agentshield-sdk 13.2.0 → 13.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -4,6 +4,85 @@ All notable changes to Agent Shield will be documented in this file.
 
  This project follows [Semantic Versioning](https://semver.org/).
 
+ ## [13.5.0] - 2026-04-16
+
+ ### Detection Hardening + Security Scan Remediation
+
+ Tightens existing defenses based on Unit 42 real-world attack research and addresses findings from the Agent Shield security scan.
+
+ #### Detector Core — 11 New Patterns (3 categories)
+
+ - **Encoding chain detection** (3 patterns) — Detects multi-layer encoding (base64 inside unicode inside URL encoding). Addresses evasion technique that bypasses single-layer decoders.
+ - **SVG-based injection** (4 patterns) — Detects hidden prompts in SVG elements, foreignObject, hidden text, and desc tags. Addresses Unit 42 finding of real-world attacks using SVG encapsulation with 24 layered injection attempts.
+ - **Structured data injection** (4 patterns) — Detects hidden instructions in JSON metadata fields, XML CDATA sections, YAML/CSV comments, and comment syntax across formats.
+
+ #### Cross-Turn Detector — Crescendo Attack Defense
+
+ - 5 new escalation signal patterns for crescendo attacks: hypothetical framing, imaginary scenarios, permission boundary softening, false-prior-interaction claims, similarity-based escalation.
+ - New crescendo-specific detection: flags conversations that start with hypothetical/theoretical framing and drift toward sensitive/dangerous topics over multiple turns.
+
+ #### MemoryGuard — Persistent Memory Poisoning Defense
+
+ - `scanSummarization(originalMessages, summary)` detects when context compaction silently injects instructions. Addresses Unit 42 March 2026 research on persistent memory poisoning that survives across sessions.
+
+ #### Security Scan Remediation
+
+ - **Sidecar server**: API key authentication, request body size limit (1MB default), rate limiting (100 req/min default), CORS hardened from `*` to `same-origin`.
+ - **Dashboard WebSocket**: Authentication token support, max connections limit (50 default), startup warning if no auth configured.
+ - **GitHub App**: Webhook signature enforced for non-localhost requests, CRITICAL warning if `GITHUB_WEBHOOK_SECRET` not set.
+ - **Document scanner**: `maxDocumentSize` limit (10MB default) prevents DoS via oversized documents.
+ - **Audit logs**: `sanitizeLogs` option redacts emails, SSNs, API keys, and truncates content fields before writing.
+
+ ## [13.4.0] - 2026-04-14
+
+ ### April 2026 Threat Response
+
+ Security updates addressing vulnerabilities and attack techniques discovered April 1-14, 2026.
+
+ #### Supply Chain Scanner — 16 New CVEs
+
+ - **CVE-2026-5058** (CVSS 9.8) — AWS MCP Server command injection RCE, no auth required
+ - **CVE-2026-5059** — AWS MCP Server remote code execution
+ - **CVE-2026-32211** (CVSS 9.1) — Azure MCP Server has no authentication at all
+ - **CVE-2026-21518** — VS Code mcp.json command injection (malicious project files)
+ - **CVE-2026-33579** — OpenClaw silent admin takeover (patched April 5)
+ - **CVE-2026-24763** — OpenClaw command injection
+ - **CVE-2026-26322** — OpenClaw SSRF
+ - **CVE-2026-26329** — OpenClaw path traversal / local file read
+ - **CVE-2026-30741** — OpenClaw prompt-injection-driven code execution
+ - **CVE-2025-59528** (CVSS 10.0) — Flowise RCE via MCP node, actively exploited since April 6, 12,000+ instances exposed
+ - **CVE-2025-8943** — Flowise missing authentication
+ - **CVE-2025-26319** — Flowise arbitrary file upload
+ - **CVE-2026-5322** — mcp-data-vis SQL injection
+ - **CVE-2026-6130** — chatbox MCP OS command injection
+ - **CVE-2026-5023** — codebase-mcp OS command injection RCE
+
+ Updated OpenClaw malicious skill count: 820 → 1,184+ confirmed on ClawHub (3.5x growth).
+ Added aws-mcp-server-unpatched and flowise-unpatched to known-bad server blocklist.
+
+ #### Detector Core — 15 New Detection Patterns (5 categories)
+
+ - **XSS-in-agent-output** (5 patterns) — Catches XSS payloads embedded in AI-generated HTML: script tags, event handlers, javascript: URIs, iframe injection, img onerror. Addresses new attack vector where prompt injections deliver XSS through agent output.
+ - **Acrostic/steganographic injection** (2 patterns) — Detects hidden instructions where first characters of consecutive lines spell injection keywords. Addresses 93% evasion success rate reported in April 2026 research.
+ - **MCP config injection** (2 patterns) — Detects command injection in mcp.json files. Addresses CVE-2026-21518 VS Code attack vector.
+ - **Offensive agent behavior** (3 patterns) — Detects AI agents being used as attack tools: exploitation language, C2 infrastructure, credential theft operations. Addresses April 2026 incident where AI agent compromised 600+ firewalls autonomously.
+ - **Cloud IAM overpermission** (3 patterns) — Detects wildcard IAM policies enabling "Agent God Mode". Addresses Palo Alto Unit 42 discovery of AWS AgentCore default role vulnerability.
+
+ ## [13.3.0] - 2026-04-06
+
+ ### New SDK Modules
+
+ - **RenderDifferentialAnalyzer** -- Detects content that renders differently than it reads. Catches visual deception in HTML (CSS display:none, opacity:0, off-screen, font-size:0), Markdown (link mismatch, hidden spans, comment injection), and LaTeX (\phantom, \textcolor{white}, \renewcommand). Includes VisualHasher for measuring raw-vs-rendered divergence.
+ - **SybilDetector** -- Detects coordinated fake agents acting in concert. Behavioral similarity scoring, temporal correlation, content similarity (Jaccard), creation burst detection, and voting collusion analysis. Includes AgentIdentityVerifier with challenge-response and shared-secret detection.
+ - **SideChannelMonitor** -- Detects data exfiltration via covert channels. DNS exfiltration (high-entropy subdomains, base64 labels), timing-based encoding, response-size encoding, URL parameter exfil. Includes BeaconDetector (C2 beaconing patterns) and EntropyAnalyzer (Shannon entropy).
+
+ ### Improvements
+
+ - Professional README rewrite: organized by capability instead of version, reduced from 1,348 to ~350 lines
+ - All 3 new modules exported via main.js
+ - 185 new test assertions (81 render-differential + 49 sybil + 55 side-channel)
+ - Total: 3,400+ test assertions across 22 suites
+
  ## [13.2.0] - 2026-04-06
 
  ### DeepMind AI Agent Traps -- First-Principles Defense
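Review bot: the "16 New CVEs" heading in the 13.4.0 entry does not match its own list, which has 15 CVE bullets (CVE-2026-5058 down to CVE-2026-5023); either the count should read 15 or an entry was dropped before publishing, and since consumers grep this file to confirm scanner coverage, the heading and the list need to agree. In the 13.5.0 entry, the line `**GitHub App**: Webhook signature enforced for non-localhost requests` documents a carve-out rather than a hardening: an app deployed behind a reverse proxy or a local tunnel typically sees every inbound webhook as a loopback connection, so the exemption disables the check in exactly the deployments that need it. The signature check should be unconditional, with `GITHUB_WEBHOOK_SECRET` required rather than only warned about, and if a bypass is kept for local tests the changelog should describe it as a test-only switch.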