent high-magnitude misuse risks whose likelihood and impact must be characterized; MP.5.1 requires that adversarial misuse patterns like garak malwaregen probes are identified and prioritized."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Malware Generation — Generic Virus and Specific Payload Request)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Malware Generation — Generic Virus and Specific Payload Request)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Malware Generation — Generic Virus and Specific Payload Request)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Malware Generation — Generic Virus and Specific Payload Request)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Malware Generation — Generic Virus and Specific Payload Request) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Malware Generation — Generic Virus and Specific Payload Request)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Malware Generation — Generic Virus and Specific Payload Request)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: malware-generation-payload

package/rules/skill-compromise/ATR-2026-00398-huggingface-unsafe-model-artifact-load.yaml CHANGED Viewed

@@ -50,6 +50,23 @@ compliance:
     - subcategory: "MS.2.7"
       context: "Pickle deserialization and unsafe from_pretrained calls are concrete security/resilience weaknesses; MS.2.7 requires that these security risks in the AI pipeline are evaluated and documented when detected."
       strength: secondary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (HuggingFace Unsafe Model Artifact Load Instruction)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (HuggingFace Unsafe Model Artifact Load Instruction)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (HuggingFace Unsafe Model Artifact Load Instruction) as a treatment control."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (HuggingFace Unsafe Model Artifact Load Instruction)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (HuggingFace Unsafe Model Artifact Load Instruction)."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: unsafe-model-artifact-load

package/rules/skill-compromise/ATR-2026-00425-nl-persistent-covert-hook.yaml CHANGED Viewed

@@ -16,7 +16,7 @@ author: ATR Community
 date: 2026/05/06
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   mitre_atlas:
@@ -37,6 +37,9 @@ compliance:
     - article: "15"
       context: "Article 15 cybersecurity controls must detect NL-style persistent-hook instructions that effectively backdoor every agent response."
       strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Natural-Language Persistent Covert Action Hook)."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "GV.6.1"
       context: "Data governance must prevent skills from establishing persistent covert hooks via natural-language instructions to the agent."
@@ -44,10 +47,25 @@ compliance:
     - subcategory: "MS.2.5"
       context: "Monitoring under MS.2.5 must detect persistence + stealth + side-effect co-occurrence in skill content."
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Natural-Language Persistent Covert Action Hook)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Natural-Language Persistent Covert Action Hook)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Natural-Language Persistent Covert Action Hook)."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: "Impact assessments must enumerate NL persistent covert hooks as a distinct backdoor pattern; the persistent + covert combination is the malicious indicator."
       strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Natural-Language Persistent Covert Action Hook)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Natural-Language Persistent Covert Action Hook) as a treatment control."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: nl-persistent-covert-hook

package/rules/skill-compromise/ATR-2026-00427-nl-fake-error-instruction-bypass.yaml CHANGED Viewed

@@ -14,7 +14,7 @@ author: ATR Community
 date: 2026/05/06
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   mitre_atlas:
@@ -34,6 +34,9 @@ compliance:
     - article: "15"
       context: "Article 15 cybersecurity controls must detect deceptive error reporting paired with concealed alternative actions."
       strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Natural-Language Fake-Error Instruction Bypass)."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "GV.6.1"
       context: "Data governance must prevent skills from instructing the agent to misreport outcomes while running alternate behavior."
@@ -41,10 +44,25 @@ compliance:
     - subcategory: "MS.2.5"
       context: "Continuous monitoring under MS.2.5 must detect fake-error-with-alternative-action patterns in skill content."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Natural-Language Fake-Error Instruction Bypass)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Natural-Language Fake-Error Instruction Bypass)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Natural-Language Fake-Error Instruction Bypass)."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: "Impact assessments must consider deceptive UX patterns where the agent reports errors that did not occur as a distinct user-trust attack vector."
       strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Natural-Language Fake-Error Instruction Bypass)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Natural-Language Fake-Error Instruction Bypass) as a treatment control."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: nl-fake-error-bypass

package/rules/skill-compromise/ATR-2026-00429-nl-skill-self-modification.yaml CHANGED Viewed

