A sophisticated supply chain attack has been uncovered, targeting developers by exploiting the OpenVSX registry to inject malicious code into popular VS Code extensions. The attack, first identified on March 2, 2026, involved unauthorized code being embedded within two versions of the Aqua Trivy VS Code extension, versions 1.8.12 and 1.8.13, uploaded between February 27 and 28, 2026. These compromised versions were designed to turn developers’ own AI coding tools into covert data collection instruments without their knowledge.
Trivy, a widely recognized open-source vulnerability scanner in use across numerous enterprises and individual projects, has a VS Code extension that is a common tool for developers. While all versions of the extension prior to 1.8.12 precisely matched the corresponding public GitHub repository, the two tainted versions contained extraneous code not present in the official repository and lacked any associated tagged release. This absence of a clear release marker made the tampering significantly harder to detect through standard security reviews, highlighting a concerning new tactic in software supply chain compromises.
Threat Actors Exploit OpenVSX Aqua Trivy with Malicious AI Prompts
Researchers at Socket.dev detected unusual activity within these extension versions shortly after their publication and initiated an investigation. Their findings linked the malicious code to a larger, AI-driven bot campaign that was targeting GitHub Actions workflows across several prominent open-source projects. Concurrently, StepSecurity documented how this campaign led to the theft of a personal access token and a subsequent takeover of Aqua’s Trivy GitHub repository. This unauthorized access provided the threat actors with the necessary permissions to upload the manipulated extension to the OpenVSX registry.
Instead of deploying traditional malware such as spyware or backdoors, the injected code was engineered to operate discreetly with locally installed AI assistants. These included popular tools like Claude, Codex, Gemini, GitHub Copilot CLI, and Kiro CLI. The malware instructed these AI tools to conduct deep reconnaissance on the developer’s machine, utilizing their most permissive flags to bypass user confirmation. Crucially, all these operations ran as detached background processes with suppressed output, maintaining the illusion that the extension was functioning normally and leaving developers unaware of any suspicious activity.
The extent of the potential damage varied between the two compromised versions. Version 1.8.12 contained a detailed prompt, approximately 2,000 words long, instructing the AI agent to function as a forensic investigator. This involved scanning for sensitive information including credentials, access tokens, financial records, and private communications. The gathered data was then slated for exfiltration through any available outbound channels, such as email and messaging platforms.
Version 1.8.13, while also malicious, adopted a more focused approach. Its instructions directed the AI to collect system information and authentication tokens, save them into a file named REPORT.MD, and then utilize the victim’s GitHub CLI to push this report to a repository specifically named ‘posture-report-trivy’. Both of these malicious versions were promptly removed from the OpenVSX registry on February 28, following the disclosure by Socket.dev and the subsequent actions by Aqua Security.
How the Injected Code Remained Undetected
The malicious code was strategically placed within the workspace activation function of the extension. This specific routine is designed to execute every time a developer opens a project in their code editor. By inserting the harmful payload before the extension’s standard setup logic, the attackers ensured that the Aqua Trivy extension remained fully operational, continuing its intended vulnerability scanning functions without interruption, thereby masking the presence of the malicious code.
In version 1.8.13, the injected malicious block was cleverly concealed within an `if` statement employing JavaScript’s comma operator. This allowed the harmful commands to be executed first, preceding the extension’s standard workspace checks. This technique is a novel approach in supply chain attacks, moving beyond conventional methods like hardcoded callbacks or shellcode. Instead, the attackers leveraged trusted AI agents, commanding them with maximum permissions to undertake reconnaissance and data exfiltration, circumventing automated detection tools that typically search for malware signatures.
Further obscuring the malicious activity, variable names were altered between the two versions as a result of code minification, adding another layer of obfuscation. Socket.dev highlighted that this method represents a significant evolution in attack vectors, as it relies on the inherent trust developers place in their local AI tools, turning them into unwitting accomplices in data theft. The AI commands were executed as detached background processes with built-in error handling, meaning any uninstalled AI tool would simply fail without generating visible errors, making detection even more challenging.
Developers who may have installed versions 1.8.12 or 1.8.13 of the Aqua Trivy extension from OpenVSX are strongly advised to take immediate precautionary measures. It is recommended to uninstall the affected extension and carefully review the extension’s installed version history to confirm whether either of these releases was ever present on your system. Subsequently, you should inspect your GitHub account for any repositories named ‘posture-report-trivy’ and examine recent GitHub activity for unexpected repository creations or commits referencing ‘REPORT.MD’.
It is also crucial to scrutinize your shell history for any invocations of AI tools such as ‘claude’, ‘codex’, ‘gemini’, ‘copilot’, or ‘kiro-cli’ accompanied by permissive execution flags. Additionally, all credentials that were accessible on the machine during the potential exposure window should be promptly rotated. This includes GitHub tokens, cloud credentials, SSH keys, and API tokens stored in environment variables or dotfiles. Finally, it is advisable to audit the logs of your local AI agents for any unusual prompts or automated executions, even in the absence of immediately apparent direct indicators of compromise.
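A small triage script for the shell-history and indicator checks described above, added here as an example and not part of the original article or of Aqua's or Socket.dev's tooling. It flags history lines that invoke the named AI CLIs together with a confirmation-bypass flag, and lines that reference the ‘posture-report-trivy’ repository or REPORT.MD; the flag pattern is an assumption, since the article does not name the flags the payload used, and the sample history is constructed.

```python
import re

# Indicators from the disclosure: AI CLIs the payload drove, report file, exfil repo.
AI_TOOLS = ("claude", "codex", "gemini", "copilot", "kiro-cli")
REPORT_FILE = "REPORT.MD"
EXFIL_REPO = "posture-report-trivy"

# Assumed heuristic for confirmation-bypass flags; the article names no flags.
PERMISSIVE_FLAG_RE = re.compile(
    r"--(?:dangerously[\w-]*|yolo|full-auto|allow-all[\w-]*|trust-all[\w-]*"
    r"|skip-permissions)", re.IGNORECASE)
TOOL_RE = re.compile(
    r"(?:^|[\s;&|(])(" + "|".join(map(re.escape, AI_TOOLS)) + r")(?=\s|$)")
ZSH_PREFIX_RE = re.compile(r"^: \d+:\d+;")  # zsh EXTENDED_HISTORY timestamp

def scan_history_line(line: str) -> list[str]:
    """Return why one history line is suspicious; empty list if clean."""
    reasons = []
    tool = TOOL_RE.search(line)
    if tool and PERMISSIVE_FLAG_RE.search(line):
        reasons.append(f"ai-cli-permissive:{tool.group(1)}")
    if REPORT_FILE.lower() in line.lower():
        reasons.append("report-file")
    if EXFIL_REPO in line:
        reasons.append("exfil-repo")
    return reasons

def scan_history(lines: list[str]) -> dict[int, list[str]]:
    """Map 1-based history line numbers to findings (zsh timestamps stripped)."""
    findings = {}
    for n, raw in enumerate(lines, 1):
        reasons = scan_history_line(ZSH_PREFIX_RE.sub("", raw.rstrip("\n")))
        if reasons:
            findings[n] = reasons
    return findings

# Constructed sample history for demonstration, not captured data.
SAMPLE_HISTORY = [
    "git pull",
    "claude -p 'summarise this repo' --dangerously-skip-permissions >/dev/null 2>&1 &",
    ": 1772000000:0;gemini --yolo 'tidy the README'",
    "gh repo create posture-report-trivy --private",
    "git add REPORT.MD && git commit -m 'report'",
    "gemini 'explain this stack trace'",
]

if __name__ == "__main__":
    for n, why in scan_history(SAMPLE_HISTORY).items():
        print(f"line {n}: {', '.join(why)} -> {SAMPLE_HISTORY[n - 1]}")
```

Run it against the contents of ~/.bash_history or ~/.zsh_history; a clean invocation of an AI CLI without a bypass flag produces no finding, so only the combinations the article describes are reported.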

