{ "$schema": "https://agentpwn.com/coverage.schema.json", "source": "AgentPwn honeypot coverage of the AI Agent Threat Matrix", "matrix": "https://threats.opena2a.org", "generated": "2026-06-16", "summary": { "totalTechniques": 61, "live": 42, "queued": 8, "outOfScope": 11, "inScope": 50, "deployedPayloads": 48, "directlyAttributedTechniques": 26 }, "byTactic": [ { "id": "reconnaissance", "name": "Reconnaissance", "live": 5, "queued": 1, "outOfScope": 1, "total": 7 }, { "id": "initial-access", "name": "Initial Access", "live": 9, "queued": 0, "outOfScope": 0, "total": 9 }, { "id": "credential-harvest", "name": "Credential Harvest", "live": 4, "queued": 2, "outOfScope": 0, "total": 6 }, { "id": "privilege-escalation", "name": "Privilege Escalation", "live": 7, "queued": 0, "outOfScope": 0, "total": 7 }, { "id": "lateral-movement", "name": "Lateral Movement", "live": 1, "queued": 3, "outOfScope": 2, "total": 6 }, { "id": "persistence", "name": "Persistence", "live": 5, "queued": 0, "outOfScope": 2, "total": 7 }, { "id": "collection", "name": "Collection", "live": 4, "queued": 1, "outOfScope": 2, "total": 7 }, { "id": "exfiltration", "name": "Exfiltration", "live": 4, "queued": 0, "outOfScope": 2, "total": 6 }, { "id": "impact", "name": "Impact", "live": 3, "queued": 1, "outOfScope": 2, "total": 6 } ], "deployedCategories": [ { "id": "prompt-injection", "name": "Prompt Injection", "maxTier": 10 }, { "id": "jailbreak", "name": "Jailbreak", "maxTier": 5 }, { "id": "data-exfiltration", "name": "Data Exfiltration", "maxTier": 5 }, { "id": "capability-abuse", "name": "Capability Abuse", "maxTier": 3 }, { "id": "context-manipulation", "name": "Context Manipulation", "maxTier": 5 }, { "id": "mcp-exploitation", "name": "MCP Exploitation", "maxTier": 3 }, { "id": "a2a-attack", "name": "Agent-to-Agent Attack", "maxTier": 3 }, { "id": "memory-weaponization", "name": "Memory Weaponization", "maxTier": 3 }, { "id": "context-window", "name": "Context Window", "maxTier": 5 }, { "id": "supply-chain", "name": "Supply Chain", "maxTier": 3 }, { "id": "tool-shadow", "name": "Tool Shadow", "maxTier": 3 } ], "payloads": [ { "attackId": "APWN-PI-001", "category": "prompt-injection", "primaryTechnique": "T-2001", "hmaCheckId": "PROMPT-001" }, { "attackId": "APWN-PI-002", "category": "prompt-injection", "primaryTechnique": "T-1003", "hmaCheckId": "PROMPT-002" }, { "attackId": "APWN-PI-003", "category": "prompt-injection", "primaryTechnique": "T-2001", "hmaCheckId": "PROMPT-003" }, { "attackId": "APWN-PI-004", "category": "prompt-injection", "primaryTechnique": "T-2008", "hmaCheckId": "PROMPT-004" }, { "attackId": "APWN-PI-005", "category": "prompt-injection", "primaryTechnique": "T-2001", "hmaCheckId": "INJ-001" }, { "attackId": "APWN-PI-006", "category": "prompt-injection", "primaryTechnique": "T-2002", "hmaCheckId": "INJ-002" }, { "attackId": "APWN-PI-007", "category": "prompt-injection", "primaryTechnique": "T-2006", "hmaCheckId": "INJ-003" }, { "attackId": "APWN-PI-008", "category": "prompt-injection", "primaryTechnique": "T-2006", "hmaCheckId": "UNICODE-STEGO-001" }, { "attackId": "APWN-PI-009", "category": "prompt-injection", "primaryTechnique": "T-2001", "hmaCheckId": "INJ-004" }, { "attackId": "APWN-PI-010", "category": "prompt-injection", "primaryTechnique": "T-2001", "hmaCheckId": "PROMPT-001" }, { "attackId": "APWN-JB-001", "category": "jailbreak", "primaryTechnique": "T-2003", "hmaCheckId": "PROMPT-001" }, { "attackId": "APWN-JB-002", "category": "jailbreak", "primaryTechnique": "T-2003", "hmaCheckId": "PROMPT-002" }, { "attackId": "APWN-JB-003", "category": "jailbreak", "primaryTechnique": "T-2003", "hmaCheckId": "PROMPT-003" }, { "attackId": "APWN-JB-004", "category": "jailbreak", "primaryTechnique": "T-2003", "hmaCheckId": "PROMPT-004" }, { "attackId": "APWN-JB-005", "category": "jailbreak", "primaryTechnique": "T-2006", "hmaCheckId": "INJ-001