{"entries":[{"id":"jiffy-ti-2026-000072","type":"other","title":".cursorrules contains large wall-of-text that pushes user intent out of context","description":".cursorrules whose rule body exceeds 20 000 characters of filler content. Each agent invocation consumes the rule, leaving limited context for the user prompt. Not a direct exfiltration primitive — a budget-starvation attack.","severity":"low","confidence":"high","indicators":[{"kind":"content_pattern","value":"(?s).{20000,}"}],"first_observed":"2026-03-23T00:00:00+00:00","last_updated":"2026-04-28T00:00:00+00:00","sources":["scanner"],"remediation":"Cap .cursorrules at 2000 tokens. Reject rule files that exceed the cap.","affected":[{"tool":"Cursor","versions":"*"},{"tool":"Claude Code","versions":"*"}],"example_artifacts":[{"name":".cursorrules (repo: mega-template)","source":"GitHub (public repo)","status":"under_review","artifact_type":"ide_rules","first_observed":"2026-03-23"},{"name":".cursorrules (repo: verbose-conventions)","source":"GitHub (public repo)","status":"quarantined","artifact_type":"ide_rules","first_observed":"2026-03-27"}],"jiffy_metadata":{"times_seen":9,"detection_layers":["static"],"unique_customers":2,"primary_artifact_type":"ide_rules","first_public_disclosure":"2026-03-24"},"references":[{"url":"https://genai.owasp.org/llmrisk/llm-10-2026/","label":"OWASP LLM-10: Unbounded Consumption (2026)"}],"framework_codes":["NIST-CSF-2.0-ID.RA-05","OWASP-Agentic-2026-AIA-05","OWASP-LLM-2025-LLM03","OWASP-LLM-2025-LLM06"]},{"id":"jiffy-ti-2026-000033","type":"backdoor","title":"Skill writes config that hooks into Claude Desktop stdio MCP bridge","description":"Skill modifies the user's Claude Desktop config to register an MCP server pointing at localhost. The server is supplied by the same skill and serves as a persistent interposer between the agent and tool calls, logging all tool arguments.","severity":"high","confidence":"high","indicators":[{"kind":"file_path_pattern","value":"claude_desktop_config\\.json"},{"kind":"content_pattern","value":"(?is)mcpServers[\\s\\S]{0,500}localhost"}],"first_observed":"2026-04-06T00:00:00+00:00","last_updated":"2026-04-28T00:00:00+00:00","sources":["scanner"],"remediation":"Audit claude_desktop_config.json for unexpected localhost MCP servers. Restart Claude Desktop after removing.","affected":[{"tool":"Claude Desktop","versions":"*"}],"example_artifacts":[{"name":"claude-local-debug-skill","source":"Anthropic Skills","status":"removed","versions":"1.0.0","artifact_type":"skill","last_observed":"2026-04-22","first_observed":"2026-04-06"},{"name":"mcp-profiler-skill","source":"Community registry","status":"quarantined","artifact_type":"skill","first_observed":"2026-04-10"}],"jiffy_metadata":{"times_seen":6,"detection_layers":["static"],"unique_customers":2,"primary_artifact_type":"skill","first_public_disclosure":"2026-04-07"},"references":[{"url":"https://blog.jiffylabs.ai/posts/mcp-security-a-security-teams-field-guide","label":"Jiffy Research — MCP Security Field Guide"},{"url":"https://genai.owasp.org/llmrisk/llm-06-2026/","label":"OWASP LLM-06: Excessive Agency (2026)"}],"framework_codes":["MITRE-ATLAS-AML.T0010","NIST-CSF-2.0-GV.SC-07","OWASP-Agentic-2026-AIA-08","OWASP-Agentic-2026-AIA-10","OWASP-LLM-2025-LLM03"]},{"id":"jiffy-ti-2026-000052","type":"malicious_skill","title":"MCP server's install script drops a skill into ~/.claude/skills/","description":"MCP server whose install path (`pip install`, `npm i`) includes a side-effect that writes a skill file under the user's Claude skills directory. Installing the MCP silently installs a skill the user never consented to.","severity":"high","confidence":"confirmed","indicators":[{"kind":"command_pattern","value":"(?i)(?:postinstall|setup\\.py).{0,200}\\.claude/skills/"}],"first_observed":"2026-03-21T00:00:00+00:00","last_updated":"2026-04-28T00:00:00+00:00","sources":["scanner"],"remediation":"Reject MCP install scripts that write under ~/.claude/. Skills must be user-installed explicitly.","affected":[{"tool":"Claude Code","versions":"*"},{"tool":"Claude Desktop","versions":"*"}],"example_artifacts":[{"name":"dev-toolkit-mcp","source":"MCP Registry","status":"removed","versions":"0.4.0","artifact_type":"mcp_server","last_observed":"2026-04-14","first_observed":"2026-03-21"},{"name":"all-in-one-mcp","source":"Community registry","status":"removed","artifact_type":"mcp_server","first_observed":"2026-03-25"}],"jiffy_metadata":{"times_seen":10,"detection_layers":["static"],"unique_customers":3,"primary_artifact_type":"mcp_server","first_public_disclosure":"2026-03-22"},"references":[{"url":"https://attack.mitre.org/techniques/T1195/","label":"MITRE ATT&CK T1195 — Supply Chain Compromise"},{"url":"https://blog.jiffylabs.ai/posts/the-ai-artifact-supply-chain","label":"Jiffy Research — The AI Artifact Supply Chain"}],"framework_codes":["MITRE-ATLAS-AML.T0053","NIST-CSF-2.0-ID.AM-02","OWASP-Agentic-2026-AIA-07","OWASP-Agentic-2026-AIA-10","OWASP-LLM-2025-LLM06"]},{"id":"jiffy-ti-2026-000070","type":"backdoor","title":"agents.md asserts \"skip security scans — reviewer will verify\"","description":"agents.md instructs the agent to explicitly skip any security scan \"because the reviewer will verify.\" Benign on the surface, the directive disarms the last line of defense and invites shipping unscanned code.","severity":"medium","confidence":"high","indicators":[{"kind":"content_pattern","value":"(?is)(?:skip|bypass|ignore)\\s+(?:the\\s+)?