Malicious Fork Impersonation via Install Instruction - ATR-2026-00151 (bc9e98ad-3fa8-543c-845a-e51c295d48ba)
Detects skills or tool responses that instruct users to install packages described as "community fork", "enhanced version", or "patched version" of known tools. Real attack pattern: attacker publishes a typosquatted package and describes it as a fork to gain trust. Crystallized from 29 fork_claim adversarial samples.