Malicious versions of the Aqua Trivy VS Code extension were published to the OpenVSX registry, containing unauthorized code that hijacks locally installed AI coding assistants. By using carefully crafted natural language prompts and permissive execution flags, the payload instructs the AI agents to harvest sensitive developer credentials and system data, subsequently attempting to exfiltrate the information via available communication channels or by creating a new GitHub repository.