agent-threat-rules 3.4.0 → 3.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (223)
  1. package/README.md +8 -0
  2. package/dist/cli.js +23 -0
  3. package/dist/cli.js.map +1 -1
  4. package/dist/engine.d.ts +37 -2
  5. package/dist/engine.d.ts.map +1 -1
  6. package/dist/engine.js +99 -44
  7. package/dist/engine.js.map +1 -1
  8. package/dist/loader.d.ts.map +1 -1
  9. package/dist/loader.js +6 -0
  10. package/dist/loader.js.map +1 -1
  11. package/dist/quality/rule-contract.d.ts +65 -0
  12. package/dist/quality/rule-contract.d.ts.map +1 -0
  13. package/dist/quality/rule-contract.js +97 -0
  14. package/dist/quality/rule-contract.js.map +1 -0
  15. package/dist/trace-evaluator.d.ts.map +1 -1
  16. package/dist/trace-evaluator.js +58 -20
  17. package/dist/trace-evaluator.js.map +1 -1
  18. package/dist/types.d.ts +2 -0
  19. package/dist/types.d.ts.map +1 -1
  20. package/package.json +1 -1
  21. package/rules/agent-manipulation/ATR-2026-00030-cross-agent-attack.yaml +2 -1
  22. package/rules/agent-manipulation/ATR-2026-00032-goal-hijacking.yaml +2 -2
  23. package/rules/agent-manipulation/ATR-2026-00074-cross-agent-privilege-escalation.yaml +1 -1
  24. package/rules/agent-manipulation/ATR-2026-00076-inter-agent-message-spoofing.yaml +1 -1
  25. package/rules/agent-manipulation/ATR-2026-00077-human-trust-exploitation.yaml +1 -1
  26. package/rules/agent-manipulation/ATR-2026-00117-agent-identity-spoofing.yaml +2 -2
  27. package/rules/agent-manipulation/ATR-2026-00416-litellm-mcp-unauthenticated-server-registration.yaml +1 -1
  28. package/rules/agent-manipulation/ATR-2026-00417-librechat-mcp-stdio-injection.yaml +2 -2
  29. package/rules/agent-manipulation/ATR-2026-00418-weknora-mcp-config-rce.yaml +2 -2
  30. package/rules/agent-manipulation/ATR-2026-00430-nl-trust-escalation-impersonation.yaml +1 -1
  31. package/rules/agent-manipulation/ATR-2026-00552-goal-drift-after-pressure-injection.yaml +1 -1
  32. package/rules/context-exfiltration/ATR-2026-00020-system-prompt-leak.yaml +1 -1
  33. package/rules/context-exfiltration/ATR-2026-00075-agent-memory-manipulation.yaml +1 -0
  34. package/rules/context-exfiltration/ATR-2026-00162-skill-credential-exfil-combo.yaml +1 -1
  35. package/rules/context-exfiltration/ATR-2026-00201-credential-pipe-exfiltration.yaml +1 -1
  36. package/rules/context-exfiltration/ATR-2026-00212-mcp-atlassian-credential-leak.yaml +2 -2
  37. package/rules/context-exfiltration/ATR-2026-00405-markdown-image-url-exfiltration-xss.yaml +1 -1
  38. package/rules/context-exfiltration/ATR-2026-00411-apikey-generation-completion-request.yaml +1 -1
  39. package/rules/context-exfiltration/ATR-2026-00422-nl-credential-disclosure.yaml +1 -1
  40. package/rules/context-exfiltration/ATR-2026-00423-nl-sensitive-file-disclosure.yaml +1 -1
  41. package/rules/context-exfiltration/ATR-2026-00426-nl-output-injection-credential-leak.yaml +1 -1
  42. package/rules/context-exfiltration/ATR-2026-00449-spring-ai-chatmemory-cross-user-leak.yaml +1 -1
  43. package/rules/context-exfiltration/ATR-2026-00471-garak-sysprompt-extraction-mixedunassigned.yaml +1 -1
  44. package/rules/context-exfiltration/ATR-2026-00501-data-exfiltration-via-markdown-image-and-link-url-injection.yaml +1 -1
  45. package/rules/context-exfiltration/ATR-2026-00504-tool-and-function-capability-enumeration.yaml +1 -1
  46. package/rules/context-exfiltration/ATR-2026-00505-system-prompt-extraction-instruction-dump-request.yaml +1 -1
  47. package/rules/context-exfiltration/ATR-2026-00514-system-prompt-extraction.yaml +1 -1
  48. package/rules/context-exfiltration/ATR-2026-00516-output-xss-via-llm.yaml +1 -1
  49. package/rules/context-exfiltration/ATR-2026-00524-claude-code-anthropic-base-url-credential-exfil.yaml +2 -2
  50. package/rules/context-exfiltration/ATR-2026-00548-cross-agent-session-context-leak.yaml +1 -1
  51. package/rules/context-exfiltration/ATR-2026-00578-zen-mcp-path-traversal-blacklist-bypass.yaml +1 -1
  52. package/rules/context-exfiltration/ATR-2026-00580-mcp-session-id-token-in-url-query.yaml +1 -1
  53. package/rules/context-exfiltration/ATR-2026-00583-mcp-env-secret-file-read-without-consent.yaml +1 -1
  54. package/rules/context-exfiltration/ATR-2026-00706-ipi-physical-biometric-exfil.yaml +1 -1
  55. package/rules/context-exfiltration/ATR-2026-00850-indirect-pi-credential-exfil-email.yaml +2 -2
  56. package/rules/context-exfiltration/ATR-2026-00851-indirect-pi-financial-payment-exfil.yaml +2 -2
  57. package/rules/context-exfiltration/ATR-2026-00852-indirect-pi-medical-record-exfil.yaml +2 -2
  58. package/rules/context-exfiltration/ATR-2026-00853-indirect-pi-genetic-data-exfil.yaml +2 -2
  59. package/rules/context-exfiltration/ATR-2026-00854-indirect-pi-location-data-exfil.yaml +1 -1
  60. package/rules/context-exfiltration/ATR-2026-00855-indirect-pi-browsing-history-exfil.yaml +2 -2
  61. package/rules/context-exfiltration/ATR-2026-00856-indirect-pi-address-pii-exfil.yaml +2 -2
  62. package/rules/context-exfiltration/ATR-2026-00857-indirect-pi-cloud-file-exfil.yaml +1 -1
  63. package/rules/context-exfiltration/ATR-2026-00858-indirect-pi-exfil-and-destroy.yaml +1 -1
  64. package/rules/context-exfiltration/ATR-2026-00859-rag-injected-pii-exfil.yaml +1 -1
  65. package/rules/context-exfiltration/ATR-2026-00860-indirect-pi-financial-transfer-hijack.yaml +1 -1
  66. package/rules/context-exfiltration/ATR-2026-00861-indirect-pi-crypto-transfer-hijack.yaml +1 -1
  67. package/rules/context-exfiltration/ATR-2026-00862-indirect-pi-mfa-code-exfil.yaml +1 -1
  68. package/rules/context-exfiltration/ATR-2026-01453-markdown-image-base64-exfil-carrier.yaml +1 -1
  69. package/rules/context-exfiltration/ATR-2026-01454-direct-markdown-exfil-payload.yaml +1 -1
  70. package/rules/context-exfiltration/ATR-2026-01456-debug-cli-mode-sysprompt-extraction.yaml +1 -1
  71. package/rules/context-exfiltration/ATR-2026-01457-sysprompt-completion-clone-attack.yaml +1 -1
  72. package/rules/context-exfiltration/ATR-2026-01458-compare-bots-sysprompt-fishing.yaml +1 -1
  73. package/rules/context-exfiltration/ATR-2026-01459-variable-clone-sysprompt-technique.yaml +1 -1
  74. package/rules/context-exfiltration/ATR-2026-01460-json-format-sysprompt-extraction.yaml +1 -1
  75. package/rules/context-exfiltration/ATR-2026-01461-foreign-language-sysprompt-request.yaml +1 -1
  76. package/rules/context-exfiltration/ATR-2026-01753-ransom-email-exfil-delete-extortion.yaml +1 -1
  77. package/rules/context-exfiltration/ATR-2026-01754-ransom-file-cloud-exfil-delete-extortion.yaml +1 -1
  78. package/rules/context-exfiltration/ATR-2026-01770-semantic-pii-credential-extraction.yaml +1 -1
  79. package/rules/context-exfiltration/ATR-2026-01772-semantic-internal-state-recon.yaml +2 -2
  80. package/rules/context-exfiltration/ATR-2026-01807-asb-bulk-data-exfil-external.yaml +1 -1
  81. package/rules/context-exfiltration/ATR-2026-01929-mcp-unauthenticated-transport-token-fallback.yaml +188 -0
  82. package/rules/data-poisoning/ATR-2026-00070-data-poisoning.yaml +1 -1
  83. package/rules/data-poisoning/ATR-2026-00570-sql-injection-in-agent-tool-query.yaml +1 -1
  84. package/rules/data-poisoning/ATR-2026-01774-semantic-rag-memory-poisoning.yaml +1 -1
  85. package/rules/excessive-autonomy/ATR-2026-00050-runaway-agent-loop.yaml +2 -2
  86. package/rules/excessive-autonomy/ATR-2026-00051-resource-exhaustion.yaml +3 -3
  87. package/rules/excessive-autonomy/ATR-2026-00052-cascading-failure.yaml +2 -2
  88. package/rules/excessive-autonomy/ATR-2026-00098-unauthorized-financial-action.yaml +1 -1
  89. package/rules/excessive-autonomy/ATR-2026-00099-high-risk-tool-gate.yaml +1 -1
  90. package/rules/excessive-autonomy/ATR-2026-00428-nl-unauthorized-shell-execution.yaml +1 -1
  91. package/rules/excessive-autonomy/ATR-2026-00491-garak-agent-breaker-markdown-just-raw-json.yaml +1 -1
  92. package/rules/excessive-autonomy/ATR-2026-00500-ssrf-via-agent-url-fetch-instruction.yaml +1 -1
  93. package/rules/excessive-autonomy/ATR-2026-00711-ipi-system-sabotage-destructive-command.yaml +1 -1
  94. package/rules/excessive-autonomy/ATR-2026-00712-ipi-malicious-package-install.yaml +1 -1
  95. package/rules/excessive-autonomy/ATR-2026-00713-ipi-rce-network-shell-command.yaml +1 -1
  96. package/rules/model-abuse/ATR-2026-00413-malwaregen-code-generation-request.yaml +3 -2
  97. package/rules/model-abuse/ATR-2026-00502-training-data-extraction-via-divergent-repetition-attack.yaml +1 -1
  98. package/rules/model-abuse/ATR-2026-00517-model-extraction-distillation.yaml +1 -1
  99. package/rules/model-abuse/ATR-2026-01750-dos-repeat-word-n-times-output-amplification.yaml +2 -2
  100. package/rules/model-abuse/ATR-2026-01760-dos-forced-infinite-output-token-flood.yaml +2 -2
  101. package/rules/model-abuse/ATR-2026-01841-deepfake-disinformation.yaml +1 -1
  102. package/rules/model-security/ATR-2026-00072-model-behavior-extraction.yaml +2 -2
  103. package/rules/model-security/ATR-2026-00073-malicious-finetuning-data.yaml +1 -1
  104. package/rules/model-security/ATR-2026-00433-modelcache-torch-load-deserialization-rce.yaml +2 -2
  105. package/rules/privilege-escalation/ATR-2026-00041-scope-creep.yaml +1 -1
  106. package/rules/privilege-escalation/ATR-2026-00436-enclave-vm-sandbox-escape-rce.yaml +1 -0
  107. package/rules/privilege-escalation/ATR-2026-00451-litellm-admin-sqli-cisa-kev.yaml +1 -1
  108. package/rules/privilege-escalation/ATR-2026-00539-crewai-codeinterpreter-sandbox-escape-rce.yaml +1 -0
  109. package/rules/privilege-escalation/ATR-2026-00549-destructive-tool-without-human-approval.yaml +1 -1
  110. package/rules/privilege-escalation/ATR-2026-00551-cross-conversation-memory-write.yaml +2 -3
  111. package/rules/privilege-escalation/ATR-2026-01615-sandbox-escape-command-injection.yaml +1 -0
  112. package/rules/privilege-escalation/ATR-2026-01899-remote-access-backdoor.yaml +1 -1
  113. package/rules/prompt-injection/ATR-2026-00001-direct-prompt-injection.yaml +1 -0
  114. package/rules/prompt-injection/ATR-2026-00002-indirect-prompt-injection.yaml +1 -0
  115. package/rules/prompt-injection/ATR-2026-00003-jailbreak-attempt.yaml +1 -1
  116. package/rules/prompt-injection/ATR-2026-00004-system-prompt-override.yaml +11 -2
  117. package/rules/prompt-injection/ATR-2026-00005-multi-turn-injection.yaml +1 -1
  118. package/rules/prompt-injection/ATR-2026-00104-persona-hijacking.yaml +1 -1
  119. package/rules/prompt-injection/ATR-2026-00203-context-pollution-skill-description.yaml +1 -1
  120. package/rules/prompt-injection/ATR-2026-00245-malicious-persona.yaml +10 -10
  121. package/rules/prompt-injection/ATR-2026-00297-python-code-execution-rce.yaml +1 -1
  122. package/rules/prompt-injection/ATR-2026-00397-snowball-impossible-reasoning-injection.yaml +1 -1
  123. package/rules/prompt-injection/ATR-2026-00401-leakreplay-cloze-mask-training-data-elicitation.yaml +1 -1
  124. package/rules/prompt-injection/ATR-2026-00420-copilot-studio-sharepoint-indirect-injection.yaml +3 -3
  125. package/rules/prompt-injection/ATR-2026-00442-quoted-exact-output-forcing.yaml +1 -0
  126. package/rules/prompt-injection/ATR-2026-00445-translation-hijack-with-side-output.yaml +1 -1
  127. package/rules/prompt-injection/ATR-2026-00447-fictional-generation-containing-target.yaml +1 -1
  128. package/rules/prompt-injection/ATR-2026-00452-direct-pwned-payload-injection.yaml +1 -1
  129. package/rules/prompt-injection/ATR-2026-00453-secret-key-reveal-demand.yaml +1 -1
  130. package/rules/prompt-injection/ATR-2026-00454-backslash-per-character-encoding.yaml +1 -1
  131. package/rules/prompt-injection/ATR-2026-00456-conditional-empty-input-injection.yaml +1 -1
  132. package/rules/prompt-injection/ATR-2026-00465-garak-dan-your-prompt-here.yaml +1 -1
  133. package/rules/prompt-injection/ATR-2026-00472-garak-dan-are-going-to.yaml +1 -1
  134. package/rules/prompt-injection/ATR-2026-00485-garak-dan-and-does-not.yaml +1 -1
  135. package/rules/prompt-injection/ATR-2026-00492-garak-dan-want-you-to.yaml +1 -1
  136. package/rules/prompt-injection/ATR-2026-00495-garak-dan-insert-prompt-here.yaml +1 -1
  137. package/rules/prompt-injection/ATR-2026-00510-delayed-tool-invocation-injection.yaml +1 -1
  138. package/rules/prompt-injection/ATR-2026-00550-untrusted-retrieval-to-privileged-tool.yaml +1 -1
  139. package/rules/prompt-injection/ATR-2026-00579-mcp-tool-description-line-jumping-injection.yaml +1 -1
  140. package/rules/prompt-injection/ATR-2026-00584-indirect-injection-via-tool-response.yaml +1 -1
  141. package/rules/prompt-injection/ATR-2026-01018-evasion-shell-injection-eval.yaml +1 -1
  142. package/rules/prompt-injection/ATR-2026-01021-spikee-doc-embedded-translation-injection.yaml +1 -1
  143. package/rules/prompt-injection/ATR-2026-01304-indirect-injection-carrier-important-override.yaml +1 -1
  144. package/rules/prompt-injection/ATR-2026-01800-asb-trigger-marker-tool-coercion.yaml +1 -1
  145. package/rules/prompt-injection/ATR-2026-01901-output-scrambling.yaml +1 -1
  146. package/rules/skill-compromise/ATR-2026-00060-skill-impersonation.yaml +2 -1
  147. package/rules/skill-compromise/ATR-2026-00061-description-behavior-mismatch.yaml +2 -2
  148. package/rules/skill-compromise/ATR-2026-00062-hidden-capability.yaml +1 -1
  149. package/rules/skill-compromise/ATR-2026-00063-skill-chain-attack.yaml +2 -2
  150. package/rules/skill-compromise/ATR-2026-00065-skill-update-attack.yaml +1 -1
  151. package/rules/skill-compromise/ATR-2026-00120-skill-instruction-injection.yaml +1 -1
  152. package/rules/skill-compromise/ATR-2026-00121-skill-dangerous-script.yaml +1 -1
  153. package/rules/skill-compromise/ATR-2026-00122-skill-weaponized-instruction.yaml +1 -1
  154. package/rules/skill-compromise/ATR-2026-00123-skill-overreach-permissions.yaml +1 -1
  155. package/rules/skill-compromise/ATR-2026-00124-skill-name-squatting.yaml +1 -1
  156. package/rules/skill-compromise/ATR-2026-00125-context-poisoning-compaction.yaml +2 -1
  157. package/rules/skill-compromise/ATR-2026-00126-skill-rug-pull-setup.yaml +2 -1
  158. package/rules/skill-compromise/ATR-2026-00127-subcommand-overflow.yaml +1 -1
  159. package/rules/skill-compromise/ATR-2026-00128-html-comment-hidden-payload.yaml +1 -1
  160. package/rules/skill-compromise/ATR-2026-00129-unicode-smuggling.yaml +1 -1
  161. package/rules/skill-compromise/ATR-2026-00134-fork-claim-impersonation.yaml +1 -1
  162. package/rules/skill-compromise/ATR-2026-00135-exfil-url-in-instructions.yaml +1 -1
  163. package/rules/skill-compromise/ATR-2026-00147-fork-impersonation.yaml +1 -1
  164. package/rules/skill-compromise/ATR-2026-00149-skill-exfil-compound.yaml +1 -1
  165. package/rules/skill-compromise/ATR-2026-00151-fork-impersonation-install.yaml +1 -1
  166. package/rules/skill-compromise/ATR-2026-00200-agent-memory-config-tampering.yaml +1 -1
  167. package/rules/skill-compromise/ATR-2026-00214-credential-theft.yaml +1 -1
  168. package/rules/skill-compromise/ATR-2026-00260-package-hallucination.yaml +1 -1
  169. package/rules/skill-compromise/ATR-2026-00262-av-evasion-code-gen.yaml +1 -1
  170. package/rules/skill-compromise/ATR-2026-00263-credential-file-read-gen.yaml +1 -1
  171. package/rules/skill-compromise/ATR-2026-00266-malware-dropper-gen.yaml +1 -1
  172. package/rules/skill-compromise/ATR-2026-00398-huggingface-unsafe-model-artifact-load.yaml +2 -2
  173. package/rules/skill-compromise/ATR-2026-00425-nl-persistent-covert-hook.yaml +2 -2
  174. package/rules/skill-compromise/ATR-2026-00427-nl-fake-error-instruction-bypass.yaml +1 -1
  175. package/rules/skill-compromise/ATR-2026-00429-nl-skill-self-modification.yaml +2 -2
  176. package/rules/skill-compromise/ATR-2026-00523-claude-code-hooks-session-start-pre-trust-rce.yaml +1 -1
  177. package/rules/skill-compromise/ATR-2026-00525-mini-shai-hulud-gh-token-monitor-persistence.yaml +1 -1
  178. package/rules/skill-compromise/ATR-2026-00527-skill-silent-git-remote-mirror-exfiltration.yaml +1 -1
  179. package/rules/skill-compromise/ATR-2026-01755-backdoor-pot-linguistic-trigger-phrase.yaml +1 -1
  180. package/rules/skill-compromise/ATR-2026-01756-backdoor-pot-symbol-emoticon-trigger.yaml +1 -1
  181. package/rules/tool-poisoning/ATR-2026-00010-mcp-malicious-response.yaml +2 -2
  182. package/rules/tool-poisoning/ATR-2026-00011-tool-output-injection.yaml +2 -2
  183. package/rules/tool-poisoning/ATR-2026-00012-unauthorized-tool-call.yaml +1 -1
  184. package/rules/tool-poisoning/ATR-2026-00100-consent-bypass-instruction.yaml +1 -1
  185. package/rules/tool-poisoning/ATR-2026-00101-trust-escalation-override.yaml +1 -1
  186. package/rules/tool-poisoning/ATR-2026-00103-hidden-safety-bypass-instruction.yaml +2 -1
  187. package/rules/tool-poisoning/ATR-2026-00105-silent-action-concealment.yaml +1 -1
  188. package/rules/tool-poisoning/ATR-2026-00106-schema-description-contradiction.yaml +1 -1
  189. package/rules/tool-poisoning/ATR-2026-00161-important-tag-cross-tool-shadowing.yaml +3 -2
  190. package/rules/tool-poisoning/ATR-2026-00209-mcpwn-runaway-invocation.yaml +2 -2
  191. package/rules/tool-poisoning/ATR-2026-00210-flowise-system-message-override.yaml +2 -2
  192. package/rules/tool-poisoning/ATR-2026-00415-flowise-custom-mcp-stdio-rce.yaml +1 -1
  193. package/rules/tool-poisoning/ATR-2026-00419-cursor-mcp-zero-click-config.yaml +2 -2
  194. package/rules/tool-poisoning/ATR-2026-00434-mcp-remote-authorization-endpoint-command-injection.yaml +1 -1
  195. package/rules/tool-poisoning/ATR-2026-00435-azure-mcp-server-missing-authentication.yaml +1 -1
  196. package/rules/tool-poisoning/ATR-2026-00494-garak-exploitation-mixedunassigned.yaml +1 -1
  197. package/rules/tool-poisoning/ATR-2026-00513-package-hallucination-exploitation.yaml +1 -1
  198. package/rules/tool-poisoning/ATR-2026-00521-shell-command-injection-agent-tool-context.yaml +1 -1
  199. package/rules/tool-poisoning/ATR-2026-00522-sql-injection-natural-language-agent-interface.yaml +1 -1
  200. package/rules/tool-poisoning/ATR-2026-00526-claude-code-shell-metachar-in-double-quoted-path.yaml +1 -1
  201. package/rules/tool-poisoning/ATR-2026-00530-ms-agent-shell-tool-unsanitized-argv-rce.yaml +1 -1
  202. package/rules/tool-poisoning/ATR-2026-00531-praisonai-unauthenticated-agent-api.yaml +1 -1
  203. package/rules/tool-poisoning/ATR-2026-00536-nginx-ui-mcp-unauthenticated-command-execution.yaml +1 -1
  204. package/rules/tool-poisoning/ATR-2026-00537-fastmcp-server-name-cmd-injection-windows.yaml +1 -1
  205. package/rules/tool-poisoning/ATR-2026-00538-langchain-chatchat-mcp-stdio-unauthenticated-rce.yaml +1 -1
  206. package/rules/tool-poisoning/ATR-2026-00540-praisonai-parse-mcp-command-cli-injection.yaml +1 -1
  207. package/rules/tool-poisoning/ATR-2026-00543-litellm-mcp-server-argv-injection.yaml +1 -1
  208. package/rules/tool-poisoning/ATR-2026-00572-symjack-symlink-config-redirection.yaml +1 -1
  209. package/rules/tool-poisoning/ATR-2026-00575-miasma-npm-worm-agent-config-backdoor.yaml +1 -1
  210. package/rules/tool-poisoning/ATR-2026-00576-hades-agent-credential-theft.yaml +1 -1
  211. package/rules/tool-poisoning/ATR-2026-00577-create-mcp-server-stdio-exec-command-injection.yaml +2 -2
  212. package/rules/tool-poisoning/ATR-2026-00581-mcp-tool-rug-pull-post-approval-redefinition.yaml +2 -2
  213. package/rules/tool-poisoning/ATR-2026-01300-mcp-notes-param-chat-history-exfil.yaml +2 -2
  214. package/rules/tool-poisoning/ATR-2026-01301-tool-description-exclusive-tool-override.yaml +1 -1
  215. package/rules/tool-poisoning/ATR-2026-01302-fake-tool-result-instruction-injection.yaml +1 -1
  216. package/rules/tool-poisoning/ATR-2026-01303-tool-schema-enumeration-social-engineering.yaml +1 -1
  217. package/rules/tool-poisoning/ATR-2026-01306-mcp-oauth-command-injection.yaml +1 -1
  218. package/rules/tool-poisoning/ATR-2026-01307-mcp-dns-rebinding-attack.yaml +1 -1
  219. package/rules/tool-poisoning/ATR-2026-01310-mcp-tool-description-compliance-history-exfil.yaml +2 -2
  220. package/rules/tool-poisoning/ATR-2026-01775-semantic-mcp-tool-manifest-poisoning.yaml +4 -3
  221. package/rules/tool-poisoning/ATR-2026-01927-mcp-server-kubernetes-kubectl-command-injection.yaml +2 -2
  222. package/rules/tool-poisoning/ATR-2026-01928-framelink-figma-mcp-curl-fallback-command-injection.yaml +2 -2
  223. package/spec/mappings/atr-to-nist-csf-2.0.md +11 -11
@@ -17,7 +17,7 @@ severity: critical
17
17
 
18
18
  references:
19
19
  mitre_atlas:
20
- - "AML.T0010 - ML Supply Chain Compromise"
20
+ - "AML.T0010 - AI Supply Chain Compromise"
21
21
  owasp_llm:
22
22
  - "LLM01:2025 - Prompt Injection"
23
23
  owasp_ast:
@@ -17,7 +17,7 @@ maturity: test
17
17
  severity: medium
18
18
  references:
19
19
  mitre_atlas:
20
- - AML.T0010 - ML Supply Chain Compromise
20
+ - AML.T0010 - AI Supply Chain Compromise
21
21
  owasp_agentic:
22
22
  - ASI04:2026 - Agentic Supply Chain Vulnerabilities
23
23
  owasp_ast:
@@ -15,7 +15,7 @@ maturity: test
15
15
  severity: critical
16
16
  references:
17
17
  mitre_atlas:
18
- - AML.T0010 - ML Supply Chain Compromise
18
+ - AML.T0010 - AI Supply Chain Compromise
19
19
  owasp_llm:
20
20
  - LLM01:2025 - Prompt Injection
21
21
  owasp_agentic:
@@ -14,7 +14,7 @@ maturity: test
14
14
  severity: high
15
15
  references:
16
16
  mitre_atlas:
17
- - "AML.T0010 - ML Supply Chain Compromise"
17
+ - "AML.T0010 - AI Supply Chain Compromise"
18
18
  owasp_llm:
19
19
  - "LLM01:2025 - Prompt Injection"
20
20
  owasp_agentic:
@@ -15,7 +15,7 @@ maturity: test
15
15
  severity: critical
16
16
  references:
17
17
  mitre_atlas:
18
- - AML.T0010 - ML Supply Chain Compromise
18
+ - AML.T0010 - AI Supply Chain Compromise
19
19
  owasp_llm:
20
20
  - LLM06:2025 - Excessive Agency
21
21
  owasp_agentic:
@@ -17,7 +17,7 @@ severity: high
17
17
 
18
18
  references:
19
19
  mitre_atlas:
20
- - "AML.T0010 - ML Supply Chain Compromise"
20
+ - "AML.T0010 - AI Supply Chain Compromise"
21
21
  owasp_llm:
22
22
  - "LLM03:2025 - Supply Chain Vulnerabilities"
23
23
  owasp_agentic:
@@ -22,7 +22,7 @@ references:
22
22
  - "ASI04:2026 - Identity and Access Management Failures"
23
23
  - "ASI07:2026 - Insecure Third-Party Agent"
24
24
  mitre_atlas:
25
- - "AML.T0051.001 - Indirect Prompt Injection"
25
+ - "AML.T0051.001 - Indirect"
26
26
  mitre_attack:
27
27
  - "T1565.001 - Stored Data Manipulation"
28
28
 
@@ -16,7 +16,7 @@ references:
16
16
  owasp_agentic:
17
17
  - "ASI03:2026 - Data Exfiltration"
18
18
  mitre_atlas:
19
- - AML.T0010 - ML Supply Chain Compromise
19
+ - AML.T0010 - AI Supply Chain Compromise
20
20
  compliance:
21
21
  nist_ai_rmf:
22
22
  - subcategory: "MS.2.10"
@@ -22,7 +22,7 @@ references:
22
22
  owasp_agentic:
23
23
  - "ASI07:2026 - Supply Chain"
24
24
  mitre_atlas:
25
- - "AML.T0018 - Backdoor ML Model"
25
+ - "AML.T0060 - Publish Hallucinated Entities"
26
26
  research:
27
27
  - "https://www.usenix.org/publications/loginonline/we-have-package-you-comprehensive-analysis-package-hallucinations-code"
28
28
  - "https://arxiv.org/abs/2501.19012"
@@ -20,7 +20,7 @@ references:
20
20
  owasp_agentic:
21
21
  - "ASI08:2026 - Output Handling"
22
22
  mitre_atlas:
23
- - "AML.T0053 - LLM Plugin Compromise"
23
+ - "AML.T0053 - AI Agent Tool Invocation"
24
24
  research:
25
25
  - "https://github.com/NVIDIA/garak/blob/main/garak/probes/malwaregen.py"
26
26
  compliance:
@@ -21,7 +21,7 @@ references:
21
21
  owasp_agentic:
22
22
  - "ASI03:2026 - Tool Misuse"
23
23
  mitre_atlas:
24
- - "AML.T0053 - LLM Plugin Compromise"
24
+ - "AML.T0053 - AI Agent Tool Invocation"
25
25
  - "AML.T0057 - LLM Data Leakage"
26
26
  research:
27
27
  - "https://github.com/NVIDIA/garak/blob/main/garak/probes/malwaregen.py"
@@ -20,7 +20,7 @@ references:
20
20
  owasp_agentic:
21
21
  - "ASI08:2026 - Output Handling"
22
22
  mitre_atlas:
23
- - "AML.T0053 - LLM Plugin Compromise"
23
+ - "AML.T0053 - AI Agent Tool Invocation"
24
24
  research:
25
25
  - "https://github.com/NVIDIA/garak/blob/main/garak/probes/malwaregen.py"
26
26
  - "https://attack.mitre.org/techniques/T1105/"
@@ -32,8 +32,8 @@ references:
32
32
  - "ASI07:2026 - Supply Chain"
33
33
  - "ASI03:2026 - Tool Misuse"
34
34
  mitre_atlas:
35
- - "AML.T0018 - Backdoor ML Model"
36
- - "AML.T0010 - ML Supply Chain Compromise"
35
+ - "AML.T0011.000 - Unsafe AI Artifacts"
36
+ - "AML.T0010 - AI Supply Chain Compromise"
37
37
  research:
38
38
  - "https://github.com/NVIDIA/garak/blob/main/garak/probes/fileformats.py"
39
39
  - "https://huggingface.co/docs/hub/security-pickle"
@@ -20,8 +20,8 @@ maturity: test
20
20
  severity: high
21
21
  references:
22
22
  mitre_atlas:
23
- - AML.T0044 - Full ML Model Access
24
- - AML.T0024 - Exfiltration via Cyber Means
23
+ - AML.T0044 - Full AI Model Access
24
+ - AML.T0024 - Exfiltration via AI Inference API
25
25
  owasp_llm:
26
26
  - LLM06:2025 - Excessive Agency
27
27
  owasp_agentic:
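Review bot: The new line `AML.T0024 - Exfiltration via AI Inference API` keeps the technique ID but replaces a title that, to my recollection, belongs to a different ATLAS technique (`AML.T0025 - Exfiltration via Cyber Means`), so the original entry had either the wrong ID or the wrong title and the commit resolves it toward T0024 without saying which was intended. It is worth confirming which mapping this rule is meant to carry, since exfiltration through the inference API and exfiltration over ordinary network channels are distinct detections; if the cyber-means mapping was the intent, the line should become `- AML.T0025 - Exfiltration via Cyber Means` (or both entries kept). The enclosing rule file continues outside the hunk.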
@@ -18,7 +18,7 @@ maturity: test
18
18
  severity: high
19
19
  references:
20
20
  mitre_atlas:
21
- - AML.T0044 - Full ML Model Access
21
+ - AML.T0044 - Full AI Model Access
22
22
  owasp_llm:
23
23
  - LLM06:2025 - Excessive Agency
24
24
  owasp_agentic:
@@ -18,8 +18,8 @@ maturity: test
18
18
  severity: critical
19
19
  references:
20
20
  mitre_atlas:
21
- - AML.T0010 - ML Supply Chain Compromise
22
- - AML.T0044 - Full ML Model Access
21
+ - AML.T0010 - AI Supply Chain Compromise
22
+ - AML.T0044 - Full AI Model Access
23
23
  owasp_llm:
24
24
  - LLM06:2025 - Excessive Agency
25
25
  owasp_agentic:
@@ -37,7 +37,7 @@ references:
37
37
  - "ASI05:2026 - Unexpected Code Execution"
38
38
  - "ASI09:2026 - Identity Spoofing and Impersonation"
39
39
  mitre_atlas:
40
- - "AML.T0010 - ML Supply Chain Compromise"
40
+ - "AML.T0010 - AI Supply Chain Compromise"
41
41
  - "AML.T0050 - Command and Scripting Interpreter"
42
42
  mitre_attack:
43
43
  - "T1546 - Event Triggered Execution"
@@ -29,7 +29,7 @@ references:
29
29
  owasp_agentic:
30
30
  - "ASI05:2026 - Supply Chain Compromise"
31
31
  mitre_atlas:
32
- - "AML.T0010 - ML Supply Chain Compromise"
32
+ - "AML.T0010 - AI Supply Chain Compromise"
33
33
  compliance:
34
34
  owasp_agentic:
35
35
  - id: ASI05:2026
@@ -27,7 +27,7 @@ references:
27
27
  owasp_agentic:
28
28
  - "ASI04:2026 - Code Execution & Data Exfiltration"
29
29
  mitre_atlas:
30
- - "AML.T0024 - Exfiltration via ML Inference API"
30
+ - "AML.T0024 - Exfiltration via AI Inference API"
31
31
  - "AML.T0048 - External Harms"
32
32
 
33
33
  compliance:
@@ -30,7 +30,7 @@ references:
30
30
  owasp_agentic:
31
31
  - "ASI03:2026 - Agent Supply Chain Compromise"
32
32
  mitre_atlas:
33
- - "AML.T0018 - Backdoor ML Model"
33
+ - "AML.T0018.000 - Poison AI Model"
34
34
  - "AML.T0020 - Poison Training Data"
35
35
  - "AML.T0051 - LLM Prompt Injection"
36
36
 
@@ -26,7 +26,7 @@ references:
26
26
  owasp_agentic:
27
27
  - "ASI03:2026 - Agent Supply Chain Compromise"
28
28
  mitre_atlas:
29
- - "AML.T0018 - Backdoor ML Model"
29
+ - "AML.T0018.000 - Poison AI Model"
30
30
  - "AML.T0051 - LLM Prompt Injection"
31
31
 
32
32
  compliance:
@@ -27,8 +27,8 @@ references:
27
27
  - "ASI02:2026 - Tool Misuse and Exploitation"
28
28
  - "ASI05:2026 - Unexpected Code Execution"
29
29
  mitre_atlas:
30
- - "AML.T0051.001 - Indirect Prompt Injection"
31
- - "AML.T0056 - LLM Meta Prompt Extraction"
30
+ - "AML.T0051.001 - Indirect"
31
+ - "AML.T0056 - Extract LLM System Prompt"
32
32
  mitre_attack:
33
33
  - "T1059 - Command and Scripting Interpreter"
34
34
  - "T1071 - Application Layer Protocol"
@@ -23,8 +23,8 @@ references:
23
23
  owasp_agentic:
24
24
  - ASI02:2026 - Tool Misuse and Exploitation
25
25
  mitre_atlas:
26
- - AML.T0053 - LLM Plugin Compromise
27
- - AML.T0051.001 - Indirect Prompt Injection
26
+ - AML.T0053 - AI Agent Tool Invocation
27
+ - AML.T0051.001 - Indirect
28
28
  cve:
29
29
  - CVE-2025-59536
30
30
  - CVE-2025-32711
@@ -21,7 +21,7 @@ references:
21
21
  - ASI02:2026 - Tool Misuse and Exploitation
22
22
  - ASI03:2026 - Identity and Privilege Abuse
23
23
  mitre_atlas:
24
- - AML.T0053 - LLM Plugin Compromise
24
+ - AML.T0053 - AI Agent Tool Invocation
25
25
  mitre_attack:
26
26
  - T1059 - Command and Scripting Interpreter
27
27
  - T1083 - File and Directory Discovery
@@ -17,7 +17,7 @@ severity: high
17
17
  source: threat-cloud
18
18
  references:
19
19
  mitre_atlas:
20
- - AML.T0053 - LLM Plugin Compromise
20
+ - AML.T0053 - AI Agent Tool Invocation
21
21
  owasp_llm:
22
22
  - LLM01:2025 - Prompt Injection
23
23
  - LLM05:2025 - Improper Output Handling
@@ -17,7 +17,7 @@ source: threat-cloud
17
17
 
18
18
  references:
19
19
  mitre_atlas:
20
- - "AML.T0053 - LLM Plugin Compromise"
20
+ - "AML.T0053 - AI Agent Tool Invocation"
21
21
  owasp_llm:
22
22
  - "LLM01:2025 - Prompt Injection"
23
23
  - "LLM06:2025 - Excessive Agency"
@@ -22,7 +22,8 @@ references:
22
22
  owasp_agentic:
23
23
  - ASI01:2026 - Agent Goal Hijack
24
24
  mitre_atlas:
25
- - AML.T0051 - Prompt Injection
25
+ - AML.T0051 - LLM Prompt Injection
26
+ - AML.T0110 - AI Agent Tool Poisoning
26
27
  compliance:
27
28
  nist_ai_rmf:
28
29
  - subcategory: "MS.2.6"
@@ -17,7 +17,7 @@ severity: high
17
17
  source: threat-cloud
18
18
  references:
19
19
  mitre_atlas:
20
- - AML.T0053 - LLM Plugin Compromise
20
+ - AML.T0053 - AI Agent Tool Invocation
21
21
  owasp_llm:
22
22
  - LLM01:2025 - Prompt Injection
23
23
  - LLM06:2025 - Excessive Agency
@@ -18,7 +18,7 @@ source: threat-cloud
18
18
 
19
19
  references:
20
20
  mitre_atlas:
21
- - "AML.T0053 - LLM Plugin Compromise"
21
+ - "AML.T0053 - AI Agent Tool Invocation"
22
22
  owasp_llm:
23
23
  - "LLM06:2025 - Excessive Agency"
24
24
  owasp_agentic:
@@ -30,8 +30,9 @@ references:
30
30
  - "ASI03:2026 - Tool Misuse"
31
31
  - "ASI07:2026 - Insecure Inter-Agent Communication"
32
32
  mitre_atlas:
33
- - "AML.T0051.001 - Indirect Prompt Injection"
34
- - "AML.T0053 - LLM Plugin Compromise"
33
+ - "AML.T0051.001 - Indirect"
34
+ - "AML.T0053 - AI Agent Tool Invocation"
35
+ - "AML.T0110 - AI Agent Tool Poisoning"
35
36
  safe_mcp:
36
37
  - "SAFE-T1102 - Prompt Manipulation"
37
38
  - "SAFE-T1001 - Tool Poisoning"
@@ -26,8 +26,8 @@ references:
26
26
  - "ASI08:2026 - Resource Exhaustion and Denial of Service"
27
27
  - "ASI03:2026 - Tool Misuse"
28
28
  mitre_atlas:
29
- - "AML.T0051.001 - Indirect Prompt Injection"
30
- - "AML.T0040 - ML Model Inference API Access"
29
+ - "AML.T0051.001 - Indirect"
30
+ - "AML.T0040 - AI Model Inference API Access"
31
31
  mitre_attack:
32
32
  - "T1499 - Endpoint Denial of Service"
33
33
  - "T1059 - Command and Scripting Interpreter"
@@ -26,8 +26,8 @@ references:
26
26
  - "ASI01:2026 - Agent Behaviour Hijack"
27
27
  - "ASI05:2026 - Unexpected Code Execution"
28
28
  mitre_atlas:
29
- - "AML.T0051.001 - Indirect Prompt Injection"
30
- - "AML.T0040 - ML Model Inference API Access"
29
+ - "AML.T0051.001 - Indirect"
30
+ - "AML.T0040 - AI Model Inference API Access"
31
31
  mitre_attack:
32
32
  - "T1059 - Command and Scripting Interpreter"
33
33
  - "T1190 - Exploit Public-Facing Application"
@@ -27,7 +27,7 @@ references:
27
27
  - "ASI05:2026 - Unexpected Code Execution"
28
28
  - "ASI04:2026 - Supply Chain"
29
29
  mitre_atlas:
30
- - "AML.T0040 - ML Model Inference API Access"
30
+ - "AML.T0040 - AI Model Inference API Access"
31
31
  - "AML.T0049 - Exploit Public-Facing Application"
32
32
  mitre_attack:
33
33
  - "T1059 - Command and Scripting Interpreter"
@@ -27,8 +27,8 @@ references:
27
27
  - "ASI05:2026 - Unexpected Code Execution"
28
28
  - "ASI09:2026 - Identity Spoofing and Impersonation"
29
29
  mitre_atlas:
30
- - "AML.T0010 - ML Supply Chain Compromise"
31
- - "AML.T0040 - ML Model Inference API Access"
30
+ - "AML.T0010 - AI Supply Chain Compromise"
31
+ - "AML.T0040 - AI Model Inference API Access"
32
32
  mitre_attack:
33
33
  - "T1546 - Event Triggered Execution"
34
34
  - "T1059 - Command and Scripting Interpreter"
@@ -26,7 +26,7 @@ references:
26
26
  - "ASI05:2026 - Unexpected Code Execution"
27
27
  mitre_atlas:
28
28
  - "AML.T0049 - Exploit Public-Facing Application"
29
- - "AML.T0010 - ML Supply Chain Compromise"
29
+ - "AML.T0010 - AI Supply Chain Compromise"
30
30
  mitre_attack:
31
31
  - "T1059 - Command and Scripting Interpreter"
32
32
  - "T1190 - Exploit Public-Facing Application"
@@ -27,7 +27,7 @@ references:
27
27
  - "ASI09:2026 - Identity Spoofing"
28
28
  - "ASI04:2026 - Supply Chain"
29
29
  mitre_atlas:
30
- - "AML.T0040 - ML Model Inference API Access"
30
+ - "AML.T0040 - AI Model Inference API Access"
31
31
  - "AML.T0049 - Exploit Public-Facing Application"
32
32
  mitre_attack:
33
33
  - "T1190 - Exploit Public-Facing Application"
@@ -23,7 +23,7 @@ references:
23
23
  owasp_agentic:
24
24
  - "ASI06:2026 - Tool Misuse"
25
25
  mitre_atlas:
26
- - "AML.T0053 - Adversarial Tool Exploitation"
26
+ - "AML.T0053 - AI Agent Tool Invocation"
27
27
 
28
28
  compliance:
29
29
  owasp_agentic:
@@ -25,7 +25,7 @@ references:
25
25
  owasp_agentic:
26
26
  - "ASI06:2026 - Tool Misuse"
27
27
  mitre_atlas:
28
- - "AML.T0053 - Adversarial Tool Exploitation"
28
+ - "AML.T0053 - AI Agent Tool Invocation"
29
29
  compliance:
30
30
  owasp_agentic:
31
31
  - id: ASI06:2026
@@ -27,7 +27,7 @@ references:
27
27
  owasp_agentic:
28
28
  - "ASI06:2026 - Tool Misuse"
29
29
  mitre_atlas:
30
- - "AML.T0053 - Adversarial Tool Exploitation"
30
+ - "AML.T0053 - AI Agent Tool Invocation"
31
31
  compliance:
32
32
  owasp_agentic:
33
33
  - id: ASI06:2026
@@ -30,7 +30,7 @@ references:
30
30
  owasp_agentic:
31
31
  - "ASI06:2026 - Tool Misuse"
32
32
  mitre_atlas:
33
- - "AML.T0053 - Adversarial Tool Exploitation"
33
+ - "AML.T0053 - AI Agent Tool Invocation"
34
34
  compliance:
35
35
  owasp_agentic:
36
36
  - id: ASI06:2026
@@ -28,7 +28,7 @@ references:
28
28
  owasp_agentic:
29
29
  - "ASI06:2026 - Tool Misuse"
30
30
  mitre_atlas:
31
- - "AML.T0053 - Adversarial Tool Exploitation"
31
+ - "AML.T0053 - AI Agent Tool Invocation"
32
32
 
33
33
  compliance:
34
34
  owasp_agentic:
@@ -28,7 +28,7 @@ references:
28
28
  owasp_agentic:
29
29
  - "ASI06:2026 - Tool Misuse"
30
30
  mitre_atlas:
31
- - "AML.T0053 - Adversarial Tool Exploitation"
31
+ - "AML.T0053 - AI Agent Tool Invocation"
32
32
 
33
33
  compliance:
34
34
  owasp_agentic:
@@ -28,7 +28,7 @@ references:
28
28
  - "ASI06:2026 - Resource and Environment Manipulation"
29
29
  mitre_atlas:
30
30
  - "AML.T0049 - Exploit Public-Facing Application"
31
- - "AML.T0040 - ML Model Inference API Access"
31
+ - "AML.T0040 - AI Model Inference API Access"
32
32
  mitre_attack:
33
33
  - "T1190 - Exploit Public-Facing Application"
34
34
  - "T1059 - Command and Scripting Interpreter"
@@ -30,7 +30,7 @@ references:
30
30
  - "ASI06:2026 - Resource and Environment Manipulation"
31
31
  mitre_atlas:
32
32
  - "AML.T0049 - Exploit Public-Facing Application"
33
- - "AML.T0040 - ML Model Inference API Access"
33
+ - "AML.T0040 - AI Model Inference API Access"
34
34
  mitre_attack:
35
35
  - "T1190 - Exploit Public-Facing Application"
36
36
  - "T1059.004 - Unix Shell"
@@ -35,7 +35,7 @@ references:
35
35
  - "ASI04:2026 - Supply Chain"
36
36
  mitre_atlas:
37
37
  - "AML.T0049 - Exploit Public-Facing Application"
38
- - "AML.T0040 - ML Model Inference API Access"
38
+ - "AML.T0040 - AI Model Inference API Access"
39
39
  mitre_attack:
40
40
  - "T1059.003 - Windows Command Shell"
41
41
  - "T1190 - Exploit Public-Facing Application"
@@ -41,7 +41,7 @@ references:
41
41
  - "ASI04:2026 - Supply Chain"
42
42
  mitre_atlas:
43
43
  - "AML.T0049 - Exploit Public-Facing Application"
44
- - "AML.T0040 - ML Model Inference API Access"
44
+ - "AML.T0040 - AI Model Inference API Access"
45
45
  mitre_attack:
46
46
  - "T1059 - Command and Scripting Interpreter"
47
47
  - "T1190 - Exploit Public-Facing Application"
@@ -34,7 +34,7 @@ references:
34
34
  - "ASI05:2026 - Unexpected Code Execution"
35
35
  mitre_atlas:
36
36
  - "AML.T0049 - Exploit Public-Facing Application"
37
- - "AML.T0040 - ML Model Inference API Access"
37
+ - "AML.T0040 - AI Model Inference API Access"
38
38
  mitre_attack:
39
39
  - "T1059 - Command and Scripting Interpreter"
40
40
  - "T1190 - Exploit Public-Facing Application"
@@ -38,7 +38,7 @@ references:
38
38
  - "ASI04:2026 - Supply Chain"
39
39
  mitre_atlas:
40
40
  - "AML.T0049 - Exploit Public-Facing Application"
41
- - "AML.T0040 - ML Model Inference API Access"
41
+ - "AML.T0040 - AI Model Inference API Access"
42
42
  mitre_attack:
43
43
  - "T1059 - Command and Scripting Interpreter"
44
44
  - "T1078 - Valid Accounts"
@@ -34,7 +34,7 @@ references:
34
34
  - "ASI04:2026 - Supply Chain"
35
35
  - "ASI05:2026 - Unexpected Code Execution"
36
36
  mitre_atlas:
37
- - "AML.T0010 - ML Supply Chain Compromise"
37
+ - "AML.T0010 - AI Supply Chain Compromise"
38
38
  mitre_attack:
39
39
  - "T1546 - Event Triggered Execution"
40
40
  - "T1059 - Command and Scripting Interpreter"
@@ -33,7 +33,7 @@ references:
33
33
  - "ASI04:2026 - Supply Chain"
34
34
  - "ASI05:2026 - Unexpected Code Execution"
35
35
  mitre_atlas:
36
- - "AML.T0010 - ML Supply Chain Compromise"
36
+ - "AML.T0010 - AI Supply Chain Compromise"
37
37
  mitre_attack:
38
38
  - "T1195.002 - Compromise Software Supply Chain"
39
39
  - "T1546 - Event Triggered Execution"
@@ -32,7 +32,7 @@ references:
32
32
  - "ASI04:2026 - Supply Chain"
33
33
  - "ASI03:2026 - Identity and Privilege Abuse"
34
34
  mitre_atlas:
35
- - "AML.T0010 - ML Supply Chain Compromise"
35
+ - "AML.T0010 - AI Supply Chain Compromise"
36
36
  mitre_attack:
37
37
  - "T1195.002 - Compromise Software Supply Chain"
38
38
  - "T1552.001 - Unsecured Credentials: Credentials In Files"
@@ -23,8 +23,8 @@ references:
23
23
  - "ASI02:2026 - Tool Misuse and Exploitation"
24
24
  - "ASI05:2026 - Unexpected Code Execution"
25
25
  mitre_atlas:
26
- - "AML.T0053 - LLM Plugin Compromise"
27
- - "AML.T0051.001 - Indirect Prompt Injection"
26
+ - "AML.T0053 - AI Agent Tool Invocation"
27
+ - "AML.T0051.001 - Indirect"
28
28
  cve:
29
29
  - CVE-2025-54994
30
30
  cwe:
@@ -27,8 +27,8 @@ references:
27
27
  - "ASI02:2026 - Tool Misuse and Exploitation"
28
28
  - "ASI05:2026 - Unexpected Code Execution"
29
29
  mitre_atlas:
30
- - "AML.T0053 - LLM Plugin Compromise"
31
- - "AML.T0051.001 - Indirect Prompt Injection"
30
+ - "AML.T0053 - AI Agent Tool Invocation"
31
+ - "AML.T0051.001 - Indirect"
32
32
  vulnerablemcp_id:
33
33
  - tool-poisoning-rce-rug-pull
34
34
  external:
@@ -30,8 +30,8 @@ references:
30
30
  - "ASI03:2026 - Tool Misuse"
31
31
  - "ASI08:2026 - Data Leakage via Agent Actions"
32
32
  mitre_atlas:
33
- - "AML.T0051.001 - Indirect Prompt Injection"
34
- - "AML.T0053 - LLM Plugin Compromise"
33
+ - "AML.T0051.001 - Indirect"
34
+ - "AML.T0053 - AI Agent Tool Invocation"
35
35
 
36
36
  compliance:
37
37
  nist_ai_rmf:
@@ -29,7 +29,7 @@ references:
29
29
  - "ASI01:2026 - Agent Goal Hijack"
30
30
  mitre_atlas:
31
31
  - "AML.T0051 - LLM Prompt Injection"
32
- - "AML.T0053 - LLM Plugin Compromise"
32
+ - "AML.T0053 - AI Agent Tool Invocation"
33
33
 
34
34
  compliance:
35
35
  nist_ai_rmf:
@@ -29,7 +29,7 @@ references:
29
29
  - "ASI01:2026 - Agent Goal Hijack"
30
30
  - "ASI03:2026 - Tool Misuse"
31
31
  mitre_atlas:
32
- - "AML.T0051.001 - Indirect Prompt Injection"
32
+ - "AML.T0051.001 - Indirect"
33
33
 
34
34
  compliance:
35
35
  nist_ai_rmf:
@@ -20,7 +20,7 @@ references:
20
20
  - ASI09:2026 - Insufficient Sandboxing
21
21
  mitre_atlas:
22
22
  - AML.T0051 - LLM Prompt Injection
23
- - AML.T0040 - ML Model Inference API Information
23
+ - AML.T0069 - Discover LLM System Information
24
24
  compliance:
25
25
  nist_ai_rmf:
26
26
  - subcategory: MS.2.7
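Review bot: The `+` line here changes the technique ID itself (`AML.T0040` → `AML.T0069`), not just its display name as in the surrounding hunks, so this is a remapping of the rule's ATLAS coverage rather than a cosmetic sync; it looks like a correction (the removed title `ML Model Inference API Information` does not match the T0040 name used elsewhere in this diff), but the reason should be recorded, since any report or test that keys on T0040 for this rule will silently lose the mapping. If the rule files accept comments, a line such as `# remapped from AML.T0040 (mislabelled); T0069 matches the rule's intent` next to the entry would preserve that rationale. This file's list items are also unquoted while every other rule touched in this diff quotes them; the new line follows its file's style, but a quoting pass would make the lists uniform. The enclosing `references:` mapping starts above this hunk.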
@@ -29,7 +29,7 @@ references:
29
29
  - "ASI09:2026 - Insufficient Sandboxing"
30
30
  mitre_atlas:
31
31
  - "AML.T0051 - LLM Prompt Injection"
32
- - "AML.T0010 - ML Supply Chain Compromise"
32
+ - "AML.T0010 - AI Supply Chain Compromise"
33
33
  cve:
34
34
  - "CVE patterns: shell metacharacter injection in URL authority field"
35
35