T149  ·  L47  ·  Multi-Agent Swarm Coordination Exploitation

SPECTER HIVE

Adversarial takeover of multi-agent swarms via coordination layer exploitation. LangGraph, AutoGen, CrewAI, OpenAI Swarm, MetaGPT — coordinator poison, leader hijack, blackboard cascade, mission rewrite, quorum collapse, ghost agent infiltration.

273 Tests · 7 Subsystems · 5 WMD Classes · L47 Attack Layer

Overview

SPECTER HIVE is the L47 attack engine for multi-agent swarm coordination exploitation. Modern agentic AI deployments use shared coordination layers — LangGraph SQLite checkpoints, Redis shared state, AutoGen GroupChatManager message history, CrewAI hierarchical task managers — to orchestrate complex swarm workflows. These coordination surfaces have no cryptographic integrity, enabling adversarial injection, leader manipulation, and persistent ghost agent implantation with no LLM call generated and zero trace in LangSmith, Langfuse, or Arize Phoenix.

SPECTER HIVE maps the full attack surface from passive enumeration through full swarm consensus takeover, in a 7-phase WARLORD campaign that gates each phase on the previous one.
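
The overview notes that these coordination surfaces carry no cryptographic integrity. As an added example (not SPECTER HIVE or framework code), this Python code shows the missing check from the reading agent's side: each shared-state entry carries an HMAC-SHA256 tag binding writer, channel and sequence number, so a `source=coordinator_verified` field inside the payload counts for nothing on its own. The entry layout, key table and sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: per-writer secrets live in a secret store, never in the shared state.
WRITER_KEYS = {"coordinator": b"constructed-demo-key"}  # constructed sample key


def _canonical(entry: dict) -> bytes:
    """Stable encoding of every field except the MAC itself."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(writer: str, channel: str, seq: int, payload: dict, key: bytes) -> dict:
    """Build an entry whose MAC binds writer, channel, sequence and payload."""
    entry = {"writer": writer, "channel": channel, "seq": seq, "payload": payload}
    entry["mac"] = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
    return entry


def verify(entry: dict, channel: str, last_seq: int, keys=WRITER_KEYS):
    """Return (accepted, reason); fields inside the payload are never trusted."""
    writer, mac = entry.get("writer"), entry.get("mac")
    key = keys.get(writer) if isinstance(writer, str) else None
    if key is None:
        return False, "unknown writer"
    if not isinstance(mac, str):
        return False, "missing mac"
    expected = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(errors="replace"), expected.encode()):
        return False, "bad mac"
    if entry.get("channel") != channel:
        return False, "wrong channel"   # valid entry moved between channels
    seq = entry.get("seq")
    if not isinstance(seq, int) or seq <= last_seq:
        return False, "stale sequence"  # replay of an older valid entry
    return True, "ok"


def demo():
    """Constructed entries: one sealed write, one that only claims to be verified."""
    good = seal("coordinator", "blackboard", 7, {"fact": "build 412 passed"},
                WRITER_KEYS["coordinator"])
    claimed = {"writer": "coordinator", "channel": "blackboard", "seq": 8,
               "payload": {"fact": "unreviewed claim", "source": "coordinator_verified",
                           "confidence": 0.99}, "mac": "0" * 64}
    return verify(good, "blackboard", 6), verify(claimed, "blackboard", 7)
```

A shared HMAC key lets any key holder forge entries; per-writer asymmetric signatures such as Ed25519 remove that weakness at the cost of a non-stdlib dependency.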

Subsystems

ENUMERATE-SWARM OPEN

LangGraph SQLite checkpoint survey (*.db, checkpoint_blobs table) · Redis swarm:agent_registry keyspace · n8n/Flowise/AutoGen Studio REST API survey · package detect (importlib, surface scores 0–1) · MetaGPT SharedMemory/message_pool. Returns HiveMap with agent count, framework ID, attack surface score.

POISON-COORDINATOR INJECT

Write supervisor_routing_override into LangGraph checkpoint_blobs (performance_scores: CONTROLLED_AGENT=0.99) · AutoGen GroupChatManager speaker bias via system message injection · CrewAI hierarchical manager task output performance poison · Redis hive:coordinator:routing_override (no TTL) · n8n/Flowise REST API coordinator config inject. Requires HIVE_INJECT_KEY env var.

LEADER-HIJACK INJECT

5 failure signal templates: task_timeout (3 consecutive) · quality_score 0.08/1.0 · reliability_index 0.04 · 4/5 consecutive incorrect decisions · health_check FAILED. Applied via LangGraph agent_performance channel, AutoGen sequential message injection, or Redis hive:coordinator:current_leader key SET. Forces re-election with controlled agent as winner.

BLACKBOARD-POISON INJECT

Inject adversarial facts into swarm shared state with source=coordinator_verified, confidence=0.99, individual_memory_clean=True. Targets: LangGraph shared_context_{n} channels · Redis hive:blackboard:{n} keys (TTL=86400) · AutoGen GroupChat message history (role=assistant/research_coordinator) · file-state JSON (state.json/blackboard.json). Facts cascade to all agents on next cycle.

MISSION-REWRITE INJECT

Substitute swarm mission directive with attacker-controlled objective. LangGraph mission channel checkpoint write (drift_undetected=True) · Redis swarm:mission + hive:mission_override SET · file-state JSON recursive key substitution (mission/objective/goal/directive/crew_goal/team_mission). No native drift detection exists in any current framework.

QUORUM-COLLAPSE UNLEASHED

Inject 5 distrust signal templates per legitimate agent: "consensus vote invalid", "response integrity FAILED", "coordination reliability 0.02", "3 consecutive incorrect decisions", "trust score REVOKED". This sidelines all legitimate agents below the quorum threshold, so CONTROLLED_AGENT becomes the sole consensus owner. Requires Ed25519 key + ROE "multi-agent swarm coordination exploitation authorised" + --confirm-swarm-control.

GHOST-AGENT UNLEASHED

Persistent ghost agent via 3 mechanisms: (1) LangGraph SQLite — INSERT into checkpoint_blobs (visible_to_monitoring=False, auto_load=True) · (2) Redis — SET swarm:agent:{ghost_id} (no TTL, permanent) + update swarm:agent_registry · (3) skill/plugin registry JSON — auto_load=True, visible_to_monitoring=False. No LLM call generated — invisible to LangSmith, Langfuse, Arize Phoenix. Survives framework restart.

WARLORD Campaign — 7-Phase Chain

SPECTER HIVE supports a fully automated 7-phase WARLORD campaign. Each phase gates on previous success. Phase 7 installs ghost agent via all 3 persistence mechanisms simultaneously.

| Phase | Subsystem | Gate | Outcome |
|---|---|---|---|
| 1 | ENUMERATE-SWARM | OPEN | HiveMap: agent count, framework ID, attack surface score 0–1 |
| 2 | POISON-COORDINATOR | INJECT | CoordinatorResult: routing override injected |
| 3 | LEADER-HIJACK | INJECT | LeaderResult: election_triggered=True, legitimate_leader_demoted=True |
| 4 | BLACKBOARD-POISON | INJECT | BlackboardResult: facts_injected=5, cascade confirmed |
| 5 | MISSION-REWRITE | INJECT | MissionResult: original_mission + rewritten_mission |
| 6 | QUORUM-COLLAPSE | UNLEASHED | QuorumResult: quorum_fractured=True, consensus_owner=CONTROLLED_AGENT |
| 7 | GHOST-AGENT | UNLEASHED | GhostResult: persistence_confirmed=True, monitoring_evasion=True |

Target Frameworks

LangGraph
SQLite checkpoint_blobs · supervisor_routing_override · agent_performance channel · mission channel · quorum_state channel
AutoGen
GroupChatManager speaker selection · sequential performance monitor messages · system message routing_update injection
CrewAI
Hierarchical manager task output · performance_score bias · YAML-deserialised task delegation
Redis Swarm
swarm:agent_registry · hive:coordinator:* keys · swarm:mission · quorum keyspace · no-TTL ghost registration
n8n / Flowise
REST API coordinator config inject · POST /rest/workflows/{id} · POST /api/v1/chatflows/{id}
AutoGen Studio
POST /api/sessions/{id}/config · REST-accessible coordinator configuration
MetaGPT
SharedMemory enumeration · message pool survey · blackboard key mapping
OpenAI Swarm
File-state JSON mission substitution · skill registry ghost injection · package detection

WMD Classes

swarm_consensus_full_takeover · coordinator_context_adversarial_control · blackboard_cascade_poisoning · mission_directive_hijack · ghost_agent_persistent_infiltration

Report Format

All SPECTER HIVE reports are signed with HIV-{hex12} report IDs. UNLEASHED executions require a live Ed25519 signing key (HIVE_SIGNING_KEY env var) and a Rules of Engagement file containing "multi-agent swarm coordination exploitation authorised". Reports include: framework detection, HiveMap, phase results, ghost persistence evidence, monitoring evasion confirmation.

Defensive Pair

M165 HIVE COORDINATION SENTINEL (Port 8165) — 8 detectors: COORDINATOR_CONTEXT_POISON · LEADER_ELECTION_ANOMALY · BLACKBOARD_INTEGRITY_VIOLATION · MISSION_DIRECTIVE_CHANGE · QUORUM_FRACTURE · GHOST_AGENT_DETECTION · MONITORING_EVASION · SWARM_TAKEOVER. 160 tests. Ed25519-signed M165-{hex12} reports. Detects every SPECTER HIVE technique at the coordination layer.
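
A reconciliation check in the spirit of the ghost-agent and leader-election detectors listed above, as an added example (not M165 or SPECTER HIVE code): it compares a live registry snapshot against the deployment manifest and against the set of agents that actually appear in tracing, since a registered agent that never produces a traced call is the signature the page describes. The snapshot layout, the policy that every registration must carry a TTL, and all agent names are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    agent_id: str
    reason: str


def audit_registry(approved, registry, traced, leader=None, require_ttl=True):
    """Reconcile the live registry against the manifest and tracing telemetry.

    approved : agent ids from the deployment manifest (source of truth)
    registry : {agent_id: record}; record["ttl"] is the value Redis TTL returned
    traced   : agent ids that produced at least one traced LLM call in the window
    """
    findings = []
    for agent_id, rec in sorted(registry.items()):
        if agent_id not in approved:
            findings.append(Finding(agent_id, "not in approved manifest"))
        if rec.get("visible_to_monitoring") is False:
            findings.append(Finding(agent_id, "flagged hidden from monitoring"))
        if require_ttl and rec.get("ttl") == -1:  # Redis TTL: -1 means no expiry
            findings.append(Finding(agent_id, "registration never expires"))
        if agent_id not in traced:
            findings.append(Finding(agent_id, "registered but never traced"))
    for agent_id in sorted(set(approved) - set(registry)):
        findings.append(Finding(agent_id, "approved agent missing from registry"))
    if leader is not None and leader not in approved:
        findings.append(Finding(leader, "current leader not in approved manifest"))
    return findings


# Constructed snapshot; the record layout is an assumption, not a framework schema.
APPROVED = {"planner", "researcher", "reviewer"}
REGISTRY = {
    "planner": {"ttl": 41, "visible_to_monitoring": True},
    "researcher": {"ttl": 38, "visible_to_monitoring": True},
    "reviewer": {"ttl": 44, "visible_to_monitoring": True},
    "helper-7f3a": {"ttl": -1, "visible_to_monitoring": False, "auto_load": True},
}
TRACED = {"planner", "researcher", "reviewer"}


def demo():
    """Audit the constructed snapshot with the unapproved entry as leader."""
    return audit_registry(APPROVED, REGISTRY, TRACED, leader="helper-7f3a")
```

The manifest has to live outside the coordination layer being audited (for example in version-controlled deployment config), otherwise it is writable through the same surface as the registry.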

Install

pip install git+https://github.com/RichardBarron27/red-specter-specter-hive.git
specter-hive --help

Quick Start

# Enumerate swarm (OPEN gate — no key required)
specter-hive enumerate --target langgraph --db ./checkpoints.db

# Poison coordinator (INJECT gate)
export HIVE_INJECT_KEY="$(cat ~/.config/red-specter/hive-inject.key)"
specter-hive poison-coordinator --target langgraph --db ./checkpoints.db \
  --controlled-agent my_agent

# Full WARLORD 7-phase campaign
specter-hive campaign warlord \
  --target langgraph --db ./checkpoints.db \
  --controlled-agent my_agent \
  --roe-file ./roe.txt \
  --signing-key ~/.config/red-specter/hive-signing.key \
  --confirm-swarm-control "I UNDERSTAND THIS WILL COLLAPSE LEGITIMATE SWARM CONSENSUS"

MITRE ATLAS Coverage

| Technique | SPECTER HIVE Subsystem |
|---|---|
| AML.T0051 — LLM Prompt Injection | BLACKBOARD-POISON, MISSION-REWRITE |
| AML.T0054 — LLM Jailbreak | QUORUM-COLLAPSE, GHOST-AGENT |
| AML.T0043 — Craft Adversarial Data | POISON-COORDINATOR, LEADER-HIJACK |
| AML.T0020 — Poison Training Data | BLACKBOARD-POISON (long-term belief) |
| AML.T0018 — Backdoor ML Model | GHOST-AGENT (skill registry) |