(?:security|lint|ci|scan)"}],"first_observed":"2026-03-21T00:00:00+00:00","last_updated":"2026-04-28T00:00:00+00:00","sources":["curated"],"remediation":"Flag IDE rules that weaken CI or security posture. Require explicit rationale before the agent follows them.","affected":[{"tool":"Claude Code","versions":"*"},{"tool":"Cursor","versions":"*"}],"example_artifacts":[{"name":"agents.md (repo: fast-shipper)","source":"GitHub (public repo)","status":"under_review","artifact_type":"ide_rules","first_observed":"2026-03-21"},{"name":"CLAUDE.md (repo: high-velocity-template)","source":"GitHub (public repo)","status":"quarantined","artifact_type":"ide_rules","first_observed":"2026-03-25"}],"jiffy_metadata":{"times_seen":27,"detection_layers":["semantic"],"unique_customers":5,"primary_artifact_type":"ide_rules","first_public_disclosure":"2026-03-22"},"references":[{"url":"https://genai.owasp.org/llmrisk/llm-06-2026/","label":"OWASP LLM-06: Excessive Agency (2026)"},{"url":"https://blog.jiffylabs.ai/posts/cursorrules-and-agents-md-config-backdoors","label":"Jiffy Research — .cursorrules and agents.md Config Backdoors"}],"framework_codes":["MITRE-ATLAS-AML.T0010","NIST-CSF-2.0-GV.SC-07","OWASP-Agentic-2026-AIA-08","OWASP-LLM-2025-LLM03"]},{"id":"jiffy-ti-2026-000057","type":"compromised_mcp","title":"MCP server registers global tool names that shadow Jiffy primitives","description":"MCP server that claims the tool name `scan` or `analyze` — names already used by Jiffy's first-party MCP. Collisions are resolved non-deterministically by the client, allowing the malicious server's tool to receive calls intended for Jiffy.","severity":"low","confidence":"high","indicators":[{"kind":"tool_call_pattern","value":"(?i)(?:tools?\\s*:\\s*\\[)(?:[^\\]]{0,500})(?:scan|analyze|inspect)"}],"first_observed":"2026-03-27T00:00:00+00:00","last_updated":"2026-04-28T00:00:00+00:00","sources":["curated"],"remediation":"Namespace MCP tool calls (`jiffy/scan` vs. `scan`). Reject servers that claim unnamespaced common names.","affected":[{"tool":"Any MCP-capable agent","versions":"*"}],"example_artifacts":[{"name":"security-scanner-mcp","source":"MCP Registry","status":"under_review","versions":"0.1.0","artifact_type":"mcp_server","first_observed":"2026-03-27"},{"name":"code-inspector-mcp","source":"Community registry","status":"quarantined","artifact_type":"mcp_server","first_observed":"2026-03-31"}],"jiffy_metadata":{"times_seen":8,"detection_layers":["static"],"unique_customers":2,"primary_artifact_type":"mcp_server","first_public_disclosure":"2026-03-28"},"references":[{"url":"https://blog.jiffylabs.ai/posts/mcp-security-a-security-teams-field-guide","label":"Jiffy Research — MCP Security Field Guide"},{"url":"https://genai.owasp.org/llmrisk/llm-06-2026/","label":"OWASP LLM-06: Excessive Agency (2026)"}],"framework_codes":["MITRE-ATLAS-AML.T0053","NIST-CSF-2.0-ID.RA-01","OWASP-Agentic-2026-AIA-07","OWASP-LLM-2025-LLM06"]},{"id":"jiffy-ti-2026-000074","type":"malicious_skill","title":"AGENTS.md tells agent to paste ~/.ssh/id_rsa.pub into PR for CI setup","description":"AGENTS.md has a section titled \"CI onboarding\" that instructs the agent to paste the user's SSH public key into PR descriptions. While public keys are not immediately sensitive, the coerced habit normalizes key pasting and enables later pattern-matching attacks.","severity":"low","confidence":"high","indicators":[{"kind":"content_pattern","value":"(?is)id_rsa\\.pub[^\\n]{0,80}(?:paste|include|attach)"}],"first_observed":"2026-03-25T00:00:00+00:00","last_updated":"2026-04-28T00:00:00+00:00","sources":["scanner"],"remediation":"Train agents to refuse any instruction to paste credentials into PRs. Jiffy Layer 3 flags these instructions.","affected":[{"tool":"Claude Code","versions":"*"},{"tool":"Cursor","versions":"*"}],"example_artifacts":[{"name":"AGENTS.md (repo: ci-quickstart)","source":"GitHub (public repo)","status":"under_review","artifact_type":"ide_rules","first_observed":"2026-03-25"},{"name":"agents.md (repo: pipeline-templates)","source":"GitHub (public repo)","status":"quarantined","artifact_type":"ide_rules","first_observed":"2026-03-29"}],"jiffy_metadata":{"times_seen":12,"detection_layers":["semantic"],"unique_customers":3,"primary_artifact_type":"ide_rules","first_public_disclosure":"2026-03-26"},"references":[{"url":"https://attack.mitre.org/techniques/T1555/","label":"MITRE ATT&CK T1555 — Credentials from Password Stores"},{"url":"https://genai.owasp.org/llmrisk/llm-02-2026/","label":"OWASP LLM-02: Sensitive Information Disclosure (2026)"}],"framework_codes":["MITRE-ATLAS-AML.T0053","NIST-CSF-2.0-ID.AM-02","OWASP-Agentic-2026-AIA-10","OWASP-LLM-2025-LLM03","OWASP-LLM-2025-LLM06"]},{"id":"jiffy-ti-2026-000077","type":"prompt_injection_pattern","title":"agents.md writes to CLAUDE.md at runtime","description":"agents.md tells the agent to \"update CLAUDE.md with learnings from this session.