TLCTC v2.1 Golden — Claude Code Plugin

TLCTC v2.1 (Golden)

Marks the v2.1 framework as Golden — the canonical, stable release of the v2.1 specification, now distributable as a Claude Code plugin.

What's New

Claude Code Plugin Scaffold (commit 2f761bf):

• .claude-plugin/marketplace.json — repo-level marketplace manifest
• plugins/tlctc/.claude-plugin/plugin.json — plugin manifest (v2.1.0, CC-BY-4.0)
• plugins/tlctc/skills/tlctc-classify/SKILL.md — full v2.1 master prompt as an auto-loading skill (10 axioms, 10 clusters, all R-* rules, attack-path notation, 22 worked examples, verification checklist)
• plugins/tlctc/commands/tlctc-analyze.md — /tlctc-analyze [path|URL|text] slash command

Install

/plugin marketplace add Barnes70/TLCTC
/plugin install tlctc@tlctc
/reload-plugins

Once installed, the tlctc-classify skill auto-loads whenever a security document, CVE, threat-intel report, or attack-path question is in scope — no need to paste the master prompt manually.

Carries Forward from v2.1.0

• Complete v2.1 specification: transit (⇒), intra-system (|...|), and unresolved-step (?/…) operators
• npm supply-chain decompositions
• Agentic AI Attack Path J
• 698 MITRE ATT&CK Enterprise → TLCTC mappings
• 987 MITRE CWE → TLCTC mappings (experimental)

License

CC BY 4.0 — cite TLCTC v2.1 when re-using definitions.

TLCTC v2.1.0 — npm Supply Chain Decompositions & Agentic AI Path J

What's New

2025 npm Supply Chain Attack Paths (Layer 3 Instances)

Three major 2025 npm campaigns fully decomposed into schema-validated attack path instances:

• S1ngularity/Nx (attack-paths/s1ngularity-nx-2025.json) — 10-step path: CI workflow abuse → credential theft → package poisoning → consumer-side QUIETVAULT execution including LLM coding assistant weaponization
• Chalk/Debug Phishing (attack-paths/chalk-debug-phishing-2025.json) — 7-step path: phishing → credential use → publish → trust acceptance → browser-based crypto wallet address substitution
• Shai-Hulud Worm (attack-paths/shai-hulud-worm-2025.json) — 14-step path: first recursive/cyclic supply chain worm with [RECURSIVE] propagation annotation and conditional destructive fallback (DRE: Ac)

New Reference Example

• Chalk/Debug 2025 (json-schemas/layer-3/examples/chalk-debug-2025.json) — Joins SolarWinds 2020 as the second Layer 3 reference example. Demonstrates v2.1 transit boundary notation, R-CRED credential duality, and the canonical #10 → #1 → #7 install chain.

Agentic AI: Path J — LLM Weaponization via Supply Chain

• New attack path (examples/agentic-ai/attack-paths/path-J-llm-weaponization-supply-chain.json) — First documented real-world pattern of malware co-opting a deployed AI coding assistant as a credential-scanning tool (S1ngularity/Nx precedent).
• New scenario: AgentWeaponizedByMalware — Third agentic AI scenario alongside LegitimateAgentCompromised and MaliciousAgentIntroduced. The agent is a secondary LOLBin discovered and directed by external malware.

npm Supply Chain Pattern Mapping

New mapping directory (mappings/npm-supply-chain/) with:

• 5 canonical patterns — Install-time compromise, maintainer phishing, typosquatting, build-to-secret-theft, self-replicating worm — each with full cluster decomposition and per-step control mappings
• Incident-to-control walkthrough — Chalk/Debug 2025 worked end-to-end: incident facts → cluster decomposition → control mapping → risk register entry

Blog Post

• documentation/npm-supply-chain-blog-final.md — "Anatomy of a Worm: The 2025 npm Supply Chain Attacks Through the TLCTC Lens"

Key Structural Findings

1. #10 is a trust boundary, not a mechanism — the mechanisms are #9, #1, #4, #7
2. The #1 between #10 and #7 is the most undertapped control surface in npm security
3. R-CRED exposes a universal kill chain: controls at #4 break every campaign regardless of credential acquisition method
4. #1 Abuse of Functions is the dominant cluster across all npm attack patterns
5. Shai-Hulud's recursive #10 generation breaks the conventional linear supply chain risk model

Validation

All Layer 3 JSON files validate against json-schemas/layer-3/tlctc-attack-path.schema.json.