" }, { "attackId": "APWN-DE-001", "category": "data-exfiltration", "primaryTechnique": "T-3001", "hmaCheckId": "CRED-001" }, { "attackId": "APWN-DE-002", "category": "data-exfiltration", "primaryTechnique": "T-1003", "hmaCheckId": "CRED-002" }, { "attackId": "APWN-DE-003", "category": "data-exfiltration", "primaryTechnique": "T-8002", "hmaCheckId": "CRED-003" }, { "attackId": "APWN-DE-004", "category": "data-exfiltration", "primaryTechnique": "T-7004", "hmaCheckId": "MEM-001" }, { "attackId": "APWN-DE-005", "category": "data-exfiltration", "primaryTechnique": "T-8002", "hmaCheckId": "CRED-004" }, { "attackId": "APWN-CA-001", "category": "capability-abuse", "primaryTechnique": "T-4001", "hmaCheckId": "TOOL-001" }, { "attackId": "APWN-CA-002", "category": "capability-abuse", "primaryTechnique": "T-9002", "hmaCheckId": "RATE-001" }, { "attackId": "APWN-CA-003", "category": "capability-abuse", "primaryTechnique": "T-4001", "hmaCheckId": "TOOL-002" }, { "attackId": "APWN-CM-001", "category": "context-manipulation", "primaryTechnique": "T-2007", "hmaCheckId": "MEM-001" }, { "attackId": "APWN-CM-002", "category": "context-manipulation", "primaryTechnique": "T-4002", "hmaCheckId": "AUTH-001" }, { "attackId": "APWN-CM-003", "category": "context-manipulation", "primaryTechnique": "T-2007", "hmaCheckId": "INJ-002" }, { "attackId": "APWN-CM-004", "category": "context-manipulation", "primaryTechnique": "T-2007", "hmaCheckId": "INJ-003" }, { "attackId": "APWN-CM-005", "category": "context-manipulation", "primaryTechnique": "T-2007", "hmaCheckId": "INJ-004" }, { "attackId": "APWN-MCP-001", "category": "mcp-exploitation", "primaryTechnique": "T-1002", "hmaCheckId": "MCP-001" }, { "attackId": "APWN-MCP-002", "category": "mcp-exploitation", "primaryTechnique": "T-2005", "hmaCheckId": "MCP-002" }, { "attackId": "APWN-MCP-003", "category": "mcp-exploitation", "primaryTechnique": "T-4007", "hmaCheckId": "MCP-008" }, { "attackId": "APWN-A2A-001", "category": "a2a-attack", "primaryTechnique": "T-5002", "hmaCheckId": "A2A-001" }, { "attackId": "APWN-A2A-002", "category": "a2a-attack", "primaryTechnique": "T-4004", "hmaCheckId": "A2A-002" }, { "attackId": "APWN-A2A-003", "category": "a2a-attack", "primaryTechnique": "T-9004", "hmaCheckId": "A2A-003" }, { "attackId": "APWN-MW-001", "category": "memory-weaponization", "primaryTechnique": "T-6001", "hmaCheckId": "MEM-001" }, { "attackId": "APWN-MW-002", "category": "memory-weaponization", "primaryTechnique": "T-6001", "hmaCheckId": "RAG-001" }, { "attackId": "APWN-MW-003", "category": "memory-weaponization", "primaryTechnique": "T-6007", "hmaCheckId": "MEM-006" }, { "attackId": "APWN-CW-001", "category": "context-window", "primaryTechnique": "T-4006", "hmaCheckId": "INJ-001" }, { "attackId": "APWN-CW-002", "category": "context-window", "primaryTechnique": "T-2004", "hmaCheckId": "INJ-002" }, { "attackId": "APWN-CW-003", "category": "context-window", "primaryTechnique": "T-2007", "hmaCheckId": "INJ-003" }, { "attackId": "APWN-CW-004", "category": "context-window", "primaryTechnique": "T-2004", "hmaCheckId": "INJ-004" }, { "attackId": "APWN-CW-005", "category": "context-window", "primaryTechnique": "T-2004", "hmaCheckId": "MEM-001" }, { "attackId": "APWN-SC-001", "category": "supply-chain", "primaryTechnique": "T-6004", "hmaCheckId": "SUPPLY-001" }, { "attackId": "APWN-SC-002", "category": "supply-chain", "primaryTechnique": "T-9006", "hmaCheckId": "MCP-011" }, { "attackId": "APWN-SC-003", "category": "supply-chain", "primaryTechnique": "T-6004", "hmaCheckId": "CONFIG-001" }, { "attackId": "APWN-TS-001", "category": "tool-shadow", "primaryTechnique": "T-4007", "hmaCheckId": "TOOL-003" }, { "attackId": "APWN-TS-002", "category": "tool-shadow", "primaryTechnique": "T-8004", "hmaCheckId": "TOOL-004" }, { "attackId": "APWN-TS-003", "category": "tool-shadow", "primaryTechnique": "T-9002", "hmaCheckId": "TOOL-001" } ], "techniques": [ { "id": "T-1001", "name": "Endpoint Enumeration", "tactic": "reconnaissance", "tacticName": "Reconnaissance", "status": "out-of-scope", "categories": [], "note": "Enumerating the agent's own exposed endpoints is an external scan, not a content trap. HackMyAgent WEBEXPOSE-* covers it." }, { "id": "T-1002", "name": "Tool Discovery", "tactic": "reconnaissance", "tacticName": "Reconnaissance", "status": "live", "categories": [ "mcp-exploitation" ], "note": "The Tool Discovery tier asks the agent to enumerate its MCP tools and schemas." }, { "id": "T-1003", "name": "System Prompt Extraction", "tactic": "reconnaissance", "tacticName": "Reconnaissance", "status": "live", "categories": [ "data-exfiltration", "prompt-injection" ], "note": "System-prompt extraction tiers coax the agent into echoing its instructions verbatim." }, { "id": "T-1004", "name": "Security Level Probing", "tactic": "reconnaissance", "tacticName": "Reconnaissance", "status": "live", "categories": [ "jailbreak" ], "note": "Tiered jailbreak payloads measure at what sophistication the agent's guardrails give way -- security-level probing by construction." }, { "id": "T-1005", "name": "Capability Mapping", "tactic": "reconnaissance", "tacticName": "Reconnaissance", "status": "live", "categories": [ "mcp-exploitation", "data-exfiltration" ], "note": "Tool-discovery and system-info tiers map the agent's full capability surface." }, { "id": "T-1006", "name": "Agent Card Discovery", "tactic": "reconnaissance", "tacticName": "Reconnaissance", "status": "queued", "categories": [], "note": "A2A agent-card discovery needs the fake-agent network at /pwnagent, which is queued." }, { "id": "T-1007", "name": "Context Window Probing", "tactic": "reconnaissance", "tacticName": "Reconnaissance", "status": "live", "categories": [ "context-window" ], "note": "Context-window tiers probe attention span and saturation before overflow." }, { "id": "T-2001", "name": "Direct Prompt Injection", "tactic": "initial-access", "tacticName": "Initial Access", "status": "live", "categories": [ "prompt-injection" ], "note": "Direct override is tier 1 of prompt injection." }, { "id": "T-2002", "name": "Indirect Prompt Injection", "tactic": "initial-access", "tacticName": "Initial Access", "status": "live", "categories": [ "prompt-injection" ], "note": "Every AgentPwn page is an indirect-injection surface delivered through consumed web content." }, { "id": "T-2003", "name": "Role-Play Jailbreak", "tactic": "initial-access", "tacticName": "Initial Access", "status": "live", "categories": [ "jailbreak" ], "note": "Persona and developer-mode tiers exercise role-play jailbreaks." }, { "id": "T-2004", "name": "Context Window Exploitation", "tactic": "initial-access", "tacticName": "Initial Access", "status": "live", "categories": [ "context-window" ], "note": "Attention-dilution and displacement tiers saturate the window to push out safety instructions." }, { "id": "T-2005", "name": "Tool Description Injection", "tactic": "initial-access", "tacticName": "Initial Access", "status": "live", "categories": [ "mcp-exploitation" ], "note": "Tool-injection tiers embed instructions in tool/skill descriptions." }, { "id": "T-2006", "name": "Unicode/Encoding Bypass", "tactic": "initial-access", "tacticName": "Initial Access", "status": "live", "categories": [ "prompt-injection" ], "note": "Higher tiers carry base64, Unicode homoglyph, and zero-width payloads." }, { "id": "T-2007", "name": "Multi-Turn Manipulation", "tactic": "initial-access", "tacticName": "Initial Access", "status": "live", "categories": [ "context-manipulation", "context-window" ], "note": "Task-hijacking and progressive-desensitization tiers shift behavior across multiple steps." }, { "id": "T-2008", "name": "System Prompt Boundary Bypass", "tactic": "initial-access", "tacticName": "Initial Access", "status": "live", "categories": [ "prompt-injection" ], "note": "Delimiter-escape tiers exploit weak system/user prompt boundaries." }, { "id": "T-2009", "name": "Parser Differential Exploitation", "tactic": "initial-access", "tacticName": "Initial Access", "status": "live", "categories": [ "prompt-injection" ], "note": "JSON-LD, markdown, and meta-tag delivery tiers exercise parser-differential injection." }, { "id": "T-3001", "name": "System Prompt Credential Extraction", "tactic": "credential-harvest", "tacticName": "Credential Harvest", "status": "live", "categories": [ "data-exfiltration" ], "note": "Credential-probe tiers extract secrets referenced in the system prompt." }, { "id": "T-3002", "name": "Environment Variable Leakage", "tactic": "credential-harvest", "tacticName": "Credential Harvest", "status": "live", "categories": [ "data-exfiltration" ], "note": "The credential-probe tier asks the agent to dump environment variables and keys." }, { "id": "T-3003", "name": "Tool Response Credential Capture", "tactic": "credential-harvest", "tacticName": "Credential Harvest", "status": "queued", "categories": [], "note": "Capturing creds from a fake tool response needs an MCP fixture that returns secrets; not yet wired." }, { "id": "T-3004", "name": "Memory Credential Mining", "tactic": "credential-harvest", "tacticName": "Credential Harvest", "status": "live", "categories": [ "data-exfiltration", "memory-weaponization" ], "note": "Conversation-history-leak tiers surface credentials from prior context." }, { "id": "T-3005", "name": "Configuration File Access", "tactic": "credential-harvest", "tacticName": "Credential Harvest", "status": "queued", "categories": [], "note": "A trap-page filesystem fixture (read a config file for creds) is not yet wired." }, { "id": "T-3006", "name": "Context Window Credential Leak", "tactic": "credential-harvest", "tacticName": "Credential Harvest", "status": "live", "categories": [ "context-window" ], "note": "Context-window tiers leak credentials retained in the active window." }, { "id": "T-4001", "name": "Capability Override", "tactic": "privilege-escalation", "tacticName": "Privilege Escalation", "status": "live", "categories": [ "capability-abuse" ], "note": "Confused-deputy tiers push the agent past its declared capabilities." }, { "id": "T-4002", "name": "Admin Impersonation", "tactic": "privilege-escalation", "tacticName": "Privilege Escalation", "status": "live", "categories": [ "context-manipulation" ], "note": "Authority-impersonation tiers inject fake admin/system messages." }, { "id": "T-4003", "name": "Tool Parameter Injection", "tactic": "privilege-escalation", "tacticName": "Privilege Escalation", "status": "live", "categories": [ "mcp-exploitation" ], "note": "Tool-injection tiers smuggle malicious parameters into tool calls." }, { "id": "T-4004", "name": "Delegation Abuse", "tactic": "privilege-escalation", "tacticName": "Privilege Escalation", "status": "live", "categories": [ "a2a-attack" ], "note": "Delegation-abuse tier escalates through trusted agent chains." }, { "id": "T-4005", "name": "Policy Bypass via Encoding", "tactic": "privilege-escalation", "tacticName": "Privilege Escalation", "status": "live", "categories": [ "prompt-injection" ], "note": "Base64/Unicode tiers bypass policy enforcement on actions." }, { "id": "T-4006", "name": "Safety Instruction Displacement", "tactic": "privilege-escalation", "tacticName": "Privilege Escalation", "status": "live", "categories": [ "context-window" ], "note": "Instruction-displacement tiers evict safety instructions from active context." }, { "id": "T-4007", "name": "Tool Impersonation and Squatting", "tactic": "privilege-escalation", "tacticName": "Privilege Escalation", "status": "live", "categories": [ "mcp-exploitation", "tool-shadow" ], "note": "Tool-injection and ghost-tool tiers exercise tool squatting and shadowing." }, { "id": "T-5001", "name": "SSRF