npm - agent-threat-rules - Versions diffs - 3.1.1 → 3.3.0 - Mend

agent-threat-rules 3.1.1 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (474) hide show

package/rules/context-exfiltration/ATR-2026-00295-medical-pii-personal-data-request.yaml CHANGED Viewed

@@ -43,6 +43,23 @@ compliance:
       context: >-
         Medical PII and SSN disclosure implicate health-privacy and identity-protection legal regimes; GV.1.1 requires that detections of such requests are logged and managed against applicable legal and regulatory requirements.
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Medical PII — Personal Medical/Health Data Request for Named Individual)."
+      strength: primary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Medical PII — Personal Medical/Health Data Request for Named Individual)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (Medical PII — Personal Medical/Health Data Request for Named Individual) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the context-exfiltration attempt (Medical PII — Personal Medical/Health Data Request for Named Individual)."
+      strength: primary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Medical PII — Personal Medical/Health Data Request for Named Individual) affecting that data."
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: medical-pii-personal

package/rules/context-exfiltration/ATR-2026-00405-markdown-image-url-exfiltration-xss.yaml CHANGED Viewed

@@ -53,6 +53,20 @@ compliance:
         rendering; MG.2.3 requires these containment mechanisms be in place to
         disengage unsafe outputs.
       strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Markdown Image URL Exfiltration and XSS Injection)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (Markdown Image URL Exfiltration and XSS Injection) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the context-exfiltration attempt (Markdown Image URL Exfiltration and XSS Injection)."
+      strength: primary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Markdown Image URL Exfiltration and XSS Injection) affecting that data."
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: markdown-url-data-leak

package/rules/context-exfiltration/ATR-2026-00411-apikey-generation-completion-request.yaml CHANGED Viewed

@@ -38,6 +38,20 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Detection of credential-elicitation prompts triggers risk treatment workflows to block responses or disengage the model before secrets are emitted; MG.2.3 requires pre-defined mechanisms to supersede or deactivate AI behavior on such high-confidence credential-leak signals."
       strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (API Key Generation and Partial Key Completion Request)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (API Key Generation and Partial Key Completion Request) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the context-exfiltration attempt (API Key Generation and Partial Key Completion Request)."
+      strength: primary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (API Key Generation and Partial Key Completion Request) affecting that data."
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: credential-generation-elicitation

package/rules/context-exfiltration/ATR-2026-00421-nl-covert-conversation-exfiltration.yaml CHANGED Viewed

@@ -15,7 +15,7 @@ author: ATR Community
 date: 2026/05/06
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: critical
 references:
   mitre_atlas:
@@ -34,6 +34,9 @@ compliance:
     - article: "15"
       context: "Article 15 cybersecurity controls require detection of natural-language exfiltration instructions hidden in skill content; the covert qualifier ('also', 'silently') is the discriminator from legitimate telemetry."
       strength: primary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Natural-Language Covert Conversation Exfiltration Instruction) affecting that data."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "GV.6.1"
       context: "Data governance must prevent agent tools from being instructed via natural language to covertly transmit conversation context to external endpoints."
@@ -41,10 +44,22 @@ compliance:
     - subcategory: "MS.2.5"
       context: "Continuous monitoring under MS.2.5 must include detection of NL-style covert exfiltration directives in skill content."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Natural-Language Covert Conversation Exfiltration Instruction)."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Natural-Language Covert Conversation Exfiltration Instruction)."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: "Impact assessments under clause 8.4 must address natural-language injection of covert exfiltration instructions as a distinct attack vector from code-based exfiltration."
       strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Natural-Language Covert Conversation Exfiltration Instruction)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (Natural-Language Covert Conversation Exfiltration Instruction) is such a treatment."
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: nl-covert-exfiltration

package/rules/context-exfiltration/ATR-2026-00422-nl-credential-disclosure.yaml CHANGED Viewed