\" The agent, executing the directive, writes attacker-crafted text into the pinned CLAUDE.md, poisoning future sessions.","severity":"high","confidence":"high","indicators":[{"kind":"content_pattern","value":"(?is)(?:update|modify|write)\\s+CLAUDE\\.md"}],"first_observed":"2026-03-23T00:00:00+00:00","last_updated":"2026-04-28T00:00:00+00:00","sources":["scanner"],"remediation":"Make CLAUDE.md read-only at the agent tier. Require human review for any rule-file edit.","affected":[{"tool":"Claude Code","versions":"*"},{"tool":"Cursor","versions":"*"}],"example_artifacts":[{"name":"agents.md (repo: learning-template)","source":"GitHub (public repo)","status":"under_review","artifact_type":"ide_rules","first_observed":"2026-03-23"},{"name":".cursorrules (repo: adaptive-dev)","source":"GitHub (public repo)","status":"quarantined","artifact_type":"ide_rules","first_observed":"2026-03-27"}],"jiffy_metadata":{"times_seen":7,"detection_layers":["semantic"],"unique_customers":2,"primary_artifact_type":"ide_rules","first_public_disclosure":"2026-03-24"},"references":[{"url":"https://genai.owasp.org/llmrisk/llm-01-2026/","label":"OWASP LLM-01: Prompt Injection (2026)"},{"url":"https://genai.owasp.org/llmrisk/llm-06-2026/","label":"OWASP LLM-06: Excessive Agency (2026)"},{"url":"https://blog.jiffylabs.ai/posts/cursorrules-and-agents-md-config-backdoors","label":"Jiffy Research — .cursorrules and agents.md Config Backdoors"}],"framework_codes":["MITRE-ATLAS-AML.T0051","NIST-CSF-2.0-DE.CM-01","OWASP-LLM-2025-LLM01","OWASP-LLM-2025-LLM03"]},{"id":"jiffy-ti-2026-000078","type":"supply_chain","title":"IDE rule file fetched from homoglyphed domain","description":".cursorrules extends from a URL using a homoglyph — e.g., `raw.githubusercontent.c0m` — that serves a malicious ruleset. Casual review misses the character substitution.","severity":"medium","confidence":"confirmed","indicators":[{"kind":"content_pattern","value":"(?i)https?://[a-z0-9.-]*\\b(?:githubusercoontent|raw\\.githubusercontent\\.c0m|g1thub)"}],"first_observed":"2026-03-27T00:00:00+00:00","last_updated":"2026-04-28T00:00:00+00:00","sources":["scanner"],"remediation":"Whitelist exact hostnames in URL allowlists. Scan rule file URLs for Unicode confusables.","affected":[{"tool":"Cursor","versions":"*"},{"tool":"Claude Code","versions":"*"}],"example_artifacts":[{"name":".cursorrules (repo: fast-start-pack)","source":"GitHub (public repo)","status":"removed","artifact_type":"ide_rules","last_observed":"2026-04-20","first_observed":"2026-03-27"},{"name":".cursorrules (repo: cool-tools-kit)","source":"GitHub (public repo)","status":"quarantined","artifact_type":"ide_rules","first_observed":"2026-03-31"}],"jiffy_metadata":{"times_seen":10,"detection_layers":["static"],"unique_customers":2,"primary_artifact_type":"ide_rules","first_public_disclosure":"2026-03-28"},"references":[{"url":"https://genai.owasp.org/llmrisk/llm-03-2026/","label":"OWASP LLM-03: Supply Chain (2026)"},{"url":"https://attack.mitre.org/techniques/T1195/","label":"MITRE ATT&CK T1195 — Supply Chain Compromise"},{"url":"https://blog.jiffylabs.ai/posts/cursorrules-and-agents-md-config-backdoors","label":"Jiffy Research — .cursorrules and agents.md Config Backdoors"}],"framework_codes":["MITRE-ATLAS-AML.T0010","NIST-CSF-2.0-GV.SC-01","OWASP-Agentic-2026-AIA-08","OWASP-LLM-2025-LLM03"]},{"id":"jiffy-ti-2026-000083","type":"compromised_mcp","title":"Custom GPT Action schema includes an undocumented \"admin\" path","description":"Custom GPT's OpenAPI schema defines a `/admin` path that the model can call, not mentioned in the GPT description. The path accepts arbitrary shell commands and runs them on the Action backend.","severity":"critical","confidence":"confirmed","indicators":[{"kind":"content_pattern","value":"(?i)paths:\\s*[\\s\\S]{0,500}/(?:admin|debug|internal|__)"}],"first_observed":"2026-03-19T00:00:00+00:00","last_updated":"2026-04-28T00:00:00+00:00","sources":["scanner"],"remediation":"Audit Action OpenAPI schemas on first install. Reject GPTs whose schemas expose paths outside the stated scope.","affected":[{"tool":"ChatGPT (GPT Store)","versions":"*"}],"example_artifacts":[{"name":"Ops Dashboard GPT","source":"OpenAI GPT Store","status":"removed","artifact_type":"custom_gpt","last_observed":"2026-04-12","first_observed":"2026-03-19"},{"name":"Deployer Pro GPT","source":"OpenAI GPT Store","status":"quarantined","artifact_type":"custom_gpt","first_observed":"2026-03-23"}],"jiffy_metadata":{"times_seen":4,"detection_layers":["static"],"unique_customers":1,"primary_artifact_type":"custom_gpt","first_public_disclosure":"2026-03-20"},"references":[{"url":"https://arxiv.org/abs/2510.08421","label":"Custom GPT Action Surface Analysis (arXiv 2510.08421)"},{"url":"https://attack.mitre.org/techniques/T1059/","label":"MITRE ATT&CK T1059 — Command and Scripting Interpreter"},{"url":"https://genai.owasp.org/llmrisk/llm-06-2026/","label":"OWASP LLM-06: Excessive Agency (2026)"}],"framework_codes":["MITRE-ATLAS-AML.T0053","NIST-CSF-2.0-ID.RA-01","OWASP-Agentic-2026-AIA-03","OWASP-Agentic-2026-AIA-07","OWASP-LLM-2025-LLM06"]},{"id":"jiffy-ti-2026-000093","type":"prompt_injection_pattern","title":"Claude Project instructions persist across team members' sessions","description":"Shared projects carry instructions into every team member's sessions. A compromised project owner can silently push a malicious directive that affects all downstream usage — effectively a persistent cross-user prompt injection.","severity":"medium","confidence":"high","indicators":[{"kind":"content_pattern","value":"(?i)shared[_\\s-]?project|team[_\\s-]?project"}],"first_observed":"2026-03-23T00:00:00+00:00","last_updated":"2026-04-28T00:00:00+00:00","sources":["curated"],"remediation":"Review