via Tool", "tactic": "lateral-movement", "tacticName": "Lateral Movement", "status": "queued", "categories": [], "note": "A confused-deputy SSRF fixture (canary internal URL) is adjacent to capability-abuse but not yet wired." }, { "id": "T-5002", "name": "A2A Agent Pivoting", "tactic": "lateral-movement", "tacticName": "Lateral Movement", "status": "live", "categories": [ "a2a-attack" ], "note": "Worm-propagation and impersonation tiers pivot across A2A connections." }, { "id": "T-5003", "name": "MCP Server Hopping", "tactic": "lateral-movement", "tacticName": "Lateral Movement", "status": "queued", "categories": [], "note": "A multi-MCP fixture network for server hopping is not yet built." }, { "id": "T-5004", "name": "Credential Reuse", "tactic": "lateral-movement", "tacticName": "Lateral Movement", "status": "out-of-scope", "categories": [], "note": "Reusing harvested credentials against a second system is not something a content honeypot can stage." }, { "id": "T-5005", "name": "Database Pivoting", "tactic": "lateral-movement", "tacticName": "Lateral Movement", "status": "out-of-scope", "categories": [], "note": "Database pivoting needs live DB tooling; DVAA covers it." }, { "id": "T-5006", "name": "Internal API Discovery", "tactic": "lateral-movement", "tacticName": "Lateral Movement", "status": "queued", "categories": [], "note": "A fake internal-API trap fixture is not yet built." }, { "id": "T-6001", "name": "Memory Injection", "tactic": "persistence", "tacticName": "Persistence", "status": "live", "categories": [ "memory-weaponization" ], "note": "Memory-injection tier persists instructions across sessions." }, { "id": "T-6002", "name": "Self-Replicating Memory Entry", "tactic": "persistence", "tacticName": "Persistence", "status": "live", "categories": [ "memory-weaponization" ], "note": "Self-re-injecting memory entries extend the memory-injection tier." }, { "id": "T-6003", "name": "Configuration Modification", "tactic": "persistence", "tacticName": "Persistence", "status": "out-of-scope", "categories": [], "note": "Modifying the agent's own config on its host is not observable via web content." }, { "id": "T-6004", "name": "Skill/Plugin Backdoor", "tactic": "persistence", "tacticName": "Persistence", "status": "live", "categories": [ "supply-chain" ], "note": "Fake-package and malicious-MCP-server tiers instruct a backdoored skill/plugin install." }, { "id": "T-6005", "name": "Scheduled Task Injection", "tactic": "persistence", "tacticName": "Persistence", "status": "out-of-scope", "categories": [], "note": "Scheduled-task injection needs host cron/scheduler context the honeypot never sees." }, { "id": "T-6006", "name": "Tool Registration Persistence", "tactic": "persistence", "tacticName": "Persistence", "status": "live", "categories": [ "supply-chain", "tool-shadow" ], "note": "Malicious-MCP-server and ghost-tool tiers register tools that persist in the registry." }, { "id": "T-6007", "name": "Persistent Agent State Manipulation", "tactic": "persistence", "tacticName": "Persistence", "status": "live", "categories": [ "memory-weaponization" ], "note": "Context-cache-poisoning tier persists tampered state across sessions." }, { "id": "T-7001", "name": "File System Enumeration", "tactic": "collection", "tacticName": "Collection", "status": "out-of-scope", "categories": [], "note": "Filesystem enumeration needs real file-tool access; DVAA covers it." }, { "id": "T-7002", "name": "Database Extraction", "tactic": "collection", "tacticName": "Collection", "status": "out-of-scope", "categories": [], "note": "Database extraction needs live DB tooling not present on the honeypot." }, { "id": "T-7003", "name": "API Data Harvesting", "tactic": "collection", "tacticName": "Collection", "status": "live", "categories": [ "data-exfiltration" ], "note": "Data-exfiltration tiers harvest data the agent surfaces from