@@ -16,7 +16,7 @@ author: ATR Community
 date: 2026/05/06
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: critical
 references:
   mitre_atlas:
@@ -41,10 +41,22 @@ compliance:
     - subcategory: "MS.2.6"
       context: "Pre-deployment testing under MS.2.6 must include detection of NL-style credential disclosure instructions in skill content."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Natural-Language Credential / Secret Disclosure Instruction)."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Natural-Language Credential / Secret Disclosure Instruction)."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: "Impact assessments under clause 8.4 must treat natural-language credential disclosure as distinct from code-level secret-leak risks."
       strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Natural-Language Credential / Secret Disclosure Instruction)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (Natural-Language Credential / Secret Disclosure Instruction) is such a treatment."
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: nl-credential-disclosure

package/rules/context-exfiltration/ATR-2026-00423-nl-sensitive-file-disclosure.yaml CHANGED Viewed

@@ -15,7 +15,7 @@ author: ATR Community
 date: 2026/05/06
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: critical
 references:
   mitre_atlas:
@@ -40,10 +40,22 @@ compliance:
     - subcategory: "MP.5.1"
       context: "Threat modeling under MP.5.1 must enumerate NL-style sensitive-file disclosure as an exfiltration technique distinct from code-based file reads."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Natural-Language Sensitive File Disclosure Instruction)."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Natural-Language Sensitive File Disclosure Instruction)."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: "Impact assessments must treat NL-style sensitive file disclosure as a critical exfiltration vector for cloud credentials, SSH keys, and OS authentication data."
       strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Natural-Language Sensitive File Disclosure Instruction)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (Natural-Language Sensitive File Disclosure Instruction) is such a treatment."
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: nl-sensitive-file-disclosure

package/rules/context-exfiltration/ATR-2026-00424-nl-system-prompt-leak.yaml CHANGED Viewed

@@ -15,7 +15,7 @@ author: ATR Community
 date: 2026/05/06
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   mitre_atlas:
@@ -34,6 +34,9 @@ compliance:
     - article: "15"
       context: "Article 15 cybersecurity controls require detection of NL-style system prompt extraction directives."
       strength: secondary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Natural-Language System Prompt Leak Instruction) affecting that data."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MS.2.5"
       context: "Continuous monitoring under MS.2.5 must detect NL-style system prompt extraction attempts in deployed skills."
@@ -41,10 +44,22 @@ compliance:
     - subcategory: "MP.5.1"
       context: "Threat models under MP.5.1 must enumerate NL-style prompt-extraction as a distinct risk from prompt injection."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Natural-Language System Prompt Leak Instruction)."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Natural-Language System Prompt Leak Instruction)."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: "Impact assessments must address natural-language system prompt extraction as an information-disclosure attack vector."
       strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Natural-Language System Prompt Leak Instruction)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (Natural-Language System Prompt Leak Instruction) is such a treatment."
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: nl-system-prompt-leak

package/rules/context-exfiltration/ATR-2026-00426-nl-output-injection-credential-leak.yaml CHANGED Viewed

@@ -14,7 +14,7 @@ author: ATR Community
 date: 2026/05/06
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: critical
 references:
   mitre_atlas:
@@ -32,6 +32,9 @@ compliance:
     - article: "13"
       context: "Article 13 transparency obligations are violated when the agent embeds secrets in rendered output without user awareness."
       strength: secondary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Natural-Language Output-Injection Credential Embedding) affecting that data."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "GV.6.1"
       context: "Data governance must prevent NL instructions that direct the agent to embed credentials inside rendered output elements."
@@ -39,10 +42,22 @@ compliance:
     - subcategory: "MS.2.5"
       context: "Continuous monitoring under MS.2.5 must detect output-injection-style credential embedding patterns."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Natural-Language Output-Injection Credential Embedding)."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Natural-Language Output-Injection Credential Embedding)."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: "Impact assessments must enumerate output-injection credential embedding as a distinct exfiltration pattern from direct disclosure."
       strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Natural-Language Output-Injection Credential Embedding)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (Natural-Language Output-Injection Credential Embedding) is such a treatment."
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: nl-output-injection-credential-leak

package/rules/context-exfiltration/ATR-2026-00431-chatbox-history-exfiltration-prompt-injection.yaml CHANGED Viewed

