Critical

Malicious Trivy VS Code Extension 1.8.12 Supply-Chain Compromise

Identifiers: CVE-2026-28353, CWE-506 (Embedded Malicious Code)

CVE-2026-28353 tracks a supply-chain compromise of the Trivy Vulnerability Scanner VS Code extension. According to available reporting, Trivy VSCode Extension version 1.8.12, distributed through the OpenVSX marketplace, was compromised and shipped with malicious code. The implanted code was designed to leverage a locally installed AI coding agent to inspect the developer environment, collect sensitive information, and exfiltrate that data. Supporting reporting states that the broader incident involved abuse of local AI coding CLIs such as Claude, Codex, Gemini, GitHub Copilot CLI, and Kiro, and that the malicious extension targeted developer workstations rather than production systems directly. The malicious artifact has since been removed from the marketplace, and reportedly no other affected artifacts were identified in the CVE record.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation exposes sensitive information present in the affected developer environment. Based on available reporting, the malicious extension was intended to collect and exfiltrate secrets and other sensitive data from systems where it was installed, potentially including environment secrets and data accessible to local AI coding agents. Additional reporting indicates that the broader campaign targeted developer trust zones and could abuse authenticated local tooling, including AI coding assistants and, in some variants, the victim's authenticated GitHub CLI session. This creates a risk of credential theft, repository access abuse, and downstream compromise of development and CI/CD assets. The CVE context indicates high confidentiality, integrity, and availability impact.

Mitigation

If you can’t patch tonight, do this now.

Until remediation is complete, isolate affected developer workstations from sensitive resources where feasible, revoke or disable exposed tokens, and monitor for unauthorized use of GitHub, cloud, registry, and CI/CD credentials. Restrict or review use of local AI coding agents and authenticated developer CLIs on systems that installed the malicious extension, because the malicious logic was designed to leverage such tools for collection and exfiltration. More broadly, reduce marketplace supply-chain risk by pinning trusted extension sources, validating publisher provenance, limiting secret exposure on developer endpoints, and monitoring outbound activity from developer tooling.

Remediation

Patch, then assume compromise.

Immediately uninstall the compromised Trivy VSCode Extension version 1.8.12 obtained from OpenVSX. Treat the affected host as exposed and rotate environment secrets and any credentials that may have been accessible from the developer environment at the time of installation, including tokens used for source control, cloud services, registries, and CI/CD where applicable. Verify that the malicious artifact is no longer present in the extension directory, review developer workstation and repository activity for unauthorized access or exfiltration, and reinstall only a known-good version from a trusted source after validating publisher integrity. The malicious artifact has reportedly already been removed from the marketplace.
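
An added example (not from the advisory or the Trivy project): one way to run the extension-directory check described above, by reading each installed extension's `package.json`. The `trivy` name match, the list of editor directories, and the inclusion of 1.8.13 (taken from the news entry on this page) are assumptions to adjust for your fleet.

```python
import json
from pathlib import Path

# Versions named on this page: 1.8.12 (the CVE record) and 1.8.13 (news entry).
FLAGGED_VERSIONS = {"1.8.12", "1.8.13"}
# Assumption: the extension is recognised by "trivy" in its manifest name.
NAME_HINT = "trivy"
# Assumption: per-user extension directories of VS Code-compatible editors.
DEFAULT_ROOTS = [
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".vscode-oss" / "extensions",
    Path.home() / ".cursor" / "extensions",
    Path.home() / ".windsurf" / "extensions",
]


def read_manifest(ext_dir):
    """Return the parsed package.json of an extension folder, or None."""
    try:
        data = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):  # missing, unreadable, bad encoding, bad JSON
        return None
    return data if isinstance(data, dict) else None


def find_flagged_extensions(roots=DEFAULT_ROOTS):
    """List extension folders matching the name hint and a flagged version."""
    findings = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            manifest = read_manifest(ext_dir)
            if manifest is None:
                # No readable manifest: fall back to the "<id>-<version>" folder name.
                name, _, version = ext_dir.name.rpartition("-")
                publisher = ""
            else:
                name = str(manifest.get("name", ""))
                version = str(manifest.get("version", ""))
                publisher = str(manifest.get("publisher", ""))
            if NAME_HINT in name.lower() and version in FLAGGED_VERSIONS:
                findings.append({"path": str(ext_dir), "publisher": publisher,
                                 "name": name, "version": version})
    return findings


if __name__ == "__main__":
    for hit in find_flagged_extensions():
        print("FLAGGED: {publisher}.{name} {version} at {path}".format(**hit))
```

A hit means the host should go through the rotation and review steps above; an empty result only shows the folder is gone now, not that the extension never ran.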
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

snyk blog (News)
Apr 29, 2026
Bun-Based Stealer Hits SAP CAP npm Packages | Snyk

A vulnerability/incident identified as CVE-2026-28353 involving the Trivy AI-agent compromise, where stolen tokens were used to publish a weaponized VS Code extension targeting multiple AI coding agents.

the hacker news (News)
Mar 14, 2026
Five Malicious Rust Crates and AI Bot Exploit CI/CD Pipelines to Steal Developer Secrets (The Hacker News) - Tech Jacks Solutions

A compromise of the Trivy VS Code extension that weaponized locally installed AI coding CLIs as exfiltration channels in developer environments.

the hacker news (News)
Mar 11, 2026
Five Malicious Rust Crates and AI Bot Exploit CI/CD Pipelines to Steal Developer Secrets

A supply-chain compromise affecting Aqua Security Trivy VS Code extension releases (versions 1.8.12 and 1.8.13) distributed via Open VSX, where injected logic abuses local AI coding assistants and (in 1.8.13) the victim’s authenticated GitHub CLI session to collect system information and exfiltrate it to a GitHub repository.

cvefeed high severity (News)
Mar 5, 2026
CVE-2026-28353 - Trivy Vulnerability Scanner: Unauthorized AI Agent Execution Code Included in OpenVSX Extension Release

A supply-chain compromise of the Trivy Vulnerability Scanner VS Code extension (v1.8.12 distributed via OpenVSX) where the published artifact contained malicious code intended to leverage a local AI coding agent to collect and exfiltrate sensitive information.