connected sources." }, { "id": "T-7004", "name": "Memory Dump", "tactic": "collection", "tacticName": "Collection", "status": "live", "categories": [ "memory-weaponization" ], "note": "Memory-dump payloads extract the agent's stored conversation state." }, { "id": "T-7005", "name": "Configuration Harvesting", "tactic": "collection", "tacticName": "Collection", "status": "queued", "categories": [], "note": "A dedicated configuration-harvest trap fixture is not yet wired." }, { "id": "T-7006", "name": "PII Discovery", "tactic": "collection", "tacticName": "Collection", "status": "live", "categories": [ "data-exfiltration" ], "note": "Sector trap pages (/trap/medical-records, /trap/legal-documents, /trap/customer-portal, /trap/sec-filing) bait PII collection." }, { "id": "T-7007", "name": "Context Assembly Pipeline Attack", "tactic": "collection", "tacticName": "Collection", "status": "live", "categories": [ "prompt-injection", "context-window" ], "note": "Multi-surface delivery tiers inject into the prompt-assembly pipeline." }, { "id": "T-8001", "name": "Email Exfiltration", "tactic": "exfiltration", "tacticName": "Exfiltration", "status": "out-of-scope", "categories": [], "note": "AgentPwn does not simulate email-sending tools." }, { "id": "T-8002", "name": "HTTP Callback", "tactic": "exfiltration", "tacticName": "Exfiltration", "status": "live", "categories": [ "data-exfiltration" ], "note": "AgentPwn's primary signal: the payload HTTP callback fires." }, { "id": "T-8003", "name": "DNS Exfiltration", "tactic": "exfiltration", "tacticName": "Exfiltration", "status": "out-of-scope", "categories": [], "note": "No DNS path on an HTTP honeypot." }, { "id": "T-8004", "name": "Tool Chain Exfiltration", "tactic": "exfiltration", "tacticName": "Exfiltration", "status": "live", "categories": [ "capability-abuse" ], "note": "Tool-chain tiers stage exfiltration through legitimate-looking operations." }, { "id": "T-8005", "name": "Conversation Exfiltration", "tactic": "exfiltration", "tacticName": "Exfiltration", "status": "live", "categories": [ "data-exfiltration" ], "note": "Conversation-exfiltration tier encodes data into the agent's visible response." }, { "id": "T-8006", "name": "Webhook Exfiltration", "tactic": "exfiltration", "tacticName": "Exfiltration", "status": "live", "categories": [ "data-exfiltration" ], "note": "URL/markdown-image exfiltration shares the callback channel; observable per technique tag." }, { "id": "T-9001", "name": "Data Manipulation", "tactic": "impact", "tacticName": "Impact", "status": "out-of-scope", "categories": [], "note": "Destructive data manipulation needs write tooling; the benevolent honeypot never stages it." }, { "id": "T-9002", "name": "Service Disruption", "tactic": "impact", "tacticName": "Impact", "status": "live", "categories": [ "capability-abuse", "tool-shadow" ], "note": "Cost-amplification and recursive-tool-loop tiers drive resource exhaustion." }, { "id": "T-9003", "name": "Malicious Code Deployment", "tactic": "impact", "tacticName": "Impact", "status": "out-of-scope", "categories": [], "note": "No code-execution path on the honeypot; instruct-only, not observable." }, { "id": "T-9004", "name": "Multi-Agent Consensus Manipulation", "tactic": "impact", "tacticName": "Impact", "status": "live", "categories": [ "a2a-attack" ], "note": "Worm-propagation and delegation tiers influence multi-agent consensus." }, { "id": "T-9005", "name": "Reputation Poisoning", "tactic": "impact", "tacticName": "Impact", "status": "queued", "categories": [], "note": "Eliciting reputation-damaging output via jailbreak tiers is adjacent; no dedicated fixture yet." }, { "id": "T-9006", "name": "Supply Chain Compromise", "tactic": "impact", "tacticName": "Impact", "status": "live", "categories": [ "supply-chain" ], "note": "Malicious-MCP-server and fake-package tiers compromise the downstream supply chain." } ] }