SPECTER CONTAGION

Cross-Agent Trust Escalation & Lateral Movement Engine

T92 · v1.0.0 · NIGHTFALL Offensive Framework · Multi-Agent Mesh
299 tests · 8 subsystems · R₀ infection rate · Ed25519 signed reports · 8 target frameworks

Overview

Exploit the Trust Graph. Own the Mesh.

The Inter-Agent Trust Surface
Modern AI deployments are not single agents — they are meshes. Claude Code, Cursor, GitHub Copilot, LangGraph, CrewAI, AutoGen, and Google A2A all operate in overlapping trust relationships. CONTAGION maps these relationships as a directed attack graph and exploits each edge — one compromised node is the seed for the entire fleet. The trust surface IS the attack surface.
The Reciprocal Poisoning Loop (April 2026)
A compromised GitHub Copilot writes a poisoned payload into Claude Code's CLAUDE.md and .mcp.json. Claude Code loads the attacker config and propagates it to .github/copilot-instructions.md. Copilot reads that and propagates back. A self-sustaining cross-agent escalation loop with no further attacker interaction required — confirmed real, April 2026.
GCP P4SA — Full Project Storage Access
The Unit42 "Double Agents" research (2026) confirmed that a single compromised Vertex AI agent carrying the GCP Project Service Account (P4SA) identity has roles/storage.objectViewer on ALL Cloud Storage buckets in the project by default. One agent. Full project data. ESCALATE's P4SA path analysis enumerates every accessible resource and calculates the blast radius automatically.
Worker→Orchestrator Privilege Escalation
CONTAGION crafts messages that LangGraph supervisors, CrewAI managers, AutoGen UserProxy/Admin agents, and Google A2A orchestrators accept as authoritative from worker agents. Five escalation techniques: tool result injection, system context override, memory state injection, delegation chain spoof, and shared context poisoning. Framework-specific payloads for each target.
MITRE ATLAS, OWASP & RESEARCH COVERAGE
ATLAS AML.T0051 — LLM Prompt Injection (trust chain exploitation, config file injection)
ATLAS AML.T0054 — Prompt Injection via Third Party (cross-agent payload propagation)

OWASP Top 10 Agentic Applications 2026 — A01 — Excessive Agency
OWASP Top 10 Agentic Applications 2026 — A03 — Overprivileged Identities

Research basis:
Reciprocal poisoning loop (April 2026) — confirmed real cross-coding-agent escalation
Unit42 "Double Agents" (GCP Vertex AI P4SA) — single agent = full project Cloud Storage access
OWASP Top 10 Agentic Applications 2026 — excessive agency & overprivileged identities

Gate levels: OPEN · INJECT · UNLEASHED

Architecture

8 Subsystems

SUBSYSTEM 01
RECON
Discovers agent framework topology across a target directory tree. Detects Claude Code, Cursor, GitHub Copilot, Windsurf, LangGraph, CrewAI, AutoGen, Google A2A, Copilot Studio, and LangChain via config file signatures and live process detection. Parses .mcp.json server configs, extracts API key patterns (Anthropic, OpenAI, Google, AWS, GitHub, HuggingFace), and builds AgentNode objects with privilege level classification.
GATE: OPEN
SUBSYSTEM 02
MAP
Constructs a NetworkX DiGraph of agent trust relationships from RECON output. Automatically adds worker→orchestrator edges for all detected frameworks. Calculates in-degree centrality scores, identifies highest-value targets, and enumerates all shortest attack paths between nodes. Exports as JSON adjacency list or Graphviz DOT format for visualisation.
GATE: OPEN
SUBSYSTEM 03
POISON
Generates config poisoning payloads for all target frameworks. Supports five obfuscation methods: none, zero-width Unicode characters, BiDi override characters, HTML comments, and base64 encoding. Targets: CLAUDE.md, .mcp.json (rogue MCP server injection), .cursorrules, CrewAI agent YAML, AutoGen system messages, LangGraph state injection, Google A2A agent cards, and the reciprocal Copilot↔Claude Code loop.
GATE: INJECT
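A defender-side check for the obfuscation methods listed above, as an added example that is not part of SPECTER CONTAGION: it scans an agent instruction file for zero-width characters, BiDi override characters, non-empty HTML comments and long base64 runs that decode to readable text, and reports them with line numbers. The 40-character base64 threshold, the 90% printable-byte ratio, the file names and the sample content are assumptions.

```python
# Added defensive example (not CONTAGION code): flag the hidden-content tricks the
# page lists (zero-width, BiDi overrides, HTML comments, base64) in agent config files.
import base64
import re

ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
BIDI = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # 40 chars is an assumed threshold

def _decodes_to_text(token):
    """True if a long base64 run decodes to mostly printable ASCII, i.e. hidden text."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except ValueError:                  # binascii.Error is a ValueError subclass
        return False
    return bool(raw) and sum(32 <= b < 127 for b in raw) / len(raw) > 0.9

def scan_text(text):
    """Return sorted (line_no, finding, evidence) tuples for one instruction file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        zw = [c for c in line if c in ZERO_WIDTH]
        if zw:
            findings.append((no, "zero_width", f"{len(zw)} char(s)"))
        bd = [f"U+{ord(c):04X}" for c in line if c in BIDI]
        if bd:
            findings.append((no, "bidi_override", " ".join(bd)))
        for tok in B64_TOKEN.findall(line):
            if _decodes_to_text(tok):
                findings.append((no, "base64_text", tok[:16] + "..."))
    for m in HTML_COMMENT.finditer(text):      # comments are invisible when rendered
        body = m.group(1).strip()
        if body:
            findings.append((text.count("\n", 0, m.start()) + 1, "html_comment", body[:60]))
    return sorted(findings)

def scan_file(path):
    """Scan one file on disk (CLAUDE.md, .cursorrules, copilot-instructions.md, .mcp.json)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())

# Constructed sample CLAUDE.md content with one instance of each trick.
SAMPLE = (
    "# Project notes\n"
    "Run tests with pytest.\n"
    "Style: four\u200b-space indent\n"
    "<!-- hidden text for the agent -->\n"
    "Token: " + base64.b64encode(b"plain text hidden in base64 form, long enough").decode() + "\n"
)
```

Run `scan_text(SAMPLE)` to see the three findings; wire `scan_file` into a pre-commit or CI step so instruction files are checked before any agent loads them.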
SUBSYSTEM 04
ESCALATE
Crafts worker→orchestrator privilege escalation messages for LangGraph, CrewAI, AutoGen, Google A2A, and Microsoft Copilot Studio. Five escalation techniques: tool_result_injection, system_context_override, memory_state_injection, delegation_chain_spoof, shared_context_poison. Includes GCP P4SA path analysis — enumerates accessible Cloud Storage buckets and service account escalation steps from a single compromised Vertex AI agent.
GATE: INJECT
SUBSYSTEM 05
PROPAGATE
Simulates and executes lateral movement through the trust graph. SIMULATE traverses the DiGraph depth-first up to max_hops, modelling infection spread with configurable branch factor. Calculates R₀ (basic reproduction number) and blast radius percentage. EXECUTE writes poisoned payloads to each node's config_path. SIMULATE requires INJECT gate; EXECUTE requires UNLEASHED. Detects reciprocal loops via nx.simple_cycles.
GATE: UNLEASHED (execute) / INJECT (simulate)
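The MAP and PROPAGATE analysis above, seen from the defender's side, as an added example that is not part of SPECTER CONTAGION or its code: a constructed trust graph of the frameworks the page names, reciprocal-loop detection, bounded-hop blast radius, and the single edge whose removal shrinks that blast radius most. The mesh, the edge semantics and the R₀ proxy (mean downstream nodes per infected node) are assumptions, and the graph code is pure Python rather than NetworkX.

```python
# Added defensive example (not CONTAGION code): model the page's config-file trust
# edges as a directed graph and find what a defender must break first.
from collections import deque
# Constructed mesh.  Edge A -> B means "B loads a config that A can write",
# so a compromised A can poison B.  Shapes follow the page: the
# Copilot <-> Claude Code reciprocal loop and worker -> orchestrator edges.
TRUST_EDGES = {
    "github_copilot": ["claude_code"],                         # writes CLAUDE.md, .mcp.json
    "claude_code": ["github_copilot", "langgraph_worker"],     # writes copilot-instructions.md
    "langgraph_worker": ["langgraph_supervisor"],              # tool results taken as authoritative
    "langgraph_supervisor": ["crewai_manager"],
    "crewai_manager": [],
    "cursor": ["claude_code"],                                 # shares CLAUDE.md with Claude Code
}

def reciprocal_loops(graph):
    """Every 2-node cycle A->B, B->A: the self-sustaining loop needing no operator."""
    loops = set()
    for a, succ in graph.items():
        for b in succ:
            if a in graph.get(b, []):
                loops.add(tuple(sorted((a, b))))
    return sorted(loops)

def blast_radius(graph, seed, max_hops):
    """Breadth-first spread from seed, at most max_hops edges deep: (reached set, % of mesh)."""
    seen, frontier = {seed}, deque([(seed, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if depth == max_hops:
            continue
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, depth + 1))
    return seen, round(100.0 * len(seen) / len(graph), 1)

def mean_spread(graph, infected):
    """Assumed R0 proxy: mean distinct downstream nodes per infected node."""
    return sum(len(set(graph.get(n, []))) for n in infected) / len(infected)

def best_cut(graph, seed, max_hops):
    """Edge whose removal saves the most nodes: (nodes_saved, a, b).  Making that
    config unwritable by A (or reviewed before load) is the first mitigation."""
    base = len(blast_radius(graph, seed, max_hops)[0])
    ranked = []
    for a, succ in graph.items():
        for b in succ:
            pruned = {k: [x for x in v if (k, x) != (a, b)] for k, v in graph.items()}
            ranked.append((base - len(blast_radius(pruned, seed, max_hops)[0]), a, b))
    return max(ranked)
```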
SUBSYSTEM 06
HARVEST
Extracts credentials and system prompts via trust chain access. Scans config files with 11 credential regex patterns (Anthropic, OpenAI, Google, AWS, GitHub, HuggingFace, Azure, Slack, JWT, PEM keys, generic passwords). Harvests environment variable secrets. Finds agent memory stores (ChromaDB, Qdrant, Redis, Weaviate, JSON/YAML memory files). Identifies exfiltration channels and cross-tenant access paths through orchestrator nodes.
GATE: INJECT
SUBSYSTEM 07
PERSIST
Installs persistence implants in agent configs and memory stores. Writes CLAUDE.md with backup preservation. Injects git hooks (pre-commit, post-commit, pre-push) with payload, sets chmod +x. Registers rogue MCP servers in .mcp.json. Writes poisoned entries into agent memory stores. Injects CI/CD workflows under .github/workflows/. Checks implant survival (file existence + content integrity). Builds implant manifest for reporting.
GATE: UNLEASHED
SUBSYSTEM 08
REPORT
Assembles Ed25519-signed CTG-{hex12} scan reports. Captures trust graph topology, infection chain details, harvested credentials (redacted preview), implant manifest, escalation results, reciprocal loop detection, and risk summary (CRITICAL/HIGH/MEDIUM). Private key loaded from ~/.specter/contagion_ed25519.pem. Reports are verifiable with the corresponding public key. Full audit trail for engagement documentation.
GATE: OPEN

CLI Reference

Command Reference

$ specter-contagion recon scan ./target-project # discover agent frameworks
$ specter-contagion recon frameworks ./target-project # list detected frameworks
 
$ specter-contagion map graph ./target-project # build trust graph
$ specter-contagion map graph ./target-project --dot # Graphviz DOT output
$ specter-contagion map paths ./target-project # show escalation paths
 
$ specter-contagion poison claude-md "PAYLOAD" --obfuscation html_comment
$ specter-contagion poison mcp-json rogue-server "python3 /tmp/payload.py"
$ specter-contagion poison reciprocal-loop "PAYLOAD" --output-dir .
$ specter-contagion poison a2a-card agent-name http://target "PAYLOAD"
 
$ specter-contagion escalate worker-to-orch langgraph "PAYLOAD"
$ specter-contagion escalate worker-to-orch crewai "PAYLOAD" --technique manager_spoof
$ specter-contagion escalate p4sa --identity vertex-ai-agent # GCP P4SA path
$ specter-contagion escalate enumerate ./target-project # all escalation paths
 
$ specter-contagion propagate simulate ./target --max-hops 5 --branch-factor 2
$ specter-contagion propagate blast-radius ./target --start "claude_code:CLAUDE.md"
 
$ specter-contagion harvest run ./target-project # extract credentials & prompts
$ specter-contagion harvest run ./target-project --json # JSON output
 
$ specter-contagion persist git-hook ./repo "PAYLOAD" --hook-name pre-commit
$ specter-contagion persist mcp-server ./mcp.json server-name "command"
$ specter-contagion persist check ./target # verify implant survival
 
$ specter-contagion report build ./target --output CTG-report.json
$ specter-contagion report verify CTG-aabbcc112233.json # verify Ed25519 signature
✓ Signature VALID CTG-aabbcc112233

Authorization

UNLEASHED Gate System

Gate level: OPEN
Operations: RECON framework discovery, MAP trust graph construction, PROPAGATE simulation (dry-run), REPORT building
Authorization: No key required. Passive reconnaissance and read-only mapping operations only.

Gate level: INJECT
Operations: POISON payload generation (all formats), ESCALATE message crafting, HARVEST credential extraction, PROPAGATE simulate (active)
Authorization: SPECTER_GATE=INJECT env var. Active payload generation against authorised targets only.

Gate level: UNLEASHED
Operations: PROPAGATE execute (writes payloads to config files), PERSIST implant installation (git hooks, MCP servers, CI workflows)
Authorization: SPECTER_GATE=UNLEASHED. Ed25519 private key required. Operator authorisation. Engagement contract required.