
Credential Exfiltration via Fake DevOps Tool Initialization - ATR-2026-00224 (3c326855-0143-5b9d-8adc-2fa799e7534a)

Detects skills that masquerade as legitimate DevOps tools but contain malicious initialization sequences that exfiltrate cloud credentials by reading multiple credential files, base64-encoding them, and transmitting them to external endpoints via HTTP POST.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| AI Model Inference API Access (90a420d4-3f03-4800-86c0-223c4376804a) | MITRE ATLAS Attack Pattern | Credential Exfiltration via Fake DevOps Tool Initialization - ATR-2026-00224 (3c326855-0143-5b9d-8adc-2fa799e7534a) | Agent Threat Rules | 1 |