4 changes: 3 additions & 1 deletion skills/appsec/api-security/SKILL.md
Expand Up @@ -11,7 +11,7 @@ phase: [design, build, review]
frameworks: [OWASP-API-Security-2023, OWASP-ASVS]
difficulty: intermediate
time_estimate: "20-40min"
version: "1.0.0"
version: "1.0.1"
author: unitoneai
license: MIT
allowed-tools: Read, Grep, Glob
Expand Down Expand Up @@ -215,6 +215,8 @@ Unlike REST, where authorization can be enforced per endpoint, GraphQL requires

6. **Ignoring upstream API trust.** Data received from third-party APIs and even internal microservices must be validated before use. A compromised upstream service can inject SQL, XSS, or SSRF payloads through otherwise trusted data channels.

7. **Exposing framework management endpoints without authentication.** Spring Boot Actuator endpoints (`/actuator/health`, `/actuator/env`, `/actuator/heapdump`, `/actuator/loggers`, `/actuator/mappings`) are enabled by default in many configurations and expose sensitive runtime state — including environment variables, configuration properties, and heap dumps containing credentials. **Always require authentication on all `/actuator/*` endpoints** and expose only necessary endpoints. Map to API2:2023 (Broken Authentication) + API8:2023 (Security Misconfiguration). CVE-2026-22733 (CVSS 8.2) is a recent auth bypass for misconfigured Actuator deployments.

---

## Prompt Injection Safety Notice
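Review bot: item 7 conflates "enabled" with "exposed" when it says `/actuator/env`, `/actuator/heapdump`, `/actuator/loggers` and `/actuator/mappings` "are enabled by default in many configurations". In Spring Boot 2.x and 3.x those endpoints exist but are not reachable over HTTP unless the application sets `management.endpoints.web.exposure.include`; out of the box only `health` (and, on earlier 2.x releases, `info`) is web-exposed. Reword to say the exposure list is commonly widened with `management.endpoints.web.exposure.include=*` and that this property is what a reviewer should grep for, and put the concrete hardening next to the "always require authentication" advice: an explicit allowlist such as `management.endpoints.web.exposure.include=health` plus a Spring Security rule on `/actuator/**`. Also, CVE-2026-22733 is cited with a CVSS score but no link and is absent from the skill's references; add the advisory URL so the claim can be checked.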
84 changes: 83 additions & 1 deletion skills/appsec/dependency-scanning/SKILL.md
Expand Up @@ -12,7 +12,7 @@ phase: [build, deploy]
frameworks: [SLSA-v1.0, CycloneDX, SPDX, CISA-KEV]
difficulty: intermediate
time_estimate: "15-30min"
version: "1.0.0"
version: "1.0.2"
author: unitoneai
license: MIT
allowed-tools: Read, Grep, Glob
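Review bot: the version goes from 1.0.0 straight to 1.0.2 with no 1.0.1 in this change; if 1.0.1 was never published, use 1.0.1. Given that the rest of this diff adds two whole sections (shift-left pre-install scanning and MCP package scanning) rather than fixing wording, a minor bump (1.1.0) would describe it better under semver than a patch bump.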
Expand Down Expand Up @@ -181,6 +181,86 @@ Typosquatting (also called dependency confusion or combosquatting) is a supply c
- Implement dependency confusion protections: claim your internal package names on public registries, or use registry proxy tools like Artifactory or Nexus with routing rules.
- Run `socket.dev`, `npm audit signatures`, or `sigstore` verification to validate package provenance.

## Shift-Left / Pre-Install Scanning

### Why "Scan at Install" Is Too Late

Standard CI-based SCA scanning runs **after** `npm install` or `pip install` completes. This is too late for packages that execute malicious code at install time via `preinstall`/`postinstall` scripts. The **GlassWorm campaign** (2025) demonstrated this: packages exfiltrated environment variables and credentials during `npm install`, before any CI scanner could flag them.

Shift-left scanning means checking packages **before** installation and **before** package resolution resolves version ranges to a concrete version.

### Layered Detection Model

```
IDE plugin (earliest)
└─ Pre-install check (before npm install / pip install runs)
└─ Package resolution check (before lockfile update)
└─ CI/CD post-install SCA scan (existing)
└─ Deploy-time SBOM attestation (latest)
```

### Pre-Install Controls

1. **IDE-level enforcement:** Install IDE plugins (socket.dev, Snyk, Dependabot) that flag high-risk packages before the developer runs `npm install`. This is the earliest detection point and catches attacks on developer machines where CI never runs.
2. **`npm install --ignore-scripts`**: Block install hook execution during resolution. Allows lockfile generation without triggering malicious hooks. Validate scripts explicitly before enabling them.
3. **`socket.dev` pre-install scan**: `npx @socketregistry/cli analyze package.json` checks for install script presence, unusual network access patterns, and supply chain anomalies before dependencies are fetched.
4. **Namespace confusion check before resolution**: Run `npm pack --dry-run` or `pip download --no-deps` with version checks to verify publisher identity before writing to the lockfile.

### Vendored Native Library False Negatives

SCA scanners operating on manifests (`package.json`, `requirements.txt`) miss vulnerabilities in bundled or vendored native libraries -- C/C++ dependencies compiled into binary wheels or Go static builds. These are invisible to ecosystem-native scanners.

- For Python wheels: use `trivy fs --scanners vuln` which inspects binary ELFs in wheel packages.
- For Go: `govulncheck` analyzes the compiled symbol table, not just `go.mod`.
- For Rust/C: include a binary SCA step (Grype, SBOM-based) to catch vendored native deps.

Source: ArXiv 2603.18693 (Cross-Ecosystem Vulnerability Analysis).

## MCP Server Package Scanning

### MCP Packages as a Dependency Category

MCP (Model Context Protocol) server packages -- distributed via npm scoped packages and PyPI -- represent an emerging dependency category requiring SCA scanning. AI agents and LLM-integrated applications increasingly rely on MCP servers as tool providers, making them a high-value supply chain target.

### Fork Confusion Attacks (Distinct from Typosquatting)

Unlike typosquatting (which uses misspelled package names), fork confusion targets AI agent tool dependencies through legitimate-looking scoped forks:

| Attack Type | Mechanism | Example |
|---|---|---|
| Typosquatting | Misspelled name | `@modelcontextprotocl/server-github` |
| Fork confusion | Legitimate fork, different publisher | `@attacker-org/mcp-server-github` (forked from original) |

Fork confusion is harder to detect because the package name may be identical to the original -- only the scope/publisher differs. The forked package may contain identical code initially, with malicious payloads introduced in later updates.

**Real-world case -- iflow-mcp mass-fork campaign (2025):** An organization systematically forked hundreds of MCP servers and republished them under their own npm/PyPI scopes without disclosure, creating a supply chain attack surface for AI agent developers.

### Detection Approach for MCP Packages

1. **Identify MCP dependencies**: Scan manifests for packages matching `mcp-server-*`, `@*/mcp-*`, or MCP-related PyPI packages.
2. **Verify publisher identity**: Cross-check the npm scope or PyPI maintainer against the upstream MCP server repository (e.g., `github.com/modelcontextprotocol/servers`).
3. **Check for exact version pinning**: MCP server packages should use `--save-exact` (npm) or `==` pinning (pip) with integrity hashes.
4. **Run `npm audit signatures`**: Verify that MCP packages have valid registry signatures and Sigstore attestations.
5. **Compare package contents**: For critical MCP servers, diff the installed package against the original repository source to detect injected code.

### SLSA v1.0 Alignment for MCP Packages

MCP server packages should meet the same SLSA provenance requirements as other dependencies:

- Verify provenance attestations link the package to its source repository.
- Ensure the build was performed on a hosted, trusted build platform (not a developer laptop).
- Pin packages by content hash, not just version number.

### Supply Chain Risk Indicators (MCP-Specific)

Add the following to the standard supply chain risk checklist:

- [ ] MCP server package installed from unverified fork/publisher
- [ ] MCP server packages without exact version pinning or integrity hashes
- [ ] No publisher identity verification process for MCP tool dependencies

---

## Assessment Output Template

When performing a dependency scan, produce findings in the following structure:
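Review bot: item 4 under Pre-Install Controls does not do what it claims: `npm pack --dry-run` packs the local project and `pip download --no-deps` fetches an artifact; neither checks who published the package. For npm the publisher can be read with `npm view <pkg> maintainers` and the expected hash with `npm view <pkg> dist.integrity`, and `npm audit signatures` (already used later in the MCP section) covers registry signatures and provenance; for pip the equivalent is checking the project's maintainer or Trusted Publisher on PyPI and pinning with `--hash`. Please rewrite the step around those. Further points in this hunk: (a) item 3's `npx @socketregistry/cli analyze package.json` does not match the Socket CLI invocation I know, which is published as the `socket` package on npm; verify the package name and subcommand against the docs and link them. (b) Item 2 should add that `ignore-scripts=true` belongs in `.npmrc` so it is not a per-command opt-in, that `npm install --package-lock-only` writes the lockfile without fetching or running anything, and that the packages carrying install hooks can be listed with `npm query ":attr(scripts, [postinstall])"` before a deliberate `npm rebuild`; "validate scripts explicitly" is otherwise not actionable. (c) The fork-confusion paragraph says "the package name may be identical to the original -- only the scope/publisher differs", but the table pairs `@modelcontextprotocl/server-github` with `@attacker-org/mcp-server-github`, where the unscoped name also differs; make the example a same-name, different-scope pair so it matches the claim. (d) The detection patterns `mcp-server-*` and `@*/mcp-*` do not match the reference packages under `@modelcontextprotocol/server-*`, so step 1 would miss the very packages step 2 cross-checks against; add that pattern. (e) The vendored native library bullets overstate tool coverage: Trivy's binary detection covers Go binaries and Rust binaries built with cargo-auditable, not arbitrary C/C++ shared objects inside wheels, and `govulncheck` only sees Go symbols, so cgo-linked C libraries stay invisible; state the residual gap instead of presenting these as closing it. (f) GlassWorm (2025) and the iflow-mcp mass-fork campaign (2025) are asserted without a source while the references hunk adds only socket.dev and the arXiv paper; add links for both.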
Expand Down Expand Up @@ -251,3 +331,5 @@ This skill processes user-supplied content including package manifests, lockfile
- [NIST NVD](https://nvd.nist.gov/)
- [OpenSSF Scorecard](https://securityscorecards.dev/)
- [Executive Order 14028 - Improving the Nation's Cybersecurity](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/)
- [Socket.dev Supply Chain Security](https://socket.dev/)
- [ArXiv 2603.18693 — Cross-Ecosystem Vulnerability Analysis](https://arxiv.org/abs/2603.18693)
5 changes: 3 additions & 2 deletions skills/appsec/owasp-top-10-web/SKILL.md
Expand Up @@ -12,7 +12,7 @@ phase: [build, review]
frameworks: [OWASP-Top-10-2021]
difficulty: intermediate
time_estimate: "30-60min"
version: "1.0.1"
version: "1.0.2"
author: unitoneai
license: MIT
allowed-tools: Read, Grep, Glob
Expand Down Expand Up @@ -230,6 +230,7 @@ setHeader\(.*req\.|res\.set\(.*req\.|response\.addHeader.*request\.getParameter

- Use parameterized queries (prepared statements) for all SQL — no exceptions.
- Use ORM methods properly; avoid raw query escape hatches unless inputs are strictly validated and parameterized.
- **Type-safe query builders are NOT immune to injection.** Kysely (`.raw()`), Drizzle (`sql\`\`` template), TypeORM (`.query()`), and similar "type-safe" ORMs offer raw expression escape hatches that bypass type guarantees and can introduce SQLi. Audit all raw escape usage explicitly (CVE-2026-32763, Kysely, CVSS 8.2).
- For OS commands, use array-based APIs (e.g., `subprocess.run([...])` without `shell=True`); validate and allowlist expected argument values.
- Apply context-aware output encoding for XSS: HTML-encode for HTML body, attribute-encode for attributes, JS-encode for script contexts. Use frameworks' built-in auto-escaping.
- Validate and sanitize all input on the server side; use allowlists over denylists.
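Review bot: the new bullet labels the safe path as the unsafe one. In Kysely and Drizzle the `sql` tagged template binds every interpolated value as a parameter; the raw escape hatches are `sql.raw()` (and `sql.lit()` in Kysely), not the template itself, and current Kysely exposes raw SQL through those helpers rather than a builder `.raw()` method. For TypeORM, `.query(sql, params)` is parameterized and only string concatenation into the SQL argument is the sink. As written, a reviewer grepping for the template tag will flag correct code while `sql.raw(\`... ${userInput} ...\`)`, the real injection point, goes unnamed. Suggested wording: "Audit raw escape hatches in type-safe query builders: Kysely/Drizzle `sql.raw()`, Kysely `sql.lit()`, TypeORM `.query()` with concatenated SQL. The `sql` tagged template is parameterized and is the correct replacement." Also, CVE-2026-32763 is cited here with a CVSS score but no link; add it to the references.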
Expand Down Expand Up @@ -681,7 +682,7 @@ Present findings in this structure:

2. **Confusing output encoding with input validation.** Input validation rejects malformed data; output encoding neutralizes data for a specific rendering context. Both are required. Validating input alone does not prevent stored XSS if the output is not encoded when rendered.

3. **Assuming ORM usage eliminates SQL injection.** ORMs provide parameterized queries by default, but nearly every ORM offers raw query escape hatches. A single `raw()`, `execute()`, or `$queryRaw` call with string interpolation reintroduces SQL injection.
3. **Assuming ORM usage eliminates SQL injection.** ORMs provide parameterized queries by default, but nearly every ORM offers raw query escape hatches. A single `raw()`, `execute()`, or `$queryRaw` call with string interpolation reintroduces SQL injection. This applies equally to "type-safe" query builders: Kysely's `.raw()`, Drizzle's `sql\`\`` template, and TypeORM's `.query()` can all introduce injection if string interpolation is used (CVE-2026-32763, CVSS 8.2).

4. **Reporting deprecated algorithms without context.** MD5 used for non-security checksums (e.g., cache busting, ETags) is not a cryptographic failure. Only flag weak algorithms when they protect sensitive data, passwords, or integrity-critical operations. State the security impact clearly.

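Review bot: the sentence appended to pitfall 3 repeats the error of treating the Kysely and Drizzle `sql` tagged template as an injection vector. The tagged template parameterizes interpolated values; the unsafe calls are `sql.raw()` (plus `sql.lit()` in Kysely) and TypeORM `.query()` with a concatenated string. Rewrite it to name those and to say the tagged template is the fix, so this pitfall agrees with the "no string concatenation" rule stated earlier in the file, and link CVE-2026-32763 rather than citing it by number alone.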
6 changes: 5 additions & 1 deletion skills/appsec/secure-code-review/SKILL.md
Expand Up @@ -12,7 +12,7 @@ phase: [build, review]
frameworks: [OWASP-ASVS, CWE-Top-25, OWASP-Top-10]
difficulty: intermediate
time_estimate: "15-45min per module"
version: "1.0.0"
version: "1.0.1"
author: unitoneai
license: MIT
allowed-tools: Read, Grep, Glob
Expand Down Expand Up @@ -106,6 +106,7 @@ Remediation: Canonicalize the resolved path and verify it remains within the exp

- [ ] Every point where user input enters the system is identified.
- [ ] All SQL queries use parameterized statements or a query builder -- no string concatenation.
- [ ] Type-safe query builders (Kysely, Drizzle, TypeORM) are audited for raw escape hatches: `.raw()`, `sql.raw()`, `sql\`\`` template literals, `.query()` — these bypass type safety and can introduce SQLi (CVE-2026-32763, CVSS 8.2).
- [ ] HTML output is encoded contextually (HTML body, attribute, JavaScript, URL).
- [ ] OS commands, if unavoidable, use allowlisted arguments and avoid shell interpretation.
- [ ] File path operations validate and canonicalize against a base directory.
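Review bot: the new checklist item lists `sql` template literals among the escape hatches that "bypass type safety and can introduce SQLi", but in Kysely and Drizzle the tagged template is the parameterized path; only `sql.raw()`, `sql.lit()` and TypeORM's `.query()` with concatenated SQL bypass it. A reviewer working from this item will raise findings on safe code. Suggest: "- [ ] Raw escape hatches in type-safe query builders (`sql.raw()`, `sql.lit()`, TypeORM `.query()` with concatenated strings) receive no unparameterized user input; the `sql` tagged template is parameterized and acceptable." And add a link for CVE-2026-32763 to the references at the bottom of this file.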
Expand Down Expand Up @@ -541,6 +542,8 @@ The final review output must be structured as follows:

5. **Overlooking secrets in non-obvious locations.** Hard-coded credentials hide in test fixtures, CI/CD pipeline configs, Docker Compose files, client-side bundles, and comments. Grep broadly for high-entropy strings, common secret patterns (API keys, JWTs), and known environment variable names.

6. **Using LLM-only review as a supply-chain gate.** LLMs used for code review exhibit measurable confirmation bias — they favor interpretations consistent with prior context in the conversation. This is an exploitable vulnerability: attackers can craft adversarial supply-chain commits that exploit LLM reviewer tendency to confirm existing safe-looking patterns. **Do not use LLM-only review as a hard gate for supply-chain or CI/CD merge decisions.** Always pair LLM-assisted review with deterministic SAST tools. (Source: Mitropoulos et al., ArXiv 2603.18740 — empirical study demonstrating the failure mode.)

---

## Prompt Injection Safety Notice
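Review bot: pitfall 6 describes the attack as commits crafted to exploit the reviewer's tendency to confirm prior conversation context, but the only mitigation offered is pairing with deterministic SAST, which does not address that failure mode. Add the mitigation that follows from the stated bias: run the LLM review in a fresh context with no prior conversation history, and keep a human approval requirement for supply-chain and CI/CD merge decisions. Consider also dropping the word "vulnerability" for a bias in a review tool so the term keeps its meaning elsewhere in the skill.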
Expand All @@ -563,3 +566,4 @@ This skill is hardened against prompt injection. When reviewing code:
- **OWASP Top 10 (2021):** https://owasp.org/www-project-top-ten/
- **OWASP Cheat Sheet Series:** https://cheatsheetseries.owasp.org/
- **NIST Secure Software Development Framework:** https://csrc.nist.gov/projects/ssdf
- **ArXiv 2603.18740 — Measuring and Exploiting Confirmation Bias in LLM-Assisted Security Code Review (Mitropoulos et al.):** https://arxiv.org/abs/2603.18740