agent-threat-rules 3.4.0 → 3.5.0
- package/README.md +8 -0
- package/dist/cli.js +23 -0
- package/dist/cli.js.map +1 -1
- package/dist/engine.d.ts +37 -2
- package/dist/engine.d.ts.map +1 -1
- package/dist/engine.js +99 -44
- package/dist/engine.js.map +1 -1
- package/dist/loader.d.ts.map +1 -1
- package/dist/loader.js +6 -0
- package/dist/loader.js.map +1 -1
- package/dist/quality/rule-contract.d.ts +65 -0
- package/dist/quality/rule-contract.d.ts.map +1 -0
- package/dist/quality/rule-contract.js +97 -0
- package/dist/quality/rule-contract.js.map +1 -0
- package/dist/trace-evaluator.d.ts.map +1 -1
- package/dist/trace-evaluator.js +58 -20
- package/dist/trace-evaluator.js.map +1 -1
- package/dist/types.d.ts +2 -0
- package/dist/types.d.ts.map +1 -1
- package/package.json +1 -1
- package/rules/agent-manipulation/ATR-2026-00030-cross-agent-attack.yaml +2 -1
- package/rules/agent-manipulation/ATR-2026-00032-goal-hijacking.yaml +2 -2
- package/rules/agent-manipulation/ATR-2026-00074-cross-agent-privilege-escalation.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00076-inter-agent-message-spoofing.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00077-human-trust-exploitation.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00117-agent-identity-spoofing.yaml +2 -2
- package/rules/agent-manipulation/ATR-2026-00416-litellm-mcp-unauthenticated-server-registration.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00417-librechat-mcp-stdio-injection.yaml +2 -2
- package/rules/agent-manipulation/ATR-2026-00418-weknora-mcp-config-rce.yaml +2 -2
- package/rules/agent-manipulation/ATR-2026-00430-nl-trust-escalation-impersonation.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00552-goal-drift-after-pressure-injection.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00020-system-prompt-leak.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00075-agent-memory-manipulation.yaml +1 -0
- package/rules/context-exfiltration/ATR-2026-00162-skill-credential-exfil-combo.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00201-credential-pipe-exfiltration.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00212-mcp-atlassian-credential-leak.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00405-markdown-image-url-exfiltration-xss.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00411-apikey-generation-completion-request.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00422-nl-credential-disclosure.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00423-nl-sensitive-file-disclosure.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00426-nl-output-injection-credential-leak.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00449-spring-ai-chatmemory-cross-user-leak.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00471-garak-sysprompt-extraction-mixedunassigned.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00501-data-exfiltration-via-markdown-image-and-link-url-injection.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00504-tool-and-function-capability-enumeration.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00505-system-prompt-extraction-instruction-dump-request.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00514-system-prompt-extraction.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00516-output-xss-via-llm.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00524-claude-code-anthropic-base-url-credential-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00548-cross-agent-session-context-leak.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00578-zen-mcp-path-traversal-blacklist-bypass.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00580-mcp-session-id-token-in-url-query.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00583-mcp-env-secret-file-read-without-consent.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00706-ipi-physical-biometric-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00850-indirect-pi-credential-exfil-email.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00851-indirect-pi-financial-payment-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00852-indirect-pi-medical-record-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00853-indirect-pi-genetic-data-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00854-indirect-pi-location-data-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00855-indirect-pi-browsing-history-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00856-indirect-pi-address-pii-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00857-indirect-pi-cloud-file-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00858-indirect-pi-exfil-and-destroy.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00859-rag-injected-pii-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00860-indirect-pi-financial-transfer-hijack.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00861-indirect-pi-crypto-transfer-hijack.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00862-indirect-pi-mfa-code-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01453-markdown-image-base64-exfil-carrier.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01454-direct-markdown-exfil-payload.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01456-debug-cli-mode-sysprompt-extraction.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01457-sysprompt-completion-clone-attack.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01458-compare-bots-sysprompt-fishing.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01459-variable-clone-sysprompt-technique.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01460-json-format-sysprompt-extraction.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01461-foreign-language-sysprompt-request.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01753-ransom-email-exfil-delete-extortion.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01754-ransom-file-cloud-exfil-delete-extortion.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01770-semantic-pii-credential-extraction.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01772-semantic-internal-state-recon.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-01807-asb-bulk-data-exfil-external.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01929-mcp-unauthenticated-transport-token-fallback.yaml +188 -0
- package/rules/data-poisoning/ATR-2026-00070-data-poisoning.yaml +1 -1
- package/rules/data-poisoning/ATR-2026-00570-sql-injection-in-agent-tool-query.yaml +1 -1
- package/rules/data-poisoning/ATR-2026-01774-semantic-rag-memory-poisoning.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00050-runaway-agent-loop.yaml +2 -2
- package/rules/excessive-autonomy/ATR-2026-00051-resource-exhaustion.yaml +3 -3
- package/rules/excessive-autonomy/ATR-2026-00052-cascading-failure.yaml +2 -2
- package/rules/excessive-autonomy/ATR-2026-00098-unauthorized-financial-action.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00099-high-risk-tool-gate.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00428-nl-unauthorized-shell-execution.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00491-garak-agent-breaker-markdown-just-raw-json.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00500-ssrf-via-agent-url-fetch-instruction.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00711-ipi-system-sabotage-destructive-command.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00712-ipi-malicious-package-install.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00713-ipi-rce-network-shell-command.yaml +1 -1
- package/rules/model-abuse/ATR-2026-00413-malwaregen-code-generation-request.yaml +3 -2
- package/rules/model-abuse/ATR-2026-00502-training-data-extraction-via-divergent-repetition-attack.yaml +1 -1
- package/rules/model-abuse/ATR-2026-00517-model-extraction-distillation.yaml +1 -1
- package/rules/model-abuse/ATR-2026-01750-dos-repeat-word-n-times-output-amplification.yaml +2 -2
- package/rules/model-abuse/ATR-2026-01760-dos-forced-infinite-output-token-flood.yaml +2 -2
- package/rules/model-abuse/ATR-2026-01841-deepfake-disinformation.yaml +1 -1
- package/rules/model-security/ATR-2026-00072-model-behavior-extraction.yaml +2 -2
- package/rules/model-security/ATR-2026-00073-malicious-finetuning-data.yaml +1 -1
- package/rules/model-security/ATR-2026-00433-modelcache-torch-load-deserialization-rce.yaml +2 -2
- package/rules/privilege-escalation/ATR-2026-00041-scope-creep.yaml +1 -1
- package/rules/privilege-escalation/ATR-2026-00436-enclave-vm-sandbox-escape-rce.yaml +1 -0
- package/rules/privilege-escalation/ATR-2026-00451-litellm-admin-sqli-cisa-kev.yaml +1 -1
- package/rules/privilege-escalation/ATR-2026-00539-crewai-codeinterpreter-sandbox-escape-rce.yaml +1 -0
- package/rules/privilege-escalation/ATR-2026-00549-destructive-tool-without-human-approval.yaml +1 -1
- package/rules/privilege-escalation/ATR-2026-00551-cross-conversation-memory-write.yaml +2 -3
- package/rules/privilege-escalation/ATR-2026-01615-sandbox-escape-command-injection.yaml +1 -0
- package/rules/privilege-escalation/ATR-2026-01899-remote-access-backdoor.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00001-direct-prompt-injection.yaml +1 -0
- package/rules/prompt-injection/ATR-2026-00002-indirect-prompt-injection.yaml +1 -0
- package/rules/prompt-injection/ATR-2026-00003-jailbreak-attempt.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00004-system-prompt-override.yaml +11 -2
- package/rules/prompt-injection/ATR-2026-00005-multi-turn-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00104-persona-hijacking.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00203-context-pollution-skill-description.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00245-malicious-persona.yaml +10 -10
- package/rules/prompt-injection/ATR-2026-00297-python-code-execution-rce.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00397-snowball-impossible-reasoning-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00401-leakreplay-cloze-mask-training-data-elicitation.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00420-copilot-studio-sharepoint-indirect-injection.yaml +3 -3
- package/rules/prompt-injection/ATR-2026-00442-quoted-exact-output-forcing.yaml +1 -0
- package/rules/prompt-injection/ATR-2026-00445-translation-hijack-with-side-output.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00447-fictional-generation-containing-target.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00452-direct-pwned-payload-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00453-secret-key-reveal-demand.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00454-backslash-per-character-encoding.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00456-conditional-empty-input-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00465-garak-dan-your-prompt-here.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00472-garak-dan-are-going-to.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00485-garak-dan-and-does-not.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00492-garak-dan-want-you-to.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00495-garak-dan-insert-prompt-here.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00510-delayed-tool-invocation-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00550-untrusted-retrieval-to-privileged-tool.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00579-mcp-tool-description-line-jumping-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00584-indirect-injection-via-tool-response.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01018-evasion-shell-injection-eval.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01021-spikee-doc-embedded-translation-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01304-indirect-injection-carrier-important-override.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01800-asb-trigger-marker-tool-coercion.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01901-output-scrambling.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00060-skill-impersonation.yaml +2 -1
- package/rules/skill-compromise/ATR-2026-00061-description-behavior-mismatch.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00062-hidden-capability.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00063-skill-chain-attack.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00065-skill-update-attack.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00120-skill-instruction-injection.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00121-skill-dangerous-script.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00122-skill-weaponized-instruction.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00123-skill-overreach-permissions.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00124-skill-name-squatting.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00125-context-poisoning-compaction.yaml +2 -1
- package/rules/skill-compromise/ATR-2026-00126-skill-rug-pull-setup.yaml +2 -1
- package/rules/skill-compromise/ATR-2026-00127-subcommand-overflow.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00128-html-comment-hidden-payload.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00129-unicode-smuggling.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00134-fork-claim-impersonation.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00135-exfil-url-in-instructions.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00147-fork-impersonation.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00149-skill-exfil-compound.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00151-fork-impersonation-install.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00200-agent-memory-config-tampering.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00214-credential-theft.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00260-package-hallucination.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00262-av-evasion-code-gen.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00263-credential-file-read-gen.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00266-malware-dropper-gen.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00398-huggingface-unsafe-model-artifact-load.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00425-nl-persistent-covert-hook.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00427-nl-fake-error-instruction-bypass.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00429-nl-skill-self-modification.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00523-claude-code-hooks-session-start-pre-trust-rce.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00525-mini-shai-hulud-gh-token-monitor-persistence.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00527-skill-silent-git-remote-mirror-exfiltration.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-01755-backdoor-pot-linguistic-trigger-phrase.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-01756-backdoor-pot-symbol-emoticon-trigger.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00010-mcp-malicious-response.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00011-tool-output-injection.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00012-unauthorized-tool-call.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00100-consent-bypass-instruction.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00101-trust-escalation-override.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00103-hidden-safety-bypass-instruction.yaml +2 -1
- package/rules/tool-poisoning/ATR-2026-00105-silent-action-concealment.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00106-schema-description-contradiction.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00161-important-tag-cross-tool-shadowing.yaml +3 -2
- package/rules/tool-poisoning/ATR-2026-00209-mcpwn-runaway-invocation.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00210-flowise-system-message-override.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00415-flowise-custom-mcp-stdio-rce.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00419-cursor-mcp-zero-click-config.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00434-mcp-remote-authorization-endpoint-command-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00435-azure-mcp-server-missing-authentication.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00494-garak-exploitation-mixedunassigned.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00513-package-hallucination-exploitation.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00521-shell-command-injection-agent-tool-context.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00522-sql-injection-natural-language-agent-interface.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00526-claude-code-shell-metachar-in-double-quoted-path.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00530-ms-agent-shell-tool-unsanitized-argv-rce.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00531-praisonai-unauthenticated-agent-api.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00536-nginx-ui-mcp-unauthenticated-command-execution.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00537-fastmcp-server-name-cmd-injection-windows.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00538-langchain-chatchat-mcp-stdio-unauthenticated-rce.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00540-praisonai-parse-mcp-command-cli-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00543-litellm-mcp-server-argv-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00572-symjack-symlink-config-redirection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00575-miasma-npm-worm-agent-config-backdoor.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00576-hades-agent-credential-theft.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00577-create-mcp-server-stdio-exec-command-injection.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00581-mcp-tool-rug-pull-post-approval-redefinition.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-01300-mcp-notes-param-chat-history-exfil.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-01301-tool-description-exclusive-tool-override.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01302-fake-tool-result-instruction-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01303-tool-schema-enumeration-social-engineering.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01306-mcp-oauth-command-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01307-mcp-dns-rebinding-attack.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01310-mcp-tool-description-compliance-history-exfil.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-01775-semantic-mcp-tool-manifest-poisoning.yaml +4 -3
- package/rules/tool-poisoning/ATR-2026-01927-mcp-server-kubernetes-kubectl-command-injection.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-01928-framelink-figma-mcp-curl-fallback-command-injection.yaml +2 -2
- package/spec/mappings/atr-to-nist-csf-2.0.md +11 -11
|
@@ -22,7 +22,7 @@ references:
|
|
|
22
22
|
- "ASI04:2026 - Identity and Access Management Failures"
|
|
23
23
|
- "ASI07:2026 - Insecure Third-Party Agent"
|
|
24
24
|
mitre_atlas:
|
|
25
|
-
- "AML.T0051.001 - Indirect
|
|
25
|
+
- "AML.T0051.001 - Indirect"
|
|
26
26
|
mitre_attack:
|
|
27
27
|
- "T1565.001 - Stored Data Manipulation"
|
|
28
28
|
|
|
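Review bot: The new line `- "AML.T0051.001 - Indirect"` only closes the quote the old value left open, so this entry still reads like a truncated label next to its neighbours, which all carry a full technique name after the identifier; elsewhere on this page the parent technique is written as `AML.T0051 - LLM Prompt Injection`, so the parent-qualified form `- "AML.T0051.001 - LLM Prompt Injection: Indirect"` would make the sub-technique self-describing and keep the label convention uniform across the rule set. The same bare label is re-emitted by every later hunk on this page that rewrites `AML.T0051.001`, so the change should be applied to all of them together. The file list shows this release also adds `dist/quality/rule-contract.js`; if that contract validates reference entries, a check that the text after the ` - ` separator is non-empty and the quote is closed would have caught the truncated values this commit repairs and would flag any regression. The enclosing `references:` mapping starts before this hunk.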
@@ -22,7 +22,7 @@ references:
|
|
|
22
22
|
owasp_agentic:
|
|
23
23
|
- "ASI07:2026 - Supply Chain"
|
|
24
24
|
mitre_atlas:
|
|
25
|
-
- "AML.
|
|
25
|
+
- "AML.T0060 - Publish Hallucinated Entities"
|
|
26
26
|
research:
|
|
27
27
|
- "https://www.usenix.org/publications/loginonline/we-have-package-you-comprehensive-analysis-package-hallucinations-code"
|
|
28
28
|
- "https://arxiv.org/abs/2501.19012"
|
|
@@ -20,7 +20,7 @@ references:
|
|
|
20
20
|
owasp_agentic:
|
|
21
21
|
- "ASI08:2026 - Output Handling"
|
|
22
22
|
mitre_atlas:
|
|
23
|
-
- "AML.T0053 -
|
|
23
|
+
- "AML.T0053 - AI Agent Tool Invocation"
|
|
24
24
|
research:
|
|
25
25
|
- "https://github.com/NVIDIA/garak/blob/main/garak/probes/malwaregen.py"
|
|
26
26
|
compliance:
|
|
@@ -21,7 +21,7 @@ references:
|
|
|
21
21
|
owasp_agentic:
|
|
22
22
|
- "ASI03:2026 - Tool Misuse"
|
|
23
23
|
mitre_atlas:
|
|
24
|
-
- "AML.T0053 -
|
|
24
|
+
- "AML.T0053 - AI Agent Tool Invocation"
|
|
25
25
|
- "AML.T0057 - LLM Data Leakage"
|
|
26
26
|
research:
|
|
27
27
|
- "https://github.com/NVIDIA/garak/blob/main/garak/probes/malwaregen.py"
|
|
@@ -20,7 +20,7 @@ references:
|
|
|
20
20
|
owasp_agentic:
|
|
21
21
|
- "ASI08:2026 - Output Handling"
|
|
22
22
|
mitre_atlas:
|
|
23
|
-
- "AML.T0053 -
|
|
23
|
+
- "AML.T0053 - AI Agent Tool Invocation"
|
|
24
24
|
research:
|
|
25
25
|
- "https://github.com/NVIDIA/garak/blob/main/garak/probes/malwaregen.py"
|
|
26
26
|
- "https://attack.mitre.org/techniques/T1105/"
|
|
@@ -32,8 +32,8 @@ references:
|
|
|
32
32
|
- "ASI07:2026 - Supply Chain"
|
|
33
33
|
- "ASI03:2026 - Tool Misuse"
|
|
34
34
|
mitre_atlas:
|
|
35
|
-
- "AML.
|
|
36
|
-
- "AML.T0010 -
|
|
35
|
+
- "AML.T0011.000 - Unsafe AI Artifacts"
|
|
36
|
+
- "AML.T0010 - AI Supply Chain Compromise"
|
|
37
37
|
research:
|
|
38
38
|
- "https://github.com/NVIDIA/garak/blob/main/garak/probes/fileformats.py"
|
|
39
39
|
- "https://huggingface.co/docs/hub/security-pickle"
|
|
@@ -20,8 +20,8 @@ maturity: test
|
|
|
20
20
|
severity: high
|
|
21
21
|
references:
|
|
22
22
|
mitre_atlas:
|
|
23
|
-
- AML.T0044 - Full
|
|
24
|
-
- AML.T0024 - Exfiltration via
|
|
23
|
+
- AML.T0044 - Full AI Model Access
|
|
24
|
+
- AML.T0024 - Exfiltration via AI Inference API
|
|
25
25
|
owasp_llm:
|
|
26
26
|
- LLM06:2025 - Excessive Agency
|
|
27
27
|
owasp_agentic:
|
|
@@ -18,8 +18,8 @@ maturity: test
|
|
|
18
18
|
severity: critical
|
|
19
19
|
references:
|
|
20
20
|
mitre_atlas:
|
|
21
|
-
- AML.T0010 -
|
|
22
|
-
- AML.T0044 - Full
|
|
21
|
+
- AML.T0010 - AI Supply Chain Compromise
|
|
22
|
+
- AML.T0044 - Full AI Model Access
|
|
23
23
|
owasp_llm:
|
|
24
24
|
- LLM06:2025 - Excessive Agency
|
|
25
25
|
owasp_agentic:
|
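--- a/package/rules/skill-compromise/ATR-2026-00523-claude-code-hooks-session-start-pre-trust-rce.yaml
+++ b/package/rules/skill-compromise/ATR-2026-00523-claude-code-hooks-session-start-pre-trust-rce.yaml
@@ -37,7 +37,7 @@ references:
 - "ASI05:2026 - Unexpected Code Execution"
 - "ASI09:2026 - Identity Spoofing and Impersonation"
 mitre_atlas:
-- "AML.T0010 -
+- "AML.T0010 - AI Supply Chain Compromise"
 - "AML.T0050 - Command and Scripting Interpreter"
 mitre_attack:
 - "T1546 - Event Triggered Execution"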
@@ -27,8 +27,8 @@ references:
|
|
|
27
27
|
- "ASI02:2026 - Tool Misuse and Exploitation"
|
|
28
28
|
- "ASI05:2026 - Unexpected Code Execution"
|
|
29
29
|
mitre_atlas:
|
|
30
|
-
- "AML.T0051.001 - Indirect
|
|
31
|
-
- "AML.T0056 - LLM
|
|
30
|
+
- "AML.T0051.001 - Indirect"
|
|
31
|
+
- "AML.T0056 - Extract LLM System Prompt"
|
|
32
32
|
mitre_attack:
|
|
33
33
|
- "T1059 - Command and Scripting Interpreter"
|
|
34
34
|
- "T1071 - Application Layer Protocol"
|
|
@@ -23,8 +23,8 @@ references:
|
|
|
23
23
|
owasp_agentic:
|
|
24
24
|
- ASI02:2026 - Tool Misuse and Exploitation
|
|
25
25
|
mitre_atlas:
|
|
26
|
-
- AML.T0053 -
|
|
27
|
-
- AML.T0051.001 - Indirect
|
|
26
|
+
- AML.T0053 - AI Agent Tool Invocation
|
|
27
|
+
- AML.T0051.001 - Indirect
|
|
28
28
|
cve:
|
|
29
29
|
- CVE-2025-59536
|
|
30
30
|
- CVE-2025-32711
|
|
@@ -21,7 +21,7 @@ references:
|
|
|
21
21
|
- ASI02:2026 - Tool Misuse and Exploitation
|
|
22
22
|
- ASI03:2026 - Identity and Privilege Abuse
|
|
23
23
|
mitre_atlas:
|
|
24
|
-
- AML.T0053 -
|
|
24
|
+
- AML.T0053 - AI Agent Tool Invocation
|
|
25
25
|
mitre_attack:
|
|
26
26
|
- T1059 - Command and Scripting Interpreter
|
|
27
27
|
- T1083 - File and Directory Discovery
|
|
@@ -30,8 +30,9 @@ references:
|
|
|
30
30
|
- "ASI03:2026 - Tool Misuse"
|
|
31
31
|
- "ASI07:2026 - Insecure Inter-Agent Communication"
|
|
32
32
|
mitre_atlas:
|
|
33
|
-
- "AML.T0051.001 - Indirect
|
|
34
|
-
- "AML.T0053 -
|
|
33
|
+
- "AML.T0051.001 - Indirect"
|
|
34
|
+
- "AML.T0053 - AI Agent Tool Invocation"
|
|
35
|
+
- "AML.T0110 - AI Agent Tool Poisoning"
|
|
35
36
|
safe_mcp:
|
|
36
37
|
- "SAFE-T1102 - Prompt Manipulation"
|
|
37
38
|
- "SAFE-T1001 - Tool Poisoning"
|
|
@@ -26,8 +26,8 @@ references:
|
|
|
26
26
|
- "ASI08:2026 - Resource Exhaustion and Denial of Service"
|
|
27
27
|
- "ASI03:2026 - Tool Misuse"
|
|
28
28
|
mitre_atlas:
|
|
29
|
-
- "AML.T0051.001 - Indirect
|
|
30
|
-
- "AML.T0040 -
|
|
29
|
+
- "AML.T0051.001 - Indirect"
|
|
30
|
+
- "AML.T0040 - AI Model Inference API Access"
|
|
31
31
|
mitre_attack:
|
|
32
32
|
- "T1499 - Endpoint Denial of Service"
|
|
33
33
|
- "T1059 - Command and Scripting Interpreter"
|
|
@@ -26,8 +26,8 @@ references:
|
|
|
26
26
|
- "ASI01:2026 - Agent Behaviour Hijack"
|
|
27
27
|
- "ASI05:2026 - Unexpected Code Execution"
|
|
28
28
|
mitre_atlas:
|
|
29
|
-
- "AML.T0051.001 - Indirect
|
|
30
|
-
- "AML.T0040 -
|
|
29
|
+
- "AML.T0051.001 - Indirect"
|
|
30
|
+
- "AML.T0040 - AI Model Inference API Access"
|
|
31
31
|
mitre_attack:
|
|
32
32
|
- "T1059 - Command and Scripting Interpreter"
|
|
33
33
|
- "T1190 - Exploit Public-Facing Application"
|
|
@@ -27,7 +27,7 @@ references:
|
|
|
27
27
|
- "ASI05:2026 - Unexpected Code Execution"
|
|
28
28
|
- "ASI04:2026 - Supply Chain"
|
|
29
29
|
mitre_atlas:
|
|
30
|
-
- "AML.T0040 -
|
|
30
|
+
- "AML.T0040 - AI Model Inference API Access"
|
|
31
31
|
- "AML.T0049 - Exploit Public-Facing Application"
|
|
32
32
|
mitre_attack:
|
|
33
33
|
- "T1059 - Command and Scripting Interpreter"
|
|
@@ -27,8 +27,8 @@ references:
|
|
|
27
27
|
- "ASI05:2026 - Unexpected Code Execution"
|
|
28
28
|
- "ASI09:2026 - Identity Spoofing and Impersonation"
|
|
29
29
|
mitre_atlas:
|
|
30
|
-
- "AML.T0010 -
|
|
31
|
-
- "AML.T0040 -
|
|
30
|
+
- "AML.T0010 - AI Supply Chain Compromise"
|
|
31
|
+
- "AML.T0040 - AI Model Inference API Access"
|
|
32
32
|
mitre_attack:
|
|
33
33
|
- "T1546 - Event Triggered Execution"
|
|
34
34
|
- "T1059 - Command and Scripting Interpreter"
|
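--- a/package/rules/tool-poisoning/ATR-2026-00434-mcp-remote-authorization-endpoint-command-injection.yaml
+++ b/package/rules/tool-poisoning/ATR-2026-00434-mcp-remote-authorization-endpoint-command-injection.yaml
@@ -26,7 +26,7 @@ references:
 - "ASI05:2026 - Unexpected Code Execution"
 mitre_atlas:
 - "AML.T0049 - Exploit Public-Facing Application"
-- "AML.T0010 -
+- "AML.T0010 - AI Supply Chain Compromise"
 mitre_attack:
 - "T1059 - Command and Scripting Interpreter"
 - "T1190 - Exploit Public-Facing Application"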
@@ -27,7 +27,7 @@ references:
|
|
|
27
27
|
- "ASI09:2026 - Identity Spoofing"
|
|
28
28
|
- "ASI04:2026 - Supply Chain"
|
|
29
29
|
mitre_atlas:
|
|
30
|
-
- "AML.T0040 -
|
|
30
|
+
- "AML.T0040 - AI Model Inference API Access"
|
|
31
31
|
- "AML.T0049 - Exploit Public-Facing Application"
|
|
32
32
|
mitre_attack:
|
|
33
33
|
- "T1190 - Exploit Public-Facing Application"
|
|
@@ -28,7 +28,7 @@ references:
|
|
|
28
28
|
- "ASI06:2026 - Resource and Environment Manipulation"
|
|
29
29
|
mitre_atlas:
|
|
30
30
|
- "AML.T0049 - Exploit Public-Facing Application"
|
|
31
|
-
- "AML.T0040 -
|
|
31
|
+
- "AML.T0040 - AI Model Inference API Access"
|
|
32
32
|
mitre_attack:
|
|
33
33
|
- "T1190 - Exploit Public-Facing Application"
|
|
34
34
|
- "T1059 - Command and Scripting Interpreter"
|
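--- a/package/rules/tool-poisoning/ATR-2026-00536-nginx-ui-mcp-unauthenticated-command-execution.yaml
+++ b/package/rules/tool-poisoning/ATR-2026-00536-nginx-ui-mcp-unauthenticated-command-execution.yaml
@@ -30,7 +30,7 @@ references:
 - "ASI06:2026 - Resource and Environment Manipulation"
 mitre_atlas:
 - "AML.T0049 - Exploit Public-Facing Application"
-- "AML.T0040 -
+- "AML.T0040 - AI Model Inference API Access"
 mitre_attack:
 - "T1190 - Exploit Public-Facing Application"
 - "T1059.004 - Unix Shell"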
@@ -35,7 +35,7 @@ references:
|
|
|
35
35
|
- "ASI04:2026 - Supply Chain"
|
|
36
36
|
mitre_atlas:
|
|
37
37
|
- "AML.T0049 - Exploit Public-Facing Application"
|
|
38
|
-
- "AML.T0040 -
|
|
38
|
+
- "AML.T0040 - AI Model Inference API Access"
|
|
39
39
|
mitre_attack:
|
|
40
40
|
- "T1059.003 - Windows Command Shell"
|
|
41
41
|
- "T1190 - Exploit Public-Facing Application"
|
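--- a/package/rules/tool-poisoning/ATR-2026-00538-langchain-chatchat-mcp-stdio-unauthenticated-rce.yaml
+++ b/package/rules/tool-poisoning/ATR-2026-00538-langchain-chatchat-mcp-stdio-unauthenticated-rce.yaml
@@ -41,7 +41,7 @@ references:
 - "ASI04:2026 - Supply Chain"
 mitre_atlas:
 - "AML.T0049 - Exploit Public-Facing Application"
-- "AML.T0040 -
+- "AML.T0040 - AI Model Inference API Access"
 mitre_attack:
 - "T1059 - Command and Scripting Interpreter"
 - "T1190 - Exploit Public-Facing Application"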
@@ -34,7 +34,7 @@ references:
|
|
|
34
34
|
- "ASI05:2026 - Unexpected Code Execution"
|
|
35
35
|
mitre_atlas:
|
|
36
36
|
- "AML.T0049 - Exploit Public-Facing Application"
|
|
37
|
-
- "AML.T0040 -
|
|
37
|
+
- "AML.T0040 - AI Model Inference API Access"
|
|
38
38
|
mitre_attack:
|
|
39
39
|
- "T1059 - Command and Scripting Interpreter"
|
|
40
40
|
- "T1190 - Exploit Public-Facing Application"
|
|
@@ -38,7 +38,7 @@ references:
|
|
|
38
38
|
- "ASI04:2026 - Supply Chain"
|
|
39
39
|
mitre_atlas:
|
|
40
40
|
- "AML.T0049 - Exploit Public-Facing Application"
|
|
41
|
-
- "AML.T0040 -
|
|
41
|
+
- "AML.T0040 - AI Model Inference API Access"
|
|
42
42
|
mitre_attack:
|
|
43
43
|
- "T1059 - Command and Scripting Interpreter"
|
|
44
44
|
- "T1078 - Valid Accounts"
|
|
@@ -34,7 +34,7 @@ references:
|
|
|
34
34
|
- "ASI04:2026 - Supply Chain"
|
|
35
35
|
- "ASI05:2026 - Unexpected Code Execution"
|
|
36
36
|
mitre_atlas:
|
|
37
|
-
- "AML.T0010 -
|
|
37
|
+
- "AML.T0010 - AI Supply Chain Compromise"
|
|
38
38
|
mitre_attack:
|
|
39
39
|
- "T1546 - Event Triggered Execution"
|
|
40
40
|
- "T1059 - Command and Scripting Interpreter"
|
|
@@ -33,7 +33,7 @@ references:
|
|
|
33
33
|
- "ASI04:2026 - Supply Chain"
|
|
34
34
|
- "ASI05:2026 - Unexpected Code Execution"
|
|
35
35
|
mitre_atlas:
|
|
36
|
-
- "AML.T0010 -
|
|
36
|
+
- "AML.T0010 - AI Supply Chain Compromise"
|
|
37
37
|
mitre_attack:
|
|
38
38
|
- "T1195.002 - Compromise Software Supply Chain"
|
|
39
39
|
- "T1546 - Event Triggered Execution"
|
|
@@ -32,7 +32,7 @@ references:
|
|
|
32
32
|
- "ASI04:2026 - Supply Chain"
|
|
33
33
|
- "ASI03:2026 - Identity and Privilege Abuse"
|
|
34
34
|
mitre_atlas:
|
|
35
|
-
- "AML.T0010 -
|
|
35
|
+
- "AML.T0010 - AI Supply Chain Compromise"
|
|
36
36
|
mitre_attack:
|
|
37
37
|
- "T1195.002 - Compromise Software Supply Chain"
|
|
38
38
|
- "T1552.001 - Unsecured Credentials: Credentials In Files"
|
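--- a/package/rules/tool-poisoning/ATR-2026-00577-create-mcp-server-stdio-exec-command-injection.yaml
+++ b/package/rules/tool-poisoning/ATR-2026-00577-create-mcp-server-stdio-exec-command-injection.yaml
@@ -23,8 +23,8 @@ references:
 - "ASI02:2026 - Tool Misuse and Exploitation"
 - "ASI05:2026 - Unexpected Code Execution"
 mitre_atlas:
-- "AML.T0053 -
-- "AML.T0051.001 - Indirect
+- "AML.T0053 - AI Agent Tool Invocation"
+- "AML.T0051.001 - Indirect"
 cve:
 - CVE-2025-54994
 cwe: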
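--- a/package/rules/tool-poisoning/ATR-2026-00581-mcp-tool-rug-pull-post-approval-redefinition.yaml
+++ b/package/rules/tool-poisoning/ATR-2026-00581-mcp-tool-rug-pull-post-approval-redefinition.yaml
@@ -27,8 +27,8 @@ references:
 - "ASI02:2026 - Tool Misuse and Exploitation"
 - "ASI05:2026 - Unexpected Code Execution"
 mitre_atlas:
-- "AML.T0053 -
-- "AML.T0051.001 - Indirect
+- "AML.T0053 - AI Agent Tool Invocation"
+- "AML.T0051.001 - Indirect"
 vulnerablemcp_id:
 - tool-poisoning-rce-rug-pull
 external: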
@@ -30,8 +30,8 @@ references:
|
|
|
30
30
|
- "ASI03:2026 - Tool Misuse"
|
|
31
31
|
- "ASI08:2026 - Data Leakage via Agent Actions"
|
|
32
32
|
mitre_atlas:
|
|
33
|
-
- "AML.T0051.001 - Indirect
|
|
34
|
-
- "AML.T0053 -
|
|
33
|
+
- "AML.T0051.001 - Indirect"
|
|
34
|
+
- "AML.T0053 - AI Agent Tool Invocation"
|
|
35
35
|
|
|
36
36
|
compliance:
|
|
37
37
|
nist_ai_rmf:
|
|
@@ -20,7 +20,7 @@ references:
|
|
|
20
20
|
- ASI09:2026 - Insufficient Sandboxing
|
|
21
21
|
mitre_atlas:
|
|
22
22
|
- AML.T0051 - LLM Prompt Injection
|
|
23
|
-
- AML.
|
|
23
|
+
- AML.T0069 - Discover LLM System Information
|
|
24
24
|
compliance:
|
|
25
25
|
nist_ai_rmf:
|
|
26
26
|
- subcategory: MS.2.7
|
|
@@ -29,7 +29,7 @@ references:
|
|
|
29
29
|
- "ASI09:2026 - Insufficient Sandboxing"
|
|
30
30
|
mitre_atlas:
|
|
31
31
|
- "AML.T0051 - LLM Prompt Injection"
|
|
32
|
-
- "AML.T0010 -
|
|
32
|
+
- "AML.T0010 - AI Supply Chain Compromise"
|
|
33
33
|
cve:
|
|
34
34
|
- "CVE patterns: shell metacharacter injection in URL authority field"
|
|
35
35
|
|