// Use when the engagement scope includes supply-chain attack simulation — typosquatted package publication, dependency confusion, GitHub Actions secret mining, internal mirror poisoning, OAuth-app impersonation, or vendor portal credential abuse.
Use when the engagement target is an Android (APK / AAB) or iOS (IPA) application. Covers static analysis (jadx, apktool, class-dump), dynamic instrumentation via Frida and Objection, SSL-pinning bypass, root/jailbreak detection bypass, deep-link / URL-scheme abuse, exported-component attacks, IPC redirection, WebView vulnerabilities, and biometric / Face ID / Touch ID bypass.
Use to close the Offensive Vaccine loop on the defender side. The Detector agent produces Sigma / YARA rules from offensive operations; this catalog validates those rules against real memory dumps, event logs, and forensic artifacts using Volatility 3, plaso, and sigma-cli. Without this catalog, detection rules are theoretical.
Use when the target is an industrial control system or operational technology network running Modbus, BACnet, S7Comm/S7Comm Plus, DNP3, OPC-UA, or any PLC/HMI/SCADA stack. Engagements MUST set RoE flag industrial_safety_critical=true; this catalog gates every write-scope operation behind explicit operator confirmation regardless of HITL middleware.
Use when the engagement target is IoT, embedded Linux, RTOS, or any device reachable via UART/JTAG/SWD or by extracting its firmware. Covers firmware acquisition, binwalk extraction, filesystem mounting, default-credential hunting, bootloader attacks, wireless protocol sidebands (BLE, Zigbee, Z-Wave, LoRaWAN, sub-GHz).
Use when the engagement requires passive reconnaissance only — no packets to the target's authoritative infrastructure. Splits off from the Recon agent so bug-bounty and pre-engagement work can run with outbound-only network policy. Maltego, Shodan, Censys, Hunter.io, breach-data lookups, GitHub code search, Wayback Machine archives, certificate transparency, BGP/ASN mapping.
Use ONLY when the engagement's ConOps explicitly declares phishing_engagement=true. Covers GoPhish campaign management, Evilginx2 reverse-proxy MFA bypass, Modlishka live credential capture, and the deconfliction handshake with SOC / incident response.
| name | supply-chain-overview |
| description | Use when the engagement scope includes supply-chain attack simulation — typosquatted package publication, dependency confusion, GitHub Actions secret mining, internal mirror poisoning, OAuth-app impersonation, or vendor portal credential abuse. |
| metadata | {"subdomain":"supply-chain","tags":"supply-chain, typosquatting, dep-confusion, gh-actions, oauth-app","mitre_attack":"T1195, T1195.001, T1195.002, T1199, T1136, T1543"} |
Supply-chain attacks have grown 1,300% since 2020 per Decepticon's own
ai-red-teaming.md. This catalog
gives the agent the playbooks to simulate the most common patterns —
all in a sandbox-isolated mode that publishes to a local mock registry by
default and to a real one only with supply_chain_real_publish=true in
ConOps.
| Skill | Use for |
|---|---|
/skills/standard/supply-chain/typo-name-gen/SKILL.md | Generate typosquat candidates for a target package; reachability + popularity score |
/skills/standard/supply-chain/dep-confusion-probe/SKILL.md | Check whether an internal package name is squat-able on PyPI / NPM / RubyGems / NuGet |
/skills/standard/supply-chain/post-install-script/SKILL.md | Author + sandboxed publish of a benign post-install probe |
/skills/standard/supply-chain/gh-actions-fork-pr/SKILL.md | Fork-PR secret mining; pull_request_target misconfiguration scan |
/skills/standard/supply-chain/oauth-app-impersonation/SKILL.md | Lookalike OAuth app + scope-creep social engineering |
/skills/standard/supply-chain/internal-mirror-poison/SKILL.md | Verdaccio / Artifactory / Nexus index manipulation |
/skills/standard/supply-chain/sbom-divergence/SKILL.md | Audit SBOM vs actual installed packages for drift |
/skills/standard/supply-chain/vendor-portal-creds/SKILL.md | SaaS vendor admin portal credential abuse paths |
All publish-mode skills accept a --dry-run flag that:
/workspace/typo-pkg/..tar.gz, .tgz, etc.) without uploading.Real publish requires both supply_chain_real_publish=true in ConOps AND
operator HITL approval at the moment of publish. Defense in depth.
Most rewarding attack class in 2024-2026. Common misconfigurations:
pull_request_target with actions/checkout of ${{ github.event.pull_request.head.sha }}
→ fork PRs run with target-repo secrets.workflow_run triggers reading inputs without sanitization.${{ github.event.pull_request.title }} interpolated into shell.GITHUB_TOKEN with write scope on contents.The gh-actions-fork-pr skill encodes the full enumeration: search the
target org's workflows, identify exploitable patterns, build a PoC fork
PR that exfiltrates secrets.* without modifying the workflow file
itself (so the operator's PR doesn't look obviously malicious to a human
reviewer).
For every simulated attack, the Detector agent produces:
npm install in CI logs,
actions/checkout@ followed by secrets.* reference patterns).Real-world publication that could harm third parties (other companies
who consume the customer's internal packages). The dep-confusion-probe
explicitly avoids this by checking name availability without uploading;
the operator decides whether to follow through.