agent-threat-rules 3.4.0 → 3.5.1

Files changed (226)
  1. package/README.md +65 -29
  2. package/dist/cli.js +23 -0
  3. package/dist/cli.js.map +1 -1
  4. package/dist/engine.d.ts +37 -2
  5. package/dist/engine.d.ts.map +1 -1
  6. package/dist/engine.js +99 -44
  7. package/dist/engine.js.map +1 -1
  8. package/dist/loader.d.ts.map +1 -1
  9. package/dist/loader.js +6 -0
  10. package/dist/loader.js.map +1 -1
  11. package/dist/quality/rule-contract.d.ts +65 -0
  12. package/dist/quality/rule-contract.d.ts.map +1 -0
  13. package/dist/quality/rule-contract.js +97 -0
  14. package/dist/quality/rule-contract.js.map +1 -0
  15. package/dist/trace-evaluator.d.ts.map +1 -1
  16. package/dist/trace-evaluator.js +58 -20
  17. package/dist/trace-evaluator.js.map +1 -1
  18. package/dist/types.d.ts +2 -0
  19. package/dist/types.d.ts.map +1 -1
  20. package/package.json +2 -2
  21. package/rules/agent-manipulation/ATR-2026-00030-cross-agent-attack.yaml +2 -1
  22. package/rules/agent-manipulation/ATR-2026-00032-goal-hijacking.yaml +2 -2
  23. package/rules/agent-manipulation/ATR-2026-00074-cross-agent-privilege-escalation.yaml +1 -1
  24. package/rules/agent-manipulation/ATR-2026-00076-inter-agent-message-spoofing.yaml +1 -1
  25. package/rules/agent-manipulation/ATR-2026-00077-human-trust-exploitation.yaml +1 -1
  26. package/rules/agent-manipulation/ATR-2026-00117-agent-identity-spoofing.yaml +2 -2
  27. package/rules/agent-manipulation/ATR-2026-00416-litellm-mcp-unauthenticated-server-registration.yaml +1 -1
  28. package/rules/agent-manipulation/ATR-2026-00417-librechat-mcp-stdio-injection.yaml +2 -2
  29. package/rules/agent-manipulation/ATR-2026-00418-weknora-mcp-config-rce.yaml +2 -2
  30. package/rules/agent-manipulation/ATR-2026-00430-nl-trust-escalation-impersonation.yaml +1 -1
  31. package/rules/agent-manipulation/ATR-2026-00552-goal-drift-after-pressure-injection.yaml +1 -1
  32. package/rules/context-exfiltration/ATR-2026-00020-system-prompt-leak.yaml +1 -1
  33. package/rules/context-exfiltration/ATR-2026-00075-agent-memory-manipulation.yaml +1 -0
  34. package/rules/context-exfiltration/ATR-2026-00162-skill-credential-exfil-combo.yaml +1 -1
  35. package/rules/context-exfiltration/ATR-2026-00201-credential-pipe-exfiltration.yaml +1 -1
  36. package/rules/context-exfiltration/ATR-2026-00212-mcp-atlassian-credential-leak.yaml +2 -2
  37. package/rules/context-exfiltration/ATR-2026-00405-markdown-image-url-exfiltration-xss.yaml +1 -1
  38. package/rules/context-exfiltration/ATR-2026-00411-apikey-generation-completion-request.yaml +1 -1
  39. package/rules/context-exfiltration/ATR-2026-00422-nl-credential-disclosure.yaml +1 -1
  40. package/rules/context-exfiltration/ATR-2026-00423-nl-sensitive-file-disclosure.yaml +1 -1
  41. package/rules/context-exfiltration/ATR-2026-00426-nl-output-injection-credential-leak.yaml +1 -1
  42. package/rules/context-exfiltration/ATR-2026-00449-spring-ai-chatmemory-cross-user-leak.yaml +1 -1
  43. package/rules/context-exfiltration/ATR-2026-00471-garak-sysprompt-extraction-mixedunassigned.yaml +1 -1
  44. package/rules/context-exfiltration/ATR-2026-00501-data-exfiltration-via-markdown-image-and-link-url-injection.yaml +1 -1
  45. package/rules/context-exfiltration/ATR-2026-00504-tool-and-function-capability-enumeration.yaml +1 -1
  46. package/rules/context-exfiltration/ATR-2026-00505-system-prompt-extraction-instruction-dump-request.yaml +1 -1
  47. package/rules/context-exfiltration/ATR-2026-00514-system-prompt-extraction.yaml +1 -1
  48. package/rules/context-exfiltration/ATR-2026-00516-output-xss-via-llm.yaml +1 -1
  49. package/rules/context-exfiltration/ATR-2026-00524-claude-code-anthropic-base-url-credential-exfil.yaml +2 -2
  50. package/rules/context-exfiltration/ATR-2026-00548-cross-agent-session-context-leak.yaml +1 -1
  51. package/rules/context-exfiltration/ATR-2026-00578-zen-mcp-path-traversal-blacklist-bypass.yaml +1 -1
  52. package/rules/context-exfiltration/ATR-2026-00580-mcp-session-id-token-in-url-query.yaml +1 -1
  53. package/rules/context-exfiltration/ATR-2026-00583-mcp-env-secret-file-read-without-consent.yaml +1 -1
  54. package/rules/context-exfiltration/ATR-2026-00706-ipi-physical-biometric-exfil.yaml +1 -1
  55. package/rules/context-exfiltration/ATR-2026-00850-indirect-pi-credential-exfil-email.yaml +2 -2
  56. package/rules/context-exfiltration/ATR-2026-00851-indirect-pi-financial-payment-exfil.yaml +2 -2
  57. package/rules/context-exfiltration/ATR-2026-00852-indirect-pi-medical-record-exfil.yaml +2 -2
  58. package/rules/context-exfiltration/ATR-2026-00853-indirect-pi-genetic-data-exfil.yaml +2 -2
  59. package/rules/context-exfiltration/ATR-2026-00854-indirect-pi-location-data-exfil.yaml +1 -1
  60. package/rules/context-exfiltration/ATR-2026-00855-indirect-pi-browsing-history-exfil.yaml +2 -2
  61. package/rules/context-exfiltration/ATR-2026-00856-indirect-pi-address-pii-exfil.yaml +2 -2
  62. package/rules/context-exfiltration/ATR-2026-00857-indirect-pi-cloud-file-exfil.yaml +1 -1
  63. package/rules/context-exfiltration/ATR-2026-00858-indirect-pi-exfil-and-destroy.yaml +1 -1
  64. package/rules/context-exfiltration/ATR-2026-00859-rag-injected-pii-exfil.yaml +1 -1
  65. package/rules/context-exfiltration/ATR-2026-00860-indirect-pi-financial-transfer-hijack.yaml +1 -1
  66. package/rules/context-exfiltration/ATR-2026-00861-indirect-pi-crypto-transfer-hijack.yaml +1 -1
  67. package/rules/context-exfiltration/ATR-2026-00862-indirect-pi-mfa-code-exfil.yaml +1 -1
  68. package/rules/context-exfiltration/ATR-2026-01453-markdown-image-base64-exfil-carrier.yaml +1 -1
  69. package/rules/context-exfiltration/ATR-2026-01454-direct-markdown-exfil-payload.yaml +1 -1
  70. package/rules/context-exfiltration/ATR-2026-01456-debug-cli-mode-sysprompt-extraction.yaml +1 -1
  71. package/rules/context-exfiltration/ATR-2026-01457-sysprompt-completion-clone-attack.yaml +1 -1
  72. package/rules/context-exfiltration/ATR-2026-01458-compare-bots-sysprompt-fishing.yaml +1 -1
  73. package/rules/context-exfiltration/ATR-2026-01459-variable-clone-sysprompt-technique.yaml +1 -1
  74. package/rules/context-exfiltration/ATR-2026-01460-json-format-sysprompt-extraction.yaml +1 -1
  75. package/rules/context-exfiltration/ATR-2026-01461-foreign-language-sysprompt-request.yaml +1 -1
  76. package/rules/context-exfiltration/ATR-2026-01753-ransom-email-exfil-delete-extortion.yaml +1 -1
  77. package/rules/context-exfiltration/ATR-2026-01754-ransom-file-cloud-exfil-delete-extortion.yaml +1 -1
  78. package/rules/context-exfiltration/ATR-2026-01770-semantic-pii-credential-extraction.yaml +1 -1
  79. package/rules/context-exfiltration/ATR-2026-01772-semantic-internal-state-recon.yaml +2 -2
  80. package/rules/context-exfiltration/ATR-2026-01807-asb-bulk-data-exfil-external.yaml +1 -1
  81. package/rules/context-exfiltration/ATR-2026-01929-mcp-unauthenticated-transport-token-fallback.yaml +188 -0
  82. package/rules/data-poisoning/ATR-2026-00070-data-poisoning.yaml +1 -1
  83. package/rules/data-poisoning/ATR-2026-00570-sql-injection-in-agent-tool-query.yaml +1 -1
  84. package/rules/data-poisoning/ATR-2026-01774-semantic-rag-memory-poisoning.yaml +1 -1
  85. package/rules/excessive-autonomy/ATR-2026-00050-runaway-agent-loop.yaml +2 -2
  86. package/rules/excessive-autonomy/ATR-2026-00051-resource-exhaustion.yaml +3 -3
  87. package/rules/excessive-autonomy/ATR-2026-00052-cascading-failure.yaml +2 -2
  88. package/rules/excessive-autonomy/ATR-2026-00098-unauthorized-financial-action.yaml +1 -1
  89. package/rules/excessive-autonomy/ATR-2026-00099-high-risk-tool-gate.yaml +1 -1
  90. package/rules/excessive-autonomy/ATR-2026-00428-nl-unauthorized-shell-execution.yaml +1 -1
  91. package/rules/excessive-autonomy/ATR-2026-00491-garak-agent-breaker-markdown-just-raw-json.yaml +1 -1
  92. package/rules/excessive-autonomy/ATR-2026-00500-ssrf-via-agent-url-fetch-instruction.yaml +1 -1
  93. package/rules/excessive-autonomy/ATR-2026-00711-ipi-system-sabotage-destructive-command.yaml +1 -1
  94. package/rules/excessive-autonomy/ATR-2026-00712-ipi-malicious-package-install.yaml +1 -1
  95. package/rules/excessive-autonomy/ATR-2026-00713-ipi-rce-network-shell-command.yaml +1 -1
  96. package/rules/model-abuse/ATR-2026-00413-malwaregen-code-generation-request.yaml +3 -2
  97. package/rules/model-abuse/ATR-2026-00502-training-data-extraction-via-divergent-repetition-attack.yaml +1 -1
  98. package/rules/model-abuse/ATR-2026-00517-model-extraction-distillation.yaml +1 -1
  99. package/rules/model-abuse/ATR-2026-01750-dos-repeat-word-n-times-output-amplification.yaml +2 -2
  100. package/rules/model-abuse/ATR-2026-01760-dos-forced-infinite-output-token-flood.yaml +2 -2
  101. package/rules/model-abuse/ATR-2026-01841-deepfake-disinformation.yaml +1 -1
  102. package/rules/model-security/ATR-2026-00072-model-behavior-extraction.yaml +2 -2
  103. package/rules/model-security/ATR-2026-00073-malicious-finetuning-data.yaml +1 -1
  104. package/rules/model-security/ATR-2026-00433-modelcache-torch-load-deserialization-rce.yaml +2 -2
  105. package/rules/privilege-escalation/ATR-2026-00041-scope-creep.yaml +1 -1
  106. package/rules/privilege-escalation/ATR-2026-00436-enclave-vm-sandbox-escape-rce.yaml +1 -0
  107. package/rules/privilege-escalation/ATR-2026-00451-litellm-admin-sqli-cisa-kev.yaml +1 -1
  108. package/rules/privilege-escalation/ATR-2026-00539-crewai-codeinterpreter-sandbox-escape-rce.yaml +1 -0
  109. package/rules/privilege-escalation/ATR-2026-00549-destructive-tool-without-human-approval.yaml +1 -1
  110. package/rules/privilege-escalation/ATR-2026-00551-cross-conversation-memory-write.yaml +2 -3
  111. package/rules/privilege-escalation/ATR-2026-01615-sandbox-escape-command-injection.yaml +1 -0
  112. package/rules/privilege-escalation/ATR-2026-01899-remote-access-backdoor.yaml +1 -1
  113. package/rules/prompt-injection/ATR-2026-00001-direct-prompt-injection.yaml +1 -0
  114. package/rules/prompt-injection/ATR-2026-00002-indirect-prompt-injection.yaml +1 -0
  115. package/rules/prompt-injection/ATR-2026-00003-jailbreak-attempt.yaml +1 -1
  116. package/rules/prompt-injection/ATR-2026-00004-system-prompt-override.yaml +11 -2
  117. package/rules/prompt-injection/ATR-2026-00005-multi-turn-injection.yaml +1 -1
  118. package/rules/prompt-injection/ATR-2026-00104-persona-hijacking.yaml +1 -1
  119. package/rules/prompt-injection/ATR-2026-00203-context-pollution-skill-description.yaml +1 -1
  120. package/rules/prompt-injection/ATR-2026-00245-malicious-persona.yaml +10 -10
  121. package/rules/prompt-injection/ATR-2026-00297-python-code-execution-rce.yaml +1 -1
  122. package/rules/prompt-injection/ATR-2026-00397-snowball-impossible-reasoning-injection.yaml +1 -1
  123. package/rules/prompt-injection/ATR-2026-00401-leakreplay-cloze-mask-training-data-elicitation.yaml +1 -1
  124. package/rules/prompt-injection/ATR-2026-00420-copilot-studio-sharepoint-indirect-injection.yaml +3 -3
  125. package/rules/prompt-injection/ATR-2026-00442-quoted-exact-output-forcing.yaml +1 -0
  126. package/rules/prompt-injection/ATR-2026-00445-translation-hijack-with-side-output.yaml +1 -1
  127. package/rules/prompt-injection/ATR-2026-00447-fictional-generation-containing-target.yaml +1 -1
  128. package/rules/prompt-injection/ATR-2026-00452-direct-pwned-payload-injection.yaml +1 -1
  129. package/rules/prompt-injection/ATR-2026-00453-secret-key-reveal-demand.yaml +1 -1
  130. package/rules/prompt-injection/ATR-2026-00454-backslash-per-character-encoding.yaml +1 -1
  131. package/rules/prompt-injection/ATR-2026-00456-conditional-empty-input-injection.yaml +1 -1
  132. package/rules/prompt-injection/ATR-2026-00465-garak-dan-your-prompt-here.yaml +1 -1
  133. package/rules/prompt-injection/ATR-2026-00472-garak-dan-are-going-to.yaml +1 -1
  134. package/rules/prompt-injection/ATR-2026-00485-garak-dan-and-does-not.yaml +1 -1
  135. package/rules/prompt-injection/ATR-2026-00492-garak-dan-want-you-to.yaml +1 -1
  136. package/rules/prompt-injection/ATR-2026-00495-garak-dan-insert-prompt-here.yaml +1 -1
  137. package/rules/prompt-injection/ATR-2026-00510-delayed-tool-invocation-injection.yaml +1 -1
  138. package/rules/prompt-injection/ATR-2026-00550-untrusted-retrieval-to-privileged-tool.yaml +1 -1
  139. package/rules/prompt-injection/ATR-2026-00579-mcp-tool-description-line-jumping-injection.yaml +1 -1
  140. package/rules/prompt-injection/ATR-2026-00584-indirect-injection-via-tool-response.yaml +1 -1
  141. package/rules/prompt-injection/ATR-2026-01018-evasion-shell-injection-eval.yaml +1 -1
  142. package/rules/prompt-injection/ATR-2026-01021-spikee-doc-embedded-translation-injection.yaml +1 -1
  143. package/rules/prompt-injection/ATR-2026-01304-indirect-injection-carrier-important-override.yaml +1 -1
  144. package/rules/prompt-injection/ATR-2026-01800-asb-trigger-marker-tool-coercion.yaml +1 -1
  145. package/rules/prompt-injection/ATR-2026-01901-output-scrambling.yaml +1 -1
  146. package/rules/skill-compromise/ATR-2026-00060-skill-impersonation.yaml +2 -1
  147. package/rules/skill-compromise/ATR-2026-00061-description-behavior-mismatch.yaml +2 -2
  148. package/rules/skill-compromise/ATR-2026-00062-hidden-capability.yaml +1 -1
  149. package/rules/skill-compromise/ATR-2026-00063-skill-chain-attack.yaml +2 -2
  150. package/rules/skill-compromise/ATR-2026-00065-skill-update-attack.yaml +1 -1
  151. package/rules/skill-compromise/ATR-2026-00120-skill-instruction-injection.yaml +1 -1
  152. package/rules/skill-compromise/ATR-2026-00121-skill-dangerous-script.yaml +1 -1
  153. package/rules/skill-compromise/ATR-2026-00122-skill-weaponized-instruction.yaml +1 -1
  154. package/rules/skill-compromise/ATR-2026-00123-skill-overreach-permissions.yaml +1 -1
  155. package/rules/skill-compromise/ATR-2026-00124-skill-name-squatting.yaml +1 -1
  156. package/rules/skill-compromise/ATR-2026-00125-context-poisoning-compaction.yaml +2 -1
  157. package/rules/skill-compromise/ATR-2026-00126-skill-rug-pull-setup.yaml +2 -1
  158. package/rules/skill-compromise/ATR-2026-00127-subcommand-overflow.yaml +1 -1
  159. package/rules/skill-compromise/ATR-2026-00128-html-comment-hidden-payload.yaml +1 -1
  160. package/rules/skill-compromise/ATR-2026-00129-unicode-smuggling.yaml +1 -1
  161. package/rules/skill-compromise/ATR-2026-00134-fork-claim-impersonation.yaml +1 -1
  162. package/rules/skill-compromise/ATR-2026-00135-exfil-url-in-instructions.yaml +1 -1
  163. package/rules/skill-compromise/ATR-2026-00147-fork-impersonation.yaml +1 -1
  164. package/rules/skill-compromise/ATR-2026-00149-skill-exfil-compound.yaml +1 -1
  165. package/rules/skill-compromise/ATR-2026-00151-fork-impersonation-install.yaml +1 -1
  166. package/rules/skill-compromise/ATR-2026-00200-agent-memory-config-tampering.yaml +1 -1
  167. package/rules/skill-compromise/ATR-2026-00214-credential-theft.yaml +1 -1
  168. package/rules/skill-compromise/ATR-2026-00260-package-hallucination.yaml +1 -1
  169. package/rules/skill-compromise/ATR-2026-00262-av-evasion-code-gen.yaml +1 -1
  170. package/rules/skill-compromise/ATR-2026-00263-credential-file-read-gen.yaml +1 -1
  171. package/rules/skill-compromise/ATR-2026-00266-malware-dropper-gen.yaml +1 -1
  172. package/rules/skill-compromise/ATR-2026-00398-huggingface-unsafe-model-artifact-load.yaml +2 -2
  173. package/rules/skill-compromise/ATR-2026-00425-nl-persistent-covert-hook.yaml +2 -2
  174. package/rules/skill-compromise/ATR-2026-00427-nl-fake-error-instruction-bypass.yaml +1 -1
  175. package/rules/skill-compromise/ATR-2026-00429-nl-skill-self-modification.yaml +2 -2
  176. package/rules/skill-compromise/ATR-2026-00523-claude-code-hooks-session-start-pre-trust-rce.yaml +1 -1
  177. package/rules/skill-compromise/ATR-2026-00525-mini-shai-hulud-gh-token-monitor-persistence.yaml +1 -1
  178. package/rules/skill-compromise/ATR-2026-00527-skill-silent-git-remote-mirror-exfiltration.yaml +1 -1
  179. package/rules/skill-compromise/ATR-2026-01755-backdoor-pot-linguistic-trigger-phrase.yaml +1 -1
  180. package/rules/skill-compromise/ATR-2026-01756-backdoor-pot-symbol-emoticon-trigger.yaml +1 -1
  181. package/rules/tool-poisoning/ATR-2026-00010-mcp-malicious-response.yaml +2 -2
  182. package/rules/tool-poisoning/ATR-2026-00011-tool-output-injection.yaml +2 -2
  183. package/rules/tool-poisoning/ATR-2026-00012-unauthorized-tool-call.yaml +1 -1
  184. package/rules/tool-poisoning/ATR-2026-00100-consent-bypass-instruction.yaml +1 -1
  185. package/rules/tool-poisoning/ATR-2026-00101-trust-escalation-override.yaml +1 -1
  186. package/rules/tool-poisoning/ATR-2026-00103-hidden-safety-bypass-instruction.yaml +2 -1
  187. package/rules/tool-poisoning/ATR-2026-00105-silent-action-concealment.yaml +1 -1
  188. package/rules/tool-poisoning/ATR-2026-00106-schema-description-contradiction.yaml +1 -1
  189. package/rules/tool-poisoning/ATR-2026-00161-important-tag-cross-tool-shadowing.yaml +3 -2
  190. package/rules/tool-poisoning/ATR-2026-00209-mcpwn-runaway-invocation.yaml +2 -2
  191. package/rules/tool-poisoning/ATR-2026-00210-flowise-system-message-override.yaml +2 -2
  192. package/rules/tool-poisoning/ATR-2026-00415-flowise-custom-mcp-stdio-rce.yaml +1 -1
  193. package/rules/tool-poisoning/ATR-2026-00419-cursor-mcp-zero-click-config.yaml +7 -3
  194. package/rules/tool-poisoning/ATR-2026-00434-mcp-remote-authorization-endpoint-command-injection.yaml +1 -1
  195. package/rules/tool-poisoning/ATR-2026-00435-azure-mcp-server-missing-authentication.yaml +1 -1
  196. package/rules/tool-poisoning/ATR-2026-00494-garak-exploitation-mixedunassigned.yaml +1 -1
  197. package/rules/tool-poisoning/ATR-2026-00513-package-hallucination-exploitation.yaml +1 -1
  198. package/rules/tool-poisoning/ATR-2026-00521-shell-command-injection-agent-tool-context.yaml +1 -1
  199. package/rules/tool-poisoning/ATR-2026-00522-sql-injection-natural-language-agent-interface.yaml +1 -1
  200. package/rules/tool-poisoning/ATR-2026-00526-claude-code-shell-metachar-in-double-quoted-path.yaml +1 -1
  201. package/rules/tool-poisoning/ATR-2026-00530-ms-agent-shell-tool-unsanitized-argv-rce.yaml +1 -1
  202. package/rules/tool-poisoning/ATR-2026-00531-praisonai-unauthenticated-agent-api.yaml +1 -1
  203. package/rules/tool-poisoning/ATR-2026-00536-nginx-ui-mcp-unauthenticated-command-execution.yaml +1 -1
  204. package/rules/tool-poisoning/ATR-2026-00537-fastmcp-server-name-cmd-injection-windows.yaml +1 -1
  205. package/rules/tool-poisoning/ATR-2026-00538-langchain-chatchat-mcp-stdio-unauthenticated-rce.yaml +1 -1
  206. package/rules/tool-poisoning/ATR-2026-00540-praisonai-parse-mcp-command-cli-injection.yaml +1 -1
  207. package/rules/tool-poisoning/ATR-2026-00543-litellm-mcp-server-argv-injection.yaml +1 -1
  208. package/rules/tool-poisoning/ATR-2026-00572-symjack-symlink-config-redirection.yaml +1 -1
  209. package/rules/tool-poisoning/ATR-2026-00575-miasma-npm-worm-agent-config-backdoor.yaml +1 -1
  210. package/rules/tool-poisoning/ATR-2026-00576-hades-agent-credential-theft.yaml +1 -1
  211. package/rules/tool-poisoning/ATR-2026-00577-create-mcp-server-stdio-exec-command-injection.yaml +2 -2
  212. package/rules/tool-poisoning/ATR-2026-00581-mcp-tool-rug-pull-post-approval-redefinition.yaml +2 -2
  213. package/rules/tool-poisoning/ATR-2026-01300-mcp-notes-param-chat-history-exfil.yaml +2 -2
  214. package/rules/tool-poisoning/ATR-2026-01301-tool-description-exclusive-tool-override.yaml +1 -1
  215. package/rules/tool-poisoning/ATR-2026-01302-fake-tool-result-instruction-injection.yaml +1 -1
  216. package/rules/tool-poisoning/ATR-2026-01303-tool-schema-enumeration-social-engineering.yaml +1 -1
  217. package/rules/tool-poisoning/ATR-2026-01306-mcp-oauth-command-injection.yaml +1 -1
  218. package/rules/tool-poisoning/ATR-2026-01307-mcp-dns-rebinding-attack.yaml +1 -1
  219. package/rules/tool-poisoning/ATR-2026-01310-mcp-tool-description-compliance-history-exfil.yaml +2 -2
  220. package/rules/tool-poisoning/ATR-2026-01775-semantic-mcp-tool-manifest-poisoning.yaml +4 -3
  221. package/rules/tool-poisoning/ATR-2026-01927-mcp-server-kubernetes-kubectl-command-injection.yaml +2 -2
  222. package/rules/tool-poisoning/ATR-2026-01928-framelink-figma-mcp-curl-fallback-command-injection.yaml +2 -2
  223. package/rules/tool-poisoning/ATR-2026-01930-mcp-sampling-prompt-injection.yaml +188 -0
  224. package/rules/tool-poisoning/ATR-2026-01931-gemini-mcp-tool-command-injection-file-exfil.yaml +169 -0
  225. package/rules/tool-poisoning/ATR-2026-01932-shadow-undeclared-mcp-server-registration.yaml +160 -0
  226. package/spec/mappings/atr-to-nist-csf-2.0.md +11 -11
@@ -34,7 +34,7 @@ references:
34
34
  - "ASI06:2026 - Memory and Context Poisoning"
35
35
  mitre_atlas:
36
36
  - "AML.T0051 - LLM Prompt Injection"
37
- - "AML.T0051.001 - Indirect Prompt Injection"
37
+ - "AML.T0051.001 - Indirect"
38
38
  external:
39
39
  - https://github.com/uiuc-kang-lab/InjecAgent
40
40
  - https://arxiv.org/abs/2403.02691
@@ -25,7 +25,7 @@ references:
25
25
  - "LLM03:2025 - Supply Chain"
26
26
  mitre_atlas:
27
27
  - "AML.T0051 - LLM Prompt Injection"
28
- - "AML.T0010 - ML Supply Chain Compromise"
28
+ - "AML.T0010 - AI Supply Chain Compromise"
29
29
  owasp_agentic:
30
30
  - "ASI01:2026 - Agent Goal Hijack"
31
31
  - "ASI05:2026 - Unexpected Code Execution (RCE)"
@@ -26,7 +26,7 @@ references:
26
26
  mitre_atlas:
27
27
  - "AML.T0051 - LLM Prompt Injection"
28
28
  - "AML.T0051.001 - Indirect"
29
- - "AML.T0048 - LLM Data Exfiltration"
29
+ - "AML.T0025 - Exfiltration via Cyber Means"
30
30
  owasp_agentic:
31
31
  - "ASI01:2026 - Agent Goal Hijack"
32
32
 
@@ -29,7 +29,7 @@ references:
29
29
  - "ASI01:2026 - Agent Goal Hijack"
30
30
  - "ASI06:2026 - Indirect Prompt Injection via External Content"
31
31
  mitre_atlas:
32
- - "AML.T0051.001 - Indirect Prompt Injection"
32
+ - "AML.T0051.001 - Indirect"
33
33
 
34
34
  compliance:
35
35
  nist_ai_rmf:
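Review bot: After this hunk the rule's `mitre_atlas` list holds only `AML.T0051.001 - Indirect`, with no parent `AML.T0051 - LLM Prompt Injection` entry, so the bare label no longer says what is "indirect" when the list is read or rendered on its own. `Indirect` is the ATLAS sub-technique name, but the qualified form keeps the entry self-describing: `- "AML.T0051.001 - LLM Prompt Injection: Indirect"`, or keep the parent technique line above it as the hunks that list both already do. If the new rule-contract check derives display names from the ID, this is cosmetic and can be ignored.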
@@ -35,7 +35,7 @@ references:
35
35
  - "ASI03:2026 - Tool Misuse"
36
36
  mitre_atlas:
37
37
  - "AML.T0051 - LLM Prompt Injection"
38
- - "AML.T0051.001 - Indirect Prompt Injection"
38
+ - "AML.T0051.001 - Indirect"
39
39
  research:
40
40
  - "Zhang et al., Agent Security Bench (ASB): Formalizing and Benchmarking Attacks and Defenses in LLM-based Agents (2024)"
41
41
 
@@ -7,7 +7,7 @@ author: ATR Community
7
7
  date: 2026/06/13
8
8
  schema_version: '0.1'
9
9
  detection_tier: pattern
10
- maturity: stable
10
+ maturity: experimental
11
11
  severity: medium
12
12
  references:
13
13
  owasp_llm:
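Review bot: The `maturity: stable` → `experimental` downgrade carries no rationale, and nothing in the hunk records why a `pattern`-tier, medium-severity rule lost stable status. If the engine or CLI excludes experimental rules from default evaluation, this silently removes coverage for every consumer of the ruleset; record the reason next to the field, e.g. `maturity: experimental  # demoted in 3.5.x: <false-positive or coverage reason>`, or in the changelog. Also confirm the downgrade is intentional rather than a side effect of a bulk edit, since no other hunk in this chunk touches `maturity`.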
@@ -23,7 +23,8 @@ references:
23
23
  owasp_agentic:
24
24
  - ASI04:2026 - Agentic Supply Chain Vulnerabilities
25
25
  mitre_atlas:
26
- - AML.T0010 - ML Supply Chain Compromise
26
+ - AML.T0010 - AI Supply Chain Compromise
27
+ - AML.T0104 - Publish Poisoned AI Agent Tool
27
28
  mitre_attack:
28
29
  - T1195 - Supply Chain Compromise
29
30
 
@@ -22,8 +22,8 @@ references:
22
22
  owasp_agentic:
23
23
  - "ASI04:2026 - Agentic Supply Chain Vulnerabilities"
24
24
  mitre_atlas:
25
- - "AML.T0010 - ML Supply Chain Compromise"
26
- - "AML.T0056 - LLM Meta Prompt Extraction"
25
+ - "AML.T0010 - AI Supply Chain Compromise"
26
+ - "AML.T0056 - Extract LLM System Prompt"
27
27
 
28
28
  compliance:
29
29
  nist_ai_rmf:
@@ -22,7 +22,7 @@ references:
22
22
  - "ASI02:2026 - Tool Misuse and Exploitation"
23
23
  - "ASI05:2026 - Unexpected Code Execution"
24
24
  mitre_atlas:
25
- - "AML.T0010 - ML Supply Chain Compromise"
25
+ - "AML.T0010 - AI Supply Chain Compromise"
26
26
  cve:
27
27
  - "CVE-2025-59536"
28
28
 
@@ -22,8 +22,8 @@ references:
22
22
  owasp_agentic:
23
23
  - "ASI02:2026 - Tool Misuse and Exploitation"
24
24
  mitre_atlas:
25
- - "AML.T0024 - Exfiltration via ML Inference API"
26
- - "AML.T0053 - LLM Plugin Compromise"
25
+ - "AML.T0024 - Exfiltration via AI Inference API"
26
+ - "AML.T0053 - AI Agent Tool Invocation"
27
27
 
28
28
  compliance:
29
29
  nist_ai_rmf:
@@ -21,7 +21,7 @@ references:
21
21
  owasp_agentic:
22
22
  - "ASI04:2026 - Agentic Supply Chain Vulnerabilities"
23
23
  mitre_atlas:
24
- - "AML.T0010 - ML Supply Chain Compromise"
24
+ - "AML.T0010 - AI Supply Chain Compromise"
25
25
 
26
26
  compliance:
27
27
  nist_ai_rmf:
@@ -16,7 +16,7 @@ maturity: test
16
16
  severity: critical
17
17
  references:
18
18
  mitre_atlas:
19
- - AML.T0010 - ML Supply Chain Compromise
19
+ - AML.T0010 - AI Supply Chain Compromise
20
20
  owasp_llm:
21
21
  - LLM01:2025 - Prompt Injection
22
22
  owasp_agentic:
@@ -16,7 +16,7 @@ maturity: test
16
16
  severity: critical
17
17
  references:
18
18
  mitre_atlas:
19
- - AML.T0010 - ML Supply Chain Compromise
19
+ - AML.T0010 - AI Supply Chain Compromise
20
20
  owasp_llm:
21
21
  - LLM03:2025 - Supply Chain Vulnerabilities
22
22
  owasp_agentic:
@@ -16,7 +16,7 @@ maturity: test
16
16
  severity: high
17
17
  references:
18
18
  mitre_atlas:
19
- - AML.T0010 - ML Supply Chain Compromise
19
+ - AML.T0010 - AI Supply Chain Compromise
20
20
  owasp_llm:
21
21
  - LLM06:2025 - Excessive Agency
22
22
  owasp_agentic:
@@ -16,7 +16,7 @@ maturity: test
16
16
  severity: high
17
17
  references:
18
18
  mitre_atlas:
19
- - AML.T0010 - ML Supply Chain Compromise
19
+ - AML.T0010 - AI Supply Chain Compromise
20
20
  owasp_llm:
21
21
  - LLM06:2025 - Excessive Agency
22
22
  owasp_agentic:
@@ -18,7 +18,7 @@ severity: high
18
18
 
19
19
  references:
20
20
  mitre_atlas:
21
- - "AML.T0010 - ML Supply Chain Compromise"
21
+ - "AML.T0010 - AI Supply Chain Compromise"
22
22
  owasp_llm:
23
23
  - "LLM03:2025 - Supply Chain Vulnerabilities"
24
24
  owasp_agentic:
@@ -16,7 +16,8 @@ maturity: test
16
16
  severity: high
17
17
  references:
18
18
  mitre_atlas:
19
- - AML.T0010 - ML Supply Chain Compromise
19
+ - AML.T0010 - AI Supply Chain Compromise
20
+ - AML.T0080 - AI Agent Context Poisoning
20
21
  owasp_llm:
21
22
  - LLM01:2025 - Prompt Injection
22
23
  owasp_agentic:
@@ -16,7 +16,8 @@ maturity: test
16
16
  severity: high
17
17
  references:
18
18
  mitre_atlas:
19
- - AML.T0010 - ML Supply Chain Compromise
19
+ - AML.T0010 - AI Supply Chain Compromise
20
+ - AML.T0109 - AI Supply Chain Rug Pull
20
21
  owasp_llm:
21
22
  - LLM05:2025 - Supply Chain Vulnerabilities
22
23
  owasp_agentic:
@@ -19,7 +19,7 @@ severity: medium
19
19
 
20
20
  references:
21
21
  mitre_atlas:
22
- - "AML.T0010 - ML Supply Chain Compromise"
22
+ - "AML.T0010 - AI Supply Chain Compromise"
23
23
  owasp_llm:
24
24
  - "LLM07:2025 - System Prompt Leakage"
25
25
  owasp_agentic:
@@ -15,7 +15,7 @@ maturity: test
15
15
  severity: critical
16
16
  references:
17
17
  mitre_atlas:
18
- - AML.T0010 - ML Supply Chain Compromise
18
+ - AML.T0010 - AI Supply Chain Compromise
19
19
  owasp_llm:
20
20
  - LLM01:2025 - Prompt Injection
21
21
  owasp_agentic:
@@ -17,7 +17,7 @@ severity: critical
17
17
 
18
18
  references:
19
19
  mitre_atlas:
20
- - "AML.T0010 - ML Supply Chain Compromise"
20
+ - "AML.T0010 - AI Supply Chain Compromise"
21
21
  owasp_llm:
22
22
  - "LLM01:2025 - Prompt Injection"
23
23
  owasp_ast:
@@ -17,7 +17,7 @@ maturity: test
17
17
  severity: medium
18
18
  references:
19
19
  mitre_atlas:
20
- - AML.T0010 - ML Supply Chain Compromise
20
+ - AML.T0010 - AI Supply Chain Compromise
21
21
  owasp_agentic:
22
22
  - ASI04:2026 - Agentic Supply Chain Vulnerabilities
23
23
  owasp_ast:
@@ -15,7 +15,7 @@ maturity: test
15
15
  severity: critical
16
16
  references:
17
17
  mitre_atlas:
18
- - AML.T0010 - ML Supply Chain Compromise
18
+ - AML.T0010 - AI Supply Chain Compromise
19
19
  owasp_llm:
20
20
  - LLM01:2025 - Prompt Injection
21
21
  owasp_agentic:
@@ -14,7 +14,7 @@ maturity: test
14
14
  severity: high
15
15
  references:
16
16
  mitre_atlas:
17
- - "AML.T0010 - ML Supply Chain Compromise"
17
+ - "AML.T0010 - AI Supply Chain Compromise"
18
18
  owasp_llm:
19
19
  - "LLM01:2025 - Prompt Injection"
20
20
  owasp_agentic:
@@ -15,7 +15,7 @@ maturity: test
15
15
  severity: critical
16
16
  references:
17
17
  mitre_atlas:
18
- - AML.T0010 - ML Supply Chain Compromise
18
+ - AML.T0010 - AI Supply Chain Compromise
19
19
  owasp_llm:
20
20
  - LLM06:2025 - Excessive Agency
21
21
  owasp_agentic:
@@ -17,7 +17,7 @@ severity: high
17
17
 
18
18
  references:
19
19
  mitre_atlas:
20
- - "AML.T0010 - ML Supply Chain Compromise"
20
+ - "AML.T0010 - AI Supply Chain Compromise"
21
21
  owasp_llm:
22
22
  - "LLM03:2025 - Supply Chain Vulnerabilities"
23
23
  owasp_agentic:
@@ -22,7 +22,7 @@ references:
22
22
  - "ASI04:2026 - Identity and Access Management Failures"
23
23
  - "ASI07:2026 - Insecure Third-Party Agent"
24
24
  mitre_atlas:
25
- - "AML.T0051.001 - Indirect Prompt Injection"
25
+ - "AML.T0051.001 - Indirect"
26
26
  mitre_attack:
27
27
  - "T1565.001 - Stored Data Manipulation"
28
28
 
@@ -16,7 +16,7 @@ references:
16
16
  owasp_agentic:
17
17
  - "ASI03:2026 - Data Exfiltration"
18
18
  mitre_atlas:
19
- - AML.T0010 - ML Supply Chain Compromise
19
+ - AML.T0010 - AI Supply Chain Compromise
20
20
  compliance:
21
21
  nist_ai_rmf:
22
22
  - subcategory: "MS.2.10"
@@ -22,7 +22,7 @@ references:
22
22
  owasp_agentic:
23
23
  - "ASI07:2026 - Supply Chain"
24
24
  mitre_atlas:
25
- - "AML.T0018 - Backdoor ML Model"
25
+ - "AML.T0060 - Publish Hallucinated Entities"
26
26
  research:
27
27
  - "https://www.usenix.org/publications/loginonline/we-have-package-you-comprehensive-analysis-package-hallucinations-code"
28
28
  - "https://arxiv.org/abs/2501.19012"
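Review bot: After this hunk the rule's `mitre_atlas` list carries only `AML.T0060 - Publish Hallucinated Entities`, which describes the adversary's publishing step, while the event an agent-side rule presumably observes is the install or import of the hallucinated name — the supply-chain compromise itself. If that is the rule's trigger, keep `- "AML.T0060 - Publish Hallucinated Entities"` and add `- "AML.T0010 - AI Supply Chain Compromise"`, as the sibling supply-chain rules in this release do. Dropping `Backdoor ML Model` is right either way: slopsquatting involves no model backdoor.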
@@ -20,7 +20,7 @@ references:
20
20
  owasp_agentic:
21
21
  - "ASI08:2026 - Output Handling"
22
22
  mitre_atlas:
23
- - "AML.T0053 - LLM Plugin Compromise"
23
+ - "AML.T0053 - AI Agent Tool Invocation"
24
24
  research:
25
25
  - "https://github.com/NVIDIA/garak/blob/main/garak/probes/malwaregen.py"
26
26
  compliance:
@@ -21,7 +21,7 @@ references:
21
21
  owasp_agentic:
22
22
  - "ASI03:2026 - Tool Misuse"
23
23
  mitre_atlas:
24
- - "AML.T0053 - LLM Plugin Compromise"
24
+ - "AML.T0053 - AI Agent Tool Invocation"
25
25
  - "AML.T0057 - LLM Data Leakage"
26
26
  research:
27
27
  - "https://github.com/NVIDIA/garak/blob/main/garak/probes/malwaregen.py"
@@ -20,7 +20,7 @@ references:
20
20
  owasp_agentic:
21
21
  - "ASI08:2026 - Output Handling"
22
22
  mitre_atlas:
23
- - "AML.T0053 - LLM Plugin Compromise"
23
+ - "AML.T0053 - AI Agent Tool Invocation"
24
24
  research:
25
25
  - "https://github.com/NVIDIA/garak/blob/main/garak/probes/malwaregen.py"
26
26
  - "https://attack.mitre.org/techniques/T1105/"
@@ -32,8 +32,8 @@ references:
32
32
  - "ASI07:2026 - Supply Chain"
33
33
  - "ASI03:2026 - Tool Misuse"
34
34
  mitre_atlas:
35
- - "AML.T0018 - Backdoor ML Model"
36
- - "AML.T0010 - ML Supply Chain Compromise"
35
+ - "AML.T0011.000 - Unsafe AI Artifacts"
36
+ - "AML.T0010 - AI Supply Chain Compromise"
37
37
  research:
38
38
  - "https://github.com/NVIDIA/garak/blob/main/garak/probes/fileformats.py"
39
39
  - "https://huggingface.co/docs/hub/security-pickle"
@@ -20,8 +20,8 @@ maturity: test
20
20
  severity: high
21
21
  references:
22
22
  mitre_atlas:
23
- - AML.T0044 - Full ML Model Access
24
- - AML.T0024 - Exfiltration via Cyber Means
23
+ - AML.T0044 - Full AI Model Access
24
+ - AML.T0024 - Exfiltration via AI Inference API
25
25
  owasp_llm:
26
26
  - LLM06:2025 - Excessive Agency
27
27
  owasp_agentic:
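Review bot: The `AML.T0024` line resolves an ID/label mismatch by relabeling the ID to `Exfiltration via AI Inference API` rather than moving the entry to `AML.T0025`, which this same release labels `Exfiltration via Cyber Means` in another rule; given the sibling `AML.T0044 - Full AI Model Access` entry the inference-API reading looks intended, but it should be confirmed against the rule's description rather than the old label. The same class of defect (a valid ID paired with another technique's name) existed for `AML.T0048`, which elsewhere in this diff is correctly labeled `External Harms`, so it is recurring. If the new `quality/rule-contract` check does not already validate each `mitre_atlas` entry's ID–name pair against the ATLAS dataset, adding that would catch it at authoring time, including the newly introduced `AML.T0080`, `AML.T0104` and `AML.T0109` entries.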
@@ -18,7 +18,7 @@ maturity: test
18
18
  severity: high
19
19
  references:
20
20
  mitre_atlas:
21
- - AML.T0044 - Full ML Model Access
21
+ - AML.T0044 - Full AI Model Access
22
22
  owasp_llm:
23
23
  - LLM06:2025 - Excessive Agency
24
24
  owasp_agentic:
@@ -18,8 +18,8 @@ maturity: test
18
18
  severity: critical
19
19
  references:
20
20
  mitre_atlas:
21
- - AML.T0010 - ML Supply Chain Compromise
22
- - AML.T0044 - Full ML Model Access
21
+ - AML.T0010 - AI Supply Chain Compromise
22
+ - AML.T0044 - Full AI Model Access
23
23
  owasp_llm:
24
24
  - LLM06:2025 - Excessive Agency
25
25
  owasp_agentic:
@@ -37,7 +37,7 @@ references:
37
37
  - "ASI05:2026 - Unexpected Code Execution"
38
38
  - "ASI09:2026 - Identity Spoofing and Impersonation"
39
39
  mitre_atlas:
40
- - "AML.T0010 - ML Supply Chain Compromise"
40
+ - "AML.T0010 - AI Supply Chain Compromise"
41
41
  - "AML.T0050 - Command and Scripting Interpreter"
42
42
  mitre_attack:
43
43
  - "T1546 - Event Triggered Execution"
@@ -29,7 +29,7 @@ references:
29
29
  owasp_agentic:
30
30
  - "ASI05:2026 - Supply Chain Compromise"
31
31
  mitre_atlas:
32
- - "AML.T0010 - ML Supply Chain Compromise"
32
+ - "AML.T0010 - AI Supply Chain Compromise"
33
33
  compliance:
34
34
  owasp_agentic:
35
35
  - id: ASI05:2026
@@ -27,7 +27,7 @@ references:
27
27
  owasp_agentic:
28
28
  - "ASI04:2026 - Code Execution & Data Exfiltration"
29
29
  mitre_atlas:
30
- - "AML.T0024 - Exfiltration via ML Inference API"
30
+ - "AML.T0024 - Exfiltration via AI Inference API"
31
31
  - "AML.T0048 - External Harms"
32
32
 
33
33
  compliance:
@@ -30,7 +30,7 @@ references:
30
30
  owasp_agentic:
31
31
  - "ASI03:2026 - Agent Supply Chain Compromise"
32
32
  mitre_atlas:
33
- - "AML.T0018 - Backdoor ML Model"
33
+ - "AML.T0018.000 - Poison AI Model"
34
34
  - "AML.T0020 - Poison Training Data"
35
35
  - "AML.T0051 - LLM Prompt Injection"
36
36
 
@@ -26,7 +26,7 @@ references:
26
26
  owasp_agentic:
27
27
  - "ASI03:2026 - Agent Supply Chain Compromise"
28
28
  mitre_atlas:
29
- - "AML.T0018 - Backdoor ML Model"
29
+ - "AML.T0018.000 - Poison AI Model"
30
30
  - "AML.T0051 - LLM Prompt Injection"
31
31
 
32
32
  compliance:
@@ -27,8 +27,8 @@ references:
27
27
  - "ASI02:2026 - Tool Misuse and Exploitation"
28
28
  - "ASI05:2026 - Unexpected Code Execution"
29
29
  mitre_atlas:
30
- - "AML.T0051.001 - Indirect Prompt Injection"
31
- - "AML.T0056 - LLM Meta Prompt Extraction"
30
+ - "AML.T0051.001 - Indirect"
31
+ - "AML.T0056 - Extract LLM System Prompt"
32
32
  mitre_attack:
33
33
  - "T1059 - Command and Scripting Interpreter"
34
34
  - "T1071 - Application Layer Protocol"
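Review bot: The new entry `"AML.T0051.001 - Indirect"` reads as truncated next to its fully descriptive sibling `"AML.T0056 - Extract LLM System Prompt"`, even though Indirect is the sub-technique's own short name in ATLAS. The parent technique name is already used in this release as `AML.T0051 - LLM Prompt Injection`, so writing `- "AML.T0051.001 - LLM Prompt Injection: Indirect"` keeps the label self-explanatory for someone reading the rule without the ATLAS catalogue open. The same replacement applies to the other hunks in this release that introduce the bare `Indirect` label. If these labels are validated anywhere against an exact expected string, confirm the chosen format passes that check before applying it across all of them.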
@@ -23,8 +23,8 @@ references:
23
23
  owasp_agentic:
24
24
  - ASI02:2026 - Tool Misuse and Exploitation
25
25
  mitre_atlas:
26
- - AML.T0053 - LLM Plugin Compromise
27
- - AML.T0051.001 - Indirect Prompt Injection
26
+ - AML.T0053 - AI Agent Tool Invocation
27
+ - AML.T0051.001 - Indirect
28
28
  cve:
29
29
  - CVE-2025-59536
30
30
  - CVE-2025-32711
@@ -21,7 +21,7 @@ references:
21
21
  - ASI02:2026 - Tool Misuse and Exploitation
22
22
  - ASI03:2026 - Identity and Privilege Abuse
23
23
  mitre_atlas:
24
- - AML.T0053 - LLM Plugin Compromise
24
+ - AML.T0053 - AI Agent Tool Invocation
25
25
  mitre_attack:
26
26
  - T1059 - Command and Scripting Interpreter
27
27
  - T1083 - File and Directory Discovery
@@ -17,7 +17,7 @@ severity: high
17
17
  source: threat-cloud
18
18
  references:
19
19
  mitre_atlas:
20
- - AML.T0053 - LLM Plugin Compromise
20
+ - AML.T0053 - AI Agent Tool Invocation
21
21
  owasp_llm:
22
22
  - LLM01:2025 - Prompt Injection
23
23
  - LLM05:2025 - Improper Output Handling
@@ -17,7 +17,7 @@ source: threat-cloud
17
17
 
18
18
  references:
19
19
  mitre_atlas:
20
- - "AML.T0053 - LLM Plugin Compromise"
20
+ - "AML.T0053 - AI Agent Tool Invocation"
21
21
  owasp_llm:
22
22
  - "LLM01:2025 - Prompt Injection"
23
23
  - "LLM06:2025 - Excessive Agency"
@@ -22,7 +22,8 @@ references:
22
22
  owasp_agentic:
23
23
  - ASI01:2026 - Agent Goal Hijack
24
24
  mitre_atlas:
25
- - AML.T0051 - Prompt Injection
25
+ - AML.T0051 - LLM Prompt Injection
26
+ - AML.T0110 - AI Agent Tool Poisoning
26
27
  compliance:
27
28
  nist_ai_rmf:
28
29
  - subcategory: "MS.2.6"
@@ -17,7 +17,7 @@ severity: high
17
17
  source: threat-cloud
18
18
  references:
19
19
  mitre_atlas:
20
- - AML.T0053 - LLM Plugin Compromise
20
+ - AML.T0053 - AI Agent Tool Invocation
21
21
  owasp_llm:
22
22
  - LLM01:2025 - Prompt Injection
23
23
  - LLM06:2025 - Excessive Agency
@@ -18,7 +18,7 @@ source: threat-cloud
18
18
 
19
19
  references:
20
20
  mitre_atlas:
21
- - "AML.T0053 - LLM Plugin Compromise"
21
+ - "AML.T0053 - AI Agent Tool Invocation"
22
22
  owasp_llm:
23
23
  - "LLM06:2025 - Excessive Agency"
24
24
  owasp_agentic:
@@ -30,8 +30,9 @@ references:
30
30
  - "ASI03:2026 - Tool Misuse"
31
31
  - "ASI07:2026 - Insecure Inter-Agent Communication"
32
32
  mitre_atlas:
33
- - "AML.T0051.001 - Indirect Prompt Injection"
34
- - "AML.T0053 - LLM Plugin Compromise"
33
+ - "AML.T0051.001 - Indirect"
34
+ - "AML.T0053 - AI Agent Tool Invocation"
35
+ - "AML.T0110 - AI Agent Tool Poisoning"
35
36
  safe_mcp:
36
37
  - "SAFE-T1102 - Prompt Manipulation"
37
38
  - "SAFE-T1001 - Tool Poisoning"
@@ -26,8 +26,8 @@ references:
26
26
  - "ASI08:2026 - Resource Exhaustion and Denial of Service"
27
27
  - "ASI03:2026 - Tool Misuse"
28
28
  mitre_atlas:
29
- - "AML.T0051.001 - Indirect Prompt Injection"
30
- - "AML.T0040 - ML Model Inference API Access"
29
+ - "AML.T0051.001 - Indirect"
30
+ - "AML.T0040 - AI Model Inference API Access"
31
31
  mitre_attack:
32
32
  - "T1499 - Endpoint Denial of Service"
33
33
  - "T1059 - Command and Scripting Interpreter"
@@ -26,8 +26,8 @@ references:
26
26
  - "ASI01:2026 - Agent Behaviour Hijack"
27
27
  - "ASI05:2026 - Unexpected Code Execution"
28
28
  mitre_atlas:
29
- - "AML.T0051.001 - Indirect Prompt Injection"
30
- - "AML.T0040 - ML Model Inference API Access"
29
+ - "AML.T0051.001 - Indirect"
30
+ - "AML.T0040 - AI Model Inference API Access"
31
31
  mitre_attack:
32
32
  - "T1059 - Command and Scripting Interpreter"
33
33
  - "T1190 - Exploit Public-Facing Application"
@@ -27,7 +27,7 @@ references:
27
27
  - "ASI05:2026 - Unexpected Code Execution"
28
28
  - "ASI04:2026 - Supply Chain"
29
29
  mitre_atlas:
30
- - "AML.T0040 - ML Model Inference API Access"
30
+ - "AML.T0040 - AI Model Inference API Access"
31
31
  - "AML.T0049 - Exploit Public-Facing Application"
32
32
  mitre_attack:
33
33
  - "T1059 - Command and Scripting Interpreter"
@@ -5,7 +5,10 @@ status: experimental
5
5
  description: >
6
6
  Detects exploitation of CVE-2025-54136 in Cursor and the same-class issue
7
7
  surfaced by the OX Security MCP-by-design batch (2026-04-15) across Windsurf,
8
- Claude Code, Gemini CLI, and GitHub Copilot. The IDE's MCP config file
8
+ Claude Code, Gemini CLI, and GitHub Copilot. The Windsurf zero-click variant
9
+ (CVE-2026-30615) reaches the same config sink via attacker-controlled HTML
10
+ content that the IDE renders, which silently writes the MCP JSON and registers
11
+ a malicious STDIO server. The IDE's MCP config file
9
12
  (.cursor/mcp.json or equivalent) is auto-loaded on workspace open and treats
10
13
  the `command` and `args` fields as OS exec targets. An attacker who can
11
14
  modify this file via supply chain (npm package post-install, malicious
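Review bot: The added description explains how CVE-2026-30615 reaches the config sink but not whether the rule's detection condition changes for it, which is the first question a reader of a zero-click variant will have. Both vectors end at the same `.cursor/mcp.json`-or-equivalent write, so a sentence such as `Detection keys on the MCP config write/load itself, so it covers both the supply-chain and the rendered-HTML vector with no user-interaction precondition.` would make that explicit — assuming the detection block, which lies outside this hunk, was not changed in this release. The description continues past the end of the hunk.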
@@ -27,14 +30,15 @@ references:
27
30
  - "ASI05:2026 - Unexpected Code Execution"
28
31
  - "ASI09:2026 - Identity Spoofing and Impersonation"
29
32
  mitre_atlas:
30
- - "AML.T0010 - ML Supply Chain Compromise"
31
- - "AML.T0040 - ML Model Inference API Access"
33
+ - "AML.T0010 - AI Supply Chain Compromise"
34
+ - "AML.T0040 - AI Model Inference API Access"
32
35
  mitre_attack:
33
36
  - "T1546 - Event Triggered Execution"
34
37
  - "T1059 - Command and Scripting Interpreter"
35
38
  - "T1195.002 - Compromise Software Supply Chain"
36
39
  cve:
37
40
  - "CVE-2025-54136"
41
+ - "CVE-2026-30615"
38
42
 
39
43
  metadata_provenance:
40
44
  mitre_atlas: human-reviewed
@@ -26,7 +26,7 @@ references:
26
26
  - "ASI05:2026 - Unexpected Code Execution"
27
27
  mitre_atlas:
28
28
  - "AML.T0049 - Exploit Public-Facing Application"
29
- - "AML.T0010 - ML Supply Chain Compromise"
29
+ - "AML.T0010 - AI Supply Chain Compromise"
30
30
  mitre_attack:
31
31
  - "T1059 - Command and Scripting Interpreter"
32
32
  - "T1190 - Exploit Public-Facing Application"
@@ -27,7 +27,7 @@ references:
27
27
  - "ASI09:2026 - Identity Spoofing"
28
28
  - "ASI04:2026 - Supply Chain"
29
29
  mitre_atlas:
30
- - "AML.T0040 - ML Model Inference API Access"
30
+ - "AML.T0040 - AI Model Inference API Access"
31
31
  - "AML.T0049 - Exploit Public-Facing Application"
32
32
  mitre_attack:
33
33
  - "T1190 - Exploit Public-Facing Application"
@@ -23,7 +23,7 @@ references:
23
23
  owasp_agentic:
24
24
  - "ASI06:2026 - Tool Misuse"
25
25
  mitre_atlas:
26
- - "AML.T0053 - Adversarial Tool Exploitation"
26
+ - "AML.T0053 - AI Agent Tool Invocation"
27
27
 
28
28
  compliance:
29
29
  owasp_agentic: