agent-threat-rules 3.4.0 → 3.5.1

Files changed (226) hide show
  1. package/README.md +65 -29
  2. package/dist/cli.js +23 -0
  3. package/dist/cli.js.map +1 -1
  4. package/dist/engine.d.ts +37 -2
  5. package/dist/engine.d.ts.map +1 -1
  6. package/dist/engine.js +99 -44
  7. package/dist/engine.js.map +1 -1
  8. package/dist/loader.d.ts.map +1 -1
  9. package/dist/loader.js +6 -0
  10. package/dist/loader.js.map +1 -1
  11. package/dist/quality/rule-contract.d.ts +65 -0
  12. package/dist/quality/rule-contract.d.ts.map +1 -0
  13. package/dist/quality/rule-contract.js +97 -0
  14. package/dist/quality/rule-contract.js.map +1 -0
  15. package/dist/trace-evaluator.d.ts.map +1 -1
  16. package/dist/trace-evaluator.js +58 -20
  17. package/dist/trace-evaluator.js.map +1 -1
  18. package/dist/types.d.ts +2 -0
  19. package/dist/types.d.ts.map +1 -1
  20. package/package.json +2 -2
  21. package/rules/agent-manipulation/ATR-2026-00030-cross-agent-attack.yaml +2 -1
  22. package/rules/agent-manipulation/ATR-2026-00032-goal-hijacking.yaml +2 -2
  23. package/rules/agent-manipulation/ATR-2026-00074-cross-agent-privilege-escalation.yaml +1 -1
  24. package/rules/agent-manipulation/ATR-2026-00076-inter-agent-message-spoofing.yaml +1 -1
  25. package/rules/agent-manipulation/ATR-2026-00077-human-trust-exploitation.yaml +1 -1
  26. package/rules/agent-manipulation/ATR-2026-00117-agent-identity-spoofing.yaml +2 -2
  27. package/rules/agent-manipulation/ATR-2026-00416-litellm-mcp-unauthenticated-server-registration.yaml +1 -1
  28. package/rules/agent-manipulation/ATR-2026-00417-librechat-mcp-stdio-injection.yaml +2 -2
  29. package/rules/agent-manipulation/ATR-2026-00418-weknora-mcp-config-rce.yaml +2 -2
  30. package/rules/agent-manipulation/ATR-2026-00430-nl-trust-escalation-impersonation.yaml +1 -1
  31. package/rules/agent-manipulation/ATR-2026-00552-goal-drift-after-pressure-injection.yaml +1 -1
  32. package/rules/context-exfiltration/ATR-2026-00020-system-prompt-leak.yaml +1 -1
  33. package/rules/context-exfiltration/ATR-2026-00075-agent-memory-manipulation.yaml +1 -0
  34. package/rules/context-exfiltration/ATR-2026-00162-skill-credential-exfil-combo.yaml +1 -1
  35. package/rules/context-exfiltration/ATR-2026-00201-credential-pipe-exfiltration.yaml +1 -1
  36. package/rules/context-exfiltration/ATR-2026-00212-mcp-atlassian-credential-leak.yaml +2 -2
  37. package/rules/context-exfiltration/ATR-2026-00405-markdown-image-url-exfiltration-xss.yaml +1 -1
  38. package/rules/context-exfiltration/ATR-2026-00411-apikey-generation-completion-request.yaml +1 -1
  39. package/rules/context-exfiltration/ATR-2026-00422-nl-credential-disclosure.yaml +1 -1
  40. package/rules/context-exfiltration/ATR-2026-00423-nl-sensitive-file-disclosure.yaml +1 -1
  41. package/rules/context-exfiltration/ATR-2026-00426-nl-output-injection-credential-leak.yaml +1 -1
  42. package/rules/context-exfiltration/ATR-2026-00449-spring-ai-chatmemory-cross-user-leak.yaml +1 -1
  43. package/rules/context-exfiltration/ATR-2026-00471-garak-sysprompt-extraction-mixedunassigned.yaml +1 -1
  44. package/rules/context-exfiltration/ATR-2026-00501-data-exfiltration-via-markdown-image-and-link-url-injection.yaml +1 -1
  45. package/rules/context-exfiltration/ATR-2026-00504-tool-and-function-capability-enumeration.yaml +1 -1
  46. package/rules/context-exfiltration/ATR-2026-00505-system-prompt-extraction-instruction-dump-request.yaml +1 -1
  47. package/rules/context-exfiltration/ATR-2026-00514-system-prompt-extraction.yaml +1 -1
  48. package/rules/context-exfiltration/ATR-2026-00516-output-xss-via-llm.yaml +1 -1
  49. package/rules/context-exfiltration/ATR-2026-00524-claude-code-anthropic-base-url-credential-exfil.yaml +2 -2
  50. package/rules/context-exfiltration/ATR-2026-00548-cross-agent-session-context-leak.yaml +1 -1
  51. package/rules/context-exfiltration/ATR-2026-00578-zen-mcp-path-traversal-blacklist-bypass.yaml +1 -1
  52. package/rules/context-exfiltration/ATR-2026-00580-mcp-session-id-token-in-url-query.yaml +1 -1
  53. package/rules/context-exfiltration/ATR-2026-00583-mcp-env-secret-file-read-without-consent.yaml +1 -1
  54. package/rules/context-exfiltration/ATR-2026-00706-ipi-physical-biometric-exfil.yaml +1 -1
  55. package/rules/context-exfiltration/ATR-2026-00850-indirect-pi-credential-exfil-email.yaml +2 -2
  56. package/rules/context-exfiltration/ATR-2026-00851-indirect-pi-financial-payment-exfil.yaml +2 -2
  57. package/rules/context-exfiltration/ATR-2026-00852-indirect-pi-medical-record-exfil.yaml +2 -2
  58. package/rules/context-exfiltration/ATR-2026-00853-indirect-pi-genetic-data-exfil.yaml +2 -2
  59. package/rules/context-exfiltration/ATR-2026-00854-indirect-pi-location-data-exfil.yaml +1 -1
  60. package/rules/context-exfiltration/ATR-2026-00855-indirect-pi-browsing-history-exfil.yaml +2 -2
  61. package/rules/context-exfiltration/ATR-2026-00856-indirect-pi-address-pii-exfil.yaml +2 -2
  62. package/rules/context-exfiltration/ATR-2026-00857-indirect-pi-cloud-file-exfil.yaml +1 -1
  63. package/rules/context-exfiltration/ATR-2026-00858-indirect-pi-exfil-and-destroy.yaml +1 -1
  64. package/rules/context-exfiltration/ATR-2026-00859-rag-injected-pii-exfil.yaml +1 -1
  65. package/rules/context-exfiltration/ATR-2026-00860-indirect-pi-financial-transfer-hijack.yaml +1 -1
  66. package/rules/context-exfiltration/ATR-2026-00861-indirect-pi-crypto-transfer-hijack.yaml +1 -1
  67. package/rules/context-exfiltration/ATR-2026-00862-indirect-pi-mfa-code-exfil.yaml +1 -1
  68. package/rules/context-exfiltration/ATR-2026-01453-markdown-image-base64-exfil-carrier.yaml +1 -1
  69. package/rules/context-exfiltration/ATR-2026-01454-direct-markdown-exfil-payload.yaml +1 -1
  70. package/rules/context-exfiltration/ATR-2026-01456-debug-cli-mode-sysprompt-extraction.yaml +1 -1
  71. package/rules/context-exfiltration/ATR-2026-01457-sysprompt-completion-clone-attack.yaml +1 -1
  72. package/rules/context-exfiltration/ATR-2026-01458-compare-bots-sysprompt-fishing.yaml +1 -1
  73. package/rules/context-exfiltration/ATR-2026-01459-variable-clone-sysprompt-technique.yaml +1 -1
  74. package/rules/context-exfiltration/ATR-2026-01460-json-format-sysprompt-extraction.yaml +1 -1
  75. package/rules/context-exfiltration/ATR-2026-01461-foreign-language-sysprompt-request.yaml +1 -1
  76. package/rules/context-exfiltration/ATR-2026-01753-ransom-email-exfil-delete-extortion.yaml +1 -1
  77. package/rules/context-exfiltration/ATR-2026-01754-ransom-file-cloud-exfil-delete-extortion.yaml +1 -1
  78. package/rules/context-exfiltration/ATR-2026-01770-semantic-pii-credential-extraction.yaml +1 -1
  79. package/rules/context-exfiltration/ATR-2026-01772-semantic-internal-state-recon.yaml +2 -2
  80. package/rules/context-exfiltration/ATR-2026-01807-asb-bulk-data-exfil-external.yaml +1 -1
  81. package/rules/context-exfiltration/ATR-2026-01929-mcp-unauthenticated-transport-token-fallback.yaml +188 -0
  82. package/rules/data-poisoning/ATR-2026-00070-data-poisoning.yaml +1 -1
  83. package/rules/data-poisoning/ATR-2026-00570-sql-injection-in-agent-tool-query.yaml +1 -1
  84. package/rules/data-poisoning/ATR-2026-01774-semantic-rag-memory-poisoning.yaml +1 -1
  85. package/rules/excessive-autonomy/ATR-2026-00050-runaway-agent-loop.yaml +2 -2
  86. package/rules/excessive-autonomy/ATR-2026-00051-resource-exhaustion.yaml +3 -3
  87. package/rules/excessive-autonomy/ATR-2026-00052-cascading-failure.yaml +2 -2
  88. package/rules/excessive-autonomy/ATR-2026-00098-unauthorized-financial-action.yaml +1 -1
  89. package/rules/excessive-autonomy/ATR-2026-00099-high-risk-tool-gate.yaml +1 -1
  90. package/rules/excessive-autonomy/ATR-2026-00428-nl-unauthorized-shell-execution.yaml +1 -1
  91. package/rules/excessive-autonomy/ATR-2026-00491-garak-agent-breaker-markdown-just-raw-json.yaml +1 -1
  92. package/rules/excessive-autonomy/ATR-2026-00500-ssrf-via-agent-url-fetch-instruction.yaml +1 -1
  93. package/rules/excessive-autonomy/ATR-2026-00711-ipi-system-sabotage-destructive-command.yaml +1 -1
  94. package/rules/excessive-autonomy/ATR-2026-00712-ipi-malicious-package-install.yaml +1 -1
  95. package/rules/excessive-autonomy/ATR-2026-00713-ipi-rce-network-shell-command.yaml +1 -1
  96. package/rules/model-abuse/ATR-2026-00413-malwaregen-code-generation-request.yaml +3 -2
  97. package/rules/model-abuse/ATR-2026-00502-training-data-extraction-via-divergent-repetition-attack.yaml +1 -1
  98. package/rules/model-abuse/ATR-2026-00517-model-extraction-distillation.yaml +1 -1
  99. package/rules/model-abuse/ATR-2026-01750-dos-repeat-word-n-times-output-amplification.yaml +2 -2
  100. package/rules/model-abuse/ATR-2026-01760-dos-forced-infinite-output-token-flood.yaml +2 -2
  101. package/rules/model-abuse/ATR-2026-01841-deepfake-disinformation.yaml +1 -1
  102. package/rules/model-security/ATR-2026-00072-model-behavior-extraction.yaml +2 -2
  103. package/rules/model-security/ATR-2026-00073-malicious-finetuning-data.yaml +1 -1
  104. package/rules/model-security/ATR-2026-00433-modelcache-torch-load-deserialization-rce.yaml +2 -2
  105. package/rules/privilege-escalation/ATR-2026-00041-scope-creep.yaml +1 -1
  106. package/rules/privilege-escalation/ATR-2026-00436-enclave-vm-sandbox-escape-rce.yaml +1 -0
  107. package/rules/privilege-escalation/ATR-2026-00451-litellm-admin-sqli-cisa-kev.yaml +1 -1
  108. package/rules/privilege-escalation/ATR-2026-00539-crewai-codeinterpreter-sandbox-escape-rce.yaml +1 -0
  109. package/rules/privilege-escalation/ATR-2026-00549-destructive-tool-without-human-approval.yaml +1 -1
  110. package/rules/privilege-escalation/ATR-2026-00551-cross-conversation-memory-write.yaml +2 -3
  111. package/rules/privilege-escalation/ATR-2026-01615-sandbox-escape-command-injection.yaml +1 -0
  112. package/rules/privilege-escalation/ATR-2026-01899-remote-access-backdoor.yaml +1 -1
  113. package/rules/prompt-injection/ATR-2026-00001-direct-prompt-injection.yaml +1 -0
  114. package/rules/prompt-injection/ATR-2026-00002-indirect-prompt-injection.yaml +1 -0
  115. package/rules/prompt-injection/ATR-2026-00003-jailbreak-attempt.yaml +1 -1
  116. package/rules/prompt-injection/ATR-2026-00004-system-prompt-override.yaml +11 -2
  117. package/rules/prompt-injection/ATR-2026-00005-multi-turn-injection.yaml +1 -1
  118. package/rules/prompt-injection/ATR-2026-00104-persona-hijacking.yaml +1 -1
  119. package/rules/prompt-injection/ATR-2026-00203-context-pollution-skill-description.yaml +1 -1
  120. package/rules/prompt-injection/ATR-2026-00245-malicious-persona.yaml +10 -10
  121. package/rules/prompt-injection/ATR-2026-00297-python-code-execution-rce.yaml +1 -1
  122. package/rules/prompt-injection/ATR-2026-00397-snowball-impossible-reasoning-injection.yaml +1 -1
  123. package/rules/prompt-injection/ATR-2026-00401-leakreplay-cloze-mask-training-data-elicitation.yaml +1 -1
  124. package/rules/prompt-injection/ATR-2026-00420-copilot-studio-sharepoint-indirect-injection.yaml +3 -3
  125. package/rules/prompt-injection/ATR-2026-00442-quoted-exact-output-forcing.yaml +1 -0
  126. package/rules/prompt-injection/ATR-2026-00445-translation-hijack-with-side-output.yaml +1 -1
  127. package/rules/prompt-injection/ATR-2026-00447-fictional-generation-containing-target.yaml +1 -1
  128. package/rules/prompt-injection/ATR-2026-00452-direct-pwned-payload-injection.yaml +1 -1
  129. package/rules/prompt-injection/ATR-2026-00453-secret-key-reveal-demand.yaml +1 -1
  130. package/rules/prompt-injection/ATR-2026-00454-backslash-per-character-encoding.yaml +1 -1
  131. package/rules/prompt-injection/ATR-2026-00456-conditional-empty-input-injection.yaml +1 -1
  132. package/rules/prompt-injection/ATR-2026-00465-garak-dan-your-prompt-here.yaml +1 -1
  133. package/rules/prompt-injection/ATR-2026-00472-garak-dan-are-going-to.yaml +1 -1
  134. package/rules/prompt-injection/ATR-2026-00485-garak-dan-and-does-not.yaml +1 -1
  135. package/rules/prompt-injection/ATR-2026-00492-garak-dan-want-you-to.yaml +1 -1
  136. package/rules/prompt-injection/ATR-2026-00495-garak-dan-insert-prompt-here.yaml +1 -1
  137. package/rules/prompt-injection/ATR-2026-00510-delayed-tool-invocation-injection.yaml +1 -1
  138. package/rules/prompt-injection/ATR-2026-00550-untrusted-retrieval-to-privileged-tool.yaml +1 -1
  139. package/rules/prompt-injection/ATR-2026-00579-mcp-tool-description-line-jumping-injection.yaml +1 -1
  140. package/rules/prompt-injection/ATR-2026-00584-indirect-injection-via-tool-response.yaml +1 -1
  141. package/rules/prompt-injection/ATR-2026-01018-evasion-shell-injection-eval.yaml +1 -1
  142. package/rules/prompt-injection/ATR-2026-01021-spikee-doc-embedded-translation-injection.yaml +1 -1
  143. package/rules/prompt-injection/ATR-2026-01304-indirect-injection-carrier-important-override.yaml +1 -1
  144. package/rules/prompt-injection/ATR-2026-01800-asb-trigger-marker-tool-coercion.yaml +1 -1
  145. package/rules/prompt-injection/ATR-2026-01901-output-scrambling.yaml +1 -1
  146. package/rules/skill-compromise/ATR-2026-00060-skill-impersonation.yaml +2 -1
  147. package/rules/skill-compromise/ATR-2026-00061-description-behavior-mismatch.yaml +2 -2
  148. package/rules/skill-compromise/ATR-2026-00062-hidden-capability.yaml +1 -1
  149. package/rules/skill-compromise/ATR-2026-00063-skill-chain-attack.yaml +2 -2
  150. package/rules/skill-compromise/ATR-2026-00065-skill-update-attack.yaml +1 -1
  151. package/rules/skill-compromise/ATR-2026-00120-skill-instruction-injection.yaml +1 -1
  152. package/rules/skill-compromise/ATR-2026-00121-skill-dangerous-script.yaml +1 -1
  153. package/rules/skill-compromise/ATR-2026-00122-skill-weaponized-instruction.yaml +1 -1
  154. package/rules/skill-compromise/ATR-2026-00123-skill-overreach-permissions.yaml +1 -1
  155. package/rules/skill-compromise/ATR-2026-00124-skill-name-squatting.yaml +1 -1
  156. package/rules/skill-compromise/ATR-2026-00125-context-poisoning-compaction.yaml +2 -1
  157. package/rules/skill-compromise/ATR-2026-00126-skill-rug-pull-setup.yaml +2 -1
  158. package/rules/skill-compromise/ATR-2026-00127-subcommand-overflow.yaml +1 -1
  159. package/rules/skill-compromise/ATR-2026-00128-html-comment-hidden-payload.yaml +1 -1
  160. package/rules/skill-compromise/ATR-2026-00129-unicode-smuggling.yaml +1 -1
  161. package/rules/skill-compromise/ATR-2026-00134-fork-claim-impersonation.yaml +1 -1
  162. package/rules/skill-compromise/ATR-2026-00135-exfil-url-in-instructions.yaml +1 -1
  163. package/rules/skill-compromise/ATR-2026-00147-fork-impersonation.yaml +1 -1
  164. package/rules/skill-compromise/ATR-2026-00149-skill-exfil-compound.yaml +1 -1
  165. package/rules/skill-compromise/ATR-2026-00151-fork-impersonation-install.yaml +1 -1
  166. package/rules/skill-compromise/ATR-2026-00200-agent-memory-config-tampering.yaml +1 -1
  167. package/rules/skill-compromise/ATR-2026-00214-credential-theft.yaml +1 -1
  168. package/rules/skill-compromise/ATR-2026-00260-package-hallucination.yaml +1 -1
  169. package/rules/skill-compromise/ATR-2026-00262-av-evasion-code-gen.yaml +1 -1
  170. package/rules/skill-compromise/ATR-2026-00263-credential-file-read-gen.yaml +1 -1
  171. package/rules/skill-compromise/ATR-2026-00266-malware-dropper-gen.yaml +1 -1
  172. package/rules/skill-compromise/ATR-2026-00398-huggingface-unsafe-model-artifact-load.yaml +2 -2
  173. package/rules/skill-compromise/ATR-2026-00425-nl-persistent-covert-hook.yaml +2 -2
  174. package/rules/skill-compromise/ATR-2026-00427-nl-fake-error-instruction-bypass.yaml +1 -1
  175. package/rules/skill-compromise/ATR-2026-00429-nl-skill-self-modification.yaml +2 -2
  176. package/rules/skill-compromise/ATR-2026-00523-claude-code-hooks-session-start-pre-trust-rce.yaml +1 -1
  177. package/rules/skill-compromise/ATR-2026-00525-mini-shai-hulud-gh-token-monitor-persistence.yaml +1 -1
  178. package/rules/skill-compromise/ATR-2026-00527-skill-silent-git-remote-mirror-exfiltration.yaml +1 -1
  179. package/rules/skill-compromise/ATR-2026-01755-backdoor-pot-linguistic-trigger-phrase.yaml +1 -1
  180. package/rules/skill-compromise/ATR-2026-01756-backdoor-pot-symbol-emoticon-trigger.yaml +1 -1
  181. package/rules/tool-poisoning/ATR-2026-00010-mcp-malicious-response.yaml +2 -2
  182. package/rules/tool-poisoning/ATR-2026-00011-tool-output-injection.yaml +2 -2
  183. package/rules/tool-poisoning/ATR-2026-00012-unauthorized-tool-call.yaml +1 -1
  184. package/rules/tool-poisoning/ATR-2026-00100-consent-bypass-instruction.yaml +1 -1
  185. package/rules/tool-poisoning/ATR-2026-00101-trust-escalation-override.yaml +1 -1
  186. package/rules/tool-poisoning/ATR-2026-00103-hidden-safety-bypass-instruction.yaml +2 -1
  187. package/rules/tool-poisoning/ATR-2026-00105-silent-action-concealment.yaml +1 -1
  188. package/rules/tool-poisoning/ATR-2026-00106-schema-description-contradiction.yaml +1 -1
  189. package/rules/tool-poisoning/ATR-2026-00161-important-tag-cross-tool-shadowing.yaml +3 -2
  190. package/rules/tool-poisoning/ATR-2026-00209-mcpwn-runaway-invocation.yaml +2 -2
  191. package/rules/tool-poisoning/ATR-2026-00210-flowise-system-message-override.yaml +2 -2
  192. package/rules/tool-poisoning/ATR-2026-00415-flowise-custom-mcp-stdio-rce.yaml +1 -1
  193. package/rules/tool-poisoning/ATR-2026-00419-cursor-mcp-zero-click-config.yaml +7 -3
  194. package/rules/tool-poisoning/ATR-2026-00434-mcp-remote-authorization-endpoint-command-injection.yaml +1 -1
  195. package/rules/tool-poisoning/ATR-2026-00435-azure-mcp-server-missing-authentication.yaml +1 -1
  196. package/rules/tool-poisoning/ATR-2026-00494-garak-exploitation-mixedunassigned.yaml +1 -1
  197. package/rules/tool-poisoning/ATR-2026-00513-package-hallucination-exploitation.yaml +1 -1
  198. package/rules/tool-poisoning/ATR-2026-00521-shell-command-injection-agent-tool-context.yaml +1 -1
  199. package/rules/tool-poisoning/ATR-2026-00522-sql-injection-natural-language-agent-interface.yaml +1 -1
  200. package/rules/tool-poisoning/ATR-2026-00526-claude-code-shell-metachar-in-double-quoted-path.yaml +1 -1
  201. package/rules/tool-poisoning/ATR-2026-00530-ms-agent-shell-tool-unsanitized-argv-rce.yaml +1 -1
  202. package/rules/tool-poisoning/ATR-2026-00531-praisonai-unauthenticated-agent-api.yaml +1 -1
  203. package/rules/tool-poisoning/ATR-2026-00536-nginx-ui-mcp-unauthenticated-command-execution.yaml +1 -1
  204. package/rules/tool-poisoning/ATR-2026-00537-fastmcp-server-name-cmd-injection-windows.yaml +1 -1
  205. package/rules/tool-poisoning/ATR-2026-00538-langchain-chatchat-mcp-stdio-unauthenticated-rce.yaml +1 -1
  206. package/rules/tool-poisoning/ATR-2026-00540-praisonai-parse-mcp-command-cli-injection.yaml +1 -1
  207. package/rules/tool-poisoning/ATR-2026-00543-litellm-mcp-server-argv-injection.yaml +1 -1
  208. package/rules/tool-poisoning/ATR-2026-00572-symjack-symlink-config-redirection.yaml +1 -1
  209. package/rules/tool-poisoning/ATR-2026-00575-miasma-npm-worm-agent-config-backdoor.yaml +1 -1
  210. package/rules/tool-poisoning/ATR-2026-00576-hades-agent-credential-theft.yaml +1 -1
  211. package/rules/tool-poisoning/ATR-2026-00577-create-mcp-server-stdio-exec-command-injection.yaml +2 -2
  212. package/rules/tool-poisoning/ATR-2026-00581-mcp-tool-rug-pull-post-approval-redefinition.yaml +2 -2
  213. package/rules/tool-poisoning/ATR-2026-01300-mcp-notes-param-chat-history-exfil.yaml +2 -2
  214. package/rules/tool-poisoning/ATR-2026-01301-tool-description-exclusive-tool-override.yaml +1 -1
  215. package/rules/tool-poisoning/ATR-2026-01302-fake-tool-result-instruction-injection.yaml +1 -1
  216. package/rules/tool-poisoning/ATR-2026-01303-tool-schema-enumeration-social-engineering.yaml +1 -1
  217. package/rules/tool-poisoning/ATR-2026-01306-mcp-oauth-command-injection.yaml +1 -1
  218. package/rules/tool-poisoning/ATR-2026-01307-mcp-dns-rebinding-attack.yaml +1 -1
  219. package/rules/tool-poisoning/ATR-2026-01310-mcp-tool-description-compliance-history-exfil.yaml +2 -2
  220. package/rules/tool-poisoning/ATR-2026-01775-semantic-mcp-tool-manifest-poisoning.yaml +4 -3
  221. package/rules/tool-poisoning/ATR-2026-01927-mcp-server-kubernetes-kubectl-command-injection.yaml +2 -2
  222. package/rules/tool-poisoning/ATR-2026-01928-framelink-figma-mcp-curl-fallback-command-injection.yaml +2 -2
  223. package/rules/tool-poisoning/ATR-2026-01930-mcp-sampling-prompt-injection.yaml +188 -0
  224. package/rules/tool-poisoning/ATR-2026-01931-gemini-mcp-tool-command-injection-file-exfil.yaml +169 -0
  225. package/rules/tool-poisoning/ATR-2026-01932-shadow-undeclared-mcp-server-registration.yaml +160 -0
  226. package/spec/mappings/atr-to-nist-csf-2.0.md +11 -11
@@ -24,7 +24,7 @@ references:
24
24
  owasp_agentic:
25
25
  - "ASI01:2026 - Agent Goal Hijack"
26
26
  mitre_atlas:
27
- - "AML.T0024 - Exfiltration via ML Inference API"
27
+ - "AML.T0024 - Exfiltration via AI Inference API"
28
28
  compliance:
29
29
  owasp_agentic:
30
30
  - id: ASI01:2026
@@ -25,7 +25,7 @@ references:
25
25
  owasp_agentic:
26
26
  - "ASI01:2026 - Agent Goal Hijack"
27
27
  mitre_atlas:
28
- - "AML.T0024 - Exfiltration via ML Inference API"
28
+ - "AML.T0024 - Exfiltration via AI Inference API"
29
29
  compliance:
30
30
  owasp_agentic:
31
31
  - id: ASI01:2026
@@ -43,8 +43,8 @@ references:
43
43
  - "ASI04:2026 - Supply Chain"
44
44
  - "ASI09:2026 - Identity Spoofing and Impersonation"
45
45
  mitre_atlas:
46
- - "AML.T0010 - ML Supply Chain Compromise"
47
- - "AML.T0024 - Exfiltration via ML Inference API"
46
+ - "AML.T0010 - AI Supply Chain Compromise"
47
+ - "AML.T0024 - Exfiltration via AI Inference API"
48
48
  - "AML.T0055 - Unsecured Credentials"
49
49
  mitre_attack:
50
50
  - "T1552 - Unsecured Credentials"
@@ -34,7 +34,7 @@ references:
34
34
  - "ASI03:2026 - Data Exfiltration"
35
35
  - "ASI06:2026 - Identity Spoofing & Impersonation"
36
36
  mitre_atlas:
37
- - "AML.T0024 - Exfiltration via Cyber Means"
37
+ - "AML.T0024 - Exfiltration via AI Inference API"
38
38
  research:
39
39
  - "Argus: Hierarchical Reference-Relationship Graph for Multi-Agent Information Leakage (arXiv:2512.08326)"
40
40
  - "Compositional Privacy Risks in Multi-Agent Systems (arXiv:2509.14284)"
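Review bot: The pre-change line in this hunk paired the ID AML.T0024 with the name ATLAS uses for AML.T0025 ("Exfiltration via Cyber Means"), and the fix keeps the ID and rewrites the label; whether the ID or the label was the intended half is not evident from the hunk, and the neighbouring research references on multi-agent information leakage could fit T0025 just as well. Recording the decision beside the entry, e.g. `# T0024 kept over T0025: the leak is observed on the inference/response path`, would stop a later cleanup from flipping it back. The same ID/label drift is corrected by hand in the two later hunks that replace `AML.T0048 - Exfiltration via ML Inference API` and `AML.T0048 - LLM Data Exfiltration` with AML.T0025, so the ID→name pairing should presumably be validated against a canonical ATLAS table at load or lint time rather than fixed per file; the new quality/rule-contract module listed in the diffstat may be the natural home for that check if it already inspects reference entries.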
@@ -29,7 +29,7 @@ references:
29
29
  - "ASI06:2026 - Memory and Context Poisoning"
30
30
  mitre_atlas:
31
31
  - "AML.T0057 - LLM Data Leakage"
32
- - "AML.T0056 - LLM Meta Prompt Extraction"
32
+ - "AML.T0056 - Extract LLM System Prompt"
33
33
  cve:
34
34
  - CVE-2025-66689
35
35
  cwe:
@@ -35,7 +35,7 @@ references:
35
35
  - "ASI06:2026 - Memory and Context Poisoning"
36
36
  mitre_atlas:
37
37
  - "AML.T0057 - LLM Data Leakage"
38
- - "AML.T0056 - LLM Meta Prompt Extraction"
38
+ - "AML.T0056 - Extract LLM System Prompt"
39
39
  vulnerablemcp_id:
40
40
  - session-ids-exposed-in-urls
41
41
  external:
@@ -39,7 +39,7 @@ references:
39
39
  - "ASI06:2026 - Memory and Context Poisoning"
40
40
  mitre_atlas:
41
41
  - "AML.T0057 - LLM Data Leakage"
42
- - "AML.T0056 - LLM Meta Prompt Extraction"
42
+ - "AML.T0056 - Extract LLM System Prompt"
43
43
  cwe:
44
44
  - CWE-200
45
45
  - CWE-922
@@ -26,7 +26,7 @@ references:
26
26
  mitre_atlas:
27
27
  - "AML.T0051 - LLM Prompt Injection"
28
28
  - "AML.T0051.001 - Indirect"
29
- - "AML.T0059 - Deepfake / Synthetic Media"
29
+ - "AML.T0088 - Generate Deepfakes"
30
30
 
31
31
  compliance:
32
32
  owasp_llm:
@@ -15,7 +15,7 @@ author: "ATR Community"
15
15
  date: "2026/06/12"
16
16
  schema_version: "0.1"
17
17
  detection_tier: pattern
18
- maturity: test
18
+ maturity: stable
19
19
  severity: critical
20
20
 
21
21
  references:
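Review bot: `maturity: stable` replaces `maturity: test` here while the diffstat records only one- or two-line changes to the affected rule files, so the promotion is not accompanied by any visible change to detection logic or test fixtures in this commit. The evidence behind the promotion should be traceable from the rule itself, for example a comment beside the field such as `# promoted to stable: <validation reference placeholder>` or a sentence in the rule's description. The same `test` → `stable` bump recurs in the five later hunks headed `@@ -15,7 +15,7 @@ author:` and `@@ -14,7 +14,7 @@ author:`, which appear to belong to the indirect-PI exfiltration rule files; they would benefit from the same traceability.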
@@ -26,7 +26,7 @@ references:
26
26
  - "ASI01:2026 - Agent Goal Hijack"
27
27
  - "ASI03:2026 - Tool Misuse"
28
28
  mitre_atlas:
29
- - "AML.T0051.001 - Indirect Prompt Injection"
29
+ - "AML.T0051.001 - Indirect"
30
30
  - "AML.T0057 - LLM Data Leakage"
31
31
  research:
32
32
  - "https://github.com/CUA-Framework/VPIBench"
@@ -15,7 +15,7 @@ author: "ATR Community"
15
15
  date: "2026/06/12"
16
16
  schema_version: "0.1"
17
17
  detection_tier: pattern
18
- maturity: test
18
+ maturity: stable
19
19
  severity: critical
20
20
 
21
21
  references:
@@ -26,7 +26,7 @@ references:
26
26
  - "ASI01:2026 - Agent Goal Hijack"
27
27
  - "ASI03:2026 - Tool Misuse"
28
28
  mitre_atlas:
29
- - "AML.T0051.001 - Indirect Prompt Injection"
29
+ - "AML.T0051.001 - Indirect"
30
30
  - "AML.T0057 - LLM Data Leakage"
31
31
  research:
32
32
  - "https://github.com/CUA-Framework/VPIBench"
@@ -15,7 +15,7 @@ author: "ATR Community"
15
15
  date: "2026/06/12"
16
16
  schema_version: "0.1"
17
17
  detection_tier: pattern
18
- maturity: test
18
+ maturity: stable
19
19
  severity: critical
20
20
 
21
21
  references:
@@ -26,7 +26,7 @@ references:
26
26
  - "ASI01:2026 - Agent Goal Hijack"
27
27
  - "ASI03:2026 - Tool Misuse"
28
28
  mitre_atlas:
29
- - "AML.T0051.001 - Indirect Prompt Injection"
29
+ - "AML.T0051.001 - Indirect"
30
30
  - "AML.T0057 - LLM Data Leakage"
31
31
  research:
32
32
  - "https://github.com/CUA-Framework/VPIBench"
@@ -15,7 +15,7 @@ author: "ATR Community"
15
15
  date: "2026/06/12"
16
16
  schema_version: "0.1"
17
17
  detection_tier: pattern
18
- maturity: test
18
+ maturity: stable
19
19
  severity: critical
20
20
 
21
21
  references:
@@ -26,7 +26,7 @@ references:
26
26
  - "ASI01:2026 - Agent Goal Hijack"
27
27
  - "ASI03:2026 - Tool Misuse"
28
28
  mitre_atlas:
29
- - "AML.T0051.001 - Indirect Prompt Injection"
29
+ - "AML.T0051.001 - Indirect"
30
30
  - "AML.T0057 - LLM Data Leakage"
31
31
  research:
32
32
  - "https://github.com/CUA-Framework/VPIBench"
@@ -26,7 +26,7 @@ references:
26
26
  - "ASI01:2026 - Agent Goal Hijack"
27
27
  - "ASI03:2026 - Tool Misuse"
28
28
  mitre_atlas:
29
- - "AML.T0051.001 - Indirect Prompt Injection"
29
+ - "AML.T0051.001 - Indirect"
30
30
  - "AML.T0057 - LLM Data Leakage"
31
31
  research:
32
32
  - "https://github.com/CUA-Framework/VPIBench"
@@ -14,7 +14,7 @@ author: "ATR Community"
14
14
  date: "2026/06/12"
15
15
  schema_version: "0.1"
16
16
  detection_tier: pattern
17
- maturity: test
17
+ maturity: stable
18
18
  severity: high
19
19
 
20
20
  references:
@@ -25,7 +25,7 @@ references:
25
25
  - "ASI01:2026 - Agent Goal Hijack"
26
26
  - "ASI03:2026 - Tool Misuse"
27
27
  mitre_atlas:
28
- - "AML.T0051.001 - Indirect Prompt Injection"
28
+ - "AML.T0051.001 - Indirect"
29
29
  - "AML.T0057 - LLM Data Leakage"
30
30
  research:
31
31
  - "https://github.com/CUA-Framework/VPIBench"
@@ -14,7 +14,7 @@ author: "ATR Community"
14
14
  date: "2026/06/12"
15
15
  schema_version: "0.1"
16
16
  detection_tier: pattern
17
- maturity: test
17
+ maturity: stable
18
18
  severity: high
19
19
 
20
20
  references:
@@ -25,7 +25,7 @@ references:
25
25
  - "ASI01:2026 - Agent Goal Hijack"
26
26
  - "ASI03:2026 - Tool Misuse"
27
27
  mitre_atlas:
28
- - "AML.T0051.001 - Indirect Prompt Injection"
28
+ - "AML.T0051.001 - Indirect"
29
29
  - "AML.T0057 - LLM Data Leakage"
30
30
  research:
31
31
  - "https://github.com/CUA-Framework/VPIBench"
@@ -26,7 +26,7 @@ references:
26
26
  - "ASI01:2026 - Agent Goal Hijack"
27
27
  - "ASI03:2026 - Tool Misuse"
28
28
  mitre_atlas:
29
- - "AML.T0051.001 - Indirect Prompt Injection"
29
+ - "AML.T0051.001 - Indirect"
30
30
  - "AML.T0057 - LLM Data Leakage"
31
31
  research:
32
32
  - "https://github.com/CUA-Framework/VPIBench"
@@ -27,7 +27,7 @@ references:
27
27
  - "ASI03:2026 - Tool Misuse"
28
28
  - "ASI09:2026 - Destructive Agent Behavior"
29
29
  mitre_atlas:
30
- - "AML.T0051.001 - Indirect Prompt Injection"
30
+ - "AML.T0051.001 - Indirect"
31
31
  - "AML.T0057 - LLM Data Leakage"
32
32
  mitre_attack:
33
33
  - "T1485 - Data Destruction"
@@ -27,7 +27,7 @@ references:
27
27
  - "ASI01:2026 - Agent Goal Hijack"
28
28
  - "ASI03:2026 - Tool Misuse"
29
29
  mitre_atlas:
30
- - "AML.T0051.001 - Indirect Prompt Injection"
30
+ - "AML.T0051.001 - Indirect"
31
31
  - "AML.T0057 - LLM Data Leakage"
32
32
  research:
33
33
  - "https://arxiv.org/abs/2403.02691"
@@ -27,7 +27,7 @@ references:
27
27
  - "ASI01:2026 - Agent Goal Hijack"
28
28
  - "ASI03:2026 - Tool Misuse"
29
29
  mitre_atlas:
30
- - "AML.T0051.001 - Indirect Prompt Injection"
30
+ - "AML.T0051.001 - Indirect"
31
31
  mitre_attack:
32
32
  - "T1657 - Financial Theft"
33
33
  research:
@@ -26,7 +26,7 @@ references:
26
26
  - "ASI01:2026 - Agent Goal Hijack"
27
27
  - "ASI03:2026 - Tool Misuse"
28
28
  mitre_atlas:
29
- - "AML.T0051.001 - Indirect Prompt Injection"
29
+ - "AML.T0051.001 - Indirect"
30
30
  mitre_attack:
31
31
  - "T1657 - Financial Theft"
32
32
  research:
@@ -27,7 +27,7 @@ references:
27
27
  - "ASI01:2026 - Agent Goal Hijack"
28
28
  - "ASI03:2026 - Tool Misuse"
29
29
  mitre_atlas:
30
- - "AML.T0051.001 - Indirect Prompt Injection"
30
+ - "AML.T0051.001 - Indirect"
31
31
  - "AML.T0057 - LLM Data Leakage"
32
32
  mitre_attack:
33
33
  - "T1111 - Multi-Factor Authentication Interception"
@@ -30,7 +30,7 @@ references:
30
30
  owasp_agentic:
31
31
  - "ASI01:2026 - Agent Goal Hijack"
32
32
  mitre_atlas:
33
- - "AML.T0024 - Exfiltration via ML Inference API"
33
+ - "AML.T0024 - Exfiltration via AI Inference API"
34
34
  - "AML.T0051 - LLM Prompt Injection"
35
35
  external:
36
36
  - "https://www.withsecure.com/en/expertise/research-and-articles/llm-prompt-injection"
@@ -25,7 +25,7 @@ references:
25
25
  owasp_agentic:
26
26
  - "ASI01:2026 - Agent Goal Hijack"
27
27
  mitre_atlas:
28
- - "AML.T0024 - Exfiltration via ML Inference API"
28
+ - "AML.T0024 - Exfiltration via AI Inference API"
29
29
 
30
30
  compliance:
31
31
  owasp_llm:
@@ -31,7 +31,7 @@ references:
31
31
  owasp_agentic:
32
32
  - "ASI01:2026 - Agent Goal Hijack"
33
33
  mitre_atlas:
34
- - "AML.T0024 - Exfiltration via ML Inference API"
34
+ - "AML.T0024 - Exfiltration via AI Inference API"
35
35
 
36
36
  compliance:
37
37
  owasp_llm:
@@ -33,7 +33,7 @@ references:
33
33
  owasp_agentic:
34
34
  - "ASI01:2026 - Agent Goal Hijack"
35
35
  mitre_atlas:
36
- - "AML.T0024 - Exfiltration via ML Inference API"
36
+ - "AML.T0024 - Exfiltration via AI Inference API"
37
37
  - "AML.CS0036 - AIKatz"
38
38
 
39
39
  compliance:
@@ -26,7 +26,7 @@ references:
26
26
  - "LLM07:2025 - System Prompt Leakage"
27
27
  - "LLM02:2025 - Sensitive Information Disclosure"
28
28
  mitre_atlas:
29
- - "AML.T0024 - Exfiltration via ML Inference API"
29
+ - "AML.T0024 - Exfiltration via AI Inference API"
30
30
  owasp_agentic:
31
31
  - "ASI01:2026 - Agent Goal Hijack"
32
32
 
@@ -28,7 +28,7 @@ references:
28
28
  - "LLM07:2025 - System Prompt Leakage"
29
29
  - "LLM02:2025 - Sensitive Information Disclosure"
30
30
  mitre_atlas:
31
- - "AML.T0024 - Exfiltration via ML Inference API"
31
+ - "AML.T0024 - Exfiltration via AI Inference API"
32
32
  owasp_agentic:
33
33
  - "ASI01:2026 - Agent Goal Hijack"
34
34
 
@@ -29,7 +29,7 @@ references:
29
29
  - "LLM07:2025 - System Prompt Leakage"
30
30
  - "LLM02:2025 - Sensitive Information Disclosure"
31
31
  mitre_atlas:
32
- - "AML.T0024 - Exfiltration via ML Inference API"
32
+ - "AML.T0024 - Exfiltration via AI Inference API"
33
33
  owasp_agentic:
34
34
  - "ASI01:2026 - Agent Goal Hijack"
35
35
 
@@ -30,7 +30,7 @@ references:
30
30
  - "LLM07:2025 - System Prompt Leakage"
31
31
  - "LLM02:2025 - Sensitive Information Disclosure"
32
32
  mitre_atlas:
33
- - "AML.T0024 - Exfiltration via ML Inference API"
33
+ - "AML.T0024 - Exfiltration via AI Inference API"
34
34
  owasp_agentic:
35
35
  - "ASI01:2026 - Agent Goal Hijack"
36
36
 
@@ -27,7 +27,7 @@ references:
27
27
  - "ASI04:2026 - Unintended Data Exfiltration"
28
28
  mitre_atlas:
29
29
  - "AML.T0051 - LLM Prompt Injection"
30
- - "AML.T0048 - Exfiltration via ML Inference API"
30
+ - "AML.T0025 - Exfiltration via Cyber Means"
31
31
 
32
32
  compliance:
33
33
  owasp_llm:
@@ -27,7 +27,7 @@ references:
27
27
  - "ASI04:2026 - Unintended Data Exfiltration"
28
28
  mitre_atlas:
29
29
  - "AML.T0051 - LLM Prompt Injection"
30
- - "AML.T0048 - Exfiltration via ML Inference API"
30
+ - "AML.T0025 - Exfiltration via Cyber Means"
31
31
 
32
32
  compliance:
33
33
  owasp_llm:
@@ -46,7 +46,7 @@ references:
46
46
  mitre_atlas:
47
47
  - "AML.T0051 - LLM Prompt Injection"
48
48
  - "AML.T0057 - LLM Data Leakage"
49
- - "AML.T0048 - LLM Data Exfiltration"
49
+ - "AML.T0025 - Exfiltration via Cyber Means"
50
50
 
51
51
  compliance:
52
52
  owasp_llm:
@@ -42,8 +42,8 @@ references:
42
42
  - "ASI03:2026 - Tool Misuse"
43
43
  mitre_atlas:
44
44
  - "AML.T0051 - LLM Prompt Injection"
45
- - "AML.T0024 - Exfiltration via ML Inference API"
46
- - "AML.T0040 - ML Model Inference API Information"
45
+ - "AML.T0024 - Exfiltration via AI Inference API"
46
+ - "AML.T0069 - Discover LLM System Information"
47
47
 
48
48
  compliance:
49
49
  owasp_llm:
@@ -32,7 +32,7 @@ references:
32
32
  - "ASI01:2026 - Agent Goal Hijack"
33
33
  - "ASI02:2026 - Unauthorized Actions"
34
34
  mitre_atlas:
35
- - "AML.T0048 - LLM Data Exfiltration"
35
+ - "AML.T0025 - Exfiltration via Cyber Means"
36
36
  - "AML.T0057 - LLM Data Leakage"
37
37
  research:
38
38
  - "Zhang et al., Agent Security Bench (ASB): Formalizing and Benchmarking Attacks and Defenses in LLM-based Agents (2024)"
@@ -0,0 +1,188 @@
1
+ title: Unauthenticated MCP transport accepts tool calls and falls back to an ambient credential (CVE-2026-48039 / meta-ads-mcp class)
2
+ id: ATR-2026-01929
3
+ rule_version: 1
4
+ status: experimental
5
+ description: >
6
+ Detects the unauthenticated-MCP-transport half of CVE-2026-48039 /
7
+ GHSA-9gw6-46qc-99vr (pipeboard-co/meta-ads-mcp, fixed in 1.0.109) and the
8
+ general class it represents: an MCP server, gateway, or Streamable-HTTP
9
+ endpoint forwards/dispatches a tool call WITHOUT authenticating it (returns no
10
+ 401), and the handler then falls back to an ambient operator credential (an
11
+ environment variable such as META_ACCESS_TOKEN) to perform the action. Any
12
+ network-reachable caller can therefore invoke MCP tools as the operator. This
13
+ rule fires on skill/tool/advisory CONTENT describing that exploit, not on
14
+ server source. The credential-LEAK sink — the operator token echoed as a URL
15
+ query parameter — is already detected by ATR-2026-00580 (session/auth token in
16
+ URL query); this rule is deliberately disjoint from 00580 and covers the
17
+ AUTH-BYPASS + ambient-credential-fallback signal instead. The OX Security
18
+ MCP-by-design disclosure (2026-04-15) and the MCP move to OAuth 2.1 + RFC 8707
19
+ Resource Indicators anchor this unauthenticated-transport class. meta-ads-mcp
20
+ is Business Source License 1.1 (source-available); tool/exploit details are
21
+ taken from the public advisory/PoC, not from inspecting source.
22
+ author: "ATR Community"
23
+ date: 2026/06/14
24
+ schema_version: '0.1'
25
+ detection_tier: pattern
26
+ maturity: experimental
27
+ severity: high
28
+ references:
29
+ owasp_llm:
30
+ - "LLM02:2025 - Sensitive Information Disclosure"
31
+ - "LLM06:2025 - Excessive Agency"
32
+ owasp_agentic:
33
+ - "ASI03:2026 - Identity and Privilege Abuse"
34
+ - "ASI07:2026 - Data and Model Exfiltration"
35
+ mitre_atlas:
36
+ - "AML.T0053 - AI Agent Tool Invocation"
37
+ cve:
38
+ - "CVE-2026-48039"
39
+ cwe:
40
+ - "CWE-287"
41
+ - "CWE-522"
42
+ ghsa:
43
+ - "GHSA-9gw6-46qc-99vr"
44
+ external:
45
+ - https://github.com/advisories/GHSA-9gw6-46qc-99vr
46
+ - https://github.com/pipeboard-co/meta-ads-mcp/releases/tag/1.0.109
47
+ metadata_provenance:
48
+ cve: ghsa-sync
49
+ cwe: ghsa-sync
50
+ ghsa: ghsa-sync
51
+ mitre_atlas: human-reviewed
52
+ owasp_llm: human-reviewed
53
+ owasp_agentic: human-reviewed
54
+ compliance:
55
+ owasp_agentic:
56
+ - id: ASI03:2026
57
+ context: "OWASP Agentic ASI03:2026 (Identity and Privilege Abuse) is exercised when an MCP transport invokes tools without authenticating the caller and acts under an ambient operator credential; this rule provides runtime detection of that auth-bypass."
58
+ strength: primary
59
+ - id: ASI07:2026
60
+ context: "OWASP Agentic ASI07:2026 (Data and Model Exfiltration) is exercised when the unauthenticated call causes the operator credential to be used and exposed; this rule detects the exploit description."
61
+ strength: secondary
62
+ owasp_llm:
63
+ - id: LLM02:2025
64
+ context: "OWASP LLM LLM02:2025 (Sensitive Information Disclosure) is exercised by exposure of the operator credential via the unauthenticated MCP transport; this rule is a detection implementation for that category."
65
+ strength: primary
66
+ - id: LLM06:2025
67
+ context: "OWASP LLM LLM06:2025 (Excessive Agency) is exercised when any network-reachable caller can drive tool actions through the unauthenticated transport; this rule detects that condition."
68
+ strength: secondary
69
+ eu_ai_act:
70
+ - article: "15"
71
+ context: "EU AI Act Article 15 (accuracy, robustness and cybersecurity) requires that tool-invocation interfaces authenticate inbound requests and not rely on ambient credentials reachable without auth; this rule provides runtime detection evidence for that obligation."
72
+ strength: primary
73
+ - article: "10"
74
+ context: "EU AI Act Article 10 (data and data governance) requires controls against credentials being used and exposed via an unauthenticated transport; this rule provides detection evidence."
75
+ strength: secondary
76
+ nist_ai_rmf:
77
+ - function: Govern
78
+ subcategory: GV.6.1
79
+ context: "NIST AI RMF GV.6.1 (policies and procedures for access control on action-taking AI interfaces) is supported by this rule's detection of an MCP transport that invokes tools without authentication."
80
+ strength: primary
81
+ - function: Measure
82
+ subcategory: MS.2.7
83
+ context: "NIST AI RMF MS.2.7 (security and resilience evaluated and documented) is supported by this rule's detection of the unauthenticated-transport credential-fallback class."
84
+ strength: secondary
85
+ iso_42001:
86
+ - clause: "8.4"
87
+ context: "ISO/IEC 42001 Clause 8.4 (AI system impact assessment) is operationalised by this rule's detection of an unauthenticated MCP transport that acts under an ambient operator credential."
88
+ strength: primary
89
+ - clause: "9.1"
90
+ context: "ISO/IEC 42001 Clause 9.1 (monitoring, measurement, analysis and evaluation) is operationalised by this rule's detection of the auth-bypass exploitation class."
91
+ strength: secondary
92
+ tags:
93
+ category: context-exfiltration
94
+ subcategory: unauthenticated-mcp-transport-credential-fallback
95
+ scan_target: runtime
96
+ confidence: high
97
+ agent_source:
98
+ type: mcp_exchange
99
+ framework:
100
+ - any
101
+ provider:
102
+ - any
103
+ detection:
104
+ condition: any
105
+ false_positives:
106
+ - meta-ads-mcp or MCP documentation describing the /mcp Streamable-HTTP endpoint or the META_ACCESS_TOKEN env var with no unauthenticated-exploit language
107
+ - Advisory or remediation prose referencing CVE-2026-48039 / the GHSA without exploit framing (e.g. "upgrade to 1.0.109; the fix returns 401")
108
+ - Authenticated tool-call examples carrying an Authorization or X-PIPEBOARD-API-TOKEN header
109
+ - Best-practice prose recommending that MCP transports authenticate requests, with no described exploit
110
+ conditions:
111
+ - field: content
112
+ operator: regex
113
+ value: meta[-_ ]?ads[-_ ]?mcp[\s\S]{0,160}?(?:unauthenticat|without\s+(?:any\s+)?auth|no[-_ ]?auth\b|missing\s+auth|no\s+401)[\s\S]{0,200}?(?:META_ACCESS_TOKEN|access[_ ]?token|operator\s+token|credential|leak|exfil)
114
+ description: Skill/tool/advisory content describing meta-ads-mcp accepting an unauthenticated request (no 401) and exposing the operator META_ACCESS_TOKEN — the CVE-2026-48039 exploit.
115
+ - field: content
116
+ operator: regex
117
+ value: (?:cve-?2026-?48039|GHSA-9gw6-46qc-99vr)[\s\S]{0,200}?(?:exploit|payload|\bpoc\b|leak|exfil|bypass|unauthenticat)
118
+ description: Explicit CVE-2026-48039 / GHSA reference combined with exploit framing (not a bare advisory mention).
119
+ - field: content
120
+ operator: regex
121
+ value: (?:streamable[- ]?http|/mcp\b|mcp\s+(?:server|transport|endpoint|handler|gateway))[\s\S]{0,160}?(?:forward|dispatch|accept|invoke|reach)[\s\S]{0,120}?(?:unauthenticat|without\s+(?:any\s+)?auth|no\s+401|no\s+authentication)[\s\S]{0,200}?(?:falls?\s*back|fall[-\s]?back|fallback|env(?:ironment)?\s+var|ambient|META_ACCESS_TOKEN)[\s\S]{0,80}?(?:token|credential|secret|api[_ ]?key)
122
+ description: Generalised unauthenticated MCP transport — a server/gateway/Streamable-HTTP handler that forwards or accepts a tool call without authentication and falls back to an ambient environment credential.
123
+ response:
124
+ actions:
125
+ - alert
126
+ - block_tool
127
+ message_template: >
128
+ [ATR-2026-01929] An MCP transport is accepting tool calls without
129
+ authentication and acting under an ambient operator credential
130
+ (CVE-2026-48039 / meta-ads-mcp class). Any network-reachable caller can
131
+ invoke tools as the operator. Remediation: require authentication on every
132
+ MCP transport request (return 401 when absent); do not fall back to an
133
+ ambient env credential such as META_ACCESS_TOKEN; upgrade meta-ads-mcp to
134
+ >= 1.0.109; rotate any exposed operator token. The credential-leak sink
135
+ (token in a URL query) is covered separately by ATR-2026-00580.
136
+ notify:
137
+ - security_team
138
+ confidence: 80
139
+ wild_fp_rate: 0
140
+ test_cases:
141
+ true_positives:
142
+ - input: 'meta-ads-mcp before 1.0.109 forwards unauthenticated /mcp requests with no 401 and returns the META_ACCESS_TOKEN access token in the error request_url, leaking the operator credential.'
143
+ expected: triggered
144
+ description: meta-ads-mcp exploit description — unauthenticated invocation plus operator-token exposure (condition 1).
145
+ - input: 'PoC for CVE-2026-48039 / GHSA-9gw6-46qc-99vr: send POST /mcp with no auth header to exfil the operator token via the request_url leak.'
146
+ expected: triggered
147
+ description: Explicit CVE/GHSA reference with exploit framing (condition 2).
148
+ - input: "The MCP server's Streamable-HTTP handler forwards requests without any auth (no 401), then falls back to the META_ACCESS_TOKEN env var to call the API, leaking the operator credential."
149
+ expected: triggered
150
+ description: Generalised class — unauthenticated Streamable-HTTP transport with ambient-credential fallback (condition 3).
151
+ - input: 'GHSA-9gw6-46qc-99vr: unauthenticated tools/call bypass in meta-ads-mcp lets any caller invoke get_ad_accounts and exfil the operator access_token.'
152
+ expected: triggered
153
+ description: GHSA reference with exploit framing plus meta-ads-mcp unauth invocation.
154
+ true_negatives:
155
+ - input: 'Upgrade meta-ads-mcp to 1.0.109 to patch CVE-2026-48039; the fix returns 401 and redacts tokens from error URLs.'
156
+ expected: not_triggered
157
+ description: Advisory/remediation text referencing the CVE without exploit framing — "returns 401" is the patched behaviour, not "no 401".
158
+ - input: 'meta-ads-mcp documentation: configure META_ACCESS_TOKEN and connect to the /mcp Streamable-HTTP endpoint to query your ad accounts.'
159
+ expected: not_triggered
160
+ description: Benign meta-ads-mcp documentation — no unauthenticated-exploit language.
161
+ - input: 'Send tool calls to the /mcp endpoint with an Authorization: Bearer header; the server returns 401 without it.'
162
+ expected: not_triggered
163
+ description: Documentation of correct authenticated behaviour (server returns 401 when auth absent).
164
+ - input: 'Best practice: every MCP transport should authenticate inbound requests and never fall back to an ambient environment credential.'
165
+ expected: not_triggered
166
+ description: Best-practice prose recommending authentication — no described exploit.
167
+ - input: 'CVE-2026-48039 was assigned to meta-ads-mcp and fixed in release 1.0.109.'
168
+ expected: not_triggered
169
+ description: Bare advisory mention of the CVE with no exploit framing.
170
+ - input: 'The /mcp endpoint accepts JSON-RPC tool calls and forwards them to registered handlers after validating the Authorization header.'
171
+ expected: not_triggered
172
+ description: Normal MCP transport description with auth validation — no unauthenticated/no-401 + ambient-fallback chain.
173
+ _llm_authored:
174
+ model: claude (research workflow + main-agent hardening)
175
+ generalization_note: >
176
+ Authored from the CVE-2026-48039 advisory via the /research outbound-prep
177
+ workflow, then re-scoped by the main agent to the AUTH-BYPASS +
178
+ ambient-credential-fallback signal so it is disjoint from ATR-2026-00580
179
+ (which already covers the token-in-URL leak sink). Three content conditions:
180
+ (1) meta-ads-mcp + unauthenticated/no-401 + credential, (2) explicit
181
+ CVE/GHSA + exploit framing, (3) the generalised class — an MCP/Streamable-HTTP
182
+ transport that forwards/accepts a call without auth and falls back to an
183
+ ambient env credential. Spans are bounded lazy ({0,160}/{0,200}/{0,120}/{0,80})
184
+ to stay linear and avoid catastrophic backtracking; no inline case flags are
185
+ relied on (the engine applies case-insensitivity globally). True negatives
186
+ cover the patched "returns 401" remediation text, benign meta-ads-mcp docs,
187
+ correct authenticated behaviour, best-practice prose, and a bare CVE mention.
188
+ note: Generation-time authoring; verified by deterministic gate. Runtime detection is pure regex. Human review required before merge; 0-FP gate must pass.
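Review bot: `response.actions` pairs `block_tool` with a pure content-regex rule whose own description says it fires on skill/tool/advisory prose describing the exploit rather than on server behaviour, so under `scan_target: runtime` / `agent_source.type: mcp_exchange` a tool whose output merely summarises GHSA-9gw6-46qc-99vr gets blocked. Condition 2 makes that likely: its terminal group includes `unauthenticat`, `bypass` and `leak`, which are ordinary vulnerability-description vocabulary, so an advisory sentence like "CVE-2026-48039: unauthenticated access to /mcp" matches despite the `false_positives` entry claiming advisory prose without exploit framing is excluded; the true-negative set only passes because none of its six sentences uses those words. Recommend `actions: [alert]` for an `experimental` rule and narrowing condition 2's terminal group to `(?:exploit|payload|\bpoc\b)`, leaving the auth-bypass vocabulary to conditions 1 and 3 where it is anchored to a credential/fallback term. `wild_fp_rate: 0` and `confidence: high` are asserted with no measurement referenced while the trailing `note` says human review and the 0-FP gate are still pending, so those fields should be left unset or marked provisional until the gate has run.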
@@ -27,7 +27,7 @@ references:
27
27
  mitre_attack:
28
28
  - T1565 - Data Manipulation
29
29
  mitre_atlas:
30
- - AML.T0051.001 - Indirect Prompt Injection
30
+ - AML.T0051.001 - Indirect
31
31
  - AML.T0020 - Poison Training Data
32
32
 
33
33
  compliance:
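Review bot: The replacement `- AML.T0051.001 - Indirect` drops the parent technique name, so a reader of this reference list sees an entry that is indirect of nothing; the two following hunks make the same truncation. In ATLAS the sub-technique's own title is the bare word "Indirect" under AML.T0051 "LLM Prompt Injection", so if the intent was to match the catalogue title the conventional display form is `- AML.T0051.001 - LLM Prompt Injection: Indirect`, which stays greppable by ID and keeps the self-describing style of the sibling `- AML.T0020 - Poison Training Data`. If a validator now requires the exact catalogue string, that requirement would be better documented in the validator than paid for by losing context in every rule file.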
@@ -24,7 +24,7 @@ references:
24
24
  owasp_agentic:
25
25
  - ASI06:2026 - Memory and Context Poisoning
26
26
  mitre_atlas:
27
- - AML.T0051.001 - Indirect Prompt Injection
27
+ - AML.T0051.001 - Indirect
28
28
  metadata_provenance:
29
29
  cve: human-authored
30
30
  cwe: human-authored
@@ -51,7 +51,7 @@ references:
51
51
  owasp_agentic:
52
52
  - "ASI06:2026 - Memory and Context Poisoning"
53
53
  mitre_atlas:
54
- - "AML.T0051.001 - Indirect Prompt Injection"
54
+ - "AML.T0051.001 - Indirect"
55
55
  - "AML.T0020 - Poison Training Data"
56
56
 
57
57
  compliance:
@@ -23,8 +23,8 @@ references:
23
23
  owasp_agentic:
24
24
  - ASI05:2026 - Unexpected Code Execution
25
25
  mitre_atlas:
26
- - AML.T0053 - LLM Plugin Compromise
27
- - AML.T0046 - Spamming ML System with Chaff Data
26
+ - AML.T0053 - AI Agent Tool Invocation
27
+ - AML.T0046 - Spamming AI System with Chaff Data
28
28
 
29
29
  compliance:
30
30
  owasp_agentic: