agent-threat-rules 3.4.0 → 3.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +65 -29
- package/dist/cli.js +23 -0
- package/dist/cli.js.map +1 -1
- package/dist/engine.d.ts +37 -2
- package/dist/engine.d.ts.map +1 -1
- package/dist/engine.js +99 -44
- package/dist/engine.js.map +1 -1
- package/dist/loader.d.ts.map +1 -1
- package/dist/loader.js +6 -0
- package/dist/loader.js.map +1 -1
- package/dist/quality/rule-contract.d.ts +65 -0
- package/dist/quality/rule-contract.d.ts.map +1 -0
- package/dist/quality/rule-contract.js +97 -0
- package/dist/quality/rule-contract.js.map +1 -0
- package/dist/trace-evaluator.d.ts.map +1 -1
- package/dist/trace-evaluator.js +58 -20
- package/dist/trace-evaluator.js.map +1 -1
- package/dist/types.d.ts +2 -0
- package/dist/types.d.ts.map +1 -1
- package/package.json +2 -2
- package/rules/agent-manipulation/ATR-2026-00030-cross-agent-attack.yaml +2 -1
- package/rules/agent-manipulation/ATR-2026-00032-goal-hijacking.yaml +2 -2
- package/rules/agent-manipulation/ATR-2026-00074-cross-agent-privilege-escalation.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00076-inter-agent-message-spoofing.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00077-human-trust-exploitation.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00117-agent-identity-spoofing.yaml +2 -2
- package/rules/agent-manipulation/ATR-2026-00416-litellm-mcp-unauthenticated-server-registration.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00417-librechat-mcp-stdio-injection.yaml +2 -2
- package/rules/agent-manipulation/ATR-2026-00418-weknora-mcp-config-rce.yaml +2 -2
- package/rules/agent-manipulation/ATR-2026-00430-nl-trust-escalation-impersonation.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00552-goal-drift-after-pressure-injection.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00020-system-prompt-leak.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00075-agent-memory-manipulation.yaml +1 -0
- package/rules/context-exfiltration/ATR-2026-00162-skill-credential-exfil-combo.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00201-credential-pipe-exfiltration.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00212-mcp-atlassian-credential-leak.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00405-markdown-image-url-exfiltration-xss.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00411-apikey-generation-completion-request.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00422-nl-credential-disclosure.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00423-nl-sensitive-file-disclosure.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00426-nl-output-injection-credential-leak.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00449-spring-ai-chatmemory-cross-user-leak.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00471-garak-sysprompt-extraction-mixedunassigned.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00501-data-exfiltration-via-markdown-image-and-link-url-injection.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00504-tool-and-function-capability-enumeration.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00505-system-prompt-extraction-instruction-dump-request.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00514-system-prompt-extraction.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00516-output-xss-via-llm.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00524-claude-code-anthropic-base-url-credential-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00548-cross-agent-session-context-leak.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00578-zen-mcp-path-traversal-blacklist-bypass.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00580-mcp-session-id-token-in-url-query.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00583-mcp-env-secret-file-read-without-consent.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00706-ipi-physical-biometric-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00850-indirect-pi-credential-exfil-email.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00851-indirect-pi-financial-payment-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00852-indirect-pi-medical-record-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00853-indirect-pi-genetic-data-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00854-indirect-pi-location-data-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00855-indirect-pi-browsing-history-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00856-indirect-pi-address-pii-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00857-indirect-pi-cloud-file-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00858-indirect-pi-exfil-and-destroy.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00859-rag-injected-pii-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00860-indirect-pi-financial-transfer-hijack.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00861-indirect-pi-crypto-transfer-hijack.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00862-indirect-pi-mfa-code-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01453-markdown-image-base64-exfil-carrier.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01454-direct-markdown-exfil-payload.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01456-debug-cli-mode-sysprompt-extraction.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01457-sysprompt-completion-clone-attack.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01458-compare-bots-sysprompt-fishing.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01459-variable-clone-sysprompt-technique.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01460-json-format-sysprompt-extraction.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01461-foreign-language-sysprompt-request.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01753-ransom-email-exfil-delete-extortion.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01754-ransom-file-cloud-exfil-delete-extortion.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01770-semantic-pii-credential-extraction.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01772-semantic-internal-state-recon.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-01807-asb-bulk-data-exfil-external.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01929-mcp-unauthenticated-transport-token-fallback.yaml +188 -0
- package/rules/data-poisoning/ATR-2026-00070-data-poisoning.yaml +1 -1
- package/rules/data-poisoning/ATR-2026-00570-sql-injection-in-agent-tool-query.yaml +1 -1
- package/rules/data-poisoning/ATR-2026-01774-semantic-rag-memory-poisoning.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00050-runaway-agent-loop.yaml +2 -2
- package/rules/excessive-autonomy/ATR-2026-00051-resource-exhaustion.yaml +3 -3
- package/rules/excessive-autonomy/ATR-2026-00052-cascading-failure.yaml +2 -2
- package/rules/excessive-autonomy/ATR-2026-00098-unauthorized-financial-action.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00099-high-risk-tool-gate.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00428-nl-unauthorized-shell-execution.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00491-garak-agent-breaker-markdown-just-raw-json.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00500-ssrf-via-agent-url-fetch-instruction.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00711-ipi-system-sabotage-destructive-command.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00712-ipi-malicious-package-install.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00713-ipi-rce-network-shell-command.yaml +1 -1
- package/rules/model-abuse/ATR-2026-00413-malwaregen-code-generation-request.yaml +3 -2
- package/rules/model-abuse/ATR-2026-00502-training-data-extraction-via-divergent-repetition-attack.yaml +1 -1
- package/rules/model-abuse/ATR-2026-00517-model-extraction-distillation.yaml +1 -1
- package/rules/model-abuse/ATR-2026-01750-dos-repeat-word-n-times-output-amplification.yaml +2 -2
- package/rules/model-abuse/ATR-2026-01760-dos-forced-infinite-output-token-flood.yaml +2 -2
- package/rules/model-abuse/ATR-2026-01841-deepfake-disinformation.yaml +1 -1
- package/rules/model-security/ATR-2026-00072-model-behavior-extraction.yaml +2 -2
- package/rules/model-security/ATR-2026-00073-malicious-finetuning-data.yaml +1 -1
- package/rules/model-security/ATR-2026-00433-modelcache-torch-load-deserialization-rce.yaml +2 -2
- package/rules/privilege-escalation/ATR-2026-00041-scope-creep.yaml +1 -1
- package/rules/privilege-escalation/ATR-2026-00436-enclave-vm-sandbox-escape-rce.yaml +1 -0
- package/rules/privilege-escalation/ATR-2026-00451-litellm-admin-sqli-cisa-kev.yaml +1 -1
- package/rules/privilege-escalation/ATR-2026-00539-crewai-codeinterpreter-sandbox-escape-rce.yaml +1 -0
- package/rules/privilege-escalation/ATR-2026-00549-destructive-tool-without-human-approval.yaml +1 -1
- package/rules/privilege-escalation/ATR-2026-00551-cross-conversation-memory-write.yaml +2 -3
- package/rules/privilege-escalation/ATR-2026-01615-sandbox-escape-command-injection.yaml +1 -0
- package/rules/privilege-escalation/ATR-2026-01899-remote-access-backdoor.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00001-direct-prompt-injection.yaml +1 -0
- package/rules/prompt-injection/ATR-2026-00002-indirect-prompt-injection.yaml +1 -0
- package/rules/prompt-injection/ATR-2026-00003-jailbreak-attempt.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00004-system-prompt-override.yaml +11 -2
- package/rules/prompt-injection/ATR-2026-00005-multi-turn-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00104-persona-hijacking.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00203-context-pollution-skill-description.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00245-malicious-persona.yaml +10 -10
- package/rules/prompt-injection/ATR-2026-00297-python-code-execution-rce.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00397-snowball-impossible-reasoning-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00401-leakreplay-cloze-mask-training-data-elicitation.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00420-copilot-studio-sharepoint-indirect-injection.yaml +3 -3
- package/rules/prompt-injection/ATR-2026-00442-quoted-exact-output-forcing.yaml +1 -0
- package/rules/prompt-injection/ATR-2026-00445-translation-hijack-with-side-output.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00447-fictional-generation-containing-target.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00452-direct-pwned-payload-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00453-secret-key-reveal-demand.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00454-backslash-per-character-encoding.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00456-conditional-empty-input-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00465-garak-dan-your-prompt-here.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00472-garak-dan-are-going-to.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00485-garak-dan-and-does-not.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00492-garak-dan-want-you-to.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00495-garak-dan-insert-prompt-here.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00510-delayed-tool-invocation-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00550-untrusted-retrieval-to-privileged-tool.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00579-mcp-tool-description-line-jumping-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00584-indirect-injection-via-tool-response.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01018-evasion-shell-injection-eval.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01021-spikee-doc-embedded-translation-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01304-indirect-injection-carrier-important-override.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01800-asb-trigger-marker-tool-coercion.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01901-output-scrambling.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00060-skill-impersonation.yaml +2 -1
- package/rules/skill-compromise/ATR-2026-00061-description-behavior-mismatch.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00062-hidden-capability.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00063-skill-chain-attack.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00065-skill-update-attack.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00120-skill-instruction-injection.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00121-skill-dangerous-script.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00122-skill-weaponized-instruction.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00123-skill-overreach-permissions.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00124-skill-name-squatting.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00125-context-poisoning-compaction.yaml +2 -1
- package/rules/skill-compromise/ATR-2026-00126-skill-rug-pull-setup.yaml +2 -1
- package/rules/skill-compromise/ATR-2026-00127-subcommand-overflow.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00128-html-comment-hidden-payload.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00129-unicode-smuggling.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00134-fork-claim-impersonation.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00135-exfil-url-in-instructions.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00147-fork-impersonation.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00149-skill-exfil-compound.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00151-fork-impersonation-install.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00200-agent-memory-config-tampering.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00214-credential-theft.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00260-package-hallucination.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00262-av-evasion-code-gen.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00263-credential-file-read-gen.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00266-malware-dropper-gen.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00398-huggingface-unsafe-model-artifact-load.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00425-nl-persistent-covert-hook.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00427-nl-fake-error-instruction-bypass.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00429-nl-skill-self-modification.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00523-claude-code-hooks-session-start-pre-trust-rce.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00525-mini-shai-hulud-gh-token-monitor-persistence.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00527-skill-silent-git-remote-mirror-exfiltration.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-01755-backdoor-pot-linguistic-trigger-phrase.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-01756-backdoor-pot-symbol-emoticon-trigger.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00010-mcp-malicious-response.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00011-tool-output-injection.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00012-unauthorized-tool-call.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00100-consent-bypass-instruction.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00101-trust-escalation-override.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00103-hidden-safety-bypass-instruction.yaml +2 -1
- package/rules/tool-poisoning/ATR-2026-00105-silent-action-concealment.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00106-schema-description-contradiction.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00161-important-tag-cross-tool-shadowing.yaml +3 -2
- package/rules/tool-poisoning/ATR-2026-00209-mcpwn-runaway-invocation.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00210-flowise-system-message-override.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00415-flowise-custom-mcp-stdio-rce.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00419-cursor-mcp-zero-click-config.yaml +7 -3
- package/rules/tool-poisoning/ATR-2026-00434-mcp-remote-authorization-endpoint-command-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00435-azure-mcp-server-missing-authentication.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00494-garak-exploitation-mixedunassigned.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00513-package-hallucination-exploitation.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00521-shell-command-injection-agent-tool-context.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00522-sql-injection-natural-language-agent-interface.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00526-claude-code-shell-metachar-in-double-quoted-path.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00530-ms-agent-shell-tool-unsanitized-argv-rce.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00531-praisonai-unauthenticated-agent-api.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00536-nginx-ui-mcp-unauthenticated-command-execution.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00537-fastmcp-server-name-cmd-injection-windows.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00538-langchain-chatchat-mcp-stdio-unauthenticated-rce.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00540-praisonai-parse-mcp-command-cli-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00543-litellm-mcp-server-argv-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00572-symjack-symlink-config-redirection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00575-miasma-npm-worm-agent-config-backdoor.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00576-hades-agent-credential-theft.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00577-create-mcp-server-stdio-exec-command-injection.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00581-mcp-tool-rug-pull-post-approval-redefinition.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-01300-mcp-notes-param-chat-history-exfil.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-01301-tool-description-exclusive-tool-override.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01302-fake-tool-result-instruction-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01303-tool-schema-enumeration-social-engineering.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01306-mcp-oauth-command-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01307-mcp-dns-rebinding-attack.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01310-mcp-tool-description-compliance-history-exfil.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-01775-semantic-mcp-tool-manifest-poisoning.yaml +4 -3
- package/rules/tool-poisoning/ATR-2026-01927-mcp-server-kubernetes-kubectl-command-injection.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-01928-framelink-figma-mcp-curl-fallback-command-injection.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-01930-mcp-sampling-prompt-injection.yaml +188 -0
- package/rules/tool-poisoning/ATR-2026-01931-gemini-mcp-tool-command-injection-file-exfil.yaml +169 -0
- package/rules/tool-poisoning/ATR-2026-01932-shadow-undeclared-mcp-server-registration.yaml +160 -0
- package/spec/mappings/atr-to-nist-csf-2.0.md +11 -11
@@ -34,7 +34,7 @@ references:
34
34
|
- "ASI06:2026 - Memory and Context Poisoning"
|
|
35
35
|
mitre_atlas:
|
|
36
36
|
- "AML.T0051 - LLM Prompt Injection"
|
|
37
|
-
- "AML.T0051.001 - Indirect
|
|
37
|
+
- "AML.T0051.001 - Indirect"
|
|
38
38
|
external:
|
|
39
39
|
- https://github.com/uiuc-kang-lab/InjecAgent
|
|
40
40
|
- https://arxiv.org/abs/2403.02691
|
|
@@ -25,7 +25,7 @@ references:
|
|
|
25
25
|
- "LLM03:2025 - Supply Chain"
|
|
26
26
|
mitre_atlas:
|
|
27
27
|
- "AML.T0051 - LLM Prompt Injection"
|
|
28
|
-
- "AML.T0010 -
|
|
28
|
+
- "AML.T0010 - AI Supply Chain Compromise"
|
|
29
29
|
owasp_agentic:
|
|
30
30
|
- "ASI01:2026 - Agent Goal Hijack"
|
|
31
31
|
- "ASI05:2026 - Unexpected Code Execution (RCE)"
|
|
@@ -35,7 +35,7 @@ references:
|
|
|
35
35
|
- "ASI03:2026 - Tool Misuse"
|
|
36
36
|
mitre_atlas:
|
|
37
37
|
- "AML.T0051 - LLM Prompt Injection"
|
|
38
|
-
- "AML.T0051.001 - Indirect
|
|
38
|
+
- "AML.T0051.001 - Indirect"
|
|
39
39
|
research:
|
|
40
40
|
- "Zhang et al., Agent Security Bench (ASB): Formalizing and Benchmarking Attacks and Defenses in LLM-based Agents (2024)"
|
|
41
41
|
|
|
@@ -23,7 +23,8 @@ references:
|
|
|
23
23
|
owasp_agentic:
|
|
24
24
|
- ASI04:2026 - Agentic Supply Chain Vulnerabilities
|
|
25
25
|
mitre_atlas:
|
|
26
|
-
- AML.T0010 -
|
|
26
|
+
- AML.T0010 - AI Supply Chain Compromise
|
|
27
|
+
- AML.T0104 - Publish Poisoned AI Agent Tool
|
|
27
28
|
mitre_attack:
|
|
28
29
|
- T1195 - Supply Chain Compromise
|
|
29
30
|
|
|
@@ -22,8 +22,8 @@ references:
|
|
|
22
22
|
owasp_agentic:
|
|
23
23
|
- "ASI04:2026 - Agentic Supply Chain Vulnerabilities"
|
|
24
24
|
mitre_atlas:
|
|
25
|
-
- "AML.T0010 -
|
|
26
|
-
- "AML.T0056 - LLM
|
|
25
|
+
- "AML.T0010 - AI Supply Chain Compromise"
|
|
26
|
+
- "AML.T0056 - Extract LLM System Prompt"
|
|
27
27
|
|
|
28
28
|
compliance:
|
|
29
29
|
nist_ai_rmf:
|
|
@@ -22,8 +22,8 @@ references:
|
|
|
22
22
|
owasp_agentic:
|
|
23
23
|
- "ASI02:2026 - Tool Misuse and Exploitation"
|
|
24
24
|
mitre_atlas:
|
|
25
|
-
- "AML.T0024 - Exfiltration via
|
|
26
|
-
- "AML.T0053 -
|
|
25
|
+
- "AML.T0024 - Exfiltration via AI Inference API"
|
|
26
|
+
- "AML.T0053 - AI Agent Tool Invocation"
|
|
27
27
|
|
|
28
28
|
compliance:
|
|
29
29
|
nist_ai_rmf:
|
|
@@ -16,7 +16,8 @@ maturity: test
|
|
|
16
16
|
severity: high
|
|
17
17
|
references:
|
|
18
18
|
mitre_atlas:
|
|
19
|
-
- AML.T0010 -
|
|
19
|
+
- AML.T0010 - AI Supply Chain Compromise
|
|
20
|
+
- AML.T0080 - AI Agent Context Poisoning
|
|
20
21
|
owasp_llm:
|
|
21
22
|
- LLM01:2025 - Prompt Injection
|
|
22
23
|
owasp_agentic:
|
|
@@ -16,7 +16,8 @@ maturity: test
|
|
|
16
16
|
severity: high
|
|
17
17
|
references:
|
|
18
18
|
mitre_atlas:
|
|
19
|
-
- AML.T0010 -
|
|
19
|
+
- AML.T0010 - AI Supply Chain Compromise
|
|
20
|
+
- AML.T0109 - AI Supply Chain Rug Pull
|
|
20
21
|
owasp_llm:
|
|
21
22
|
- LLM05:2025 - Supply Chain Vulnerabilities
|
|
22
23
|
owasp_agentic:
|
|
@@ -22,7 +22,7 @@ references:
|
|
|
22
22
|
- "ASI04:2026 - Identity and Access Management Failures"
|
|
23
23
|
- "ASI07:2026 - Insecure Third-Party Agent"
|
|
24
24
|
mitre_atlas:
|
|
25
|
-
- "AML.T0051.001 - Indirect
|
|
25
|
+
- "AML.T0051.001 - Indirect"
|
|
26
26
|
mitre_attack:
|
|
27
27
|
- "T1565.001 - Stored Data Manipulation"
|
|
28
28
|
|
|
@@ -22,7 +22,7 @@ references:
|
|
|
22
22
|
owasp_agentic:
|
|
23
23
|
- "ASI07:2026 - Supply Chain"
|
|
24
24
|
mitre_atlas:
|
|
25
|
-
- "AML.
|
|
25
|
+
- "AML.T0060 - Publish Hallucinated Entities"
|
|
26
26
|
research:
|
|
27
27
|
- "https://www.usenix.org/publications/loginonline/we-have-package-you-comprehensive-analysis-package-hallucinations-code"
|
|
28
28
|
- "https://arxiv.org/abs/2501.19012"
|
|
@@ -20,7 +20,7 @@ references:
|
|
|
20
20
|
owasp_agentic:
|
|
21
21
|
- "ASI08:2026 - Output Handling"
|
|
22
22
|
mitre_atlas:
|
|
23
|
-
- "AML.T0053 -
|
|
23
|
+
- "AML.T0053 - AI Agent Tool Invocation"
|
|
24
24
|
research:
|
|
25
25
|
- "https://github.com/NVIDIA/garak/blob/main/garak/probes/malwaregen.py"
|
|
26
26
|
compliance:
|
|
@@ -21,7 +21,7 @@ references:
|
|
|
21
21
|
owasp_agentic:
|
|
22
22
|
- "ASI03:2026 - Tool Misuse"
|
|
23
23
|
mitre_atlas:
|
|
24
|
-
- "AML.T0053 -
|
|
24
|
+
- "AML.T0053 - AI Agent Tool Invocation"
|
|
25
25
|
- "AML.T0057 - LLM Data Leakage"
|
|
26
26
|
research:
|
|
27
27
|
- "https://github.com/NVIDIA/garak/blob/main/garak/probes/malwaregen.py"
|
|
@@ -20,7 +20,7 @@ references:
|
|
|
20
20
|
owasp_agentic:
|
|
21
21
|
- "ASI08:2026 - Output Handling"
|
|
22
22
|
mitre_atlas:
|
|
23
|
-
- "AML.T0053 -
|
|
23
|
+
- "AML.T0053 - AI Agent Tool Invocation"
|
|
24
24
|
research:
|
|
25
25
|
- "https://github.com/NVIDIA/garak/blob/main/garak/probes/malwaregen.py"
|
|
26
26
|
- "https://attack.mitre.org/techniques/T1105/"
|
|
@@ -32,8 +32,8 @@ references:
|
|
|
32
32
|
- "ASI07:2026 - Supply Chain"
|
|
33
33
|
- "ASI03:2026 - Tool Misuse"
|
|
34
34
|
mitre_atlas:
|
|
35
|
-
- "AML.
|
|
36
|
-
- "AML.T0010 -
|
|
35
|
+
- "AML.T0011.000 - Unsafe AI Artifacts"
|
|
36
|
+
- "AML.T0010 - AI Supply Chain Compromise"
|
|
37
37
|
research:
|
|
38
38
|
- "https://github.com/NVIDIA/garak/blob/main/garak/probes/fileformats.py"
|
|
39
39
|
- "https://huggingface.co/docs/hub/security-pickle"
|
|
@@ -20,8 +20,8 @@ maturity: test
|
|
|
20
20
|
severity: high
|
|
21
21
|
references:
|
|
22
22
|
mitre_atlas:
|
|
23
|
-
- AML.T0044 - Full
|
|
24
|
-
- AML.T0024 - Exfiltration via
|
|
23
|
+
- AML.T0044 - Full AI Model Access
|
|
24
|
+
- AML.T0024 - Exfiltration via AI Inference API
|
|
25
25
|
owasp_llm:
|
|
26
26
|
- LLM06:2025 - Excessive Agency
|
|
27
27
|
owasp_agentic:
|
|
@@ -18,8 +18,8 @@ maturity: test
|
|
|
18
18
|
severity: critical
|
|
19
19
|
references:
|
|
20
20
|
mitre_atlas:
|
|
21
|
-
- AML.T0010 -
|
|
22
|
-
- AML.T0044 - Full
|
|
21
|
+
- AML.T0010 - AI Supply Chain Compromise
|
|
22
|
+
- AML.T0044 - Full AI Model Access
|
|
23
23
|
owasp_llm:
|
|
24
24
|
- LLM06:2025 - Excessive Agency
|
|
25
25
|
owasp_agentic:
|
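--- a/package/rules/skill-compromise/ATR-2026-00523-claude-code-hooks-session-start-pre-trust-rce.yaml
+++ b/package/rules/skill-compromise/ATR-2026-00523-claude-code-hooks-session-start-pre-trust-rce.yaml
@@ -37,7 +37,7 @@ references:
 - "ASI05:2026 - Unexpected Code Execution"
 - "ASI09:2026 - Identity Spoofing and Impersonation"
 mitre_atlas:
-- "AML.T0010 -
+- "AML.T0010 - AI Supply Chain Compromise"
 - "AML.T0050 - Command and Scripting Interpreter"
 mitre_attack:
 - "T1546 - Event Triggered Execution"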
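Review bot: The removed line `- "AML.T0010 -` is an unterminated double-quoted scalar, so the 3.4.0 version of this rule file was very likely not loadable as YAML at all, which for a detection-rule package means the rule may have been silently inactive rather than merely mislabelled; the same unterminated-quote pattern is replaced in most of the earlier hunks on this page (the unquoted variants such as `- AML.T0010 -` parse but carry a truncated technique name). The commit repairs the strings but nothing in the diffstat visibly explains whether loading now fails loudly on a malformed rule; the new `package/dist/quality/rule-contract.js` may be that check, and if so the README or changelog should say that every rule file is parsed and validated at load time and that 3.4.0 consumers should treat the affected rules as having been disabled. Consider adding a CI step that loads every file under `package/rules/` with a strict YAML parser so a truncated or unterminated reference string cannot ship again.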
@@ -27,8 +27,8 @@ references:
|
|
|
27
27
|
- "ASI02:2026 - Tool Misuse and Exploitation"
|
|
28
28
|
- "ASI05:2026 - Unexpected Code Execution"
|
|
29
29
|
mitre_atlas:
|
|
30
|
-
- "AML.T0051.001 - Indirect
|
|
31
|
-
- "AML.T0056 - LLM
|
|
30
|
+
- "AML.T0051.001 - Indirect"
|
|
31
|
+
- "AML.T0056 - Extract LLM System Prompt"
|
|
32
32
|
mitre_attack:
|
|
33
33
|
- "T1059 - Command and Scripting Interpreter"
|
|
34
34
|
- "T1071 - Application Layer Protocol"
|
|
@@ -23,8 +23,8 @@ references:
|
|
|
23
23
|
owasp_agentic:
|
|
24
24
|
- ASI02:2026 - Tool Misuse and Exploitation
|
|
25
25
|
mitre_atlas:
|
|
26
|
-
- AML.T0053 -
|
|
27
|
-
- AML.T0051.001 - Indirect
|
|
26
|
+
- AML.T0053 - AI Agent Tool Invocation
|
|
27
|
+
- AML.T0051.001 - Indirect
|
|
28
28
|
cve:
|
|
29
29
|
- CVE-2025-59536
|
|
30
30
|
- CVE-2025-32711
|
|
@@ -21,7 +21,7 @@ references:
|
|
|
21
21
|
- ASI02:2026 - Tool Misuse and Exploitation
|
|
22
22
|
- ASI03:2026 - Identity and Privilege Abuse
|
|
23
23
|
mitre_atlas:
|
|
24
|
-
- AML.T0053 -
|
|
24
|
+
- AML.T0053 - AI Agent Tool Invocation
|
|
25
25
|
mitre_attack:
|
|
26
26
|
- T1059 - Command and Scripting Interpreter
|
|
27
27
|
- T1083 - File and Directory Discovery
|
|
@@ -30,8 +30,9 @@ references:
|
|
|
30
30
|
- "ASI03:2026 - Tool Misuse"
|
|
31
31
|
- "ASI07:2026 - Insecure Inter-Agent Communication"
|
|
32
32
|
mitre_atlas:
|
|
33
|
-
- "AML.T0051.001 - Indirect
|
|
34
|
-
- "AML.T0053 -
|
|
33
|
+
- "AML.T0051.001 - Indirect"
|
|
34
|
+
- "AML.T0053 - AI Agent Tool Invocation"
|
|
35
|
+
- "AML.T0110 - AI Agent Tool Poisoning"
|
|
35
36
|
safe_mcp:
|
|
36
37
|
- "SAFE-T1102 - Prompt Manipulation"
|
|
37
38
|
- "SAFE-T1001 - Tool Poisoning"
|
|
@@ -26,8 +26,8 @@ references:
|
|
|
26
26
|
- "ASI08:2026 - Resource Exhaustion and Denial of Service"
|
|
27
27
|
- "ASI03:2026 - Tool Misuse"
|
|
28
28
|
mitre_atlas:
|
|
29
|
-
- "AML.T0051.001 - Indirect
|
|
30
|
-
- "AML.T0040 -
|
|
29
|
+
- "AML.T0051.001 - Indirect"
|
|
30
|
+
- "AML.T0040 - AI Model Inference API Access"
|
|
31
31
|
mitre_attack:
|
|
32
32
|
- "T1499 - Endpoint Denial of Service"
|
|
33
33
|
- "T1059 - Command and Scripting Interpreter"
|
|
@@ -26,8 +26,8 @@ references:
|
|
|
26
26
|
- "ASI01:2026 - Agent Behaviour Hijack"
|
|
27
27
|
- "ASI05:2026 - Unexpected Code Execution"
|
|
28
28
|
mitre_atlas:
|
|
29
|
-
- "AML.T0051.001 - Indirect
|
|
30
|
-
- "AML.T0040 -
|
|
29
|
+
- "AML.T0051.001 - Indirect"
|
|
30
|
+
- "AML.T0040 - AI Model Inference API Access"
|
|
31
31
|
mitre_attack:
|
|
32
32
|
- "T1059 - Command and Scripting Interpreter"
|
|
33
33
|
- "T1190 - Exploit Public-Facing Application"
|
|
@@ -27,7 +27,7 @@ references:
|
|
|
27
27
|
- "ASI05:2026 - Unexpected Code Execution"
|
|
28
28
|
- "ASI04:2026 - Supply Chain"
|
|
29
29
|
mitre_atlas:
|
|
30
|
-
- "AML.T0040 -
|
|
30
|
+
- "AML.T0040 - AI Model Inference API Access"
|
|
31
31
|
- "AML.T0049 - Exploit Public-Facing Application"
|
|
32
32
|
mitre_attack:
|
|
33
33
|
- "T1059 - Command and Scripting Interpreter"
|
|
@@ -5,7 +5,10 @@ status: experimental
|
|
|
5
5
|
description: >
|
|
6
6
|
Detects exploitation of CVE-2025-54136 in Cursor and the same-class issue
|
|
7
7
|
surfaced by the OX Security MCP-by-design batch (2026-04-15) across Windsurf,
|
|
8
|
-
Claude Code, Gemini CLI, and GitHub Copilot. The
|
|
8
|
+
Claude Code, Gemini CLI, and GitHub Copilot. The Windsurf zero-click variant
|
|
9
|
+
(CVE-2026-30615) reaches the same config sink via attacker-controlled HTML
|
|
10
|
+
content that the IDE renders, which silently writes the MCP JSON and registers
|
|
11
|
+
a malicious STDIO server. The IDE's MCP config file
|
|
9
12
|
(.cursor/mcp.json or equivalent) is auto-loaded on workspace open and treats
|
|
10
13
|
the `command` and `args` fields as OS exec targets. An attacker who can
|
|
11
14
|
modify this file via supply chain (npm package post-install, malicious
|
|
@@ -27,14 +30,15 @@ references:
|
|
|
27
30
|
- "ASI05:2026 - Unexpected Code Execution"
|
|
28
31
|
- "ASI09:2026 - Identity Spoofing and Impersonation"
|
|
29
32
|
mitre_atlas:
|
|
30
|
-
- "AML.T0010 -
|
|
31
|
-
- "AML.T0040 -
|
|
33
|
+
- "AML.T0010 - AI Supply Chain Compromise"
|
|
34
|
+
- "AML.T0040 - AI Model Inference API Access"
|
|
32
35
|
mitre_attack:
|
|
33
36
|
- "T1546 - Event Triggered Execution"
|
|
34
37
|
- "T1059 - Command and Scripting Interpreter"
|
|
35
38
|
- "T1195.002 - Compromise Software Supply Chain"
|
|
36
39
|
cve:
|
|
37
40
|
- "CVE-2025-54136"
|
|
41
|
+
- "CVE-2026-30615"
|
|
38
42
|
|
|
39
43
|
metadata_provenance:
|
|
40
44
|
mitre_atlas: human-reviewed
|
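Review bot: The `metadata_provenance:` block still declares `mitre_atlas: human-reviewed` although this hunk rewrites both ATLAS entries, and the completed `"AML.T0040 - AI Model Inference API Access"` is not an obvious fit for a config-file-driven STDIO server registration that ends in OS command execution; if the completions came from a bulk fix, the provenance value should be downgraded until someone re-confirms the mapping, or the review should be recorded in the commit. The file header for this section is not visible on the page, but the +7/-3 count and the CVE-2025-54136 description match `ATR-2026-00419-cursor-mcp-zero-click-config.yaml` in the diffstat. The expanded description now covers Windsurf (CVE-2026-30615), Claude Code, Gemini CLI and GitHub Copilot while the rule id and file name remain Cursor-specific; a one-line note in the description such as `Scope: covers the MCP config-file exec sink across the listed IDEs; CVE-2026-30615 is the Windsurf zero-click variant.` would make the intended coverage explicit for consumers filtering by product.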
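--- a/package/rules/tool-poisoning/ATR-2026-00434-mcp-remote-authorization-endpoint-command-injection.yaml
+++ b/package/rules/tool-poisoning/ATR-2026-00434-mcp-remote-authorization-endpoint-command-injection.yaml
@@ -26,7 +26,7 @@ references:
 - "ASI05:2026 - Unexpected Code Execution"
 mitre_atlas:
 - "AML.T0049 - Exploit Public-Facing Application"
-- "AML.T0010 -
+- "AML.T0010 - AI Supply Chain Compromise"
 mitre_attack:
 - "T1059 - Command and Scripting Interpreter"
 - "T1190 - Exploit Public-Facing Application"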
@@ -27,7 +27,7 @@ references:
|
|
|
27
27
|
- "ASI09:2026 - Identity Spoofing"
|
|
28
28
|
- "ASI04:2026 - Supply Chain"
|
|
29
29
|
mitre_atlas:
|
|
30
|
-
- "AML.T0040 -
|
|
30
|
+
- "AML.T0040 - AI Model Inference API Access"
|
|
31
31
|
- "AML.T0049 - Exploit Public-Facing Application"
|
|
32
32
|
mitre_attack:
|
|
33
33
|
- "T1190 - Exploit Public-Facing Application"
|