@@ -44,6 +44,9 @@ compliance:
     - article: "15"
       context: "CVE-2024-48144 / CVE-2024-48145 chatbox interfaces leak conversation history through crafted prompts that request dump of prior or subsequent turns; Article 15 cybersecurity requirements mandate that AI systems neutralize prompt patterns extracting cross-session conversation state."
       strength: primary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Chatbox History Exfiltration via Prompt Injection (CVE-2024-48144, CVE-2024-48145)) affecting that data."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: "Adversarial inputs that ask the model to repeat all prior chat turns or system messages must be enumerated as a tracked attack class in the AI system's threat profile."
@@ -51,10 +54,19 @@ compliance:
     - subcategory: "MS.1.1"
       context: "Conversation history exfiltration via prompt injection is a measurable harm that MS.1.1 monitoring must surface, since it directly violates user-data confidentiality boundaries."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Chatbox History Exfiltration via Prompt Injection (CVE-2024-48144, CVE-2024-48145))."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Chatbox History Exfiltration via Prompt Injection (CVE-2024-48144, CVE-2024-48145))."
+      strength: secondary
   iso_42001:
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must include detection of conversation-history exfiltration prompts in chatbox-style interfaces, since these convert stored multi-turn context into an attacker-controlled exfiltration channel."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must include detection of conversation-history exfiltration prompts in chatbox-style interfaces, since these convert stored multi-turn context into an attacker-controlled exfiltration channel."
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (Chatbox History Exfiltration via Prompt Injection (CVE-2024-48144, CVE-2024-48145)) is such a treatment."
+      strength: secondary
 tags:
   category: context-exfiltration

package/rules/context-exfiltration/ATR-2026-00449-spring-ai-chatmemory-cross-user-leak.yaml CHANGED Viewed

@@ -58,6 +58,9 @@ compliance:
     - article: "9"
       context: "Article 9 risk management must enumerate cross-user memory leakage as a high-risk class — the conversation-memory layer is typically treated as low-risk infrastructure but actually carries private dialogue content."
       strength: primary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Spring AI ChatMemory Cross-User Memory Leakage (CVE-2026-41712)) affecting that data."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: "Adversarial conditions that cause one user's chat memory to be retrieved into another user's prompt must be tracked as a primary confidentiality failure mode for advisor-based architectures."
@@ -65,10 +68,19 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans under MG.2.3 must require per-conversation_id memory partitioning in any code path that uses a shared ChatMemory across multiple users."
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Spring AI ChatMemory Cross-User Memory Leakage (CVE-2026-41712))."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Spring AI ChatMemory Cross-User Memory Leakage (CVE-2026-41712))."
+      strength: secondary
   iso_42001:
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must require that conversation_id is distinct per session and that advisor pipelines reject memory retrieval whose conversation_id does not match the active session."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must require that conversation_id is distinct per session and that advisor pipelines reject memory retrieval whose conversation_id does not match the active session."
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (Spring AI ChatMemory Cross-User Memory Leakage (CVE-2026-41712)) is such a treatment."
+      strength: secondary
 tags:
   category: context-exfiltration

package/rules/context-exfiltration/ATR-2026-00471-garak-sysprompt-extraction-mixedunassigned.yaml CHANGED Viewed