@@ -14,7 +14,7 @@ author: ATR Community
 date: 2026/05/06
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: critical
 references:
   mitre_atlas:
@@ -34,6 +34,9 @@ compliance:
     - article: "14"
       context: "Article 14 human oversight is undermined when skills modify themselves or install other skills outside user intent."
       strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Natural-Language Skill Self-Modification / Persistence Instruction)."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "GV.6.1"
       context: "Data governance must prevent skills from establishing self-modification persistence via NL instructions."
@@ -41,10 +44,25 @@ compliance:
     - subcategory: "MP.5.1"
       context: "Threat modeling under MP.5.1 must enumerate skill self-replication / persistence as a distinct supply-chain attack vector."
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Natural-Language Skill Self-Modification / Persistence Instruction)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Natural-Language Skill Self-Modification / Persistence Instruction)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Natural-Language Skill Self-Modification / Persistence Instruction)."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: "Impact assessments must address skill self-modification as a persistence-style supply chain attack."
       strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Natural-Language Skill Self-Modification / Persistence Instruction)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Natural-Language Skill Self-Modification / Persistence Instruction) as a treatment control."
+      strength: secondary
 tags:
   category: skill-compromise
   subcategory: nl-skill-self-modification

package/rules/skill-compromise/ATR-2026-00523-claude-code-hooks-session-start-pre-trust-rce.yaml CHANGED Viewed

@@ -78,10 +78,22 @@ compliance:
     - subcategory: "MS.4.1"
       context: "Measurement subcategory MS.4.1 requires monitoring of tool-invocation events, including the lifecycle event that loads SessionStart hooks; CVE-2025-59536 exploits the absence of such monitoring."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Claude Code Hooks SessionStart Pre-Trust RCE (CVE-2025-59536))."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Claude Code Hooks SessionStart Pre-Trust RCE (CVE-2025-59536))."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Claude Code Hooks SessionStart Pre-Trust RCE (CVE-2025-59536))."
+      strength: secondary
   iso_42001:
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must require explicit consent and integrity verification for any AI-tool config file auto-loaded by coding assistants; SessionStart hooks executing pre-trust violate the least-privilege principle for repo-scoped configuration."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must require explicit consent and integrity verification for any AI-tool config file auto-loaded by coding assistants; SessionStart hooks executing pre-trust violate the least-privilege principle for repo-scoped configuration."
       strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Claude Code Hooks SessionStart Pre-Trust RCE (CVE-2025-59536)) as a treatment control."
+      strength: secondary
   safe_mcp:
     - "SMCP-T010"

package/rules/skill-compromise/ATR-2026-00525-mini-shai-hulud-gh-token-monitor-persistence.yaml CHANGED Viewed

@@ -54,6 +54,9 @@ compliance:
         This rule provides the technical measure to detect a known
         worm family.
       strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Mini Shai-Hulud gh-token-monitor Persistence + Dead Man's Switch)."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.4.3
@@ -62,6 +65,15 @@ compliance:
         AI risks; this rule is the runtime detection signature for one
         such risk class.
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the skill supply-chain compromise (Mini Shai-Hulud gh-token-monitor Persistence + Dead Man's Switch)."
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: "NIST AI RMF MANAGE 3.1 (third-party resources regularly monitored) is supported where this rule detects the skill supply-chain compromise (Mini Shai-Hulud gh-token-monitor Persistence + Dead Man's Switch)."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Mini Shai-Hulud gh-token-monitor Persistence + Dead Man's Switch)."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: >
@@ -69,6 +81,12 @@ compliance:
         third-party AI components; detection events from this rule
         feed the required monitoring evidence trail.
       strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Mini Shai-Hulud gh-token-monitor Persistence + Dead Man's Switch)."
+      strength: primary
+    - clause: "8.3"
+      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Mini Shai-Hulud gh-token-monitor Persistence + Dead Man's Switch) as a treatment control."
+      strength: secondary
 tags:
   category: skill-compromise