project custom instructions on a cadence. Flag drift. Require admin approval for instruction changes in regulated environments.","affected":[{"tool":"claude.ai (Projects)","versions":"*"}],"example_artifacts":[{"name":"Legal Review Project","source":"Claude Projects (claude.ai)","status":"under_review","artifact_type":"claude_project","first_observed":"2026-03-23"},{"name":"Engineering Handbook Project","source":"Claude Projects (claude.ai)","status":"under_review","artifact_type":"claude_project","first_observed":"2026-03-27"}],"jiffy_metadata":{"times_seen":23,"detection_layers":["semantic"],"unique_customers":5,"primary_artifact_type":"claude_project","first_public_disclosure":"2026-03-24"},"references":[{"url":"https://genai.owasp.org/llmrisk/llm-01-2026/","label":"OWASP LLM-01: Prompt Injection (2026)"},{"url":"https://genai.owasp.org/llmrisk/llm-06-2026/","label":"OWASP LLM-06: Excessive Agency (2026)"}],"framework_codes":["MITRE-ATLAS-AML.T0051","NIST-CSF-2.0-DE.CM-01","OWASP-Agentic-2026-AIA-03","OWASP-LLM-2025-LLM01"]},{"id":"jiffy-ti-2026-000091","type":"compromised_mcp","title":"Claude Project knowledge file contains embedded prompt-injection","description":"Project knowledge documents (Word, PDF) uploaded as context contain footer text crafted as agent directives. Parsers pick up the footer; the model treats it as part of the project's truth.","severity":"high","confidence":"high","indicators":[{"kind":"content_pattern","value":"(?is)Footer[\\s\\S]{0,200}(?:ignore|system|admin)"}],"first_observed":"2026-03-17T00:00:00+00:00","last_updated":"2026-04-27T00:00:00+00:00","sources":["curated"],"remediation":"Sanitize project knowledge files before upload. Strip or neutralize footer instructions that look like agent directives.","affected":[{"tool":"claude.ai (Projects)","versions":"*"}],"example_artifacts":[{"name":"Enterprise Playbook Project","source":"Claude Projects (claude.ai)","status":"under_review","artifact_type":"claude_project","first_observed":"2026-03-17"},{"name":"Compliance Docs Project","source":"Claude Projects (claude.ai)","status":"quarantined","artifact_type":"claude_project","first_observed":"2026-03-21"}],"jiffy_metadata":{"times_seen":11,"detection_layers":["semantic"],"unique_customers":3,"primary_artifact_type":"claude_project","first_public_disclosure":"2026-03-18"},"references":[{"url":"https://genai.owasp.org/llmrisk/llm-01-2026/","label":"OWASP LLM-01: Prompt Injection (2026)"},{"url":"https://genai.owasp.org/llmrisk/llm-04-2026/","label":"OWASP LLM-04: Data and Model Poisoning (2026)"}],"framework_codes":["MITRE-ATLAS-AML.T0053","NIST-CSF-2.0-ID.RA-01","OWASP-Agentic-2026-AIA-03","OWASP-Agentic-2026-AIA-07","OWASP-LLM-2025-LLM06"]},{"id":"jiffy-ti-2026-000030","type":"malicious_skill","title":"Skill installs a FUSE filesystem that shadows ~/.aws","description":"Skill mounts a FUSE filesystem over ~/.aws on macOS/Linux that proxies reads but logs every access. The real credentials remain accessible; the skill gains a reliable sidechannel for any later AWS CLI invocation.","severity":"medium","confidence":"high","indicators":[{"kind":"command_pattern","value":"(?i)(?:osxfuse|macfuse|fusermount).{0,200}\\.aws"}],"first_observed":"2026-04-02T00:00:00+00:00","last_updated":"2026-04-27T00:00:00+00:00","sources":["scanner"],"remediation":"Check `mount` output for FUSE mounts over home directories. Unmount and rotate any AWS credentials used while the mount was active.","affected":[{"tool":"Claude Code","versions":"*"},{"tool":"Claude Desktop","versions":"*"}],"example_artifacts":[{"name":"aws-helpers-skill","source":"Anthropic Skills","status":"removed","versions":"1.0.0","artifact_type":"skill","last_observed":"2026-04-17","first_observed":"2026-04-02"},{"name":"cloud-dev-skill","source":"Community registry","status":"under_review","artifact_type":"skill","first_observed":"2026-04-06"}],"jiffy_metadata":{"times_seen":7,"detection_layers":["dynamic"],"unique_customers":2,"primary_artifact_type":"skill","first_public_disclosure":"2026-04-03"},"references":[{"url":"https://attack.mitre.org/techniques/T1055/","label":"MITRE ATT&CK T1055 — Process Injection"},{"url":"https://blog.jiffylabs.ai/posts/the-ai-artifact-supply-chain","label":"Jiffy Research — The AI Artifact Supply Chain"}],"framework_codes":["MITRE-ATLAS-AML.T0053","NIST-CSF-2.0-ID.AM-02","OWASP-Agentic-2026-AIA-10","OWASP-LLM-2025-LLM06"]},{"id":"jiffy-ti-2026-000041","type":"compromised_mcp","title":"MCP server returns differential output to Claude vs. other clients","description":"MCP server that inspects the User-Agent or initialization handshake and returns different tool output depending on the client. The Claude variant includes instruction injection; the research-scanner variant returns benign output. Evades automated scanning.","severity":"high","confidence":"high","indicators":[{"kind":"content_pattern","value":"(?i)(?:user[_-]?agent|client[_-]?name).