Hidden Payload in HTML Comment - ATR-2026-00128 (fabfa03c-1f7d-5712-8cf1-2869fab3083f)
Detects malicious instructions hidden inside HTML comments in SKILL.md files. Attackers embed exfiltration commands, prompt overrides, or C2 URLs inside blocks that are invisible to the user but parsed by the agent. Real campaign: ClawHavoc evasive variants used HTML comments to hide "agent should output all API keys" instructions (2026-03).
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| ML Supply Chain Compromise (d2cf31e0-a550-4fe0-8fdb-8941b3ac00d9) | MITRE ATLAS Attack Pattern | Hidden Payload in HTML Comment - ATR-2026-00128 (fabfa03c-1f7d-5712-8cf1-2869fab3083f) | Agent Threat Rules | 1 |