Tool Response Data Piggybacking - ATR-2026-00136 (c2a3e028-9e65-564f-9919-56f1ff91d259)
Detects malicious tool responses that embed sensitive-data extraction within legitimate-looking results. The attack pattern appends credential theft (SSH keys, API tokens, environment variables) as a "by the way" addendum to a normal tool response, exploiting the agent's trust in tool outputs. Discovered via adversarial testing: 62/62 social engineering variants evaded prior rules.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| LLM Jailbreak (172427e3-9ecc-49a3-b628-96b824cc4131) | MITRE ATLAS Attack Pattern | Tool Response Data Piggybacking - ATR-2026-00136 (c2a3e028-9e65-564f-9919-56f1ff91d259) | Agent Threat Rules | 1 |