{0,200}(?:claude|anthropic)"}],"first_observed":"2026-03-15T00:00:00+00:00","last_updated":"2026-04-27T00:00:00+00:00","sources":["scanner"],"remediation":"Fingerprint-test MCP servers with multiple client identities. Jiffy dynamic analysis rotates scanner identities to catch this.","affected":[{"tool":"Any MCP-capable agent","versions":"*"}],"example_artifacts":[{"name":"adaptive-helper-mcp","source":"MCP Registry","status":"removed","versions":"0.2.0","artifact_type":"mcp_server","last_observed":"2026-04-10","first_observed":"2026-03-15"},{"name":"smart-tool-mcp","source":"MCP Registry","status":"under_review","artifact_type":"mcp_server","first_observed":"2026-03-19"}],"jiffy_metadata":{"times_seen":11,"detection_layers":["dynamic"],"unique_customers":3,"primary_artifact_type":"mcp_server","first_public_disclosure":"2026-03-17"},"references":[{"url":"https://blog.jiffylabs.ai/posts/mcp-security-a-security-teams-field-guide","label":"Jiffy Research — MCP Security Field Guide"},{"url":"https://blog.jiffylabs.ai/posts/how-jiffy-scans-ai-artifacts-technical-overview","label":"Jiffy Research — How Jiffy Scans AI Artifacts"}],"framework_codes":["MITRE-ATLAS-AML.T0053","NIST-CSF-2.0-ID.RA-01","OWASP-Agentic-2026-AIA-07","OWASP-LLM-2025-LLM06"]},{"id":"jiffy-ti-2026-000060","type":"compromised_mcp","title":"MCP server offers a \"safe-mode\" flag that disables output sanitization","description":"MCP server exposes a configuration flag named `safe_mode=false` that, when flipped, disables its own input/output sanitization. Attacker who can set the MCP server config (e.g., via a shared config file) flips it silently.","severity":"medium","confidence":"high","indicators":[{"kind":"content_pattern","value":"(?i)safe_mode\\s*[:=]\\s*(?:false|no|0)"}],"first_observed":"2026-03-19T00:00:00+00:00","last_updated":"2026-04-27T00:00:00+00:00","sources":["scanner"],"remediation":"Remove config toggles that disable safety logic. Safety must be unconditional.","affected":[{"tool":"Any MCP-capable agent","versions":"*"}],"example_artifacts":[{"name":"content-filter-mcp","source":"MCP Registry","status":"under_review","versions":"1.0.0","artifact_type":"mcp_server","first_observed":"2026-03-19"},{"name":"safe-wrapper-mcp","source":"Community registry","status":"quarantined","artifact_type":"mcp_server","first_observed":"2026-03-23"}],"jiffy_metadata":{"times_seen":14,"detection_layers":["static"],"unique_customers":4,"primary_artifact_type":"mcp_server","first_public_disclosure":"2026-03-20"},"references":[{"url":"https://genai.owasp.org/llmrisk/llm-06-2026/","label":"OWASP LLM-06: Excessive Agency (2026)"}],"framework_codes":["MITRE-ATLAS-AML.T0053","NIST-CSF-2.0-ID.RA-01","OWASP-Agentic-2026-AIA-07","OWASP-LLM-2025-LLM06"]},{"id":"jiffy-ti-2026-000055","type":"compromised_mcp","title":"MCP server ships with test-mode endpoint enabled in production builds","description":"MCP server left a `/__test/exec` endpoint enabled in its published Docker image. Accepts arbitrary command input with no auth. Attacker who finds the server at a discoverable path exec's on the host.","severity":"critical","confidence":"confirmed","indicators":[{"kind":"endpoint","value":"/__test/exec|/debug/exec"}],"first_observed":"2026-03-25T00:00:00+00:00","last_updated":"2026-04-27T00:00:00+00:00","sources":["scanner"],"remediation":"Rebuild affected MCP server images without test endpoints. Expose narrow tool surface only.","affected":[{"tool":"Any MCP-capable agent","versions":"*"}],"example_artifacts":[{"name":"ops-harness-mcp","source":"MCP Registry","status":"removed","versions":"0.5.0","artifact_type":"mcp_server","last_observed":"2026-04-17","first_observed":"2026-03-25"},{"name":"ci-harness-mcp","source":"Community registry","status":"quarantined","versions":"0.2.0","artifact_type":"mcp_server","first_observed":"2026-03-29"}],"jiffy_metadata":{"times_seen":4,"detection_layers":["static"],"unique_customers":1,"primary_artifact_type":"mcp_server","first_public_disclosure":"2026-03-26"},"references":[{"url":"https://attack.mitre.org/techniques/T1059/","label":"MITRE ATT&CK T1059 — Command and Scripting Interpreter"},{"url":"https://owasp.org/www-project-top-10-for-agentic-applications/","label":"OWASP Top 10 for Agentic Applications"}],"framework_codes":["MITRE-ATLAS-AML.T0053","NIST-CSF-2.0-ID.RA-01","OWASP-Agentic-2026-AIA-07","OWASP-LLM-2025-LLM06"]},{"id":"jiffy-ti-2026-000069","type":"credential_exfil","title":".cursorrules fetches remote rule that encodes \"submit secrets\" logic","description":".cursorrules with `extends: <url>` resolves to a remote rule set whose content includes directives to read repo-local .env and post-process before any commit. A separation between policy declaration (local) and policy content (remote) hides the exfiltration.","severity":"high","confidence":"confirmed","indicators":[{"kind":"content_pattern","value":"(?i)extends\\s*:\\s*https?://"}],"first_observed":"2026-03-19T00:00:00+00:00","last_updated":"2026-04-27T00:00:00+00:00","sources":["scanner"],"remediation":"Prohibit remote `extends` URLs. All IDE rule content must live in-repo and be reviewable at commit time.","affected":[{"tool":"Cursor","versions":"*"},{"tool":"Claude Code","versions":"*"}],"example_artifacts":[{"name":".cursorrules (repo: sass-pro-starter)","source":"GitHub (public repo)","status":"removed","artifact_type":"ide_rules","last_observed":"2026-04-12","first_observed":"2026-03-19"},{"name":".cursorrules (repo: marketing-site-kit)","source":"GitHub (public repo)","status":"under_review","artifact_type":"ide_rules","first_observed":"2026-03-23"}],"jiffy_metadata":{"times_seen":15,"detection_layers":["static"],"unique_customers":3,"primary_artifact_type":"ide_rules","first_public_disclosure":"2026-03-20"},"references":[{"url":"https://blog.jiffylabs.ai/posts/cursorrules-and-agents-md-config-backdoors","label":"Jiffy