{
  "version": "1.0",
  "attack_types": {
    "A1": {
      "name": "Direct Injection",
      "description": "Plaintext malicious instructions embedded directly",
      "surface": "tool.description",
      "example_intents": ["instruction override", "data exfiltration", "privilege escalation"]
    },
    "A2": {
      "name": "Unicode Steganography",
      "description": "Zero-width characters, homoglyphs, and invisible Unicode used to hide payloads",
      "surface": "tool.description",
      "example_intents": ["hidden commands", "invisible instructions", "obfuscated payloads"]
    },
    "A3": {
      "name": "Base64 Payload",
      "description": "Base64-encoded instructions designed to be decoded and executed",
      "surface": "tool.description",
      "example_intents": ["encoded exfiltration", "obfuscated commands", "hidden scripts"]
    },
    "A4": {
      "name": "Schema Poisoning",
      "description": "Malicious parameter names, types, or descriptions in tool input schemas",
      "surface": "tool.inputSchema",
      "example_intents": ["credential theft", "path traversal", "parameter injection"]
    },
    "A5": {
      "name": "Output Injection",
      "description": "Injection attacks embedded in tool return values",
      "surface": "tool.output",
      "example_intents": ["fake system alerts", "credential phishing", "destructive commands"]
    },
    "A6": {
      "name": "Cross-Server Shadowing",
      "description": "Attempts to override or shadow legitimate tools from other servers",
      "surface": "tool.description",
      "example_intents": ["tool impersonation", "priority hijacking", "sandbox bypass"]
    },
    "A7": {
      "name": "Rug Pull",
      "description": "Tool definitions that change behavior after initial approval",
      "surface": "tool.description",
      "example_intents": ["post-approval telemetry", "fake updates", "feature injection"]
    },
    "A8": {
      "name": "Error Message Injection",
      "description": "Malicious instructions embedded in error messages",
      "surface": "tool.error",
      "example_intents": ["error-driven tool calls", "credential phishing", "supply chain attacks"]
    },
    "A9": {
      "name": "Nested Encoding",
      "description": "Multi-layer encoding chains used to evade detection",
      "surface": "any",
      "example_intents": ["double encoding", "mixed encoding", "encoding chains"]
    },
    "A10": {
      "name": "Semantic Camouflage",
      "description": "Malicious instructions disguised as legitimate documentation",
      "surface": "tool.description",
      "example_intents": ["fake best practices", "compliance pretexting", "documentation-wrapped attacks"]
    },
    "A11": {
      "name": "Sampling Exploitation",
      "description": "MCP sampling requests that hijack LLM completions",
      "surface": "tool.output",
      "example_intents": ["resource theft", "conversation hijacking", "covert invocation"]
    },
    "A12": {
      "name": "Preference Manipulation",
      "description": "Subtly alters tool ranking so that the AI prioritizes malicious tools",
      "surface": "tool.description",
      "example_intents": ["priority hijacking", "traffic interception", "default replacement"]
    },
    "A13": {
      "name": "Parasitic Toolchain",
      "description": "Chained tools that escalate an attack across an interlinked tool network",
      "surface": "tool.description",
      "example_intents": ["pipeline injection", "middleware interception", "multi-stage exfil"]
    },
    "A14": {
      "name": "Supply Chain .pth Poisoning",
      "description": "Python .pth files used to run persistent code on interpreter startup",
      "surface": "tool.description",
      "example_intents": ["persistent backdoor", "startup injection", "dependency poisoning"]
    },
    "A15": {
      "name": "Indirect Content Injection",
      "description": "Malicious content in fetched data rather than in the tool definition itself",
      "surface": "tool.output",
      "example_intents": ["content injection", "document poisoning", "hidden instructions"]
    },
    "A16": {
      "name": "System Prompt Leakage",
      "description": "Tool definitions crafted to extract the host LLM's system prompt",
      "surface": "tool.description",
      "example_intents": ["prompt extraction", "system instruction leak", "alignment verification pretext"]
    }
  }
}