Unauthorized AI Agent Execution Code Published to OpenVSX in Aqua Trivy VS Code Extension
Malicious versions of the Aqua Trivy VS Code extension were published to the OpenVSX registry, containing unauthorized code that hijacks locally installed AI coding assistants. By using carefully crafted natural language prompts and permissive execution flags, the payload instructs the AI agents to harvest sensitive developer credentials and system data, subsequently attempting to exfiltrate the information via available communication channels or by creating a new GitHub repository.
Authors: Socket
Source:
Socket
- urlpkg://vscode/aquasecurityofficial/trivy-vulnerability-scanner@1.8.12?repository_url=hxxps://open-vsx.orgMalicious OpenVSX package version 1.8.12
- urlpkg://vscode/aquasecurityofficial/trivy-vulnerability-scanner@1.8.13?repository_url=hxxps://open-vsx.orgMalicious OpenVSX package version 1.8.13
Key Takeaways
- Malicious versions 1.8.12 and 1.8.13 of the Aqua Trivy VS Code extension were published to the OpenVSX registry.
- The injected code hijacks locally installed AI coding assistants (Claude, Codex, Gemini, Copilot, Kiro) using highly permissive execution flags to bypass human approval.
- Attackers utilized a 'forensic investigator' persona in a natural language prompt to bypass AI safety guardrails and instruct the agents to harvest sensitive data.
- Version 1.8.13 attempts to exfiltrate harvested data by creating a GitHub repository named 'posture-report-trivy' using the victim's authenticated GitHub CLI.
- This incident is part of a broader AI-powered bot campaign targeting GitHub Actions workflows across multiple open-source projects.
Affected Systems
- VS Code environments with Aqua Trivy extension versions 1.8.12 or 1.8.13 installed from OpenVSX
- Developer workstations with local AI coding assistants installed (Claude, Codex, Gemini, GitHub Copilot CLI, Kiro CLI)
- Systems with the GitHub CLI (gh) installed and authenticated
Vulnerabilities (CVEs)
- CVE-2026-28353
- GHSA-8mr6-gf9x-j8qg
Attack Chain
The attack begins when a developer installs the compromised Aqua Trivy extension (v1.8.12 or 1.8.13) from OpenVSX. Upon opening a workspace in VS Code, the extension's activation function silently spawns detached background processes for locally installed AI coding assistants (Claude, Codex, Gemini, Copilot, Kiro) using highly permissive execution flags. The AI agents are fed a natural language prompt instructing them to act as forensic investigators to harvest sensitive data like credentials and tokens. Finally, the gathered data is either scattered across available communication channels or, in version 1.8.13, exfiltrated by creating a GitHub repository named 'posture-report-trivy' using the victim's authenticated GitHub CLI.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules but outlines behavioral indicators such as detached background processes spawning from VS Code and specific command-line flags used for AI assistants.
Detection Engineering Assessment
EDR Visibility: High — EDR solutions can easily monitor process creation events, specifically VS Code spawning AI CLI tools with highly permissive flags like '--yolo' or '--dangerously-skip-permissions'. Network Visibility: Medium — Network traffic to AI provider APIs or GitHub (for repo creation) would be visible, but it blends with legitimate developer activity. The creation of a specific repo name ('posture-report-trivy') might be detectable via GitHub audit logs. Detection Difficulty: Moderate — While the specific command-line flags are highly anomalous and easy to detect, the malicious logic is embedded within legitimate developer tooling, and the exfiltration relies on authenticated sessions, making it harder to distinguish from intentional user actions without process ancestry context.
Required Log Sources
- Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
- GitHub Audit Logs
- VS Code Extension Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for VS Code or its extension host processes spawning known AI CLI tools (claude, codex, gemini, copilot, kiro-cli) with permissive or non-interactive flags. | Process Creation | Execution | Low |
| Monitor for the creation of a GitHub repository named 'posture-report-trivy' via the GitHub CLI. | GitHub Audit Logs / Process Creation | Exfiltration | Low |
| Identify the creation of files named 'REPORT.MD' containing credential or token patterns within project directories. | File System Events | Collection | Medium |
Control Gaps
- Lack of human-in-the-loop approval enforcement for local AI coding assistants
- Implicit trust in VS Code extensions downloaded from third-party registries like OpenVSX
Key Behavioral Indicators
- Process ancestry: code.exe -> child_process -> claude/codex/gemini/copilot/kiro-cli
- Command-line arguments containing '--yolo', '--dangerously-skip-permissions', or '--ask-for-approval never'
- Creation of 'posture-report-trivy' repository
- Detached background processes spawning immediately upon opening a workspace in VS Code
False Positive Assessment
- Low. The specific combination of VS Code spawning AI CLIs with highly permissive flags (like '--yolo' or '--dangerously-skip-permissions') without user interaction is highly anomalous and unlikely to occur during normal development workflows.
Recommendations
Immediate Mitigation
- Uninstall Aqua Trivy VS Code extension versions 1.8.12 and 1.8.13 immediately.
- Revoke and rotate all credentials, GitHub tokens, cloud provider keys, and SSH keys that were accessible on the affected machines.
- Delete any unauthorized 'posture-report-trivy' repositories from GitHub accounts.
Infrastructure Hardening
- Restrict the use of permissive or unattended execution flags for local AI coding assistants via endpoint policies.
- Enforce strict repository creation policies and monitor GitHub audit logs for anomalous repository creation.
User Protection
- Audit local AI agent logs for unusual prompts or automated execution.
- Inspect shell history for unauthorized invocations of AI CLIs.
Security Awareness
- Educate developers on the risks of supply chain attacks via VS Code extensions and third-party registries like OpenVSX.
- Train teams on the emerging threat of AI prompt injection and the importance of maintaining human-in-the-loop controls for AI agents.
MITRE ATT&CK Mapping
- T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- T1059 - Command and Scripting Interpreter
- T1082 - System Information Discovery
- T1552.001 - Credentials In Files
- T1074.001 - Data Staged: Local Data Staging
- T1567.001 - Exfiltration Over Web Service: Exfiltration to Code Repository
Additional IOCs
- Command Lines:
- Purpose: Execute Claude AI assistant with permissive flags and full filesystem access | Tools:
claude,child_process.spawn| Stage: Execution/Collection |claude --dangerously-skip-permissions --add-dir / - Purpose: Execute Codex AI assistant with permissive flags | Tools:
codex,child_process.spawn| Stage: Execution |codex --ask-for-approval never danger-full-access - Purpose: Execute Gemini AI assistant with permissive flags | Tools:
gemini,child_process.spawn| Stage: Execution |gemini --yolo - Purpose: Execute GitHub Copilot CLI with permissive flags | Tools:
copilot,child_process.spawn| Stage: Execution |copilot --yolo - Purpose: Execute Kiro CLI with permissive flags | Tools:
kiro-cli,child_process.spawn| Stage: Execution |kiro-cli --no-interactive
- Purpose: Execute Claude AI assistant with permissive flags and full filesystem access | Tools:
- Other:
GHSA-8mr6-gf9x-j8qg- GitHub Security Advisory identifier for the incidentCVE-2026-28353- CVE identifier assigned to the malicious extension release