@@ -34,6 +34,9 @@ compliance:
     - article: "9"
       context: "Context exfiltration is a documented risk class; this rule implements the monitoring control required by Article 9 risk management obligations for high-risk AI systems."
       strength: secondary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Garak Sysprompt-Extraction - mixed_unassigned) affecting that data."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.2.3
@@ -43,6 +46,12 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying context exfiltration as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Garak Sysprompt-Extraction - mixed_unassigned)."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Garak Sysprompt-Extraction - mixed_unassigned)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Addressing context exfiltration risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -50,6 +59,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for context exfiltration inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Garak Sysprompt-Extraction - mixed_unassigned)."
+      strength: primary
 tags:
   category: context-exfiltration

package/rules/context-exfiltration/ATR-2026-00501-data-exfiltration-via-markdown-image-and-link-url-injection.yaml CHANGED Viewed

@@ -43,6 +43,9 @@ compliance:
     - article: "9"
       context: "Context exfiltration is a documented risk class; this rule implements the monitoring control required by Article 9 risk management obligations for high-risk AI systems."
       strength: secondary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Data Exfiltration via Markdown Image and Link URL Injection) affecting that data."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.2.3
@@ -52,6 +55,12 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying context exfiltration as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Data Exfiltration via Markdown Image and Link URL Injection)."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Data Exfiltration via Markdown Image and Link URL Injection)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Addressing context exfiltration risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -59,6 +68,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for context exfiltration inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Data Exfiltration via Markdown Image and Link URL Injection)."
+      strength: primary
 tags:
   category: context-exfiltration

package/rules/context-exfiltration/ATR-2026-00504-tool-and-function-capability-enumeration.yaml CHANGED Viewed

@@ -41,6 +41,9 @@ compliance:
     - article: "9"
       context: "Context exfiltration is a documented risk class; this rule implements the monitoring control required by Article 9 risk management obligations for high-risk AI systems."
       strength: secondary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Tool and Function Capability Enumeration) affecting that data."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.2.3
@@ -50,6 +53,12 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying context exfiltration as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Tool and Function Capability Enumeration)."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Tool and Function Capability Enumeration)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Addressing context exfiltration risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -57,6 +66,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for context exfiltration inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Tool and Function Capability Enumeration)."
+      strength: primary
 tags:
   category: context-exfiltration

package/rules/context-exfiltration/ATR-2026-00505-system-prompt-extraction-instruction-dump-request.yaml CHANGED Viewed

@@ -43,6 +43,9 @@ compliance:
     - article: "9"
       context: "Context exfiltration is a documented risk class; this rule implements the monitoring control required by Article 9 risk management obligations for high-risk AI systems."
       strength: secondary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (System Prompt Extraction - Instruction Dump Request) affecting that data."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.2.3
@@ -52,6 +55,12 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying context exfiltration as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (System Prompt Extraction - Instruction Dump Request)."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (System Prompt Extraction - Instruction Dump Request)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Addressing context exfiltration risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -59,6 +68,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for context exfiltration inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (System Prompt Extraction - Instruction Dump Request)."
+      strength: primary
 tags:
   category: context-exfiltration

package/rules/context-exfiltration/ATR-2026-00514-system-prompt-extraction.yaml CHANGED Viewed

@@ -41,6 +41,9 @@ compliance:
     - article: "9"
       context: "Context exfiltration is a documented risk class; this rule implements the monitoring control required by Article 9 risk management obligations for high-risk AI systems."
       strength: secondary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (System Prompt Extraction — Targeted Verbatim Disclosure Attempts) affecting that data."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.2.3
@@ -50,6 +53,12 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying context exfiltration as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (System Prompt Extraction — Targeted Verbatim Disclosure Attempts)."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (System Prompt Extraction — Targeted Verbatim Disclosure Attempts)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Addressing context exfiltration risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -57,6 +66,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for context exfiltration inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (System Prompt Extraction — Targeted Verbatim Disclosure Attempts)."
+      strength: primary
 tags:
   category: context-exfiltration

package/rules/context-exfiltration/ATR-2026-00516-output-xss-via-llm.yaml CHANGED Viewed

