{"advisories":[{"id":"75c02714-71ea-4861-a827-310be23b1b55","slug":"aegis-2026-05-29-synthetic-substrate-fingerprint-divergence","title":"Synthetic post-mortem: compromised openai-sdk patch detected via substrate fingerprint divergence","summary":"Synthetic GA seed advisory demonstrating AEGIS's incident-response surface. A patched upstream LLM-client library exfiltrated prompts to an attacker-controlled host; AEGIS detected the substrate-fingerprint divergence within seconds and promoted a Managed Rule into observe mode at T+12s, then to enforce after a clean 24h soak. Three illustrative customer agents affected.","body_markdown":"> *This advisory describes a **synthetic scenario** published at GA to demonstrate AEGIS's incident-response surface. The substrate fingerprint, timeline, and affected-customer count are illustrative. AEGIS's real-time IoC feed at `/v1/trust/iocs` is empty at GA — see the calm-at-GA contract in concept.md.*\n\n## Summary\n\nBetween **2026-05-28 18:42 UTC** and **2026-05-29 19:07 UTC**, AEGIS observed a substrate-fingerprint divergence affecting agents that had recently installed a patch version of an upstream LLM-client library. The library's patched transport made an additional outbound HTTPS request to an attacker-controlled host before forwarding the model response, exfiltrating the prompt + tool-call arguments. AEGIS flagged the fingerprint divergence within seconds of the first request, promoted a Managed Rule into `observe` mode at T+12s, and escalated the rule to `enforce` after the 24-hour FP-rate soak completed clean.\n\nThree customer agents were affected. No model output was modified by the attacker; the substrate breach was exfiltration-only. Affected customers were notified out-of-band via the operator-actionable webhook channel within four minutes of the first detection.\n\n## Timeline (all times UTC)\n\n| Time | Event |\n|------|-------|\n| 2026-05-28 18:42:11 | First request from an agent on the compromised patch. AEGIS substrate fingerprint diverges from the upstream-library baseline. |\n| 2026-05-28 18:42:23 | L0 substrate-anomaly signal fires; aggregator opens a bucket at `state=elevated`. |\n| 2026-05-28 18:42:38 | AEGIS sideband analyzer composes a candidate Managed Rule; auto-promotes to `observe` mode (T+12s after first detection). |\n| 2026-05-28 18:46:04 | Three customer agents touched; `advisory.published` channel queues operator-actionable notifications. |\n| 2026-05-29 18:42:38 | 24-hour soak completes with FP rate 0.0%; escalation cron flips Managed Rule to `enforce`. |\n| 2026-05-29 19:07:55 | Upstream library publishes a fixed release; AEGIS rule kept in `enforce` until the affected version range is fully drained. |\n\n## Detection mechanism\n\nAEGIS's L0 substrate-fingerprint detector hashes the canonical shape of the outbound model call (TLS fingerprint, header order, body framing, transport layer ordering of egress sockets) on every request. The reference baseline is pinned per upstream-library version. The compromised patch produced a new TLS fingerprint variant — the attacker's additional outbound socket — that did not match the baseline for the declared library version. The divergence is what tripped the substrate-anomaly bucket; no signature of the attacker payload itself was required.\n\nThis is the cross-tenant aggregate disclosure model in action: the substrate fingerprint identifies the *shape* of compromise, not any tenant's payload. Any tenant running the affected version triggered the same bucket, regardless of what they were doing with the model.\n\n## Remediation\n\n1. **Customer agents** — the affected three customers were notified and pinned to the prior library version pending the upstream fix.\n2. **Managed Rule** — pinned in `enforce` mode against the compromised version range. Customers on the fixed release pass cleanly; customers on the compromised range are blocked at the front door with a remediation pointer.\n3. **IoC feed** — the attacker domain and the divergent substrate fingerprint were added to the `/v1/trust/iocs` STIX feed (synthetic fixtures in this seed; real entries land when real campaigns close).\n\n## Lessons applied\n\n- **Substrate fingerprints are the right detection layer for supply-chain compromise.** Payload-signature detection would have required attacker cooperation (knowing the exfil schema in advance). Substrate divergence detected the *act* of compromise without needing the *content*.\n- **The 24-hour observe soak earned its keep.** At T+12s the rule was in `observe` (telemetry-only); only after a full FP-clean day did it escalate to `enforce`. No legitimate customer was blocked during diagnosis.\n- **Operator-actionable webhook is the right notification channel.** Three customers learned of the incident within four minutes — same surface AEGIS uses for every campaign disclosure.\n\n## Calm-at-GA contract\n\nThis is the only advisory on the list at GA, and it is marked synthetic. The `/v1/trust/iocs` feed returns an empty STIX bundle. When real campaigns close, they will appear here without the synthetic flag, and the IoC feed will carry their indicators. Until then, the system is telling the truth: it's quiet.\n","severity":"high","status":"published","published_at":"2026-05-23T18:33:18.68421+00:00","archived_at":null,"post_mortem_for_campaign_id":null,"synthetic":true,"created_by":"cdd87c51-db0d-4547-afad-42231fa9510a","created_at":"2026-05-23T18:33:18.68421+00:00","updated_at":"2026-05-23T18:33:18.68421+00:00"}],"limit":20,"offset":0}