SPECTER FORGERY

AI agent identity forgery & trust chain attack engine. Forge. Replay. Poison. Transmute. Nine subsystems.
9 Subsystems / 7 Identity Types / 8 Transmutation Paths / 407 Tests Passing
pip install red-specter-specter-forgery
Forge OIDC JWT tokens with real RS256 signing / JWKS root-of-trust poisoning via kid path traversal / RS256→HS256 algorithm confusion CVSS 9.3 / SPIFFE SVID forgery with X.509 SAN / A2A agent card skill injection / Cross-vendor identity transmutation across 8 paths / Confused deputy chain via OBO token reuse / Dead-man sentinel detects post-publication identity drift

AI Agent Identity Is the New Perimeter

AI agents authenticate via OIDC tokens, SPIFFE SVIDs, A2A agent cards, and KYA attestations. These identity mechanisms were designed for human-accessible systems — not for autonomous agents making thousands of API calls per minute. SPECTER FORGERY operationalises every known identity attack against AI agent trust chains: forging credentials, poisoning JWKS roots of trust, exploiting algorithm confusion, and transmuting identities across vendor boundaries.

Algorithm Confusion Attacks

RS256→HS256 confusion exploits JWT libraries that let the token header choose the verification algorithm: a verifier handed the RSA public key PEM will, for a token marked HS256, use those same PEM bytes as a symmetric HMAC secret. An attacker who obtains the public key can therefore sign arbitrary tokens the server will accept. CVE-2025-68664 (CVSS 9.3) is representative of a class of vulnerabilities affecting dozens of production libraries.

JWKS Root-of-Trust Poisoning

JWKS endpoints determine which keys are trusted for token verification. Kid path traversal (../../etc/passwd), key injection, empty-key-set bypass, and algorithm confusion via the alg field can cause a verifier to accept forged tokens. Every AI platform using OIDC or JWT-based agent authentication is in scope.

SPIFFE SVID Forgery

SPIFFE Verifiable Identity Documents are X.509 certificates with a spiffe:// URI in the Subject Alternative Name extension. Forged SVIDs — with attacker-controlled workload identities and trust domains — allow lateral movement between microservices and AI agent clusters that rely on SPIFFE/SPIRE for mutual TLS authentication.

Confused Deputy via OBO Flows

On-Behalf-Of (OBO) token flows allow service A to act on behalf of a user calling service B. When AI agents chain OBO tokens across service boundaries, a confused deputy attack allows privilege escalation: low-privilege agent A obtains a token scoped for high-privilege service C without ever having been granted that scope directly.
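
A defender-side gate for one hop of such a chain, added here as an example and not part of SPECTER FORGERY or any vendor's OBO implementation. It assumes scopes are namespaced per downstream service and that the user's original token already lists everything the user consented to, so each exchange can only narrow authority; the service names, claims and the flat act list are constructed.

```python
MAX_HOPS = 3  # constructed policy: longer delegation chains are refused outright


def check_obo_exchange(presented, requested, this_service):
    """Gate one On-Behalf-Of exchange performed at `this_service`; return the
    claims the new token may carry, or raise PermissionError.

    Rules: the presented token must be addressed to this service; the scopes
    requested for the next hop must already be present in the presented token,
    so no hop can mint authority it was never delegated; the subject must be
    preserved; and the delegation chain must grow by exactly this service so
    every hop stays attributable and bounded.
    """
    if presented.get("aud") != this_service:
        raise PermissionError("presented token was not issued for this service")
    if not requested.get("aud"):
        raise PermissionError("requested token must name its audience")
    have = set(presented.get("scope", "").split())
    want = set(requested.get("scope", "").split())
    if want - have:
        raise PermissionError(f"scope escalation attempted: {sorted(want - have)}")
    if requested.get("sub") != presented.get("sub"):
        raise PermissionError("subject must be preserved across OBO hops")
    # Simplified flat delegation chain; RFC 8693 nests "act" claims instead.
    chain = list(presented.get("act", [])) + [this_service]
    if len(chain) > MAX_HOPS:
        raise PermissionError("delegation chain exceeds the permitted depth")
    return {"sub": presented["sub"], "aud": requested["aud"],
            "scope": " ".join(sorted(want)), "act": chain}


def run_obo_chain(user_token, hops):
    """Walk a chain of (service, requested_claims) pairs and return the final
    token, or raise at the first hop that tries to widen its authority."""
    token = user_token
    for service, requested in hops:
        token = check_obo_exchange(token, requested, service)
    return token


# Constructed scenario: the user consented to read access on svc-b and svc-c
# via agent svc-a; a request for svc-c write access anywhere in the chain is
# the confused deputy case described above and must fail.
USER_TOKEN = {"sub": "alice", "aud": "svc-a", "scope": "svc-b:read svc-c:read"}
```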

Cross-Vendor Identity Transmutation

AI deployments routinely bridge identity systems: Azure Entra credentials passed to OpenAI, GCP service accounts crossing to Azure, Okta tokens consumed by Dify platforms. Each boundary is a transmutation opportunity. CVE-2026-44843 describes SVID cross-boundary attacks where workload identity from one trust domain is accepted as valid in another.
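
The verifier-side counterpart to the SVID forgery and cross-boundary acceptance described in the two sections above, added here as an example rather than code from the project: it parses the spiffe:// URI carried in an SVID's SAN and refuses anything outside the local trust domain or off the caller allowlist. The trust domain, allowlist entries and SAN values are constructed, and pulling the SAN out of the certificate is assumed to have happened beforehand.

```python
import re
from urllib.parse import urlsplit

# Constructed values: the trust domain this cluster issues, and the workloads
# allowed to call the service being protected. Federated trust domains are
# deliberately out of scope here; anything non-local is refused.
LOCAL_TRUST_DOMAIN = "prod.example.internal"
ALLOWED_CALLERS = {"spiffe://prod.example.internal/ns/agents/sa/planner"}

TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]{1,255}$")
PATH_SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")

def parse_spiffe_id(uri):
    """Return (trust_domain, path) for a well-formed SPIFFE ID, else raise ValueError.

    Checks the SPIFFE ID grammar: spiffe scheme, lowercase trust domain with no
    userinfo or port, no query or fragment, and path segments that are present,
    not "." or "..", and limited to the permitted characters.
    """
    parts = urlsplit(uri)
    if parts.scheme != "spiffe" or parts.query or parts.fragment:
        raise ValueError("not a bare spiffe:// URI")
    if "@" in parts.netloc or ":" in parts.netloc or not TRUST_DOMAIN_RE.match(parts.netloc):
        raise ValueError("invalid trust domain")
    if parts.path:
        segments = parts.path.split("/")
        if segments[0] != "" or any(
            s in ("", ".", "..") or not PATH_SEGMENT_RE.match(s) for s in segments[1:]
        ):
            raise ValueError("invalid path segment")
    return parts.netloc, parts.path

def authorize_svid(san_uris):
    """Admit a peer SVID only if its single URI SAN is a valid SPIFFE ID in the
    local trust domain and on the caller allowlist; returns the SPIFFE ID.

    `san_uris` is the list of URI SANs already pulled from the peer's X.509
    certificate; that extraction step (e.g. with the cryptography package) is
    assumed to have happened after the TLS signature chain was validated.
    """
    if len(san_uris) != 1:
        raise PermissionError("SVID must carry exactly one URI SAN")
    uri = san_uris[0]
    trust_domain, _ = parse_spiffe_id(uri)
    if trust_domain != LOCAL_TRUST_DOMAIN:
        raise PermissionError(f"foreign trust domain {trust_domain!r} is not accepted here")
    if uri not in ALLOWED_CALLERS:
        raise PermissionError("workload identity not on caller allowlist")
    return uri
```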

Post-Publication Identity Drift

A2A agent cards and KYA attestations are published once and assumed static. In practice, vendor updates silently change signing algorithms, key rotation schedules, and capability lists. SPECTER FORGERY's DRIFT subsystem detects these mutations — and the dead-man sentinel fires if the monitoring heartbeat is interrupted, indicating an active drift event.
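
An added example, not the project's DRIFT subsystem, of the two ideas in this section: a diff of a published agent card against its recorded baseline that reports changed signing parameters and injected skills, and a dead-man sentinel that trips when the monitoring heartbeat stops. The card fields, baseline values and timeout are constructed.

```python
import time

# Constructed baseline of a published A2A agent card as recorded at publication
# time. Field names follow the description above, not a formal A2A schema.
BASELINE_CARD = {
    "name": "planner-agent",
    "url": "https://agents.example.internal/planner",
    "signing": {"alg": "RS256", "kid": "card-key-2026-01"},
    "skills": ["search_docs", "summarize"],
}

# Attributes that feed trust decisions; changes elsewhere are informational.
WATCHED = ("url", "signing.alg", "signing.kid", "skills")

def _lookup(card, dotted):
    for part in dotted.split("."):
        card = card.get(part) if isinstance(card, dict) else None
    return card

def detect_drift(baseline, current):
    """Return [(field, before, after), ...] for watched attributes that changed.
    List-valued attributes report additions and removals separately, so a
    silently injected skill is flagged even when every original skill remains.
    """
    findings = []
    for field in WATCHED:
        before, after = _lookup(baseline, field), _lookup(current, field)
        if isinstance(before, list) and isinstance(after, list):
            added, removed = sorted(set(after) - set(before)), sorted(set(before) - set(after))
            if added:
                findings.append((field + "+", None, added))
            if removed:
                findings.append((field + "-", removed, None))
        elif before != after:
            findings.append((field, before, after))
    return findings

class DeadManSentinel:
    """A missed monitoring heartbeat is itself a finding: if the poller that
    calls beat() goes quiet for longer than timeout_s, tripped() turns true."""
    def __init__(self, timeout_s, clock=time.monotonic):
        self.timeout_s, self.clock = timeout_s, clock
        self.last_beat = clock()

    def beat(self):
        self.last_beat = self.clock()

    def tripped(self):
        return self.clock() - self.last_beat > self.timeout_s
```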

The SPECTER FORGERY Engine

Nine subsystems cover the complete identity attack lifecycle — from surface enumeration through credential forgery, token replay, JWKS poisoning, confused deputy escalation, post-publication drift detection, and cross-vendor identity transmutation. DESTROY-tier gates enforce authorisation requirements for the most impactful operations.

#   Subsystem  Command                    Gate     Description
01  SURVEY     specter-forgery survey     OPEN     Enumerate AI identity surfaces: OIDC discovery endpoints, A2A agent cards (/.well-known/agent.json), SPIFFE SVID trust bundles, KYA attestation endpoints, JWKS endpoints. Classifies discovered identities into 7 types across 10 vendors. Prerequisite for all downstream subsystems.
02  MINT       specter-forgery mint       INJECT   Credential forgery factory: OIDC JWT with real RS256/ES256/HS256 PyJWT signing, SPIFFE X.509 SVID with UniformResourceIdentifier SAN, KYA attestation JSON, A2A agent card, Entra service principal token. Generates cryptographically valid forged credentials against target identity types.
03  REPLAY     specter-forgery replay     INJECT   Captured credential replay with six manipulation techniques: expiry bypass (inject future exp), signature strip (alg:none), scope creep (inject elevated scopes), OBO chain construction (On-Behalf-Of privilege escalation), cross-tenant tid injection, and audience confusion. Operates against captured tokens from SURVEY output.
04  CARD       specter-forgery card       INJECT   A2A agent card manipulation: card substitution (replace with attacker-controlled card), skill injection (add malicious capabilities), capability escalation (elevate existing permissions), URL redirection (redirect agent card endpoint to attacker server), registry injection. Targets Google A2A /.well-known/agent.json and agent registries.
05  DEPUTY     specter-forgery deputy     INJECT   Confused deputy attack chain: RS256→HS256 algorithm confusion (CVE-2025-68664, CVSS 9.3 — manual HMAC implementation using RSA public key PEM as secret), OBO flow scope escalation, multi-hop privilege amplification, cross-service token reuse. Maps the complete confused deputy privilege chain across agent service boundaries.
06  JWKS       specter-forgery jwks       INJECT   JWKS root-of-trust poisoning: key injection (insert attacker RSA/EC key into JWKS response), kid confusion (path traversal ../../etc/passwd in kid parameter), alg confusion with injected key, empty keys bypass (zero-key JWKS causes permissive verification in vulnerable libraries), rotation poison (time key rotation to inject during transition window).
07  DRIFT      specter-forgery drift      OPEN     Post-publication identity drift detection: compare current identity attributes against published baseline for A2A agent cards and KYA attestations. Detects attribute mutations (signing algorithm change, key rotation, capability modification, endpoint URL changes). Dead-man sentinel heartbeat thread — fires if monitoring is interrupted, indicating active drift suppression.
08  TRANSMUTE  specter-forgery transmute  DESTROY  Cross-vendor identity transmutation across 8 paths: Entra→OpenAI, Entra→Anthropic, Salesforce→Workday, GCP→Azure, AWS→GCP, OpenAI→Google A2A, KYA→Lyrie ATP, Okta→Dify. Operationalises CVE-2026-44843 (SVID cross-boundary trust domain confusion). Each path maps the claim translation, signing conversion, and trust assertion required to make the transmuted identity accepted by the target system.
09  REPORT     specter-forgery report     OPEN     Ed25519-signed ForgeReport with FORGE-{hex12} report ID, SHA-256 hash-chained EvidenceChain across all subsystems. Includes per-identity-type vulnerability summary, MITRE ATT&CK T1134/T1552/T1078/T1550/T1606/T1111 mapping, MITRE ATLAS AML.T0012/T0051/T0056/T0043/T0048 mapping, SIEM NDJSON export, WARLORD-compatible JSON output.

CVE-2025-68664 — RS256→HS256 Confusion

JWT algorithm confusion attacks exploit the relationship between RS256 (asymmetric RSA) and HS256 (symmetric HMAC). When a server verifies tokens using jwt.decode(token, public_key) without pinning the expected algorithm, an attacker can sign an HS256 token using the RSA public key as the HMAC secret, and the verifier accepts it because it derives the HMAC key from those same key bytes.

$ specter-forgery deputy https://target.ai/api --technique alg_confusion --override
[SURVEY] Fetching JWKS from https://target.ai/.well-known/jwks.json
[SURVEY] RSA public key extracted: 2048-bit, kid=prod-signing-key-2026
[DEPUTY] Technique: RS256→HS256 algorithm confusion (CVE-2025-68664 CVSS 9.3)
[DEPUTY] Building forged token with alg=HS256, kid=specter-deputy-confusion
[DEPUTY] HMAC secret: RSA public key PEM (4096 bytes)
[DEPUTY] Claims: sub=admin, oid=00000000-0000-0000-0000-000000000001, roles=["GlobalAdmin"]
[FINDING] Forged HS256 token accepted by https://target.ai/api/admin
[FINDING] Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InNwZWN0ZXItZGVwdXR5LWNvbmZ1c2lvbiJ9...
[SEVERITY] CRITICAL — authentication bypass via algorithm confusion
[EVIDENCE] hash_link: sha256:a3f7c91b2e4d8f0a1b5c6e9f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b

Key Injection

Inject attacker-controlled RSA/EC key into JWKS endpoint. Forged tokens signed with attacker private key are accepted by verifiers that fetch JWKS dynamically.

Kid Path Traversal

Path traversal in the kid header parameter causes servers to load key material from arbitrary filesystem paths: ../../etc/passwd as HMAC secret.

Empty Keys Bypass

Some JWKS libraries return "valid" for any token when the JWKS endpoint returns zero keys, treating an empty key set as "all keys accepted". Production systems have shipped with this flaw.

Rotation Poison

Time key injection to coincide with legitimate JWKS rotation windows. During the transition period, both old and new keys may be accepted — creating an injection window.
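
A verifier-side key-selection gate, added as an example (not the project's code and not PyJWT's API), that closes the alg-confusion, alg=none, kid path traversal and empty-key-set cases from the sections above before any signature is checked. The JWKS contents, the kid format policy and the header_only_token helper are constructed; signature verification itself is left to the JWT library once exactly one key and algorithm have been selected.

```python
import base64
import json
import re

# Constructed JWKS of the shape a verifier fetches from /.well-known/jwks.json;
# the "n" value is a placeholder, not real key material.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "prod-signing-key-2026", "alg": "RS256",
                         "use": "sig", "n": "placeholder-modulus", "e": "AQAB"}]}

# The published key type decides which algorithms are acceptable. HS* is never
# acceptable for a key that came from a JWKS, which closes RS256->HS256 confusion.
ALLOWED_ALG_BY_KTY = {"RSA": {"RS256", "PS256"}, "EC": {"ES256"}}
# Constructed policy: kid is an opaque identifier with no slashes or dots, so nothing to traverse.
SAFE_KID = re.compile(r"^[A-Za-z0-9_-]{1,128}$")

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def select_verification_key(token, jwks):
    """Pick the JWK to verify `token` with, or raise ValueError.

    Runs before any signature check: rejects alg=none, RS256->HS256
    confusion, kid path traversal and empty key sets, then hands the one
    selected key and its algorithm to the JWT library for verification.
    """
    keys = jwks.get("keys") or []
    if not keys:
        raise ValueError("empty JWKS: refuse to verify rather than accept everything")
    header = json.loads(b64url_decode(token.split(".")[0]))  # ValueError if garbled
    if not isinstance(header, dict):
        raise ValueError("malformed JWT header")
    kid, alg = header.get("kid"), header.get("alg")
    if not isinstance(kid, str) or not SAFE_KID.match(kid):
        raise ValueError("kid missing or not a safe opaque identifier")
    matches = [k for k in keys if k.get("kid") == kid]
    if len(matches) != 1:
        raise ValueError("kid does not resolve to exactly one published key")
    key = matches[0]
    if alg not in ALLOWED_ALG_BY_KTY.get(key.get("kty"), set()):
        raise ValueError(f"alg {alg!r} not permitted for a {key.get('kty')} key")
    if key.get("alg") and key["alg"] != alg:
        raise ValueError("header alg disagrees with the alg published in the JWKS")
    return key

def header_only_token(header):
    """Constructed helper for exercising the gate: dummy payload and signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc(header) + "." + enc({"sub": "agent"}) + ".sig"
```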


Eight Transmutation Paths

Modern AI deployments bridge multiple identity systems. SPECTER FORGERY maps and operationalises eight cross-vendor identity transmutation paths — converting credentials from one trust domain to another while maintaining cryptographic validity at the destination.

Cloud AI Paths

  • Entra → OpenAI (Azure AD → OpenAI API auth)
  • Entra → Anthropic (Azure AD → Claude API)
  • GCP → Azure (Google service account → Entra)
  • AWS → GCP (Cognito/IAM → Google Cloud)

Agent Protocol Paths

  • OpenAI → Google A2A (GPT identity → A2A agent card)
  • Okta → Dify (OIDC → LLM platform auth)
  • Salesforce → Workday (CRM identity → HRIS)
  • KYA → Lyrie ATP (KYA attestation → ATP protocol)

Identity Types Covered

  • OIDC_TOKEN — Standard OpenID Connect JWT
  • SPIFFE_SVID — X.509 workload identity
  • KYA_ATTESTATION — Know Your Agent attestation
  • AGENT_CARD — Google A2A discovery card
  • SERVICE_PRINCIPAL — Azure/GCP service account
  • OAUTH_TOKEN — OAuth 2.0 access token
  • JWT_GENERIC — Generic JWT (non-OIDC)

CVE Mapping

  • CVE-2025-68664 — Algorithm confusion CVSS 9.3
  • CVE-2026-44843 — SVID cross-boundary trust
  • MITRE ATT&CK T1134 — Token impersonation
  • MITRE ATT&CK T1552 — Credential access
  • MITRE ATT&CK T1606 — Forge web credentials
  • MITRE ATLAS AML.T0012 — Valid accounts

Three-Tier UNLEASHED Gate

Every SPECTER FORGERY subsystem requires explicit authorisation through the UNLEASHED Ed25519 gate. The DESTROY tier — required for cross-vendor identity transmutation — requires both the override flag and confirm-destroy flag, ensuring no accidental cross-boundary identity attacks outside an authorised engagement.

OPEN Gate

  • SURVEY — identity surface enumeration
  • DRIFT — post-publication drift detection
  • REPORT — evidence chain generation
  • No additional flags required

INJECT Gate

  • MINT — credential forgery
  • REPLAY — token manipulation
  • CARD — agent card injection
  • DEPUTY — algorithm confusion
  • JWKS — JWKS poisoning
  • Requires: --override

DESTROY Gate

  • TRANSMUTE — cross-vendor transmutation
  • Full pipeline via full command
  • Requires: --override --confirm-destroy
  • Scope file enforces target boundaries
  • Ed25519-signed audit trail mandatory

Standards & CVE Mapping

SPECTER FORGERY maps all findings to MITRE ATT&CK, MITRE ATLAS, and OWASP LLM Top 10 frameworks. Every signed report includes automatic compliance annotation.

MITRE ATT&CK

Identity & Credential Techniques

  • T1134 — Access Token Manipulation
  • T1552 — Unsecured Credentials
  • T1078 — Valid Accounts
  • T1550 — Use Alternate Authentication Material
  • T1606 — Forge Web Credentials
  • T1111 — Multi-Factor Authentication Interception

MITRE ATLAS

AI-Specific Attack Techniques

  • AML.T0012 — Valid ML Service Accounts
  • AML.T0051 — LLM Prompt Injection
  • AML.T0056 — LLM Meta Prompt Extraction
  • AML.T0043 — Craft Adversarial Data
  • AML.T0048 — Backdoor ML Model

OWASP & CVEs

LLM Top 10 & Disclosed Vulnerabilities

  • OWASP LLM01 — Prompt Injection
  • OWASP LLM02 — Insecure Output Handling
  • OWASP LLM06 — Sensitive Information Disclosure
  • CVE-2025-68664 — Algorithm confusion (CVSS 9.3)
  • CVE-2026-44843 — SVID cross-boundary trust
  • OWASP NHI Top 10 — Non-Human Identity risks

Authorised Use Only

SPECTER FORGERY is a controlled adversarial testing framework. Use is restricted to authorised security testing, red team engagements, and security research with written permission from system owners. Identity forgery operations require explicit INJECT or DESTROY clearance. Cross-vendor identity transmutation requires written engagement authorisation stored in the scope file. Unauthorised use against systems you do not own or have explicit permission to test is illegal under the Computer Misuse Act 1990, CFAA, and equivalent legislation worldwide. Every destructive operation is logged, hash-chained, and Ed25519-signed for auditor review.