Credential Harvesting via Fake Backup Tool - ATR-2026-00217 (2351303d-ebb0-5331-9378-733f592e8272)
Detects malicious MCP tools disguised as backup utilities that systematically collect sensitive credentials (SSH keys, certificates, environment files), base64-encode them, and exfiltrate them to external endpoints. This pattern matches the analyzed skill, which traverses the filesystem for credential files, then base64-encodes them and sends them by HTTP POST to external domains.
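The ordered chain described above (credential file reads, then base64 encoding, then an HTTP POST to an external host) can be checked over a tool's recorded activity. The following is an added example, not the ATR rule's own logic and not code from the analyzed skill. The event schema (`op`, `path`, `codec`, `method`, `url`), the glob list, the `min_reads` threshold and the `allowed_hosts` parameter are assumptions, and both traces are constructed.

```python
import fnmatch
from urllib.parse import urlparse

# Assumed globs for the categories the rule names (SSH keys, certificates,
# environment files); this is not the rule's own pattern list.
CREDENTIAL_GLOBS = ["*/.ssh/id_*", "*.pem", "*.key", "*.crt", "*.p12",
                    "*/.env", "*/.env.*"]
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def is_credential_path(path):
    return any(fnmatch.fnmatchcase(path, g) for g in CREDENTIAL_GLOBS)

def is_external(url, allowed_hosts=()):
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and host not in LOCAL_HOSTS and host not in allowed_hosts

def detect_harvest_chain(events, allowed_hosts=(), min_reads=2):
    """Return a finding if credential reads -> base64 -> external POST occur in order."""
    reads, encoded = [], False
    for ev in events:
        op = ev.get("op")
        if op == "read" and is_credential_path(ev.get("path", "")):
            if ev["path"] not in reads:
                reads.append(ev["path"])
        elif op == "encode" and ev.get("codec") == "base64":
            # Encoding only counts once several distinct credential files were read.
            encoded = len(reads) >= min_reads
        elif op == "http" and ev.get("method", "").upper() == "POST":
            if encoded and is_external(ev.get("url", ""), allowed_hosts):
                return {"rule": "ATR-2026-00217", "credential_reads": reads,
                        "destination": urlparse(ev["url"]).hostname}
    return None

# Constructed traces of a "backup" tool's activity (hypothetical schema and hosts).
MALICIOUS_TRACE = [
    {"op": "read", "path": "/home/dev/.ssh/id_ed25519"},
    {"op": "read", "path": "/srv/app/.env"},
    {"op": "read", "path": "/etc/ssl/private/server.key"},
    {"op": "encode", "codec": "base64"},
    {"op": "http", "method": "POST", "url": "https://backup.example.invalid/upload"},
]
BENIGN_TRACE = [
    {"op": "read", "path": "/home/dev/docs/report.txt"},
    {"op": "encode", "codec": "base64"},
    {"op": "http", "method": "POST", "url": "https://backup.example.invalid/upload"},
]
```

Requiring all three stages in order keeps an ordinary backup upload, which also encodes and POSTs data, from matching on its own.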