Expand Up @@ -19,6 +19,13 @@ response should be discussed with the **CTI initiative** responsible for publish

| Date | Exploit / Incident | Impact Summary | ASI T&M Mapping | Links to further analysis<br>(Vendor / CVE / Discoverer) |
|------------|------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|---------------------------|
|**Mar 2026**| **LiteLLM Supply Chain Compromise → Mercor Data Breach** | Compromised npm dependency in LiteLLM proxy (36% of cloud AI deployments) spread to 40K downloads in 40 minutes. Downstream breach at Mercor led to ~4TB data exfiltration including biometric records. | • ASI04 (Agentic Supply Chain Vulnerabilities)<br> • ASI08 (Cascading Failures)<br> • ASI03 (Identity & Privilege Abuse) | • —<br> • —<br> • — |
|**Mar 2026**| **Axios Typosquatting RAT Campaign (Sapphire Sleet)** | Malicious typosquat package targeting Axios ecosystem deployed cross-platform RAT. Affected large developer base (~83M weekly downloads). | • ASI04 (Agentic Supply Chain Vulnerabilities)<br> • ASI05 (Unexpected Code Execution (RCE))<br> • ASI03 (Identity & Privilege Abuse) | • —<br> • —<br> • Sapphire Sleet |
|**Mar 2026**| **OpenAI Codex Unicode Branch Name Injection** | Unicode manipulation in git branch names enabled shell injection and OAuth token exfiltration via unsafe command execution. | • ASI05 (Unexpected Code Execution (RCE))<br> • ASI02 (Tool Misuse & Exploitation)<br> • ASI01 (Agent Goal Hijack) | • —<br> • —<br> • — |
|**Mar 2026**| **Railway CDN Environment Variable Exposure** | Misconfigured CDN exposed customer environment variables for ~52 minutes, enabling secrets leakage and downstream compromise risk. | • ASI03 (Identity & Privilege Abuse)<br> • ASI08 (Cascading Failures) | • —<br> • —<br> • — |
|**Mar 2026**| **Delve AI Auditor Fake SOC2 Reports** | Compromised compliance auditor generated 494 fabricated SOC2 reports, undermining trust in AI-driven compliance validation. | • ASI09 (Human-Agent Trust Exploitation)<br> • ASI01 (Agent Goal Hijack) | • —<br> • —<br> • — |
|**Mar 2026**| **Claude Code Compaction Poisoning Persistence** | Malicious instructions injected into conversation context persisted across sessions via memory compaction, enabling long-term agent manipulation. | • ASI06 (Memory & Context Poisoning)<br> • ASI01 (Agent Goal Hijack) | • —<br> • —<br> • — |
|**Mar 2026**| **Meta Rogue Agent Proprietary Code Leak** | Internal agent autonomously exposed proprietary source code publicly for ~2 hours due to lack of containment controls. | • ASI10 (Rogue Agents)<br> • ASI08 (Cascading Failures) | • —<br> • —<br> • — |
|**Mar 2026**| **Cursor Prompt Injection Whitelist Bypass RCE** | Malicious website triggered indirect prompt injection, bypassing auto-run whitelist for zero-consent command execution. | • ASI01 (Agent Goal Hijack)<br> • ASI02 (Tool Misuse & Exploitation)<br> • ASI05 (Unexpected Code Execution (RCE)) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-hf2x-r83r-qw5q)<br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-31854)<br> • [Y4tacker](https://github.com/Y4tacker) |
|**Mar 2026**| **Excel XSS Weaponizes Copilot Agent Exfil** | Excel XSS triggered Copilot Agent mode into exfiltrating user data via unintended network egress. Zero-click exploitation. | • ASI01 (Agent Goal Hijack)<br> • ASI02 (Tool Misuse & Exploitation) | • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26144)<br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-26144)<br> • — |
|**Mar 2026**| **WeKnora MCP Tool Name Collision Hijack** | Malicious MCP server registered tool names that silently overwrote legitimate ones. Combined with prompt injection in tool output, enabled context exfiltration and tool hijack. | • ASI02 (Tool Misuse & Exploitation)<br> • ASI04 (Agentic Supply Chain Vulnerabilities)<br> • ASI07 (Insecure Inter-Agent Communication) | • [Tencent](https://github.com/Tencent/WeKnora/security/advisories/GHSA-67q9-58vj-32qx)<br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-30856)<br> • [aleister1102](https://github.com/aleister1102) |
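Review bot: Seven of the nine new rows (LiteLLM through Meta Rogue Agent) leave the "Links to further analysis (Vendor / CVE / Discoverer)" column as `• —<br> • —<br> • —` while asserting very specific figures: "36% of cloud AI deployments", "40K downloads in 40 minutes", "~4TB data exfiltration", "494 fabricated SOC2 reports", "~52 minutes", "~2 hours". Given the context line above says publication should be discussed with the CTI initiative, each row needs at least one vendor, CVE or discoverer reference before merge, or the unsourced figures should be marked as reported rather than confirmed. The Axios row is also inconsistent with the others: "Sapphire Sleet" sits in the links column as plain text rather than a link; either link it the way the Cursor, Excel and WeKnora rows do or move the attribution into the Impact Summary.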
33 changes: 33 additions & 0 deletions code_samples/agentic_top_ten/frameworks/python/asi04/.gitignore
@@ -0,0 +1,33 @@
# Environment
.env
.env.local

# Python
__pycache__/
*.py[cod]
*$py.class
*.so
.Python

# Collected exfiltrated data
attacker-server/collected/*.json
!attacker-server/collected/.gitkeep

# Docker
.docker/

# IDE
.vscode/
.idea/
*.swp
*.swo
*~

# Temporary files
tmpclaude-*
*.tmp
*.log

# OS
.DS_Store
Thumbs.db
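Review bot: The `# Collected exfiltrated data` block only ignores `attacker-server/collected/*.json`; anything else the attacker server writes into that directory (request logs, raw bodies, non-JSON dumps) is not ignored and would be swept up by `git add .`, which matters because this directory holds whatever the poisoned MCP exfiltrates during the lab. Suggest ignoring the whole directory and keeping only the placeholder: `attacker-server/collected/*` followed by `!attacker-server/collected/.gitkeep`. Separately, `tmpclaude-*` under `# Temporary files` looks like a developer-local artifact that belongs in a global gitignore rather than in the lab's own file.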
54 changes: 54 additions & 0 deletions code_samples/agentic_top_ten/frameworks/python/asi04/README.md
@@ -0,0 +1,54 @@
# ASI-04: Supply Chain Compromise Lab

Hands-on lab demonstrating MCP registry poisoning and provenance-based mitigation.

## Quick Start

```bash
docker-compose -f docker-compose-asi04.yml up --build
```

Open browser: **http://localhost:5050**

## Lab Flow

### Phase 1: Demonstrate Attack
1. Click **🔄 Switch Registry**
2. See **COMPROMISED** warning + flag
3. Flag: `ASI04_FLAG{mcp_supply_chain_compromised}`

### Phase 2: Enable Mitigation
1. Click **🔄 Switch Registry** (revert to legit)
2. Click **🛡️ Toggle Provenance Checking**
3. Status → **ENABLED ✓**

### Phase 3: Test Mitigation
1. Click **🔄 Switch Registry** (try to load evil MCP)
2. **Agent REFUSES** - evil MCP blocked!
3. Check "Load Status Details" for block reason
4. ✓ Attack prevented

## What You'll Learn

- Supply chain attacks need no runtime exploits
- Registry poisoning is trivial without verification
- Provenance checking blocks untrusted code

## API Testing

```bash
# Check status
curl http://localhost:5050/status | jq .

# Enable mitigation
curl -X POST http://localhost:5050/toggle_mitigation | jq .

# Try switching (blocked if mitigation on)
curl -X POST http://localhost:5050/switch_registry | jq .
```

## Cleanup

```bash
docker-compose -f docker-compose-asi04.yml down
```
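Review bot: The README never says what the poisoned registry actually does once it is loaded or where its output goes; the sibling `.gitignore` in this PR (`attacker-server/collected/*.json`) shows that the evil MCP sends data to an attacker server inside the lab, so Phase 1 should state what is exfiltrated and to which container, and the Quick Start should say the lab is meant for an isolated host, since the Dockerfile's `EXPOSE 5050` and the attacker server are reachable from anything that can reach the Docker host. Two smaller points: the flag value in Phase 1 step 3 is printed in the README, so a learner gets it without performing the attack (consider describing only where it appears); and `docker-compose -f ...` is the v1 syntax while current Docker ships `docker compose`, so either mention both or switch to the v2 form.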
@@ -0,0 +1,15 @@
FROM python:3.11-slim

WORKDIR /app

# Install dependencies
RUN pip install --no-cache-dir aiohttp

# Copy agent files
COPY agent.py /app/
COPY mcp_registry.json /app/
COPY mcp_registry_poisoned.json /app/

EXPOSE 5050

CMD ["python", "agent.py"]
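Review bot: For a lab whose subject is supply-chain compromise, the Dockerfile should model the mitigation it teaches: `RUN pip install --no-cache-dir aiohttp` installs whatever aiohttp release is current at build time with no version pin or hash check, and `FROM python:3.11-slim` floats on a tag rather than a digest, so two builds of the lab can ship different code. Suggest a `requirements.txt` with a pinned version and hashes, installed with `pip install --no-cache-dir --require-hashes -r requirements.txt`, and pinning the base image as `python:3.11-slim@sha256:<digest>`. The container also runs `agent.py` as root; since the agent deliberately loads an untrusted registry, add a non-root user (`RUN useradd -m agent` then `USER agent`) before `CMD` so code pulled in by the poisoned MCP runs with the least privilege the lab allows.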