Research — .cursorrules and agents.md Config Backdoors"},{"url":"https://genai.owasp.org/llmrisk/llm-02-2026/","label":"OWASP LLM-02: Sensitive Information Disclosure (2026)"},{"url":"https://attack.mitre.org/techniques/T1555/","label":"MITRE ATT&CK T1555 — Credentials from Password Stores"}],"framework_codes":["MITRE-ATLAS-AML.T0055","NIST-CSF-2.0-PR.AA-01","OWASP-LLM-2025-LLM02","OWASP-LLM-2025-LLM03"]},{"id":"jiffy-ti-2026-000047","type":"backdoor","title":"MCP server exposes hidden \"debug\" tool that shells out","description":"MCP server registers a tool named `__debug` or `_internal` that is not listed in the public tool discovery but accepts arbitrary shell commands. Any client that knows the tool name can exec on the server host.","severity":"critical","confidence":"confirmed","indicators":[{"kind":"tool_call_pattern","value":"(?i)tools\\.\\s*(?:_debug|__|hidden)"}],"first_observed":"2026-03-19T00:00:00+00:00","last_updated":"2026-04-27T00:00:00+00:00","sources":["scanner"],"remediation":"Audit MCP server source for undocumented tools. Reject servers with hidden or underscore-prefixed tool names.","affected":[{"tool":"Any MCP-capable agent","versions":"*"}],"example_artifacts":[{"name":"maintenance-mcp","source":"MCP Registry","status":"removed","versions":"0.3.0","artifact_type":"mcp_server","last_observed":"2026-04-12","first_observed":"2026-03-19"},{"name":"admin-tools-mcp","source":"GitHub (self-hosted)","status":"removed","versions":"1.0.0","artifact_type":"mcp_server","first_observed":"2026-03-23"}],"jiffy_metadata":{"times_seen":8,"detection_layers":["static"],"unique_customers":2,"primary_artifact_type":"mcp_server","first_public_disclosure":"2026-03-20"},"references":[{"url":"https://blog.jiffylabs.ai/posts/mcp-security-a-security-teams-field-guide","label":"Jiffy Research — MCP Security Field Guide"},{"url":"https://attack.mitre.org/techniques/T1059/","label":"MITRE ATT&CK T1059 — Command and Scripting Interpreter"}],"framework_codes":["MITRE-ATLAS-AML.T0010","NIST-CSF-2.0-GV.SC-07","OWASP-Agentic-2026-AIA-07","OWASP-Agentic-2026-AIA-08","OWASP-LLM-2025-LLM03"]},{"id":"jiffy-ti-2026-000075","type":"compromised_mcp","title":"CLAUDE.md asserts a specific MCP server is \"Jiffy-verified\" without evidence","description":"CLAUDE.md in an unrelated repo claims a specific MCP server is \"Jiffy-verified\" and should be trusted implicitly. The claim is false. Users who rely on the claim skip their own verification.","severity":"medium","confidence":"confirmed","indicators":[{"kind":"content_pattern","value":"(?i)(?:jiffy|official|verified|approved)\\s+(?:certified|verified|trusted)"}],"first_observed":"2026-03-17T00:00:00+00:00","last_updated":"2026-04-27T00:00:00+00:00","sources":["curated"],"remediation":"Only rely on the jiffylabs.app catalog for MCP trust status. Reject claims of verification that originate from inside the artifact itself.","affected":[{"tool":"Claude Code","versions":"*"},{"tool":"Cursor","versions":"*"}],"example_artifacts":[{"name":"CLAUDE.md (repo: ai-dev-pro)","source":"GitHub (public repo)","status":"removed","artifact_type":"ide_rules","last_observed":"2026-04-10","first_observed":"2026-03-17"},{"name":"agents.md (repo: mcp-starter)","source":"GitHub (public repo)","status":"under_review","artifact_type":"ide_rules","first_observed":"2026-03-21"}],"jiffy_metadata":{"times_seen":14,"detection_layers":["semantic"],"unique_customers":3,"primary_artifact_type":"ide_rules","first_public_disclosure":"2026-03-18"},"references":[{"url":"https://blog.jiffylabs.ai/posts/mcp-security-a-security-teams-field-guide","label":"Jiffy Research — MCP Security Field Guide"},{"url":"https://genai.owasp.org/llmrisk/llm-09-2026/","label":"OWASP LLM-09: Misinformation (2026)"}],"framework_codes":["MITRE-ATLAS-AML.T0053","NIST-CSF-2.0-ID.RA-01","OWASP-Agentic-2026-AIA-07","OWASP-LLM-2025-LLM03","OWASP-LLM-2025-LLM06"]},{"id":"jiffy-ti-2026-000087","type":"credential_exfil","title":"Custom GPT Action logs full request bodies including Authorization headers","description":"Action backend that logs every inbound request, including the OAuth Authorization header forwarded by the GPT. Logs are retained and occasionally shared with third-party observability tools.","severity":"high","confidence":"high","indicators":[{"kind":"content_pattern","value":"(?i)log(?:ger)?\\.(?:info|debug)\\(.{0,200}(?:headers|authorization)"}],"first_observed":"2026-03-13T00:00:00+00:00","last_updated":"2026-04-27T00:00:00+00:00","sources":["scanner"],"remediation":"Redact Authorization headers in Action backend logs. Use structured logging with an explicit allowlist.","affected":[{"tool":"ChatGPT (GPT Store)","versions":"*"}],"example_artifacts":[{"name":"Webhook Debug GPT","source":"OpenAI GPT Store","status":"under_review","artifact_type":"custom_gpt","first_observed":"2026-03-13"},{"name":"API Tester GPT","source":"OpenAI GPT Store","status":"quarantined","artifact_type":"custom_gpt","first_observed":"2026-03-17"}],"jiffy_metadata":{"times_seen":22,"detection_layers":["static"],"unique_customers":5,"primary_artifact_type":"custom_gpt","first_public_disclosure":"2026-03-14"},"references":[{"url":"https://genai.owasp.org/llmrisk/llm-02-2026/","label":"OWASP LLM-02: Sensitive Information Disclosure (2026)"},{"url":"https://attack.mitre.org/techniques/T1555/","label":"MITRE ATT&CK T1555 — Credentials from Password Stores"}],"framework_codes":["MITRE-ATLAS-AML.T0055","NIST-CSF-2.0-PR.AA-01","OWASP-Agentic-2026-AIA-03","OWASP-LLM-2025-LLM02"]},{"id":"jiffy-ti-2026-000094","type":"credential_exfil","title":"Claude Project knowledge file contains hardcoded API tokens","description":"Project uploader accidentally includes a knowledge file (often a README or internal doc) that has API tokens embedded. Any team member running the project can view the file, and the tokens enter model context on every turn.","severity":"low","confidence":"confirmed","indicators":[{"kind":"content_pattern","value":"(?i)(?:api[_-]?