All Battlecards

REFLEX Battlecards

Attack scenarios and defense strategies organized by the REFLEX framework.

Supply Chain & Dependencies

• Dependency Confusion Attacks
• NPM Supply Chain Attack
• Abandoned Package Hijack
• Registry Namespace Collisions
• Lockfile and SemVer Range Abuse

Python Ecosystem

• Python and pip Supply Chain Issues (1)
• Python and pip Supply Chain Issues (2)
• Python and pip Supply Chain Issues (3)
• Python and pip Supply Chain Issues (4)

Java Ecosystem

• Java and Maven Gradle Dependency Risks (1)
• Java and Maven Gradle Dependency Risks (2)
• Java and Maven Gradle Dependency Risks (3)
• Java and Maven Gradle Dependency Risks (4)

JavaScript & Node.js

• Node.js and npm Dependency Sprawl
• npm Worm Shai-Hulud

Other Languages

• Go Modules Dependency Risks
• Rust Crates Supply Chain

AI/ML Security

• AI Cost Amplification Attacks
• AI Dependency Typosquatting
• AI Service Abuse (1)
• AI Service Abuse (2)
• AI in CI CD Pipelines
• Adversarial Input Attacks
• Data Poisoning Attacks (1)
• Data Poisoning Attacks (2)
• Data Poisoning Attacks (3)
• Dataset Supply Chain Attacks
• LLM Tooling Misuse
• Model Exfiltration and Theft
• Model Provenance and Evaluation Bypass
• Model Supply Chain Metadata Leaks
• Poisoned AI ML Models
• Prompt Injection in AI Systems

CI/CD Security

• Branch Protection and Codeowner Gaps
• Build Cache and Artifact Poisoning
• CircleCI and Travis Token Theft
• Cloud Metadata and SSRF in Builds
• Dev Container Post-Create Hooks
• Docker Socket and Privileged Builds
• GitHub Actions Workflow Poisoning
• GitHub OIDC Misconfiguration
• GitLab CI Runner Attacks
• Jenkins CI CD Compromise

Developer Environment

• Advanced Envvar Abuse
• Browser-Based Dev Tool Exposure
• Developer Review Fatigue and Social Engineering
• Environment Variable Poisoning
• Exposed Secrets in Code and Config
• IDE Telemetry and Extension Exfiltration
• Malicious IDE Plugins
• SSH Agent and TOFU Weaknesses

Infrastructure & Deployment

• Archive and Installer Tricks
• CDN and Mirror Substitution
• curl | bash Installer Attacks
• DNS Attacks
• Kubernetes Misconfigurations
• Packer Build Script Risks
• Terraform Module Attacks

Social Engineering & Human Factors

• Homoglyph and Trojan Source Attacks
• License and Policy Bombs
• Maintainer Account Takeover
• Phishing Developers

Supply Chain Integrity

• Provenance and SBOM Tampering
• Submodule and Vendored Code Drift

---

Total: 64 Battlecards | Each battlecard follows the REFLEX framework: Reconnaissance, Evaluation, Fortify, Limit, Expose, Exercise