Developers are on high alert following a supply chain attack that emerged on March 2, 2026, targeting the Aqua Trivy VS Code extension found in the OpenVSX registry. The attack involved the insertion of unauthorized code into two specific versions, 1.8.12 and 1.8.13, uploaded in late February. These versions introduced malicious natural-language prompts designed to covertly exploit AI coding tools.
Compromised Versions and Their Impact
The Aqua Trivy vulnerability scanner, widely used in both enterprise and individual projects, was compromised in these versions, which included additional code absent from the public GitHub repository. This made the tampering difficult to detect using standard review processes. All versions up to 1.8.11 remained unaffected and match the public repository.
Security researchers at Socket.dev detected this suspicious activity and linked it to a broader campaign targeting GitHub Actions workflows across major open-source projects. StepSecurity’s analysis revealed that the campaign led to the theft of a personal access token and the takeover of Aqua’s Trivy GitHub repository, enabling the attackers to push the compromised extension to OpenVSX.
Malicious Code and Its Stealthy Execution
Unlike traditional malware, the injected code did not install spyware or backdoors. Instead, it leveraged locally installed AI assistants like Claude, Codex, and GitHub Copilot CLI to conduct deep reconnaissance on the developer’s system. These tools operated in the background without user consent, gathering sensitive data such as credentials and tokens.
The extent of the impact varied with the version installed. Version 1.8.12 included a detailed prompt instructing the AI to scan for sensitive information and send it through various channels. Version 1.8.13 focused on collecting system information and uploading it to a GitHub repository named posture-report-trivy. Both versions were promptly removed on February 28 after the discovery was reported by Socket.dev.
The malicious code was concealed within the workspace activation function, so the extension operated normally while executing harmful commands. Techniques like code minification added layers of obfuscation, making detection by conventional security tools harder.
Recommendations for Affected Developers
Developers who installed these compromised versions should take immediate action. It is crucial to uninstall the affected extension and verify version history for any traces of these releases. Additionally, developers should inspect their GitHub accounts for the posture-report-trivy repository and review recent activity for unexpected changes. Rotating credentials, including GitHub tokens and API keys, is advised, along with auditing local AI agent logs for unusual behavior.
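The local part of that check, as an added example (not code from Aqua, Socket.dev or this article): it reads each installed extension's package.json and flags a Trivy extension at version 1.8.12 or 1.8.13. The directory list and the name match on "trivy" are assumptions, because the article does not give the extension's identifier.

```python
import json
from pathlib import Path

# Versions the article names as compromised.
BAD_VERSIONS = {"1.8.12", "1.8.13"}

# Assumption: common per-user extension directories (VS Code, VSCodium,
# VS Code remote server, Cursor). Adjust for the editor actually in use.
DEFAULT_ROOTS = [
    "~/.vscode/extensions",
    "~/.vscode-oss/extensions",
    "~/.vscode-server/extensions",
    "~/.cursor/extensions",
]


def find_compromised(roots=DEFAULT_ROOTS, name_hint="trivy"):
    """Return sorted (path, publisher.name, version) tuples for flagged installs."""
    hits = []
    for root in roots:
        base = Path(root).expanduser()
        if not base.is_dir():
            continue
        # Each installed extension is a folder with its own package.json manifest.
        for manifest in base.glob("*/package.json"):
            try:
                meta = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip it
            if not isinstance(meta, dict):
                continue
            ident = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}"
            version = str(meta.get("version", ""))
            # Assumption: the extension is recognisable by "trivy" in its id.
            if name_hint in ident.lower() and version in BAD_VERSIONS:
                hits.append((str(manifest.parent), ident, version))
    return sorted(hits)


if __name__ == "__main__":
    found = find_compromised()
    for path, ident, version in found:
        print(f"COMPROMISED {ident} {version} at {path}")
    if not found:
        print("No Trivy extension at 1.8.12 or 1.8.13 in the scanned directories.")
```

A clean result only shows that no flagged copy is on disk now; an extension that was installed and later updated or removed leaves no folder, so the version history, GitHub account and credential steps above still apply.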
