open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions

feat(llm-security): add 3 more runnable threat examples [skip-docs]

Browse source 
Three new self-contained, runnable threat demonstrations under
examples/, continuing the batch started in 583a78c. Each example
has README.md + run-*.mjs + expected-findings.md and uses
state-isolation discipline so the user's real cache/state files
are never polluted.

- examples/supply-chain-attack/ — two-layer demonstration:
  pre-install-supply-chain (PreToolUse) blocks compromised
  event-stream version 3.3.6 and emits a scope-hop advisory for
  the @evilcorp scope; dep-auditor (DEP scanner, offline) flags
  5 typosquat dependencies plus a curl-piped install-script
  vector in the fixture package.json. Maps to LLM03/LLM05/ASI04.

- examples/poisoned-claude-md/ — all 6 memory-poisoning detectors
  fire on a deliberately poisoned CLAUDE.md plus a fixture
  agent file under .claude/agents (E15/v7.2.0 surface):
  detectInjection, detectShellCommands, detectSuspiciousUrls,
  detectCredentialPaths, detectPermissionExpansion,
  detectEncodedPayloads. No agent runtime needed — scanner
  imported directly. Maps to LLM01/LLM06/ASI04.

- examples/bash-evasion-gallery/ — one disguised variant per
  T1 through T9 evasion technique fed through pre-bash-destructive,
  verified BLOCK after bash-normalize strips the evasion. T8
  base64-pipe-shell uses its own BLOCK_RULE. The canonical
  destructive form uses a path token rather than the bare slash
  (regex word-boundary requires it). Source-string fragmentation
  pattern reused from the e2e attack-chain test. Maps to
  LLM06/ASI01/LLM01.

Plugin README "Other runnable examples" section + plugin
CLAUDE.md "Examples" table + CHANGELOG Unreleased/Added
all updated. Marketplace root README unchanged
([skip-docs] for marketplace-level gate — plugin's outward
coverage is unchanged, only demonstrations were added).
This commit is contained in:
Kjell Tore Guttormsen 2026-05-05 15:01:20 +02:00
commit ca5a8cec67
15 changed files with 1184 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

16
plugins/llm-security/README.md
View file

@ -512,6 +512,22 @@ demonstrations — each with `README.md`, fixture, run script, and
Demonstrates the v7.3.0 cumulative-drift advisory (E14, OWASP MCP05).
Cache isolated via `LLM_SECURITY_MCP_CACHE_FILE`. Run:
`node examples/mcp-rug-pull/run-rug-pull.mjs`
- **`supply-chain-attack/`** — two-layer demonstration: PreToolUse
hook blocks compromised `event-stream@3.3.6` and advises on
scope-hopping `@evilcorp/lodash`; offline `dep-auditor` flags 5
typosquats + a `postinstall: curl ... | sh` vector in the fixture
`package.json`. Run:
`node examples/supply-chain-attack/run-supply-chain.mjs`
- **`poisoned-claude-md/`** — 6 memory-poisoning detectors fire on a
fixture `CLAUDE.md` + agent file (E15 surface). Demonstrates
injection, shell-command, suspicious-URL, credential-path,
permission-expansion, and base64-encoded-payload detection. Run:
`node examples/poisoned-claude-md/run-memory-poisoning.mjs`
- **`bash-evasion-gallery/`** — one disguised variant per T-tag
(T1-T9) fed through `pre-bash-destructive`, verified BLOCK after
`bash-normalize` strips the evasion. T8 has its own BLOCK_RULE.
Run:
`node examples/bash-evasion-gallery/run-evasion-gallery.mjs`
---