mirror of https://github.com/garrytan/gstack.git
Adds 4 detection rules for the 2026-05-11 npm/PyPI supply chain campaign (GHSA-g7cv-rxg3-hmpx / CVE-2026-45321) into Phase 8 (Skill Supply Chain).

- R7 (Claude Code settings hook injection — /proc/*/mem read pattern)
- R8 (obfuscated payload heuristic — _0x patterns + crypto-decode)
- R9 (auto-run persistence bridge — manifest-undeclared file referenced by hook or tasks.json runOn: folderOpen)
- R12 (Session-protocol C2 deny-list — executable context only)

All rules surface only under /cso --comprehensive with TENTATIVE marking; daily mode's 8/10 zero-noise contract is preserved.

Closes Phase 8 gaps for IDE-config infection vectors that the existing generic-pattern matching (curl/wget/exfiltrat/IGNORE PREVIOUS) does not catch.

No new skill, no new phase, no scope-flag changes (per #1011).

| Name |
|---|
| ACKNOWLEDGEMENTS.md |
| SKILL.md |
| SKILL.md.tmpl |