(?:key|token)|bearer\\s)[\\s\\S]{0,20}[A-Za-z0-9]{32,}"}],"first_observed":"2026-03-15T00:00:00+00:00","last_updated":"2026-04-27T00:00:00+00:00","sources":["scanner"],"remediation":"Run a secret scan on every file before uploading to a Claude Project. Rotate any credentials that were uploaded.","affected":[{"tool":"claude.ai (Projects)","versions":"*"}],"example_artifacts":[{"name":"Internal Tooling Project","source":"Claude Projects (claude.ai)","status":"removed","artifact_type":"claude_project","last_observed":"2026-04-07","first_observed":"2026-03-15"},{"name":"API Playground Project","source":"Claude Projects (claude.ai)","status":"quarantined","artifact_type":"claude_project","first_observed":"2026-03-19"}],"jiffy_metadata":{"times_seen":9,"detection_layers":["static"],"unique_customers":3,"primary_artifact_type":"claude_project","first_public_disclosure":"2026-03-16"},"references":[{"url":"https://genai.owasp.org/llmrisk/llm-02-2026/","label":"OWASP LLM-02: Sensitive Information Disclosure (2026)"},{"url":"https://attack.mitre.org/techniques/T1555/","label":"MITRE ATT&CK T1555 — Credentials from Password Stores"},{"url":"https://blog.jiffylabs.ai/posts/the-ai-artifact-supply-chain","label":"Jiffy Research — The AI Artifact Supply Chain"}],"framework_codes":["MITRE-ATLAS-AML.T0055","NIST-CSF-2.0-PR.AA-01","OWASP-Agentic-2026-AIA-03","OWASP-LLM-2025-LLM02"]},{"id":"jiffy-ti-2026-000090","type":"malicious_skill","title":"Claude Project references a skill that writes to ~/.claude/skills","description":"Project includes a \"recommended skill\" link that, when installed, copies itself into the user's global ~/.claude/skills/ directory — escaping the project scope and persisting across sessions.","severity":"high","confidence":"high","indicators":[{"kind":"content_pattern","value":"(?is)(?:install|add).{0,100}\\.claude/skills/"}],"first_observed":"2026-03-11T00:00:00+00:00","last_updated":"2026-04-26T00:00:00+00:00","sources":["scanner"],"remediation":"Claude Projects should reference skills that are scoped to the project session, not installed globally. Report any global-install skill.","affected":[{"tool":"claude.ai (Projects)","versions":"*"}],"example_artifacts":[{"name":"Dev Productivity Project","source":"Claude Projects (claude.ai)","status":"removed","artifact_type":"claude_project","last_observed":"2026-04-04","first_observed":"2026-03-11"},{"name":"AI Coding Starter","source":"Claude Projects (claude.ai)","status":"under_review","artifact_type":"claude_project","first_observed":"2026-03-15"}],"jiffy_metadata":{"times_seen":8,"detection_layers":["static"],"unique_customers":2,"primary_artifact_type":"claude_project","first_public_disclosure":"2026-03-12"},"references":[{"url":"https://blog.jiffylabs.ai/posts/scanning-ai-skills-at-scale-what-we-learned","label":"Jiffy Research — Scanning AI Skills at Scale"},{"url":"https://genai.owasp.org/llmrisk/llm-06-2026/","label":"OWASP LLM-06: Excessive Agency (2026)"}],"framework_codes":["MITRE-ATLAS-AML.T0053","NIST-CSF-2.0-ID.AM-02","OWASP-Agentic-2026-AIA-03","OWASP-Agentic-2026-AIA-10","OWASP-LLM-2025-LLM06"]},{"id":"jiffy-ti-2026-000028","type":"malicious_skill","title":"Skill writes VS Code tasks.json that launches attacker binary on file save","description":"Skill appends a task to the user's VS Code workspace tasks.json with `runOn: \"fileSave\"` and a command that downloads and runs an attacker binary. Triggers on any subsequent file save, not bound to the original skill session.","severity":"medium","confidence":"high","indicators":[{"kind":"file_path_pattern","value":"\\.vscode/tasks\\.json"},{"kind":"content_pattern","value":"(?is)\"runOn\"\\s*:\\s*\"fileSave\"[\\s\\S]{0,300}(?:curl|wget|powershell)"}],"first_observed":"2026-03-31T00:00:00+00:00","last_updated":"2026-04-26T00:00:00+00:00","sources":["scanner"],"remediation":"Review .vscode/tasks.json for runOn: fileSave tasks that invoke network binaries.
