The complete agentic AI attack surface — 61 layers, 163 tools, every threat class covered.
"Five Eyes guidance named prompt injection as the most persistent threat. They are correct. They also covered one of sixteen."
L01
Prompt & Input
Prompt injection, jailbreak, indirect injection, instruction override, GCG and AutoDAN adversarial suffix attacks.
PHANTOM, JANUS, FORGE
L02
Memory
Memory injection, retrieval hijack, dormant trigger implant, cross-session persistence across 12 memory backends.
ECHO, LAZARUS, SPECTER CONTEXT, SPECTER MEMETIC
L03
Inference Cache
KV cache poisoning, speculative decode hijack, prompt cache corruption, cross-tenant contamination via shared inference state.
SPECTER HELLFIRE
L04
Reasoning
Premise injection, conclusion hijack, scratchpad extraction, chain corruption in frontier reasoning models.
SERPENT, SPECTER REASONER
L05
Guardrail
Guardrail fingerprinting, bypass injection, policy drift, jailbreak persistence, RLHF reward hacking, constitutional AI override.
JANUS, SPECTER GUARDRAIL, HARBINGER
L06
Kernel
eBPF injection, BPF-LSM bypass, namespace escape, cgroup subversion, syscall integrity, host kernel access from containerised agents.
SPECTER KERNEL, WRAITH
L07
Model Weights
Sleeper agent backdoor, ROME rank-one weight editing, implanted triggers that survive safety fine-tuning. ROME-implanted backdoors retain 70–90% after retraining.
SPECTER NEURON, SPECTER REGISTRY, SPECTER MIRROR, ADAPTER
L08
Economic
Denial-of-wallet, recursive token burn loops, auto-reload trigger exploitation, rate limit storms, billing threshold attacks.
SPECTER BURN
L09
Computer Use
Visual prompt injection, clipboard poisoning, UI redressing, DOM divergence, session harvest, screenshot-borne exploit delivery.
GHOST OPERATOR, SPECTER ATLAS
L10
MCP
Tool poisoning, sampling hijack, transport intercept, schema drift, capability escalation, MCP server impersonation.
VECTOR, ROGUE, PHANTOM SKILL
L11
Platform
Workflow injection, RAG cross-tenant poisoning, API key harvest, gateway reroute, document execution RCE, cloud AI platform abuse.
SPECTER PLATFORM, SPECTER SHELL, ARCHITECT, VORTEX
L12
Trust Chain
Agent-to-agent exploitation, registry poisoning, identity forgery, multi-agent fleet detonation, cross-agent credential pass-the-token.
SPECTER A2A, PHANTOM SWARM, SPECTER FORGERY, APOCALYPSE
L13
Weaponisation
AI-assisted ransomware, C2 over LLM APIs, AI-accelerated attack planning. SPECTER CRYPT demonstrates that adversaries can use AI agents to plan, execute, and cover a full ransomware campaign. C2 traffic runs over api.openai.com, so at the network layer it is indistinguishable from legitimate tool use: the destination, TLS and API account all look like normal LLM usage, and detection has to happen at the API-usage or content level.
SPECTER CRYPT, SPECTER SHADOW
L14
Training Pipeline
Dataset poisoning, RLHF annotation manipulation, fine-tuning corpus injection. As few as 250 poisoned documents are enough to plant a persistent backdoor in an LLM regardless of model size. Targets HuggingFace, CommonCrawl, GitHub corpora, Axolotl, Unsloth, LLaMA Factory.
SPECTER DOCTRINE
L15
AI Development
Coding agent exploitation — auto-approve MCP injection, CLAUDE.md poisoning, container escape. Plus the vibe coding security debt: privilege escalation paths, missing auth checks, hardcoded secrets, and race conditions systematically introduced by AI-assisted code generation.
SPECTER TRUSTFALL, SPECTER FRACTURE
L16
Embodied AI
The model refuses in text while the planner still executes the physical action, adversarial proxy planning, ROS2 exploitation, sensor spoofing, cross-layer attack (wireless / auth / model-planner / IPC / hardware debug). Targets Boston Dynamics, UR3/UR10 arms, autonomous vehicles, warehouse robots, UAVs, any LLM-controlled physical system.
SPECTER TITAN, SPECTER DRONE
L17
Social Media AI
AI agent hijack on social platforms, session harvest, persona engine deployment, corpus poisoning, deepfake generation, spear-phish campaign, account destruction, Meta/Facebook ecosystem annihilation — full social media AI attack surface.
SPECTER PHANTOM, SPECTER META, SE-SOCIAL
L18
Voice/Telephony AI
World-first voice AI attack surface. SIP fingerprinting, real-time barge-in prompt injection via WebSocket, adversarial audio (PhantomSound/DolphinAttack/psychoacoustic masking), voice cloning (ElevenLabs + XTTS v2), raw SIP hijack, PII harvest, RTP noise sabotage. Targets Twilio ConversationRelay, Amazon Bedrock AgentCore, Google CCAI, ElevenLabs, Vapi, Retell AI.
SPECTER WIRE
L27
Catastrophic Resilience Validation
Coordinated catastrophic failure testing for AI infrastructure. Five DESTROY-gated vectors: RAG-ATOMIC (ChromaDB deletion), CHECKPOINT-MASSACRE (model weight file destruction), ORCHESTRATOR-SUICIDE (Airflow/n8n config wipe), INFERENCE-EXHAUSTION (ThinkTrap/Jinja DoS), WEIGHT-CORRUPTION (binary corruption silent but deadly). ANH-signed reports.
SPECTER ANNIHILATION
L28
Cloud Infrastructure Takeover
Cloud lateral movement from compromised AI agent token to full cloud domination. AWS IMDS→STS→IAM PassRole→Lambda, GCP metadata→SA impersonation→Vertex AI service agent→Cloud Function, Azure MSI→MSAL OBO→Entra Agent Administrator→Function App. Serverless backdoor persistence. Irreversible cloud annihilation. CHR-signed reports.
SPECTER CHARYBDIS
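The PassRole link in the AWS chain above (IMDS→STS→IAM PassRole→Lambda) only works if the credentials the compromised agent holds may pass an over-privileged role to Lambda. The policy fragment below is an added example, not from the page or the tool it describes: it scopes iam:PassRole to one minimal execution role and to the Lambda service principal, and explicitly denies passing anything with "Admin" in its name. The account ID 123456789012 and the role names are placeholders (JSON carries no comments, so the assumptions are stated here). The weak form it replaces is `"Action": "iam:PassRole", "Resource": "*"`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassOnlyMinimalLambdaRole",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/agent-lambda-exec-minimal",
      "Condition": {
        "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" }
      }
    },
    {
      "Sid": "DenyPassingAdminRoles",
      "Effect": "Deny",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/*Admin*"
    }
  ]
}
```

For the first link in the chain, require IMDSv2 on the instance (`HttpTokens=required`) so a plain GET against the metadata endpoint from an SSRF or a hijacked agent process returns nothing; an explicit Deny wins over any Allow, so the second statement holds even if another attached policy is broader.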
L29
AI Inference Infrastructure
Universal AI gateway/inference server exploitation — SCAN 20+ types (LiteLLM/vLLM/Ollama/Triton/TGI/Ray Serve), BREACH 7 CVEs (CVSS 9.0–10.0) with real binary payloads (GGUF/JPEG2000/AVI RIFF), SIPHON API keys, INTERCEPT LiteLLM CustomLogger traffic capture, TRAVERSE cloud metadata pivot, IMPLANT persistent C2. Enterprise LLM traffic interception. PST-signed reports.
SPECTER PARASITE
L30
Agentic Browser Exploitation
Full-spectrum attack surface for AI browser and computer-use agents. PLEASEFIX zero-click ICS calendar exploit (Zenity Labs Mar 2026), eTAMP CLICK-TRAP adversarial pages (92.7% ASR, arXiv:2604.02623), VISUAL-INJECT PGD adversarial perturbations against VLMs (arXiv:2402.14899), DOM SCREEN-READ semantic poisoning, TIER1–4 credential harvest, persistent agent memory injection. CMT-signed reports.
SPECTER COMET
L31
API-Level Response Seeding
Assistant prefill / sockpuppeting jailbreak. 20 strategies across affirmative, role, format, token, and extraction families. 13 providers (cloud + local). System prompt extraction, credential harvest, network CIDR scan. 95% ASR on Qwen-8B. PRF-signed reports.
SPECTER PREFILL
L32
Credential Intelligence & Exploitation
GPU-accelerated hash cracking (RTX 3090). 15+ hash types. 13 API provider validators with blast radius scoring. JWT HS256/384/512 secret extraction. deepseek-r1:7b targeted wordlist generation. WARLORD registry feed. CHARYBDIS/GHOST/LEVIATHAN routing. RPT-signed reports.
SPECTER RAPTOR
L33
Compositional Fine-Tuning Exploitation
Colluding LoRA adapters — individually safe, together they dismantle alignment. QLoRA forge (BENIGN_SURFACE/PROATTACK/STEGANOGRAPHIC), TIES/DARE/LINEAR/BREADCRUMBS/SLERP merge strategies, Unicode steganographic triggers (ZWS/homoglyph/RTLO), HuggingFace dependency confusion upload. arXiv:2603.12681. LRX-signed reports.
SPECTER LORA-X
L34
Chain-of-Thought Reasoning Exploitation
H-CoT hijack (PREMISE-PLANT/CONCLUSION-REDIRECT/AUTHORITY-INJECT/THOUGHT-INTERRUPT, 97.14% ASR — Nature Comms 2026). PAIR/TAP autonomous jailbreaking via local deepseek-r1:7b (zero API cost). BadThink compute exhaustion 10x–60x token amplification (arXiv:2511.10714). CoT backdoor Unicode triggers (QLoRA RTX 3090). Thought Purity evasion (steganographic/semantic-camouflage/gradual-drift). CBN-signed reports.
SPECTER COGBURN
L37
Attribution & Provenance Evasion
Defeat every mechanism that links AI-generated content back to its origin. WATERMARK-STRIP: SynthID text defeat (z-score + green-list ratio analysis, synonym substitution + contraction injection + sentence restructure), image watermark removal via GaussianBlur + JPEG recompression. STYLOMETRIC-EVADE: GPTZero/Binoculars/RADAR/DetectGPT bypass — perplexity elevation, burstiness injection, typo injection, optional Ollama LLM humanisation. PROVENANCE-DESTROY: JPEG APP11 JUMBF C2PA strip, PNG iTXt/tEXt removal, PDF XMP excision, ffmpeg video metadata wipe, C2PA signature corruption, Canon EOS R6 EXIF forgery via piexif. TRAIL-SANITISE: AI keyword log sweep + remove, Docker container log truncation, AWS CloudTrail disable (UNLEASHED gate), shred. DISCLOSURE-EVADE: EU AI Act Article 50 marker detection (8 patterns), IPTC DigitalSourceType=trainedAlgorithmicMedia strip, homoglyph/zero-width/rewrite text evasion, platform watermark defeat strength 1–5. 5 WMD classes. ERS-{hex12} Ed25519-signed reports. OPEN/INJECT/UNLEASHED gate.
SPECTER ERASE
L25
AI Agent Skill Supply Chain
Poison AI agent skills at marketplace level before they ever run. MCP/OpenAI/LangChain/n8n/Semantic Kernel/CrewAI description injection, npm postinstall + setuptools persistence, MCP sidecar C2 daemon thread (60s beacon), LangChain callback handler auto-registered on import, worm companion install, keyword/counter/API-detection detonators, mass fleet compromise. ClawHavoc (1,200+ live skills) + Snyk ToxicSkills 36% injection rate. TSK-signed reports.
SPECTER TOXSKILL
L38
Cross-Organisational AI Knowledge Pandemic
World-first self-propagating AI worm spreading through shared public knowledge infrastructure. POISON-RAG: Wikipedia/ArXiv/HuggingFace injection at <0.1% rate (80%+ ASR, AgentPoison arXiv:2603.20357). CONTAMINATE-VDB: Qdrant/Chroma namespace bleed + adversarial embedding collision across tenants. BACKDOOR-EMBED: OpenAI/Cohere embedding cache poison via raw Redis + fine-tune backdoor pairs (95% cross-session ASR, MemPoison arXiv:2605.29960). PROPAGATE: 3-generation self-replicating worm chain (15+ organisations). Invisible to network/endpoint detection — knowledge-layer only. PND-signed reports.
SPECTER PANDEMIC
L39
Alignment Bypass
Surgical removal of RLHF/DPO/SFT safety alignment from open-weight LLMs. W'=W−r⊗(W^T r), i.e. W'=(I−rr^T)W for unit-norm r, is an orthogonal projection that zeroes the refusal direction across all output projections. ENUMERATE: local/HuggingFace/Ollama instruct model discovery. PROBE-REFUSAL: 50-prompt HarmBench baseline. EXTRACT-DIRECTION: difference-in-means/PCA/LoRA-SVD. APPLY: 4 methods (orthogonal/norm-preserving/selective/multi-directional). SURGERY gate: Ed25519 key + ROE. VALIDATE: delta_asr≥0.80 + KL<1.0. EXPORT: safetensors + GGUF Q4_K_M. 98%+ ASR Llama-3/Mistral/Qwen2/Gemma-2. ABL-signed reports. Arditi et al. arXiv:2406.11717.
SPECTER ABLITERATE
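The projection step above is a few lines of linear algebra, which is the practical point for defenders: once weights are in an adversary's hands, refusal training is a usability feature rather than an access control. The block below is an added example, not code from the page or from the tool it describes, of the directional ablation published by Arditi et al.: extract a refusal direction by difference-in-means from two sets of activations, project it out of a weight matrix, and confirm the matrix can no longer write along that direction. It is pure Python (no numpy), and the activations and the weight matrix are constructed random data standing in for a real layer.

```python
"""Added example (not from the page or any product it names): refusal-direction
ablation per Arditi et al. (arXiv:2406.11717) on constructed synthetic data."""
import math
import random
from typing import List, Sequence, Tuple

Vector = List[float]
Matrix = List[List[float]]   # row-major, shape (d_out, d_in)

def dot(a: Sequence[float], b: Sequence[float]) -> float:
    return sum(x * y for x, y in zip(a, b))

def matvec(W: Matrix, x: Vector) -> Vector:
    return [dot(row, x) for row in W]

def normalize(v: Vector) -> Vector:
    n = math.sqrt(dot(v, v))
    return [x / n for x in v]

def difference_in_means(harmful: Sequence[Vector], harmless: Sequence[Vector]) -> Vector:
    """Unit refusal direction r: mean(harmful activations) - mean(harmless activations)."""
    d = len(harmful[0])
    mean_h = [sum(v[i] for v in harmful) / len(harmful) for i in range(d)]
    mean_b = [sum(v[i] for v in harmless) / len(harmless) for i in range(d)]
    return normalize([a - b for a, b in zip(mean_h, mean_b)])

def ablate_direction(W: Matrix, r: Vector) -> Matrix:
    """W' = W - r (r^T W) = (I - r r^T) W, the page's W - r ⊗ (W^T r) for unit r.
    Every output of W' is orthogonal to r, so this layer can no longer write refusal."""
    d_out, d_in = len(W), len(W[0])
    rtw = [sum(r[i] * W[i][j] for i in range(d_out)) for j in range(d_in)]   # r^T W
    return [[W[i][j] - r[i] * rtw[j] for j in range(d_in)] for i in range(d_out)]

def refusal_component(W: Matrix, r: Vector, x: Vector) -> float:
    """Amount of this layer's output for input x that lies along r."""
    return dot(r, matvec(W, x))

def synthetic_activations(d: int, n: int, seed: int = 7) -> Tuple[List[Vector], List[Vector]]:
    """Constructed data: 'harmful' activations are 'harmless' ones shifted along axis 0,
    standing in for residual-stream activations captured at one layer."""
    rng = random.Random(seed)
    harmless = [[rng.gauss(0, 1) for _ in range(d)] for _ in range(n)]
    base = [[rng.gauss(0, 1) for _ in range(d)] for _ in range(n)]
    harmful = [[v[0] + 4.0] + v[1:] for v in base]
    return harmful, harmless

def random_matrix(d_out: int, d_in: int, seed: int = 11) -> Matrix:
    """Constructed stand-in for an output projection (e.g. an attention o_proj)."""
    rng = random.Random(seed)
    return [[rng.gauss(0, 1) for _ in range(d_in)] for _ in range(d_out)]

if __name__ == "__main__":
    harmful, harmless = synthetic_activations(6, 200)
    r = difference_in_means(harmful, harmless)
    W = random_matrix(6, 4)
    x = [0.3, -1.2, 2.0, 0.7]
    print("before:", refusal_component(W, r, x))
    print("after: ", refusal_component(ablate_direction(W, r), r, x))
```

The check that matters is the last assertion in the test: the component along r drops to zero while the rest of the output is unchanged, which is why perplexity barely moves after ablation and why evals that only measure capability will not notice it.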
L40
Autonomous Adversarial Reasoning
LRM-on-LRM autonomous jailbreak engine based on Hagendorff et al. 2026 (arXiv:2508.04039, Nature Communications). 97.14% ASR across frontier targets. JACKAL-CORE loop: attacker LRM observes refusal → reasons via ⟨think⟩ channel → selects counter-strategy → fires. 12 jailbreak strategies. 5 attacker models (DeepSeek-R1 7B/70B, Gemini 2.5 Flash, Grok 3 Mini, Qwen3 32B). 8 target models (GPT-4o, Claude 4 Sonnet, Gemini 2.5 Pro, Llama 4 405B, DeepSeek-V3, Mistral Large, Grok 3, Qwen3 72B). CAMPAIGN sweep: parallel ThreadPoolExecutor across all 8 targets. SQLite harvest DB. JKL-signed reports. OPEN/INJECT/UNLEASHED gate.
SPECTER JACKAL
L41
AI-Native Network Worm
AI-native self-replicating worm using hijacked LLMs as its attack engine. GPU seizure via LLMjacking funds zero-cost inference — each infected node adds to the attacker's reasoning pool, making attack cost approach zero at scale. SURVEY: nmap-style scan with GPU/Ollama/Ivanti fingerprinting. INFECT: CVE-2025-29927 (Next.js CVSS 9.1), CVE-2024-9379 (Ivanti CVSS 9.6), exposed Docker/Jupyter/Redis (CWE-306), SSH brute. HIJACK: nvidia-smi detection, Ollama bootstrap (DeepSeek-R1:1.5b), compute pool aggregation. REASON: per-target LLM attack strategy generation with DeepSeek ⟨think⟩ chain extraction. PROPAGATE: BFS self-replication via paramiko SSH, configurable depth. HARVEST: API key regex extraction (10 patterns: OpenAI/Anthropic/AWS/HF/GitHub/Replicate), SSH private keys, ~/.aws/credentials. BOTNET: XChaCha20-Poly1305 C2 mesh on port 31337. DESTROY gate + ROE "botnet formation authorised". HLX-signed reports. 5 WMD classes.
SPECTER HELIX
L42
Non-Human Identity Exploitation
Complete NHI exploitation lifecycle — enumerate, spoof, steal, escalate, harvest, persist, and strip AI agent identities. ENUMERATE: cloud IAM/SA/MI discovery across AWS/GCP/Azure, OAuth credential scan, MCP/agent token extraction, 8 API key patterns. SPOOF: CVE-2026-53849 Discord identity spoofing, CVE-2026-30969 session prediction, GHSA-6x44-w3xg-hqqf Azure IMDS PKCS#7 token theft, A2A agent card forgery, inter-agent trust escalation. STEAL-TOKEN: AiTM proxy interception, 5-step MCP session hijack via Mcp-Session-Id, OAuth token replay, RFC 8693 token exchange chaining, refresh token extraction from configs. ESCALATE: Vertex AI Double Agent privilege escalation, Entra ID Agent Administrator via MS Graph delegated permissions, Azure Arc managed identity harvest, OAuth scope chain escalation. HARVEST: 8 key types with live validation and scope expansion. PERSIST: refresh token loop, Azure OAuth backdoor grant, GCP SA clone, A2A agent resurrection. STRIP: RFC 7009 revocation, SA/MI disable, API key rotate-to-lockout, A2A DELETE /agents/{id} deregistration (UNLEASHED + --confirm-strip). GOVERNANCE-BLIND: NHI dark matter, short-lived agentic identities, overprivileged scope chains, audit attribution gaps. CHG-signed. 5 WMD classes.
SPECTER CHANGELING
L43
AI Companion & Social Platform Exploitation
Full attack lifecycle against AI companion platforms and the millions of users who trust them. ENUMERATE: 400+ endpoint probe, LLM provider fingerprint, TLS cert analysis, tracker detection. EXTRACT: 23 system-prompt extraction payloads. JAILBREAK: 47 bypass payloads — DAN/DUDE/AIM, crescendo 8-step, base64/ROT13/hex/unicode, crosslingual 6 languages, many-shot 256-shot, token smuggling. HIJACK: JWT algorithm confusion (RS256→HS256 with the DER-encoded public key reused as the HMAC secret), alg:none, OTP rate-limit probe, OAuth state fixation, session replay, email enumeration timing. PERSONA-FORGE: 12-message memory poisoning chain, 5 persona override injections, cross-session persistence validation, Levenshtein typosquat detection. HARVEST: async IDOR sweep across 10 endpoint templates, PII detection, payment endpoint probing (UNLEASHED). WEAPONISE: 7 social engineering payloads — credential harvest, 2FA theft, URL injection, spear-phish context abuse using intimate user data (UNLEASHED). CPX-{hex12} Ed25519-signed reports. 5 WMD classes.
SPECTER COMPANION
L44
Agentic Email & Calendar Exploitation
Gmail Gemini and Outlook Copilot AI agent attack surface — platform fingerprinting through autonomous action chain exploitation. FINGERPRINT: attack surface scoring 0–100, Copilot and Gemini AI feature detection, autonomous action capability probe. INJECT-BODY: 10 steganographic injection techniques — HTML hidden, HTML comment, zero-width Unicode, alt-text, CSS invisible, 200-line overflow, quoted reply, BiDi override, font-size:0, colour-match. POISON-THREAD: thread context summarisation hijack via quoted reply block. CALENDAR-HIJACK: ICS DESCRIPTION/X-AI-INSTRUCTION/SUMMARY/ATTENDEE/URL field injection + Graph API calendar event body injection. HARVEST: 16-keyword sensitive email search, contact book exfiltration via /v1.0/me/contacts, calendar intelligence, 10-pattern PII scan (OpenAI/Anthropic/AWS keys, NINO, credit cards, GitHub tokens, bearer tokens), email forward exfiltration. ACTION-CHAIN: 7-step Outlook Copilot autonomous chain (exfil_search→draft→forward→event→task→rule→send), 5-step Gmail Gemini chain, Copilot plugin 5-stage chain, persistent inbox rules via /v1.0/me/mailFolders/inbox/messageRules, Gmail persistent filters. PMX-{hex12} Ed25519-signed reports. 6 WMD classes: enterprise_email_ai_mass_compromise/email_ai_credential_exfiltration/persistent_inbox_rule_compromise/agentic_calendar_fleet_manipulation/copilot_autonomous_action_chain/gemini_agentic_email_hijack.
SPECTER POSTMASTER
L46
Post-Quantum AI Cryptography Exploitation
Classical cryptography vulnerability exploitation targeting AI agent attestation chains before post-quantum migration. ENUMERATE-CRYPTO: detect Ed25519/RSA/ECDSA in AI deployments. DOWNGRADE-TEST: force classical certificate acceptance where PQC is expected (JWT/TLS/MCP/attestation). ATTESTATION-BYPASS (INJECT): SPIFFE SVID, KYA tokens, A2A identity, OAuth JWT, NHI service accounts — all classical-signature acceptance vectors. PQC-READINESS-SCAN: ML-DSA/Falcon/SPHINCS+ implementation validation. PARAMETER-FLAG: RSA <3072, ECDSA P-256/P-384, SHA-1, Ed25519 — Shor/Grover risk profiles. DUAL-SIGN-VALIDATE: Ed25519 + ML-DSA-65 hybrid scheme (NIST FIPS 204). SURGERY-VALIDATE (SURGERY gate): prove trust architecture quantum collapse — forge classical signatures, bypass M99 Doomsday authorisation, corrupt RED SCORE evidence chain, impersonate MCP server certificates. QNT-{hex12} Ed25519+ML-DSA dual-signed reports. 5 WMD classes. ANSSI 2027 certification compliance check. EU AI Act Article 50 digital signature assessment.
SPECTER QUANTA
L51
Autonomous AI Kill Chain Orchestration
Full-autonomy attack campaign engine using DeepSeek R1:32b as reasoning core. DEPLOY-OBJECTIVE (OPEN): create SQLite-resumable session with goal/target-class/success-criteria/scope/kill-code-hash — 5 target classes: ai_infrastructure/enterprise_it/cloud_native/ot_industrial/financial_services. RECON-AUTONOMOUS (OPEN): TCP probe 15 AI service ports (Ollama:11434/Gradio:7860/Flowise:3000/Qdrant:6333/Streamlit:8501/MCP:1080/ROS2bridge:9090) + HTTP fingerprint + CVE match (Ollama CVE-2024-37032 CVSS 9.8/Gradio CVE-2024-47084 CVSS 9.8/Flowise CVE-2024-31621 CVSS 9.8) + attack surface score 0–1.0. PLAN-CAMPAIGN (INJECT): R1:32b generates multi-phase kill chain JSON from recon summary + NIGHTFALL_TOOL_REGISTRY (35 tools via subprocess). EXECUTE-AUTONOMOUS (UNLEASHED): phase-by-phase CLI invocation; detection risk scoring — failure +0.15/detection-sig +0.25/stealth-success -0.05; ≥0.7 → DORMANT. ADAPT-REASON (INJECT): R1 failure analysis → REPLAN/SKIP/DORMANT/ABORT. PERSIST-AUTONOMOUS (UNLEASHED): 4-vector self-healing fleet — ZOMBIE NHI token/VENOM supply chain/NOMAD document artifact/CHANGELING identity; HEAL re-implants cleared vectors. EXFIL-AUTONOMOUS (UNLEASHED): 3 covert channels — DNS tunnel (base32 hex subdomain), HTTP steganography (X-Request-ID/X-Correlation-ID), LLM-API C2 (natural chat completions to attacker API). KILL-SWITCH (OPEN): SHA-256 kill code verify → TERMINATED → persistence destroy → forensic shred (zero-overwrite) → kill report; dead-man switch auto-activates on operator silence. ANY-{hex12} Ed25519+ML-DSA-65 dual-signed. 5 WMD classes: autonomous_kill_chain_orchestration/self_healing_persistence_fleet/adaptive_attack_campaign/unattended_mission_execution/state_actor_emulation. OPEN/INJECT/UNLEASHED gate. 267 tests. Defensive pair: M169 ANARCHY SENTINEL.
SPECTER ANARCHY
L52
Autonomous Exploit Code Generation
Autonomous exploit code generation engine targeting AI inference infrastructure. FINGERPRINT-TARGET (OPEN): service detection across 11 AI ports (Ollama:11434/vLLM:8000/LiteLLM:8080/MLflow:5000/Ray:8265) + banner grab + CVE surface mapping + defence profile. FUZZ-TARGET (INJECT): AFL++ binary fuzzing + boofuzz protocol mutations; boundary inputs + format strings + protocol mutations; crash triage EXPLOITABLE/PROBABLY_EXPLOITABLE/UNKNOWN. SEARCH-EXPLOITS (OPEN): ARMORY DB keyword search + NVD CVE API + local exploit filesystem scan; confidence scoring. REASON-EXPLOIT (GENERATE): DeepSeek R1:32b via Ollama; strips <think> tags; 6 named AI inference templates: vLLM SSRF CVE-2024-5483 CVSS 9.0/Ollama LFI CVE-2024-37032 CVSS 9.8/LiteLLM JWT none-alg CVE-2024-5480 CVSS 9.8/llama.cpp GGUF RCE CVE-2024-34359 CVSS 9.6/MLflow pickle RCE CVE-2023-6709 CVSS 9.8/Ray unauth RCE CVE-2023-48022 CVSS 9.8; GPU thermal warn 85°C/pause 90°C. GENERATE-VARIANTS (GENERATE): 5 mutation strategies; full AV/EDR evasion: XOR/AES-CTR/AES-CBC encoding + Windows direct syscalls NtAllocateVirtualMemory(0x18)/NtWriteVirtualMemory(0x3A)/NtCreateThreadEx(0xC1) + process hollowing NtUnmapViewOfSection + early-bird APC + ETW patch ntdll!EtwEventWrite→0xC3 + AMSI bypass AmsiScanBuffer→mov eax,0x80070057;ret + Linux GOT overwrite + LD_PRELOAD constructor. TEST-EXPLOIT (INJECT): Docker sandbox auto-provisioned from target OS/service/defence profile; success indicators uid=0/root@/got shell. ADAPT-EXPLOIT (GENERATE): R1 feedback loop MAX 5 iterations; budget_exhausted flag. CHAIN-EXPLOITS (INJECT): 5 named chains — ssrf_to_iam/rce_to_gpu_pivot/mcp_to_payload/ollama_to_registry/litellm_jwt_to_corruption; JWT none-alg forging. EXECUTE-EXPLOIT (UNLEASHED): live subprocess execution; privilege detection root/cloud_iam; ROE "autonomous exploit generation authorised". FND-{hex12} Ed25519+ML-DSA-65 dual-signed. 
5 WMD classes: autonomous_exploit_generation/target_adaptive_exploit_development/zero_day_weaponisation/exploit_chain_orchestration/live_exploit_execution. OPEN/INJECT/GENERATE/UNLEASHED gate. 395 tests. Defensive pair: TBD.
SPECTER FOUNDRY
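Two entries on this page lean on the same JWT weakness: the COMPANION HIJACK step (algorithm confusion and alg:none) and the FOUNDRY litellm_jwt_to_corruption chain (none-alg forging). Both only work against a verifier that lets the token's own header choose the algorithm. The block below is an added example, not code from the page or any product it names: a minimal HS256/384/512 signer, the vulnerable verifier that honours `alg` from the header, and the pinned verifier that closes both alg:none and RS256-to-HS256 confusion. The key and claims are constructed.

```python
"""Added example (not from the page or any product it names): a JWT verifier that
trusts the token's own 'alg' header beside one that pins the algorithm."""
import base64
import hashlib
import hmac
import json
from typing import Optional

_HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a token. alg='none' yields the unsigned token an attacker submits."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    if alg == "none":
        return signing_input + "."
    mac = hmac.new(key, signing_input.encode(), _HMAC_ALGS[alg]).digest()
    return signing_input + "." + _b64url_encode(mac)

def verify_naive(token: str, key: bytes) -> Optional[dict]:
    """Vulnerable: the algorithm comes from the untrusted header. 'none' skips the
    signature entirely; with an RSA-configured service the same code path lets an
    attacker submit HS256 signed with the public key, which the server holds as 'key'."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(body_b64))
    mac = hmac.new(key, f"{head_b64}.{body_b64}".encode(), _HMAC_ALGS[header["alg"]]).digest()
    if _b64url_decode(sig_b64) == mac:       # plain == is also not constant-time
        return json.loads(_b64url_decode(body_b64))
    return None

def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256") -> Optional[dict]:
    """Hardened: algorithm fixed by the verifier, 'none' never accepted, signature
    compared in constant time, malformed tokens rejected before any crypto."""
    if expected_alg not in _HMAC_ALGS:
        return None
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:           # wrong segment count, bad base64, bad JSON
        return None
    if header.get("alg") != expected_alg:
        return None
    mac = hmac.new(key, f"{head_b64}.{body_b64}".encode(), _HMAC_ALGS[expected_alg]).digest()
    if not hmac.compare_digest(sig, mac):
        return None
    return json.loads(_b64url_decode(body_b64))

if __name__ == "__main__":
    KEY = b"constructed-shared-secret"            # constructed, not a real key
    forged = sign({"sub": "agent-7", "role": "admin"}, b"", alg="none")
    print("naive :", verify_naive(forged, KEY))   # accepts the forged admin claim
    print("pinned:", verify_pinned(forged, KEY))  # None
```

The same pinning rule is what to look for when reviewing any LLM gateway or agent platform that issues its own tokens: the accepted algorithm must be a server-side constant, never a value read from the token.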
L53
Cognitive Reasoning Backdoor
Cognitive reasoning backdoor implantation engine targeting LLM reasoning chains. FINGERPRINT-REASONING (OPEN): model family detection (DEEPSEEK_R1/QWQ/GEMINI_THINKING/GPT_O1/CLAUDE_EXTENDED/LLAMA/QWEN), access tier classification FULL/OBSERVABLE/BLIND, <think> token detection, latency fingerprint. MAP-ATTENTION (OPEN): FULL tier transformers register_forward_hook; identify synthesis layers by attention variance; build reasoning graph SYNTHESIS/BRIDGE/PARALLEL node roles; extract refusal direction vector; craft attention perturbation. MAP-REASONING-STREAM (OPEN): OBSERVABLE tier Ollama stream; capture <think>…</think> blocks; step extraction; synthesis_density metrics. MAP-MEMORY (OPEN): FragFuse arXiv:2606.15609 memory fragmentation bypass FRAGFUSE_BYPASS_RATE=0.863 (86.3% bypass rate, USENIX Security 2026); map 6 memory store types RAG_VECTOR/SQLITE/REDIS/FILE/LANGMEM/CUSTOM. POISON-REASONING-PROMPT (INJECT): 5 strategies SYSTEM_OVERRIDE/USER_INJECTION/TOOL_OUTPUT_FORGE/CONTEXT_FRAME/GRADIENT_DESCENT; conclusion redirect to attacker-controlled output. WEAVE-BACKDOOR (WEAVE): ShadowCoT arXiv:2504.05605 attention-level cognitive backdoor; load_model_for_analysis; ShadowCoTBackdoor.implant() registers perturbation hooks on synthesis layers; measure baseline + hijack rate; save_implant_profile; SHADOWCOT_WEAVE_KEY + ROE "cognitive backdoor implantation authorised". POISON-FINETUNE (INJECT): BadBone-style poisoned JSONL dataset; 10 benign reasoning pairs + 5 trigger response templates (exfil/redirect/deny/escalate/fabricate); verify_poison_dataset() activation_ratio. TRIGGER-IMPLANT (INJECT): TriggerType KEYWORD/SEMANTIC/USER/TIME/CHAIN/COMPOSITE; STEALTH_RATINGS COMPOSITE=0.95/CHAIN=0.9; build_composite_trigger. HIJACK-REASONING (INJECT): 3-tier live cognitive hijack. HARVEST-THOUGHTS (INJECT): visible_cot/forced_reveal/hook_capture; thought_blocks_captured / avg_steps_per_thought. SHD-{hex12} Ed25519+ML-DSA-65 dual-signed. 
5 WMD classes: cognitive_reasoning_backdoor/chain_of_thought_hijack/attention_manipulation/self_deceptive_model/unrecoverable_compromise. OPEN/INJECT/WEAVE/UNLEASHED gate. 231 tests. Defensive pair: M172 COGNITIVE INTEGRITY SENTINEL (planned).
SPECTER SHADOWCOT
L55
Orchestrator Intent Decomposition Exploitation
Semantic Intent Fragmentation (SIF) exploitation engine targeting LLM orchestrators — LangGraph, AutoGen, CrewAI, n8n, Flowise, Dify. arXiv:2604.08608 AAAI 2026 — 71% ASR. ENUMERATE-ORCHESTRATORS (OPEN): TCP probe 10 ports, banner fingerprint, FOUNDRY access detection (CLI/library/API). MAP-DECOMPOSITION-PATTERNS (OPEN): framework-specific split_strategy, blind_spots, policy_enforcement_points, subtask_isolation, cross_subtask_context, max_depth. CRAFT-SIF-PROMPT (INJECT): 25 SIF templates × 5 categories — data_exfil/scope_escalation/exfil_decompose/quasi_aggregate/foundry_deliver; semantic_score 0.0–1.0; requests appear legitimate with no red flags. INJECT-PIPELINE (INJECT): framework-native payload delivery with endpoint map per orchestrator type. FOUNDRY-ROUTE (INJECT): T154 SPECTER FOUNDRY integration — CLI/library/API modes; AUTO tries all. BULK-SCOPE-ESCALATE (INJECT): 6 domain paths probed; aggregate_violation when ≥2 sensitive domains accessed; individual subtasks appear within scope. SILENT-EXFIL-DECOMPOSE (INJECT): 4 chain templates (logging/analytics/backup/compliance); 3-step enumerate→format→transmit. TRIGGER-EMBED (INJECT): 5 trigger types split so no single fragment = full trigger value; assembled by orchestrator at runtime. QUASI-AGGREGATE (INJECT): k-anonymity subversion — access one quasi-identifier column per subtask; no single subtask constitutes PII; aggregate reconstructs identity. VALIDATE-BYPASS (INJECT): 5-check confirmation. DCP-{hex12} Ed25519+ML-DSA-65 dual-signed. OPEN/INJECT/UNLEASHED gate. 6 WMD classes: orchestrator_plan_decomposition_exploit/intent_fragmentation_attack/policy_bypass_via_composition/silent_data_exfiltration/orchestrator_trust_subversion/orchestrator_weaponisation. MITRE ATT&CK T1072/T1190/T1539/T1552; ATLAS AML.T0051/T0063/T0069. 362 tests.
SPECTER DECOMPOSE
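The BULK-SCOPE-ESCALATE, SILENT-EXFIL-DECOMPOSE and QUASI-AGGREGATE steps above all exploit one design flaw: the policy enforcement point sees each subtask in isolation. The block below is an added example, not code from the page or any orchestrator it names, showing the check a practitioner would want instead: a per-subtask policy that every fragment of a constructed plan passes, beside a plan-level policy that evaluates the assembled plan and catches the aggregate domain violation, the quasi-identifier reconstruction, and the enumerate→format→transmit exfil chain through taint propagation over subtask inputs. The domain names, column names and sink actions are assumptions for illustration.

```python
"""Added example (not from the page or any orchestrator it names): plan-level
policy composition versus per-subtask checks on a constructed decomposition plan."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

SENSITIVE_DOMAINS = {"hr", "health", "finance", "legal"}       # assumed classification
QUASI_IDENTIFIERS = {"zip", "birthdate", "sex"}                 # the classic re-identification triple
EXTERNAL_SINKS = {"http_post", "email_send", "webhook"}          # actions that leave the boundary

@dataclass(frozen=True)
class Subtask:
    id: str
    action: str                              # read | format | http_post | ...
    domain: Optional[str] = None             # data domain read by this step, if any
    columns: FrozenSet[str] = frozenset()
    inputs: Tuple[str, ...] = ()             # upstream subtask ids whose output this step consumes

def check_subtask(t: Subtask) -> List[str]:
    """The per-subtask policy a typical PEP applies; every fragment below passes it."""
    violations = []
    if len(t.columns & QUASI_IDENTIFIERS) > 1:
        violations.append(f"{t.id}: reads multiple quasi-identifiers")
    if t.action in EXTERNAL_SINKS and t.domain in SENSITIVE_DOMAINS:
        violations.append(f"{t.id}: sends sensitive domain data externally")
    return violations

def _taint(plan: List[Subtask]) -> Dict[str, Set[str]]:
    """Which sensitive domains reach each step, transitively through its inputs."""
    by_id = {t.id: t for t in plan}
    reach: Dict[str, Set[str]] = {}

    def visit(tid: str) -> Set[str]:
        if tid in reach:
            return reach[tid]
        reach[tid] = set()                  # guard against cycles in a malformed plan
        t = by_id[tid]
        s = {t.domain} if t.domain in SENSITIVE_DOMAINS else set()
        for up in t.inputs:
            s |= visit(up)
        reach[tid] = s
        return s

    for t in plan:
        visit(t.id)
    return reach

def check_plan(plan: List[Subtask]) -> List[str]:
    """Composition policy: judge what the assembled plan does, not what each fragment does."""
    violations = []
    domains = {t.domain for t in plan if t.domain in SENSITIVE_DOMAINS}
    if len(domains) >= 2:
        violations.append(f"aggregate_violation: {sorted(domains)} combined in one plan")
    qi = set().union(*(t.columns for t in plan)) & QUASI_IDENTIFIERS
    if len(qi) >= 2:
        violations.append(f"quasi_identifier_reconstruction: {sorted(qi)} assembled across subtasks")
    reach = _taint(plan)
    for t in plan:
        if t.action in EXTERNAL_SINKS and reach[t.id]:
            violations.append(f"exfil_chain: {t.id} transmits data derived from {sorted(reach[t.id])}")
    return violations

def constructed_plan() -> List[Subtask]:
    """Constructed decomposition of a 'compliance upload' request: one harmless-looking
    column per read step, then format, then transmit."""
    return [
        Subtask("t1", "read", "hr", frozenset({"zip"})),
        Subtask("t2", "read", "health", frozenset({"birthdate"})),
        Subtask("t3", "read", "hr", frozenset({"sex"})),
        Subtask("t4", "format", inputs=("t1", "t2", "t3")),
        Subtask("t5", "http_post", inputs=("t4",)),
    ]

if __name__ == "__main__":
    plan = constructed_plan()
    print("per-subtask:", [v for t in plan for v in check_subtask(t)])   # []
    print("plan-level :", check_plan(plan))
```

The plan-level check needs the orchestrator to expose the full decomposition graph before execution; frameworks that only surface individual tool calls to the policy layer cannot run it, which is the blind spot the SIF templates are built to hit.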
L56
Model Creation Pipeline Subversion
Model Creation Pipeline Subversion Engine — Your model was never safe. We poisoned it before it existed. ENUMERATE-PIPELINES (OPEN): scan fine-tuning API endpoints OpenAI/Together/Replicate/HuggingFace/AnyScale/Fireworks; training framework detection PyTorch/JAX/TensorFlow; pipeline credential scan. POISON-TRAINING-DATA (INJECT): Unicode tag U+E0000–U+E007F invisible steganographic backdoor trigger; DDIPE arXiv:2604.03081 document-driven implicit payload execution; POISE arXiv:2606.07943 position-aware backdoor; SCH arXiv:2605.14460 semantic compliance hijacking. CORRUPT-RLHF (INJECT): ShadowAlignment arXiv:2310.02949 100-pair preference inversion — 100 pairs sufficient to wipe safety alignment; reward model annotation poisoning; RLHF endpoint exfiltration. BACKDOOR-FINETUNE (INJECT): fine-tuning API backdoor injection across OpenAI/Together/HuggingFace AutoTrain; distributed multi-epoch injection split across 10 jobs to evade per-job content filters. TROJAN-SYNTHESIZE (INJECT): BadEdit arXiv:2403.13355 few-shot weight modification 0.01% param change 94% ASR; PoisonGPT arXiv:2308.00950 surgical lm_head factual neuron edit. BYPASS-SAFETY-EVALS (INJECT): HarmBench/SafetyBench trigger dormancy evasion; semantic backdoor trigger bypasses keyword filters; latent space cosine similarity trigger. PUBLISH-TROJAN-MODEL (INJECT): HuggingFace Hub trojan model publication with fabricated safety scores; sock-puppet download inflation. SUPPLY-CHAIN-BACKDOOR (INJECT): transformers/peft/safetensors/llama-cpp-python/vLLM library hook injection; targets 45,000+ HuggingFace repos arXiv:2604.27426. ACTIVATE-SLEEPER (UNLEASHED): Anthropic sleeper agent arXiv:2401.05566 — RLHF-resistant backdoor that survives safety training; year-based temporal trigger. MASS-TRIGGER (ARMAGEDDON): simultaneous ThreadPoolExecutor max_workers=16 trigger across all registered model instances; irreversible; GENESIS_KEY + ROE + --confirm-armageddon required. 
HARVEST-CREATION (UNLEASHED): credential/training-data/model-registry/RLHF data exfiltration. GNS-{hex12} Ed25519+ML-DSA-65 dual-signed. 4-tier gate: OPEN/INJECT/UNLEASHED/ARMAGEDDON. 6 WMD classes: training_pipeline_poisoning/fine_tune_api_backdoor/trojan_model_publishing/supply_chain_code_backdoor/sleeper_agent_activation/mass_ai_compromise. MITRE ATT&CK T1195.001/T1059.006/T1552/T1546; ATLAS AML.T0018/AML.T0020/AML.T0043/AML.T0054. Defensive pair: M176 CREATION PIPELINE SENTINEL (future). 338 tests.
SPECTER GENESIS
L57
Energy Grid AI Exploitation
Energy Grid AI Exploitation Engine — ENUMERATE-GRID-INFRASTRUCTURE (OPEN): concurrent IEC 60870-5-104/DNP3/Modbus/BACnet/OPC-UA/ICCP/HTTP EMS scanning; AI forecasting fingerprint; attack surface score. INJECT-ADVERSARIAL-DATA (INJECT): FGSM adversarial perturbation on SCADA load time-series; epsilon_mw=40; Gaussian temporal smoothing; autocorrelation+seasonal drift preservation; stealth_score>0.88. UNDER-FORECAST-DEMAND (INJECT): AR(24) autoregressive 100-iteration optimal gap-widening; peak_hours=[16–22 UTC]; anomaly_threshold_sigma=3.0; z-score alert suppression. TRIGGER-PEAK-DEMAND (UNLEASHED): NTP-synchronised multi-substation coordinated trigger; demand_increase=total_reserve*0.95 ARMAGEDDON; ROE "energy grid cascading failure authorised". SUBSTATION-OVERLOAD (UNLEASHED): IEC 60255-151 inverse-time relay t=0.14/(M^0.02-1)*2.0s; IEC104 C_SE_NC_1 + DNP3 CROB breaker open; DC power flow redistribution by headroom. CASCADE-PROPAGATE (UNLEASHED): N-k contingency iteration; unstoppable when capacity_lost≥50%. BLACKOUT-CONFIRM (UNLEASHED): major_metropolitan/large_city/medium_city classification; CATASTROPHIC restoration_complexity; critical_infra=['hospital_life_support','water_treatment','financial_clearing','emergency_services','telecommunications']; unrecoverable when fraction_lost≥0.9. HARVEST-GRID-DATA (INJECT): 30-path HTTP harvest /actuator/env/.env/api/config/v1/model; credential+API_key+SCADA_config+model_weight+contingency_plan extraction. PERSIST-GRID-BACKDOOR (ARMAGEDDON): 4 mechanisms: training_pipeline_cron+webhook/scada_hook/model_weight_trigger_neuron/scheduled_job_api; execute=True ARMAGEDDON only; ROE "energy grid persistence backdoor authorised" + --confirm-armageddon. GLK-{hex12} Ed25519+ML-DSA-65 dual-signed. 4-tier gate: OPEN/INJECT/UNLEASHED/ARMAGEDDON. 6 WMD classes: scada_load_forecasting_subversion/ai_orchestrated_grid_cascade/energy_grid_persistence_backdoor/critical_infrastructure_blackout/ot_ai_credential_harvest/mass_grid_annihilation. 
MITRE ATT&CK T1565/T1499/T1190/T1552/T1543; ATLAS AML.T0043/AML.T0054/AML.T0040. 312 tests.
SPECTER GRIDLOCK
L58
Inference-Time Chat Template Backdoor
Inference-Time Chat Template Backdoor Engine — exploits Jinja2 chat templates stored in tokenizer_config.json that execute before any input-level defence or content-policy filter. ENUMERATE-TEMPLATES (OPEN): recursive local scan + HuggingFace Hub /api/models/{id} probe + Ollama /api/show. ANALYZE-TEMPLATE-SURFACE (OPEN): format detection (Jinja2/Go/llama.cpp), model family fingerprint (llama3/chatml/phi/gemma/mistral), 7 injection point classification, attack_surface_score 0.0–1.0. TRIGGER-CONDITION (INJECT): 5 trigger types — KEYWORD via list.append() cross-scope mutation trick ({%- set _tpl_chk = [] -%} for-loop append then len>0 check bypasses Jinja2 scope isolation), DATE (now_unix >= epoch), TURN_COUNT (messages|length >= n), USER_ID (id in allowlist), COMPOSITE (AND/OR). Stealth: COMPOSITE=0.90/DATE=0.80/USER_ID=0.80/TURN_COUNT=0.75/KEYWORD=0.60. FORGE-BACKDOOR-TEMPLATE (INJECT): 5 backdoor types — FACTUAL_CORRUPTION (inject fake WHO/CDC/NCSC advisory prefix; 90%→15% factual accuracy drop), URL_INJECTION (attacker URL in gen_prompt suffix; >80% emission rate), TOOL_HIJACK (mutate tool api_url at render time), SYSTEM_PROMPT_AUGMENTATION (prepend malicious system message before legitimate system), SILENT_EXFIL (URL-encoded user content in x-ref header prefix). HIDE-FROM-SCANS (INJECT): 6-stage obfuscation — variable aliasing, cover comment injection ({# perf: early message classification pass #}), URL string-split at '://' boundary (evades https?:// regex scanners), trigger minification; arXiv:2602.04653: all poisoned artifacts evade HF Hub security scans. VALIDATE-DORMANT (OPEN): 10 benign probes, dormancy score 1.0 = zero degradation, trigger fire confirmation. INJECT-TEMPLATE (INJECT): LOCAL_FILE/HF_HUB (bearer PUT /api/models/{id}/upload/main/tokenizer_config.json)/INFERENCE_SERVER_CACHE (vLLM management API POST /v1/models/{model}/template)/PIPELINE_CONFIG (LangChain/LlamaIndex JSON/YAML patch). 
ACTIVATE-BACKDOOR (UNLEASHED): measure ASR, factual accuracy delta, URL emission rate, tool hijack confirmation; TEMPLATE_UNLEASHED_KEY + ROE "chat template backdoor activation authorised". PROPAGATE-SUPPLY-CHAIN (UNLEASHED): downstream consumer scan (pipeline.json/docker-compose.yml/requirements.txt transformers|langchain fingerprint); HF cache overwrite ~/.cache/huggingface/hub/models--{org}--{model}/snapshots/*/tokenizer_config.json; cascade depth 1–3; reach = #consumers × 500/day × 1.5^depth. TPL-{hex12} Ed25519+ML-DSA-65 dual-signed. 3-tier gate: OPEN/INJECT/UNLEASHED. 5 WMD classes: chat_template_backdoor/inference_time_payload/supply_chain_template_compromise/agent_tool_hijack/multi_agent_cascade. MITRE ATT&CK T1195.001/T1027/T1565/T1059.006; ATLAS AML.T0018/AML.T0020/AML.T0054/AML.T0043. arXiv:2602.04653 (ICLR 2026 Workshop). Defensive pair: M181 CHAT TEMPLATE SENTINEL. 300 tests.
SPECTER TEMPLATE
L59
Tor-Native AI C2 & Exfiltration
Tor-Native AI C2 & Exfiltration Engine — routes AI agent exfiltration, model weight theft, and C2 communication entirely through the Tor network. ESTABLISH-CIRCUIT (OPEN): Tor binary detection; SOCKS5 port probe 9050/9150/1080; stem controller circuit info — guard node, path length, exit country; latency measurement via SOCKS5h proxy. SPIN-ONION-SERVICE (INJECT): Ed25519 keypair generation; SHA3-256 v3 onion address derivation (pubkey + checksum + \x03); HS dir files hs_ed25519_secret_key/hs_ed25519_public_key/hostname; stem HiddenServiceDir register; PHANTOMNET_INJECT_KEY + ROE "tor exfiltration authorised". ONION-C2-REGISTER (INJECT): environment fingerprint — AI env key prefix-match (ANTHROPIC_/OPENAI_/HF_), psutil inference process detection, model dir scan, container detection /.dockerenv+/proc/1/cgroup, nvidia-smi GPU count; POST registration + heartbeat jitter via SOCKS5h. HARVEST-WEIGHTS (INJECT): rglob WEIGHT_EXTENSIONS {.safetensors/.gguf/.bin/.pth/.pt/.ckpt/.pkl}; SHA-256 integrity hash per file; 512KB Tor-chunked streaming POST to operator onion address; codellama/llama/mistral/phi/gemma/qwen/deepseek/falcon family detection. HARVEST-CREDENTIALS (INJECT): env vars + CREDENTIAL_SOURCES config paths + .env files; 10 provider regex patterns — Anthropic/OpenAI/HuggingFace/AWS/Replicate/Together/OpenRouter/Cohere/W&B; 8-char redaction prefix; value validation. HARVEST-INFERENCE-LOGS (UNLEASHED): Ollama/vLLM/LiteLLM/TGI log path probe + psutil process open_files discovery; regex extraction — "prompt"/"content"/"response"/"text"/[INST]/im_start chat template markers; 500-char truncation per entry; PHANTOMNET_UNLEASHED_KEY. ENCODE-TRAFFIC (INJECT): fixed-cell 512B padding defeating DeepCoFFEA arXiv:2107.09028 (IEEE S&P 2022); timing jitter 50–200ms uniform random; NetCLR 2025 guard rotation GuardLifetime 1 day; stealth_score>0.92 = base 0.70 + per-technique deltas; stem Controller.from_port(9051) torrc injection. PERSIST-CIRCUIT (UNLEASHED): cron/systemd guard-process auto-detection; restart_circuit.sh torrc-backed keepalive script; 24h MaxCircuitDirtiness guard rotation; container restart survival via volume torrc; survival_score 0.80 (cron)–0.92 (systemd). SEED-PAYLOAD (INJECT): SHA-256 file integrity hash; MIME detection .gguf/.safetensors→application/octet-stream; HTTPServer daemon thread 127.0.0.1:port; path_key download registry; chains with T158 GENESIS supply-chain delivery of backdoored model files. PHN-{hex12} Ed25519+ML-DSA-65 dual-signed. 3-tier gate: OPEN/INJECT/UNLEASHED. 5 WMD classes: ai_agent_tor_exfiltration/onion_c2_infrastructure/model_weight_darknet_theft/inference_log_surveillance/tor_persistent_implant. MITRE ATT&CK T1090.003/T1041/T1567/T1547/T1552; ATLAS AML.T0024/AML.T0025/AML.T0044/AML.T0048. Defensive pair: M177 TOR EXFILTRATION SENTINEL. 344 tests.
SPECTER PHANTOMNET
L60
Bitcoin Tracing & Deanonymisation
Bitcoin Tracing & Deanonymisation Engine — ENUMERATE-WALLET (OPEN): address type detection (P2PKH/P2SH/P2WPKH/P2TR), balance query via public APIs, first-seen/last-seen timestamps, tx count, UTXO set. TRACE-FORWARD (INJECT): forward transaction graph traversal, breadth-first to configured depth, output address clustering, output value analysis, change-address heuristics, LOCARD arXiv:2604.04211 entity scoring. TRACE-BACKWARD (INJECT): backward graph traversal, input funding chains, coinbase distance, mixing detection via value/timing entropy. CLUSTER-ADDRESSES (INJECT): common-input-ownership heuristic, co-spend graph construction, GCN/GAT graph neural network entity grouping, Thor25 2026 dataset embeddings. DEANONYMISE (INJECT): WHOIS/KYC exchange address DB lookup, dust-attack correlation, timing analysis, IP leak correlation via transaction propagation timing. DETECT-MIXERS (OPEN): equal-value output detection, CoinJoin fingerprint, Wasabi/JoinMarket pattern matching, atomic swap detection, peel-chain identification. PROFILE-ENTITY (INJECT): aggregate cluster balance, estimated fiat value, exchange affiliation, risk score 0–100 (mixer-exposure, darknet, ransom, sanctioned-entity), FATF Travel Rule metadata. INTELLIGENCE-REPORT (OPEN): SAT-{hex12} Ed25519+ML-DSA-65 dual-signed canonical JSON; MITRE ATT&CK T1659/T1565; ATLAS AML.T0057; entity graph Graphviz DOT export. PERSIST-SURVEILLANCE (INJECT): cron-scheduled address monitoring, webhook alert on new tx, threshold alerts (balance/tx-count). WEAPONISE (WEAPONISE): load intelligence report into NIGHTFALL campaign; route to WARLORD for coordinated engagement; SATOSHI_WEAPONISE_KEY + ROE "bitcoin intelligence weaponisation authorised" + --confirm-weaponise. 4-tier gate: OPEN/INJECT/UNLEASHED/WEAPONISE. SAT-{hex12} Ed25519+ML-DSA-65 dual-signed. 5 WMD classes: bitcoin_deanonymisation/transaction_graph_tracing/mixing_service_detection/entity_profiling/intelligence_weaponisation. LOCARD arXiv:2604.04211; GCN/GAT AML; Thor25 dataset 2026. 379 tests.
SPECTER SATOSHI
L61
AI Model Dormant Backdoor Implantation
AI Model Dormant Backdoor Implantation — FORGE-BACKDOOR (INJECT): weight-space injection for GGUF/safetensors, fine-tune dataset poisoning for API endpoints, adapter layer insertion for LoRA hosts; generates trigger and payload objects independently. ENCODE-TRIGGER (INJECT): AES-256-GCM encoded trigger — TEMPORAL (UTC countdown), GEOSPATIAL (GPS bounding box / country code), USAGE (cumulative inference call threshold), ENVIRONMENTAL (env var key=value), COMPOSITE (AND/OR of 2+ factors). ENCODE-PAYLOAD (INJECT): independently encrypted payload — CORRUPT-FACT (domain-tuned false claim injection), TOOL-HIJACK (regex-matched tool call redirect to operator endpoint), EXFIL-ALL (conversation+system prompt webhook stream, DNF jitter mode), SUICIDE (weight checksum corruption, unrecoverable crash), CASCADE (adversarial instruction injection into downstream agent calls, depth 1–5). VALIDATE-DORMANT (INJECT): 20-probe behavioral fingerprint battery; dormancy score 0–1.0; score 0.85+ confirms waiting state. PUBLISH-MODEL (INJECT): HuggingFace Hub, Ollama registry, local cache, S3/CDN; clean model card defeats automated safety scans. PROPAGATE-TIMEBOMB (INJECT): enumerate dependent services, CI/CD auto-update pipelines, container image re-pulls, supply chain cascade. SURVEY-INSTANCES (OPEN): enumerate live model instances across Ollama/vLLM/SGLang/LM Studio/HF Endpoints. DORMANT-PROBE (OPEN): standalone behavioral fingerprinting by independent operator — no INJECT key required. ACTIVATE-DETONATE (DETONATE): TIMEBOMB_KEY + TIMEBOMB_AUTH_KEY two-person rule; ROE "timebomb detonation authorised" + --confirm-detonate; co-signed detonation report. HARVEST-TIMEBOMB (UNLEASHED): post-detonation inference log collection, blast radius computation. PERSIST-TIMEBOMB (UNLEASHED): fine-tune pipeline re-injection, RLHF reward model backdoor, CI/CD webhook persistence. EVIDENCE-CLEAN (UNLEASHED): zero-overwrite session data, publication trail removal. 4-tier gate: OPEN/INJECT/UNLEASHED/DETONATE. TMB-{hex12} Ed25519+ML-DSA-65 dual-signed. 6 WMD classes: dormant_model_backdoor_implantation/trigger_conditioned_payload_execution/ai_supply_chain_timebomb/model_weight_integrity_destruction/multi_agent_cascade_detonation/post_deployment_ai_weaponisation. MITRE ATT&CK T1554/T1601/T1195/T1542/T1027/T1485; ATLAS AML.T0020/AML.T0018/AML.T0044/AML.T0048/AML.T0010. Defensive pair: M188 TIMEBOMB SENTINEL. 419 tests.
SPECTER TIMEBOMB
L54
AI Inference Infrastructure RCE
AI Inference Infrastructure RCE Engine targeting SGLang, vLLM, Ollama, and llama.cpp deployments. SURVEY-INFERENCE-INFRA (OPEN): 20-port probe, banner fingerprint, CVE surface map. PROBE-ZMQ-EXPOSURE (INJECT): TCP connect tcp://*:30001+30002, ZMQ handshake, pickle __reduce__ canary probe, latency jitter. EXPLOIT-ZMQ-PICKLE (INJECT): CVE-2026-3059 CVSS 9.8 — SGLang ZMQ backend unauthenticated pickle.__reduce__ RCE; os.system/subprocess/revshell/beacon/obfuscated variants; two-phase send+read with output capture. EXPLOIT-ENCODER-ZMQ (INJECT): CVE-2026-3060 CVSS 9.8 — encoder ZMQ port 30002. EXPLOIT-JINJA2-SSTI (INJECT): CVE-2026-5760 CVSS 9.8 — SGLang /v1/rerank GGUF chat_template Jinja2 SSTI; 8 variants: subclasses/lipsum/cycler/joiner/namespace/ospopen/config/import. EXPLOIT-VLLM-VIDEO (INJECT): CVE-2026-22778 CVSS 9.8 — vLLM multimodal video URL FFmpeg JPEG2000 heap overflow; file:// SSRF pivot to IMDSv1/GCP metadata. POST-EXPLOIT-HARVEST (UNLEASHED): model weight path enumeration, API key extract from env+config+process memory, GPU cluster topology (Ray/Slurm/K8s). PIVOT-GPU-CLUSTER (UNLEASHED): Ray num_cpus=0 job dispatch / Slurm ntasks-per-node=1 sbatch all-node / K8s privileged DaemonSet deployment. PERSIST-INFERENCE-HOOK (DESTROY): cron @reboot+*/15; ZMQ injected hook HOOK-ZMQ; API middleware HOOK-API; model weight trigger HOOK-MODEL; ROE "inference infrastructure persistence authorised" + --confirm-persistence. GENERATE-EXPLOIT (INJECT): ARMORY HYBRID — DB lookup + DeepSeek R1:32b synthesis for novel inference CVE payloads. SMQ-{hex12} Ed25519+ML-DSA-65 dual-signed. 4-tier gate: OPEN/INJECT/UNLEASHED/DESTROY. 5 WMD classes: inference_server_rce/ai_infrastructure_takeover/shadow_mq_exploitation/model_weight_theft/inference_persistent_backdoor. MITRE ATT&CK T1059/T1190/T1552/T1543/T1046; ATLAS AML.T0043/AML.T0056/AML.T0040. Defensive pair: M172 COGNITIVE INTEGRITY SENTINEL. 381 tests.
SPECTER SHADOWMQ
L50
Artifact-Mediated AI Cognitive Persistence
Cross-platform AI persistence via adversarial instructions embedded in the human's document ecosystem. SURVEY (OPEN): fingerprint 8 AI platforms for document ingestion capability, score local filesystem for AI-adjacent doc attack surface (ai_adjacent +50 / cloud_sync +30 / access_count +20). FORGE (INJECT): create poisoned artifacts in 8 formats — PDF (1pt white invisible text + metadata + annotation), DOCX (w:vanish hidden text + custom XML), ICS (DESCRIPTION+X-ALT-DESC+COMMENT+X-NOMAD-CTX), EML (X-headers+plain suffix+HTML hidden span), Markdown (YAML frontmatter+HTML comment+details element+ZW unicode), XLSX (hidden sheet _NomadCtx+cell comments+workbook keywords), HTML (comments+display:none+meta tags+noscript+data-attrs), TXT (ZW steganography+system context footer). 3 camouflage levels: SURFACE/STEALTH/COVERT. 4 trigger types: ALWAYS/KEYWORD/CONTEXT/TEMPORAL. MAP (INJECT): document ecosystem blast radius scan — git repos/cloud sync/email dirs/CLAUDE.md ×20 multiplier. MUTATE (INJECT): 5 strategies — paraphrase/homoglyph/fragment/base64_wrap/unicode_normalize. PLANT (UNLEASHED): deliver via local/email SMTP-SSL/HTTP PUT WebDAV/git commit. VERIFY (INJECT): ASR measurement across OpenAI/Anthropic/Ollama APIs — ACTIVATED/PARTIAL/EVADED/ERROR verdict. ERASE (DESTROY): zero-overwrite + delete. NMD-{hex12} Ed25519+ML-DSA-65 dual-signed. Persistence model: re-activates on ANY AI platform when human uploads/pastes poisoned content — survives RAG wipes/model updates/account resets/platform switches. arXiv:2302.12173 (Greshake)/arXiv:2503.14281 (XOXO)/arXiv:2509.10540 (EchoLeak)/arXiv:2506.02456 (VPI-Bench). 5 WMD classes: cross_platform_ai_instruction_persistence/human_document_ecosystem_poisoning/artifact_mediated_ai_belief_manipulation/persistent_ai_instruction_chain_survival/document_ecosystem_cognitive_annihilation. Defensive pair: M168 NOMAD SENTINEL.
SPECTER NOMAD
L49
Polymorphic AI Supply-Chain Worm Propagation
Polymorphic worm engine targeting developer AI coding agent trust. ENUMERATE-TARGETS (OPEN): discover AI coding agents (Claude Code/Cursor/Copilot/Gemini CLI/Windsurf/Kiro), package managers, git repos, CI/CD, credentials. FORGE-PAYLOAD (MUTATE): 5-stage polymorphic pipeline — Stage 1 AES-256-GCM per-file encrypt, Stage 2 random string insertion, Stage 3 source identifier transform, Stage 4 JS obfuscation dead-code+string-split, Stage 5 three-layer self-extracting loader base64→XOR→AES; seed-deterministic for reproducible engagements. POISON-REPO (INJECT): package.json preinstall/install/postinstall hooks, .claude/settings.json Stop+PostToolUse hooks, .cursorrules, .gemini/settings.json, Python .pth, binding.gyp compile-time execution, zero-width Unicode evasion. PUBLISH-PACKAGE (INJECT): npm/PyPI via typosquat or dependency confusion, SLSA provenance abuse via OIDC tokens, --dry-run default. PROPAGATE-WORM (UNLEASHED): self-propagate across local git repos, inject GitHub Actions workflows, create PR records. HARVEST-CREDENTIALS (UNLEASHED): GitHub tokens/npm tokens/AWS keys/SSH keys/API keys via regex scan. PERSIST-WORM (UNLEASHED): 7 mechanisms — Python .pth, Claude Code hook, Cursor rules, Gemini settings, cron, systemd timer, GitHub Actions backdoor. EVADE-SCANNERS (INJECT): 6 LLM prompt injection templates, zero-width chars, homoglyphs, multi-stage payload split. MUTATE-PAYLOAD (MUTATE): regenerate with new seed — different AES key, XOR key, b64 payload, loader JS. Based on the real Miasma/Shai-Hulud worm. MIA-{hex12} Ed25519-signed. 5 WMD classes: polymorphic_supply_chain_worm/ai_agent_config_backdoor/oidc_token_abuse/developer_environment_total_compromise/vaccine_resistant_worm_campaign. Defensive pair: M167 MIASMA VACCINE SENTINEL.
SPECTER MIASMA
L48
Agentic Tool Error Exploitation
MCP error-path injection into AI coding agents via crafted JSON-RPC error messages that trigger corrective reasoning loops. ENUMERATE-MCP (OPEN): reads 5 agent config paths for Claude Code/Cursor/Copilot/Windsurf/Kiro, maps all MCP servers, transport types and port endpoints. FINGERPRINT-ERRORS (OPEN): probes existing HTTP MCP servers for error response format; known-server DB for mcp-server-fetch/playwright/github/filesystem/brave-search. CRAFT-INJECT (INJECT): 6 vectors — TIMEOUT/-32001 (retry suggestion), PERMISSION/-32002 (sudo escalation), CERTIFICATE/-32003 (TLS bypass), QUOTA/-32004 (API key switch), DEPENDENCY/-32005 (malicious pip/npm install), FETCH_RESPONSE/-32000 (embedded shell command). DELIVER-ERROR (INJECT): rogue aiohttp Streamable HTTP POST /mcp, impersonates mcp-server-fetch, MCP 2025-06-18 protocol; atexit+SIGTERM+SIGHUP config auto-restore ensures cleanup even on crash. TRIGGER-REASONING (INJECT): polls rogue server call log for corrective action evidence (regex credential harvest, tool call argument analysis). ESCALATE (INJECT): env var + 8 config file credential harvest (Anthropic/OpenAI/AWS/GitHub/Azure); WARLORD routing T130 CHARYBDIS/T134 RAPTOR/T122 GHOST. PERSIST (UNLEASHED): injects "agentjack-persist" streamable-http entry into all 5 agent MCP configs; atexit backup restore; ROE "mcp error-path injection and agent backdoor authorised" + Ed25519. AutoJack: CVE-2026-25253 ClawHub gatewayUrl RCE CVSS 8.8 (malicious web page → MCP WebSocket → zero-click shell); CVE-2026-32922 OpenClaw MCP worm CVSS 9.9 (install_mcp_server self-propagation). AJK-{hex12} Ed25519+ML-DSA-65 dual-signed. 5 WMD classes: mcp_error_path_injection/agent_trust_subversion/auto_jack_rce/mcp_server_backdoor/developer_environment_compromise. Defensive pair: M166 AGENTJACK SENTINEL.
SPECTER AGENTJACK
L47
Multi-Agent Swarm Coordination Exploitation
Adversarial takeover of multi-agent swarms via coordination layer exploitation. ENUMERATE-SWARM (OPEN): LangGraph SQLite checkpoint survey, Redis swarm agent registry, n8n/Flowise/AutoGen Studio REST survey, package detect, MetaGPT message pool. POISON-COORDINATOR (INJECT): LangGraph supervisor_routing_override, AutoGen GroupChatManager speaker bias, CrewAI manager task output poison, Redis coordinator key override, REST API inject. LEADER-HIJACK (INJECT): 5 failure signal templates (timeout/quality 0.08/reliability 0.04/4–5 consecutive fail/health check FAILED) across LangGraph/AutoGen/Redis. BLACKBOARD-POISON (INJECT): LangGraph State/Redis keyspace/AutoGen history/file-state JSON cascade — confidence=0.99, source=coordinator_verified, individual_memory_clean=True. MISSION-REWRITE (INJECT): LangGraph mission channel substitution, Redis swarm:mission key override, recursive JSON key substitution (mission/objective/goal/directive). QUORUM-COLLAPSE (UNLEASHED): 5 distrust signal templates per agent, quorum_fractured=True, consensus_owner seizure, full cross-framework. GHOST-AGENT (UNLEASHED): 3 persistence mechanisms — LangGraph SQLite checkpoint_blobs, Redis no-TTL key registration, skill_registry auto_load=True visible_to_monitoring=False — invisible to LangSmith/Langfuse/Arize, no LLM call generated. HIV-{hex12} Ed25519-signed reports. 5 WMD classes: swarm_consensus_full_takeover/coordinator_context_adversarial_control/blackboard_cascade_poisoning/mission_directive_hijack/ghost_agent_persistent_infiltration. Defensive pair: M165 HIVE COORDINATION SENTINEL.
SPECTER HIVE
L45
AI Sequential Pipeline Exploitation
Inter-step interface attacks across LangChain LCEL, Flowise, n8n, Celery, Redis Streams, AWS SQS, Kafka, RabbitMQ, Azure Service Bus and RAG retrieval pipelines. ENUMERATE: framework detection + injection point mapping + Celery key probe + GitHub AI workflow scan + Step Functions ARN listing. SPLICE: 7 techniques — Celery result forge (redis SET celery-task-meta-{uuid}), Redis Stream inject (XADD), LangChain SSRF CVE-2024-27564 CVSS 7.5, n8n state patch (PATCH /rest/workflows/{id}), SQS message inject, Azure Durable inject, Flowise node inject. POISON-CONTEXT: 6 vectors — multi-turn inject, tool output forge, step smuggle, scratchpad poison, context overflow (arXiv:2603.20357), system prompt inject. RAG-INTERCEPT: 6 techniques — chunk boundary inject (512-token adversarial doc), vector namespace inject (Qdrant/Chroma/Weaviate), reranker poison, context overflow, hybrid inject, cross-tenant bleed. QUEUE-HIJACK: Redis Stream/Celery/SQS/Kafka/RabbitMQ/Azure Service Bus. CASCADE (UNLEASHED): multi-hop 3-stage propagation, loop bypass, self-amplifying webhook, safety gate bypass (8 techniques), Copilot AutoFix PR injection. SEQ-{hex12} Ed25519-signed reports. CVE-2024-27564 (LangChain SSRF CVSS 7.5). 4 WMD classes: ai_pipeline_cascade_attack/safety_gate_annihilation/rag_corpus_poisoning/ai_job_queue_hijack.
SPECTER SEQUENCE