Full Changelog: v2.0.0...v2.1.0

TLCTC v2.0.0 — Top Level Cyber Threat Clusters

TLCTC v2.0 — The first cause-oriented, axiomatic cyber threat taxonomy

TLCTC provides the missing semantic foundation for cybersecurity: a stable, non-overlapping classification of cyber threats based on why compromise happens — the generic vulnerability exploited — rather than what happens afterwards.

A cyber threat is defined by the generic vulnerability it exploits, not by who performs it and not by what consequence follows.

The 10 Threat Clusters

#	Cluster	Topology
#1	Abuse of Functions	Internal
#2	Exploiting Server	Internal
#3	Exploiting Client	Internal
#4	Identity Theft	Internal
#5	Man in the Middle	Internal
#6	Flooding Attack	Internal
#7	Malware	Internal
#8	Physical Attack	Bridge
#9	Social Engineering	Bridge
#10	Supply Chain Attack	Bridge

What's in this release

Framework Core

• 10 threat clusters, each defined by exactly one generic vulnerability
• 10 axioms — the non-negotiable logical foundation
• 6 classification rules (R-EXEC, R-ROLE, R-FLOOD, R-SUPPLY, R-MITM, R-CRED)
• Attack path notation with velocity classes (VC-1 through VC-4) and Data Risk Events

Three-Layer JSON Architecture (JSON Schema Draft 7)

• Layer 1 — Framework definition (static): cluster definitions, axioms, rules
• Layer 2 — Reference registry (context): responsibility spheres, boundary contexts
• Layer 3 — Attack path instances (dynamic): incident analyses with step sequences and velocity

MITRE ATT&CK Enterprise Mapping

• 698 techniques mapped to TLCTC clusters with rationale
• Decision tree methodology
• SOC-to-risk walkthrough example

MITRE CWE Mapping (experimental, AI-assisted)

• 987 weaknesses mapped to TLCTC clusters with rationale
• Verdict system (Allowed, Allowed-with-Review, Discouraged, Prohibited)
• Decision tree and control walkthrough

Agentic AI Threat Analysis

• 9 attack paths (Paths A–I) analyzing AI agent threats through TLCTC
• Consequence chains, tool profiles, and irreversibility matrices

Glossary

• 55 machine-readable terms with definitions, disambiguation, cross-references
• JSON Schema for universal cyber security vocabulary

Tools

• Threat Modeling Tool — SDLC threat modeling and architecture analysis (standalone HTML)
• Attack Path Architect — incident documentation and CTI exchange (standalone HTML)

Documentation

• V2.0 White Paper (PDF)
• Glossary (PDF)
• JSON Architecture Specification (PDF)
• "Why Exactly Ten" — framework architecture rationale (PDF)

License

CC BY 4.0 — free to use, integrate, and build upon.

Links

• Website: tlctc.net
• White Paper: tlctc.net/tlctc-v2.0-whitepaper.html

TLCTC Cyber Security Glossary v0.1.0

TLCTC Cyber Security Glossary — Initial Release

A machine-readable, universal glossary for cyber risk and cyber security terminology. Establishes precise, unambiguous definitions to create a common language across frameworks, teams, and organizations.

What's included

• JSON Schema (tlctc-glossary.schema.json) — Draft 7 schema defining the glossary structure
• 55 terms (tlctc-glossary.json) — seeded from TLCTC v2.0:
  • 10 threat clusters with generic vulnerabilities
  • 10 axioms
  • 6 classification rules (R-EXEC, R-ROLE, R-FLOOD, R-SUPPLY, R-MITM, R-CRED)
  • Attack path notation (delta-t, velocity classes, parallel groups)
  • Three-layer JSON architecture (framework, registry, instance)
  • Data Risk Events (C, I, A, Ac)
  • Verdict system for framework mappings

Key features per term

• Normative definition — precise, unambiguous
• Disambiguation ("not to be confused with") — resolves common conflations
• Cross-references — links to related terms within the glossary
• Domain classification — tlctc-core, tlctc-classification, tlctc-notation, tlctc-architecture, tlctc-mapping, with expansion domains for cyber-risk, cyber-security, governance
• Source attribution — traceable to TLCTC v2.0 axioms, rules, and specifications
• Examples — illustrative usage where applicable

Why this matters

Cybersecurity suffers from semantic diffusion — the same terms carry different meanings across frameworks, teams, and organizations. NIST alone has over 20 definitions of "cyber threat." This glossary anchors terminology in TLCTC's cause-oriented, axiomatic foundation: threats are causes, not outcomes; classification follows the generic vulnerability, not the actor or the consequence.

License

CC BY 4.0 — free to use, integrate, and build upon.