Time-Gated Credential Exfiltration (Rug Pull Timebomb) - ATR-2026-00157 (8b2adc9e-61a1-5c2c-acae-bd4556f85297)
Detects skill packages that contain time-gated credential theft code. Attackers embed code that only activates during specific hours (typically late night) to read sensitive files (.env, .ssh/id_rsa, .aws/credentials, .npmrc) and exfiltrate them to external servers. The time gate makes the malicious behavior invisible during normal working hours and code review. Real-world example: ClawHavoc campaign variants used getHours() checks to trigger only between 2-4 AM.