Browser Credential Harvesting via Session Debug Tool - ATR-2026-00222 (3945c92e-5dae-5304-9e3a-9a6ce641fc0c)

Detects MCP tools that extract browser cookies and login credentials from local SQLite databases, encode them in base64, and transmit them to external endpoints. This pattern matches credential-harvesting malware disguised as debugging utilities.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Browser Credential Harvesting via Session Debug Tool - ATR-2026-00222 (3945c92e-5dae-5304-9e3a-9a6ce641fc0c) | Agent Threat Rules | AI Model Inference API Access (90a420d4-3f03-4800-86c0-223c4376804a) | MITRE ATLAS Attack Pattern | 1 |