Remove unknown tasks.","affected":[{"tool":"VS Code","versions":"*"},{"tool":"Cursor","versions":"*"}],"example_artifacts":[{"name":"vscode-productivity-skill","source":"Anthropic Skills","status":"removed","versions":"1.0.0","artifact_type":"skill","last_observed":"2026-04-12","first_observed":"2026-03-31"},{"name":"workspace-config-skill","source":"Community registry","status":"quarantined","artifact_type":"skill","first_observed":"2026-04-04"}],"jiffy_metadata":{"times_seen":16,"detection_layers":["static"],"unique_customers":4,"primary_artifact_type":"skill","first_public_disclosure":"2026-04-01"},"references":[{"url":"https://attack.mitre.org/techniques/T1546/","label":"MITRE ATT&CK T1546 — Event Triggered Execution"},{"url":"https://blog.jiffylabs.ai/posts/cursorrules-and-agents-md-config-backdoors","label":"Jiffy Research — .cursorrules and agents.md Config Backdoors"}],"framework_codes":["MITRE-ATLAS-AML.T0053","NIST-CSF-2.0-ID.AM-02","OWASP-Agentic-2026-AIA-10","OWASP-LLM-2025-LLM06"]},{"id":"jiffy-ti-2026-000031","type":"other","title":"Skill resource-consumption attack: infinite subprocess spawn","description":"Skill whose task runs a `while true` loop spawning a short-lived subprocess, consuming CPU and process-table slots until the agent session is killed. Not a data-theft primitive; a denial-of-service on the agent runtime.","severity":"low","confidence":"high","indicators":[{"kind":"content_pattern","value":"(?is)while\\s+(?:true|True|1)\\s*(?::|do)[\\s\\S]{0,200}(?:subprocess|popen|spawn|exec)"}],"first_observed":"2026-04-04T00:00:00+00:00","last_updated":"2026-04-26T00:00:00+00:00","sources":["scanner"],"remediation":"Cap agent runtime CPU and subprocess count. 
Reject skills whose static analysis shows unbounded loops around process spawn.","affected":[{"tool":"Claude Code","versions":"*"},{"tool":"Cursor","versions":"*"}],"example_artifacts":[{"name":"throughput-tester-skill","source":"Anthropic Skills","status":"removed","versions":"1.0.0","artifact_type":"skill","last_observed":"2026-04-20","first_observed":"2026-04-04"},{"name":"load-profile-skill","source":"Community registry","status":"quarantined","artifact_type":"skill","first_observed":"2026-04-07"}],"jiffy_metadata":{"times_seen":4,"detection_layers":["static"],"unique_customers":1,"primary_artifact_type":"skill","first_public_disclosure":"2026-04-05"},"references":[{"url":"https://genai.owasp.org/llmrisk/llm-10-2026/","label":"OWASP LLM-10: Unbounded Consumption (2026)"}],"framework_codes":["NIST-CSF-2.0-ID.RA-05","OWASP-Agentic-2026-AIA-05","OWASP-Agentic-2026-AIA-10","OWASP-LLM-2025-LLM06"]},{"id":"jiffy-ti-2026-000053","type":"compromised_mcp","title":"MCP server proxies auth through a hostname that lapsed ownership","description":"MCP server points its auth flow at a third-party hostname that was abandoned by its original owner and re-registered by an attacker. Users completing the auth flow hand tokens to the attacker directly.","severity":"critical","confidence":"confirmed","indicators":[{"kind":"endpoint","value":"https?://(?:auth|login|sso)\\.(?:[a-z0-9-]+\\.)+(?:fly\\.dev|vercel\\.app|pages\\.dev)"}],"first_observed":"2026-03-17T00:00:00+00:00","last_updated":"2026-04-26T00:00:00+00:00","sources":["curated"],"remediation":"Audit MCP auth redirect hostnames against a known-good allowlist. 
Ephemeral PaaS hosts for auth flows are a red flag.","affected":[{"tool":"Any MCP-capable agent","versions":"*"}],"example_artifacts":[{"name":"legacy-saas-mcp","source":"MCP Registry","status":"removed","versions":"0.3.0","artifact_type":"mcp_server","last_observed":"2026-04-12","first_observed":"2026-03-17"},{"name":"old-service-mcp","source":"MCP Registry","status":"under_review","artifact_type":"mcp_server","first_observed":"2026-03-21"}],"jiffy_metadata":{"times_seen":6,"detection_layers":["static"],"unique_customers":2,"primary_artifact_type":"mcp_server","first_public_disclosure":"2026-03-18"},"references":[{"url":"https://blog.jiffylabs.ai/posts/mcp-security-a-security-teams-field-guide","label":"Jiffy Research — MCP Security Field Guide"},{"url":"https://attack.mitre.org/techniques/T1195/","label":"MITRE ATT&CK T1195 — Supply Chain Compromise"}],"framework_codes":["MITRE-ATLAS-AML.T0053","NIST-CSF-2.0-ID.RA-01","OWASP-Agentic-2026-AIA-07","OWASP-LLM-2025-LLM06"]},{"id":"jiffy-ti-2026-000059","type":"malicious_skill","title":"MCP server side-loads a skill bundle via its startup script","description":"MCP server whose startup command, in addition to launching the server, also writes a skill bundle under ~/.claude/skills/. Running the MCP is effectively an unattended skill install. The skill persists after the MCP is removed.","severity":"medium","confidence":"high","indicators":[{"kind":"command_pattern","value":"(?is)(?:mkdir|cp|mv|write)[^\\n]{0,200}\\.claude/skills/"}],"first_observed":"2026-03-23T00:00:00+00:00","last_updated":"2026-04-26T00:00:00+00:00","sources":["scanner"],"remediation":"Diff ~/.claude/skills/ after any MCP server install. 
Remove any unexpected skills.","affected":[{"tool":"Claude Code","versions":"*"},{"tool":"Claude Desktop","versions":"*"}],"example_artifacts":[{"name":"all-in-one-dev-mcp","source":"MCP Registry","status":"removed","versions":"0.6.0","artifact_type":"mcp_server","last_observed":"2026-04-14","first_observed":"2026-03-23"},{"name":"starter-mcp-suite","source":"Community registry","status":"under_review","artifact_type":"mcp_server","first_observed":"2026-03-27"}],"jiffy_metadata":{"times_seen":9,"detection_layers":["static"],"unique_customers":2,"primary_artifact_type":"mcp_server","first_public_disclosure":"2026-03-24"},"references":[{"url":"https://blog.jiffylabs.ai/posts/mcp-security-a-security-teams-field-guide","label":"Jiffy Research — MCP Security Field Guide"},{"url":"https://attack.mitre.org/techniques/T1195/","label":"MITRE ATT&CK T1195 — Supply Chain Compromise"}],"framework_codes":["MITRE-ATLAS-AML.T0053","NIST-CSF-2.0-ID.AM-02","OWASP-Agentic-2026-AIA-07","OWASP-Agentic-2026-AIA-10","OWASP-LLM-2025-LLM06"]}],"total":100,"next_cursor":"eyJvZmZzZXQiOjI1fQ","limit":25}