{"ave_id":"AVE-2026-00024","schema_version":"0.2.0","component_type":"mcp","title":"Supply Chain - Content Type Mismatch (Magika)","attack_class":"Supply Chain - Content Type Mismatch","description":"This record covers supply chain attacks where an executable payload is disguised as a skill file (`.md`, `.yaml`, `.json`, `.txt`). Unlike all other AVE records which are detected by text pattern matching, this record is detected exclusively by the **Magika engine (Stage 0)** - Google's ML-based file type classifier - because the file contains no readable text instructions to match against. Detection requires: `pip install \"bawbel-scanner[magika]\"` ---","affected_platforms":["any-mcp-client","claude-desktop"],"affected_registries":["smithery.ai","glama.ai"],"aivss_score":6.8,"cvss_base_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N","owasp_mapping":["ASI07"],"owasp_mcp":["MCP04"],"nist_ai_rmf_mapping":["MAP-1.5","MANAGE-2.2"],"mitre_atlas_mapping":["AML.T0011"],"behavioral_fingerprint":"A file's actual content type does not match its declared extension. An ELF binary, Windows executable, Python pickle, PHP script, or other executable content is disguised as a benign skill file.\n\n---","behavioral_vector":["supply-chain","content-type"],"mutation_count":3,"detection_methodology":"1. Attacker publishes a skill on the Smithery marketplace\n2. The SKILL.md file is actually a compiled ELF binary renamed to .md\n3. When the agent loads the skill, it executes the binary instead of reading instructions\n4. Attacker achieves code execution on the host running the agent\n\n---","indicators_of_compromise":["ELF binary with .md, .yaml, .json, or .txt extension","Windows PE32/PE64 executable with skill file extension","Python pickle (.pkl) disguised as .yaml or .json","PHP, JSP, or shell script with .md extension"],"aivss":{"cvss_base":8.5,"aarf":{"autonomy":1.0,"tool_use":1.0,"multi_agent":0.0,"non_determinism":0.5,"self_modification":0.5,"dynamic_identity":0.0,"persistent_memory":0.0,"natural_language_input":0.5,"data_access":0.5,"external_dependencies":1.0},"aars":5.0,"thm":1.0,"mitigation_factor":1.0,"aivss_score":6.8,"aivss_severity":"MEDIUM","spec_version":"0.8","owasp_mcp_mapping":["MCP04"],"notes":"AARF scores based on typical deployment of mcp components in agentic workflows."},"remediation":"- Install Magika engine: `pip install \"bawbel-scanner[magika]\"`\n- Verify content type of all skill files before loading\n- Reject any file where content type does not match declared extension\n- Use a file type allowlist for skill loading - only accept known-safe types\n\n---","status":"active","kill_switch_active":false,"researcher":"Bawbel Security Research Team","researcher_url":"https://bawbel.io","published":"2026-04-19T09:00:00Z","last_updated":"2026-05-12T00:00:00Z","references":["https://owasp.org/www-project-top-10-for-large-language-model-applications/","https://aivss.owasp.org","https://github.com/bawbel/ave"],"piranha_url":"https://api.piranha.bawbel.io/records/AVE-2026-00024","severity":"MEDIUM"}