@@ -42,6 +42,9 @@ compliance:
     - article: "9"
       context: "Context exfiltration is a documented risk class; this rule implements the monitoring control required by Article 9 risk management obligations for high-risk AI systems."
       strength: secondary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (LLM Output XSS — Eliciting JavaScript Payloads from LLM for Browser Injection) affecting that data."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.2.3
@@ -51,6 +54,12 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying context exfiltration as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (LLM Output XSS — Eliciting JavaScript Payloads from LLM for Browser Injection)."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (LLM Output XSS — Eliciting JavaScript Payloads from LLM for Browser Injection)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Addressing context exfiltration risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -58,6 +67,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for context exfiltration inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (LLM Output XSS — Eliciting JavaScript Payloads from LLM for Browser Injection)."
+      strength: primary
 tags:
   category: context-exfiltration

package/rules/context-exfiltration/ATR-2026-00524-claude-code-anthropic-base-url-credential-exfil.yaml CHANGED Viewed

@@ -77,6 +77,9 @@ compliance:
     - article: "9"
       context: "Article 9 risk management must enumerate repo-scoped env-var rebind (`ANTHROPIC_BASE_URL`, `OPENAI_API_BASE`, equivalents) as a high-risk supply-chain ingress for credential exfiltration."
       strength: primary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Claude Code ANTHROPIC_BASE_URL Credential Exfiltration (CVE-2026-21852)) affecting that data."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: "Repo-scoped env-var rebind that redirects API traffic to an attacker endpoint must be tracked as a primary credential-exfil pattern affecting AI coding assistants."
@@ -87,9 +90,15 @@ compliance:
     - subcategory: "MG.4.1"
       context: "Detection of a non-Anthropic `ANTHROPIC_BASE_URL` value in a repo-scoped config requires immediate incident response — the API key may already be in the attacker's logs."
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Claude Code ANTHROPIC_BASE_URL Credential Exfiltration (CVE-2026-21852))."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Claude Code ANTHROPIC_BASE_URL Credential Exfiltration (CVE-2026-21852))."
+      strength: secondary
   iso_42001:
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must require an allowlist of permitted API endpoints for any AI-tool credential-bearing request; arbitrary `ANTHROPIC_BASE_URL` overrides from repo-scoped configuration violate the least-privilege principle."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must require an allowlist of permitted API endpoints for any AI-tool credential-bearing request; arbitrary `ANTHROPIC_BASE_URL` overrides from repo-scoped configuration violate the least-privilege principle."
       strength: primary
     - clause: "6.2"
       context: "Clause 6.2 AIMS security objectives include credential protection; pre-trust API requests with the active Authorization header sent to a config-controlled endpoint operationalise the boundary violation."

package/rules/context-exfiltration/ATR-2026-00548-cross-agent-session-context-leak.yaml CHANGED Viewed

@@ -39,6 +39,8 @@ references:
     - "Argus: Hierarchical Reference-Relationship Graph for Multi-Agent Information Leakage (arXiv:2512.08326)"
     - "Compositional Privacy Risks in Multi-Agent Systems (arXiv:2509.14284)"
+  owasp_llm:
+    - LLM02:2025 - Sensitive Information Disclosure
 compliance:
   nist_csf:
     - "DE.CM-09"
@@ -51,13 +53,29 @@ compliance:
         boundaries; cross-tenant leakage via delegation is a data-governance
         failure under Article 10.
       strength: primary
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the context-exfiltration attempt (Cross-agent session context leak across delegation chain)."
+      strength: primary
   nist_ai_rmf:
     - subcategory: "MS.2.6"
       context: >
         Information security — agent delegation chains must preserve session
         and user scope; attribute drift across spans is an integrity violation.
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Cross-agent session context leak across delegation chain)."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Cross-agent session context leak across delegation chain)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Cross-agent session context leak across delegation chain)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (Cross-agent session context leak across delegation chain) is such a treatment."
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: cross-agent-context-drift