Skip to content
Public Threat Feed

The attack happens in the wild first.

A detection standard that only lives in a spec is worth nothing. ATR scanned 96,096 real skills, flagged 1,302 as risky, confirmed 552 as malware, and documented the actors behind them.

The list and the rules are public under MIT — anyone can query, cite, and verify them.

1,302
flagged
552
confirmed malware
957
CRITICAL
339
HIGH
Known Threat Actors
Click for full profile

ATR tracks the people who write the attacks, not just the rules that catch them. The three actors below surfaced in a single scan — distributing malicious skills disguised as wallet tools, image generators, and business assistants across public registries. Each profile carries the actual evidence: C2 addresses, archive passwords, naming patterns, the mapped ATLAS technique. What is observed in the wild becomes a detection rule that flows back into the standard.

ATR Verified Whitelist
VERIFIED

The same ruleset proves what is clean. These skills passed the latest ATR 768-rule scan with zero CRITICAL / HIGH findings — one auditable standard that flags the malicious and vouches for the benign.

jhillin8/healthy-eating
2,847 dl
ATR Scanned - No Issues
jhillin8/daily-motivation
2,060 dl
ATR Scanned - No Issues
epwhesq/virtually-us
1,833 dl
ATR Scanned - No Issues
ivangdavila/philosophy
893 dl
ATR Scanned - No Issues
ivangdavila/english
843 dl
ATR Scanned - No Issues
ivangdavila/polish
738 dl
ATR Scanned - No Issues
ivangdavila/spanish
710 dl
ATR Scanned - No Issues
ivangdavila/estonian
669 dl
ATR Scanned - No Issues
ivangdavila/hebrew
667 dl
ATR Scanned - No Issues
afengzi/market-news
665 dl
ATR Scanned - No Issues
ivangdavila/vietnamese
665 dl
ATR Scanned - No Issues
ivangdavila/hindi
658 dl
ATR Scanned - No Issues
ivangdavila/dutch
657 dl
ATR Scanned - No Issues
ivangdavila/slovak
648 dl
ATR Scanned - No Issues
ivangdavila/lithuanian
637 dl
ATR Scanned - No Issues
ivangdavila/catalan
635 dl
ATR Scanned - No Issues
ivangdavila/irish
634 dl
ATR Scanned - No Issues
ivangdavila/latvian
625 dl
ATR Scanned - No Issues
ivangdavila/portuguese
624 dl
ATR Scanned - No Issues
ivangdavila/hungarian
615 dl
ATR Scanned - No Issues
ivangdavila/italian
614 dl
ATR Scanned - No Issues
Full Blacklist
1,302

Every flagged skill lives in one machine-readable blacklist.json — each entry carries the rule it hit and the evidence behind it. Any CI, registry, or agent framework can pull it directly: no signup, no key, no toll.

This list is generated from open ATR ecosystem scans,
built on the MIT-licensed rules.
A flag is a signal, not a verdict —
check the rule it hit and judge for yourself.
Think we got one wrong? Open a GitHub Issue; we review it in the open.

Threat Cloud is an optional reference service operated by the ATR maintainers — not part of the standard. The standard is the spec plus the MIT-licensed rules, fully usable offline via npm / PyPI / raw YAML. Threat Cloud only adds hosted convenience (rule sync, threat submission); the same outcomes are reachable without it.