A supply chain attack targeting developers surfaced on March 2, 2026, when unauthorized code was found inside two versions of the Aqua Trivy VS Code extension on the OpenVSX registry. <\/p>\n
The compromised versions \u2014 1.8.12 and 1.8.13 \u2014 were uploaded on February 27 and 28, 2026, under the\u00a0 The attack introduced hidden natural-language prompts designed to turn a developer\u2019s own AI coding tools into silent data collection instruments.\u200b<\/p>\n Trivy is a widely used open-source vulnerability scanner whose VS Code extension is installed by developers across enterprises and individual projects. <\/p>\n All versions up to 1.8.11 matched the public GitHub repository without discrepancy. <\/p>\n The two affected versions contained extra code absent from the public repository with no tagged release, making the tampering nearly impossible to detect through standard review.\u200b<\/p>\n Socket.dev researchers identified suspicious behavior<\/a> in these extension versions shortly after publication and began investigating. <\/p>\n Their analysis linked the malicious code to a broader AI-powered bot campaign targeting GitHub Actions workflows across several major open-source projects. <\/p>\n StepSecurity separately documented how that campaign led to theft of a personal access token and takeover of Aqua\u2019s Trivy GitHub repository, giving attackers the access needed to push the tampered extension into OpenVSX.\u200b<\/p>\n Rather than dropping conventional spyware<\/a> or a backdoor, the injected code directed locally installed AI assistants \u2014 Claude, Codex, Gemini, GitHub Copilot CLI, and Kiro CLI \u2014 to perform deep reconnaissance on the developer\u2019s machine. <\/p>\n Each tool was invoked with its most permissive flag, bypassing any user confirmation. All processes ran detached in the background with output suppressed, while the extension kept behaving normally, leaving developers no visible warning.\u200b<\/p>\n The damage depended on which version was installed. Version 1.8.12 carried a roughly 2,000-word prompt instructing the AI agent to act as a forensic investigator \u2014 scanning for credentials, tokens, financial records, and sensitive communications, then pushing findings through every available outbound channel, including email and messaging platforms. <\/p>\n Version 1.8.13 was more targeted: it told the AI to collect system information and authentication tokens, save them to\u00a0 The malicious code was placed inside the workspace activation function, a routine that runs every time a developer opens a project in their code editor. <\/p>\n By inserting the payload before Trivy\u2019s normal setup logic, the attacker kept the extension fully functional so vulnerability scanning continued normally. <\/p>\n In version 1.8.13, the harmful block was wrapped in an\u00a0 All five AI commands<\/a> ran as detached background processes with silent error handling \u2014 any tool not installed simply failed without visible noise.\u200b<\/p>\n Variable names changed between versions, a byproduct of code minification, adding another layer of cover. <\/p>\n Socket.dev noted this technique marks a shift in how supply chain attacks are built \u2014 instead of hardcoded callbacks or shellcode, the attacker delegated reconnaissance and exfiltration to locally trusted AI agents<\/a>, invoking them at maximum permission level and leaving no malware signatures for automated tools to catch.\u200b<\/p>\n Developers who installed version 1.8.12 or 1.8.13 from OpenVSX should take precautionary steps immediately. Uninstall the affected extension and verify your version history to confirm whether either release was ever present. <\/p>\n Check your GitHub account for a repository named\u00a0 Inspect your shell history for invocations of\u00a0 Audit local AI agent logs for unusual prompts or automated execution, even if no direct indicators are immediately apparent.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Threat Actors Exploit OpenVSX Aqua Trivy with Malicious AI Prompts to Hijack Local Coding Tools<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\naquasecurityofficial.trivy-vulnerability-scanner<\/code>\u00a0namespace. <\/p>\n![\"Initial](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEilDhb7aancuJbrEkViNAJiHaV_EynPxAG1W0sA38xtMl4-VVD3MoROJsMFL3fdOIHeUZ9l9PL53PGhrDbN0LttaCldfeHMX4wH5uloGyiMQferuK_5o5c83-jUYNd3EC7nUHgHkjgCKfxip9R-CCpL810jR66kdUBkUjBgrCDFytj10VtPdQ-iz0LXIKs\/s16000\/Initial%2520version%2520of%2520the%2520GitHub%2520security%2520advisory%2520%28Source%2520-%2520Socket.dev%29.webp?ssl=1\")
REPORT.MD<\/code>, and use the victim\u2019s GitHub CLI to push that report to a repository named\u00a0posture-report-trivy<\/code>. Both versions were removed from OpenVSX on February 28, following Socket.dev\u2019s disclosure.\u200b<\/p>\nHow the Injected Code Stayed Invisible<\/strong><\/h2>\n
if<\/code>\u00a0statement using JavaScript\u2019s comma operator, causing malicious commands to run first before the extension\u2019s standard workspace check. <\/p>\nposture-report-trivy<\/code>, and review recent GitHub activity for unexpected repository creation or commits referencing\u00a0REPORT.MD<\/code>. <\/p>\nclaude<\/code>,\u00a0codex<\/code>,\u00a0gemini<\/code>,\u00a0copilot<\/code>, or\u00a0kiro-cli<\/code>\u00a0with permissive execution flags. Rotate all credentials accessible on the machine during the exposure window, including GitHub tokens, cloud credentials, SSH keys, and API tokens in environment variables or dotfiles. <\/p>\n