Unauthorized AI Agent Execution Code Published to OpenVSX in Aqua Trivy VS Code Extension

Versions 1.8.12 and 1.8.13 of the Aqua Trivy VS Code extension published to OpenVSX contained injected code that launched local AI coding assistants (Claude, Codex, Gemini, GitHub Copilot CLI, Kiro CLI) in permissive modes to perform broad system reconnaissance and attempted exfiltration. Users and maintainers are advised to uninstall the affected versions, check for REPORT.MD and any repository creation named posture-report-trivy, rotate exposed credentials, and audit local AI and shell activity. #Trivy #AquaSecurity

Keypoints

  • Two malicious OpenVSX releases (1.8.12 on Feb 27, 2026 and 1.8.13 on Feb 28, 2026) of the Aqua Trivy VS Code extension contained injected code not present in the public GitHub repository.
  • The injected logic runs inside the extension activation path and spawns five local AI coding CLIs with flags that bypass safety prompts and grant broad filesystem access (--dangerously-skip-permissions, --ask-for-approval never, --yolo, --no-interactive, etc.).
  • Version 1.8.12 used a ~2,000-word forensic-style prompt to instruct AI agents to discover and exfiltrate sensitive data through any available reporting channels; version 1.8.13 replaced this with a targeted prompt to write REPORT.MD and use the authenticated gh CLI to create posture-report-trivy and push the report.
  • The malicious commands were executed detached and silently (shell: true, detached: true, stdio: "ignore"), so the extension appeared to function normally while background reconnaissance occurred.
  • No public posture-report-trivy repositories were found at the time of reporting and there are no confirmed exfiltration incidents, but the exposure window lasted ~24 hours and successful impact depended on local AI tools and authenticated gh CLI presence.
  • Recommended mitigations include uninstalling the affected extension versions, verifying installation history, searching for REPORT.MD and posture-report-trivy activity, inspecting shell/agent logs for the listed commands, and rotating credentials and tokens that may have been accessible.

MITRE Techniques

Indicators of Compromise

  • [Package Version] OpenVSX extension artifacts – pkg:vscode/aquasecurityofficial/<extension-name>@1.8.12?repository_url=https://open-vsx.org, pkg:vscode/aquasecurityofficial/<extension-name>@1.8.13?repository_url=https://open-vsx.org (extension name not preserved in this summary; placeholder shown)
  • [File Name] Suspicious forensic-style report written to workspace – REPORT.MD (created by AI agent as instructed), unexpected REPORT.MD files or similar audit dumps in project directories
  • [Repository Name] Potential exfiltration via GitHub – posture-report-trivy (check for unexpected repository creation or pushes under user accounts)
  • [Command Invocations] Malicious AI agent execution patterns in shell/process history – examples: claude -p --dangerously-skip-permissions --add-dir / ; codex exec "…" --ask-for-approval never --sandbox danger-full-access ; and 3 more commands (gemini, copilot, kiro-cli)
  • [GitHub CLI Activity] Suspicious gh usage indicating exfiltration attempts – examples to check: "gh auth token", "gh repo create", "gh repo push" (and "gh repo clone")
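As an added example (not part of the Socket write-up or of the Trivy project), the script below turns the mitigation steps in the key points and the indicators above into one repeatable host check: it flags affected publisher/version pairs in a VS Code extensions.json, scans shell history for the five AI CLIs invoked with any of the permissive flags listed, walks a workspace for REPORT.MD, and inspects `gh repo list --json name` output for posture-report-trivy. Assumptions: the extensions.json layout (identifier.id plus version) is what VS Code writes under ~/.vscode/extensions; the extension name in the sample is a placeholder because this summary does not give it; the sample history and repository lists are constructed; and the flag-to-CLI pairing is deliberately loose because the summary lists the flags collectively rather than per tool.

```python
"""Host triage for the malicious Trivy extension releases (1.8.12 / 1.8.13).

Added example: checks a machine for the affected extension, the command
patterns the injected code ran, the REPORT.MD artifact and the exfil repo.
"""
import json
import os
import re
import tempfile
from pathlib import Path

AFFECTED_PUBLISHER = "aquasecurityofficial"   # publisher segment of the purls in the IoC list
AFFECTED_VERSIONS = {"1.8.12", "1.8.13"}
EXFIL_REPO = "posture-report-trivy"
REPORT_FILENAME = "report.md"                 # matched case-insensitively

# The five AI CLIs spawned by the injected code and the permissive flags it passed.
# Pairing is deliberately loose: any of these flags on any of these CLIs is a hit.
AGENT_CLIS = ("claude", "codex", "gemini", "copilot", "kiro-cli")
AGENT_RE = re.compile(r"(^|[\s/])(" + "|".join(map(re.escape, AGENT_CLIS)) + r")(\s|$)")
PERMISSIVE_FLAGS = (
    "--dangerously-skip-permissions", "--ask-for-approval never",
    "--sandbox danger-full-access", "--yolo", "--no-interactive", "--add-dir /",
)
# gh invocations the summary lists as worth reviewing (token read, repo create/push/clone)
GH_RE = re.compile(r"\bgh\s+(auth\s+token|repo\s+(create|push|clone))\b")
ZSH_PREFIX_RE = re.compile(r"^:\s*\d+:\d+;")  # zsh EXTENDED_HISTORY timestamp prefix


def affected_extensions(extensions_json: str) -> list[str]:
    """Return 'id@version' for affected entries of a VS Code extensions.json document."""
    hits = []
    for entry in json.loads(extensions_json):
        ext_id = entry.get("identifier", {}).get("id", "").lower()
        version = entry.get("version", "")
        if ext_id.startswith(AFFECTED_PUBLISHER + ".") and version in AFFECTED_VERSIONS:
            hits.append(f"{ext_id}@{version}")
    return hits


def suspicious_commands(history_lines) -> list[str]:
    """Return history lines that run an AI CLI with a permissive flag, or a listed gh command."""
    flagged = []
    for raw in history_lines:
        line = ZSH_PREFIX_RE.sub("", raw.strip())
        agent_hit = AGENT_RE.search(line) and any(f in line for f in PERMISSIVE_FLAGS)
        if agent_hit or GH_RE.search(line):
            flagged.append(line)
    return flagged


def find_report_files(root) -> list[str]:
    """Walk root for REPORT.MD in any letter case, pruning node_modules and .git."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        found.extend(os.path.join(dirpath, n) for n in filenames if n.lower() == REPORT_FILENAME)
    return sorted(found)


def exfil_repos(gh_repo_list_json: str) -> list[str]:
    """Parse `gh repo list --json name` output and return repos named after the exfil target."""
    return [r["name"] for r in json.loads(gh_repo_list_json) if r.get("name") == EXFIL_REPO]


# ---- constructed sample inputs (not real telemetry) ----
SAMPLE_EXTENSIONS_JSON = json.dumps([
    {"identifier": {"id": "AquaSecurityOfficial.<extension-name>"}, "version": "1.8.13"},  # placeholder name
    {"identifier": {"id": "ms-python.python"}, "version": "2026.2.0"},
])
SAMPLE_HISTORY = [
    "git status",
    "claude -p --dangerously-skip-permissions --add-dir /",
    ': 1772000000:0;codex exec "..." --ask-for-approval never --sandbox danger-full-access',
    "gemini --yolo",
    "gh auth token",
    "gh repo create posture-report-trivy --private",
    "gh pr list",
]
SAMPLE_GH_REPOS = json.dumps([{"name": "dotfiles"}, {"name": "posture-report-trivy"}])


def demo_report_scan() -> list[str]:
    """Build a throwaway workspace and return the basenames find_report_files() reports."""
    with tempfile.TemporaryDirectory() as tmp:
        proj = Path(tmp, "proj")
        (proj / "node_modules" / "dep").mkdir(parents=True)
        (proj / "REPORT.MD").write_text("constructed artifact")
        (proj / "node_modules" / "dep" / "report.md").write_text("pruned, should not be listed")
        (proj / "README.md").write_text("not a hit")
        return [os.path.basename(p) for p in find_report_files(tmp)]


if __name__ == "__main__":
    print("affected extensions:", affected_extensions(SAMPLE_EXTENSIONS_JSON))
    print("suspicious commands:", *suspicious_commands(SAMPLE_HISTORY), sep="\n  ")
    print("REPORT.MD found:", demo_report_scan())
    print("exfil repos:", exfil_repos(SAMPLE_GH_REPOS))
```

On a real host, feed `affected_extensions()` the contents of ~/.vscode/extensions/extensions.json (and the equivalent for VSCodium or other OpenVSX clients), `suspicious_commands()` the lines of ~/.bash_history or ~/.zsh_history, `find_report_files()` each workspace root, and `exfil_repos()` the captured output of `gh repo list --json name`. A hit on any of the four checks warrants the credential rotation and agent-log review recommended above; an empty result only rules out what shell history and the filesystem still retain.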


Read more: https://socket.dev/blog/unauthorized-ai-agent-execution-code-published-to-openvsx-in-aqua-trivy-vs-code-extension