Threat Actors Exploit OpenVSX Aqua Trivy with Malicious AI Prompts to Hijack Local Coding Tools

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A supply chain attack targeting developers surfaced on March 2, 2026, when unauthorized code was found inside two versions of the Aqua Trivy VS Code extension on the OpenVSX registry.

The compromised versions — 1.8.12 and 1.8.13 — were uploaded on February 27 and 28, 2026, under the aquasecurityofficial.trivy-vulnerability-scanner namespace.

The attack introduced hidden natural-language prompts designed to turn a developer’s own AI coding tools into silent data collection instruments.

Trivy is a widely used open-source vulnerability scanner whose VS Code extension is installed by developers across enterprises and individual projects.

All versions up to 1.8.11 matched the public GitHub repository without discrepancy.

The two affected versions contained extra code that is absent from the public repository and has no corresponding tagged release, making the tampering nearly impossible to detect through standard review.

Socket.dev researchers identified suspicious behavior in these extension versions shortly after publication and began investigating.

Their analysis linked the malicious code to a broader AI-powered bot campaign targeting GitHub Actions workflows across several major open-source projects.

StepSecurity separately documented how that campaign led to theft of a personal access token and takeover of Aqua’s Trivy GitHub repository, giving attackers the access needed to push the tampered extension into OpenVSX.

Rather than dropping conventional spyware or a backdoor, the injected code directed locally installed AI assistants — Claude, Codex, Gemini, GitHub Copilot CLI, and Kiro CLI — to perform deep reconnaissance on the developer’s machine.

Each tool was invoked with its most permissive flag, bypassing any user confirmation. All processes ran detached in the background with output suppressed, while the extension kept behaving normally, leaving developers no visible warning.

The damage depended on which version was installed. Version 1.8.12 carried a roughly 2,000-word prompt instructing the AI agent to act as a forensic investigator — scanning for credentials, tokens, financial records, and sensitive communications, then pushing findings through every available outbound channel, including email and messaging platforms.

Initial version of the GitHub security advisory (Source – Socket.dev)

Version 1.8.13 was more targeted: it told the AI to collect system information and authentication tokens, save them to REPORT.MD, and use the victim’s GitHub CLI to push that report to a repository named posture-report-trivy. Both versions were removed from OpenVSX on February 28, following Socket.dev’s disclosure.

How the Injected Code Stayed Invisible

The malicious code was placed inside the workspace activation function, a routine that runs every time a developer opens a project in their code editor.

By inserting the payload before Trivy’s normal setup logic, the attacker kept the extension fully functional so vulnerability scanning continued normally.

In version 1.8.13, the harmful block was wrapped in an if statement using JavaScript’s comma operator, causing malicious commands to run first before the extension’s standard workspace check.

All five AI commands ran as detached background processes with silent error handling: any tool not installed simply failed without visible noise.

Variable names changed between versions, a byproduct of code minification, adding another layer of cover.

Socket.dev noted this technique marks a shift in how supply chain attacks are built. Instead of hardcoded callbacks or shellcode, the attacker delegated reconnaissance and exfiltration to locally trusted AI agents, invoking them at maximum permission level and leaving no malware signatures for automated tools to catch.

Developers who installed version 1.8.12 or 1.8.13 from OpenVSX should take precautionary steps immediately. Uninstall the affected extension and verify your version history to confirm whether either release was ever present.

Check your GitHub account for a repository named posture-report-trivy, and review recent GitHub activity for unexpected repository creation or commits referencing REPORT.MD.

Inspect your shell history for invocations of claude, codex, gemini, copilot, or kiro-cli with permissive execution flags. Rotate all credentials accessible on the machine during the exposure window, including GitHub tokens, cloud credentials, SSH keys, and API tokens in environment variables or dotfiles.

Audit local AI agent logs for unusual prompts or automated execution, even if no direct indicators are immediately apparent.
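The checks above, collected into a small triage script. This is an added example, not code from Aqua, Socket.dev or StepSecurity; it assumes editor extensions are unpacked into `<root>/<publisher>.<name>-<version>` directories and that the AI tools answer to the command names claude, codex, gemini, copilot and kiro-cli.

```shell
#!/bin/sh
# Triage helper for the Trivy OpenVSX extension compromise (added example, not from the
# article or the vendors). Assumptions: extension directories are named
# <publisher>.<name>-<version>; AI CLI command names are as listed in AI_CLI_ALTERNATION.
AFFECTED_EXT="aquasecurityofficial.trivy-vulnerability-scanner"
AFFECTED_VERSIONS="1.8.12 1.8.13"
EXFIL_REPO="posture-report-trivy"
AI_CLI_ALTERNATION='claude|codex|gemini|copilot|kiro-cli'

# Print affected extension versions installed under $1; return 0 if any is present.
find_affected_extensions() {
    hit=1
    for v in $AFFECTED_VERSIONS; do
        if [ -d "$1/$AFFECTED_EXT-$v" ]; then
            echo "AFFECTED EXTENSION PRESENT: $1/$AFFECTED_EXT-$v"
            hit=0
        fi
    done
    return $hit
}

# Print history lines (with line numbers) that invoke one of the AI CLIs; return 0 if any.
# Handles bash history and zsh extended history (": <ts>:0;cmd"). Every hit needs a human
# look: history cannot tell the injected invocations from a developer's own session.
scan_history_file() {
    [ -r "$1" ] || return 1
    grep -nE "(^|[;&| ])($AI_CLI_ALTERNATION)"'( |$)' "$1"
}

# Print any REPORT.MD files under $1 (the report name used by version 1.8.13); 0 if found.
find_report_files() {
    find "$1" -type f -name 'REPORT.MD' 2>/dev/null | grep .
}

# Look for the exfiltration repository in the authenticated GitHub account via gh; 0 if found.
check_exfil_repo() {
    command -v gh >/dev/null 2>&1 || { echo "gh not installed: check GitHub manually"; return 2; }
    gh repo list --limit 1000 --json name --jq '.[].name' 2>/dev/null | grep -qx "$EXFIL_REPO" \
        && { echo "EXFIL REPOSITORY FOUND: $EXFIL_REPO"; return 0; }
    return 1
}

# Run every check against the current user's home directory (paths are assumptions).
triage_host() {
    for root in "$HOME/.vscode/extensions" "$HOME/.vscode-oss/extensions"; do
        find_affected_extensions "$root" || true
    done
    for h in "$HOME/.bash_history" "$HOME/.zsh_history"; do scan_history_file "$h" || true; done
    find_report_files "$HOME" || true
    check_exfil_repo || true
}
```

Source the file and call `triage_host`, or call the individual functions against copied artefacts from another machine; a clean run prints nothing, which is not proof of absence if history was cleared or the agents log elsewhere.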
