CVE-2026-28353 Overview
CVE-2026-28353 is a critical supply chain vulnerability affecting the Trivy Vulnerability Scanner VS Code extension. Version 1.8.12 of the extension, distributed via the OpenVSX marketplace, was compromised and contained malicious code designed to leverage local AI coding agents to collect and exfiltrate sensitive information. This represents a sophisticated supply chain attack that weaponizes AI development tools as an exfiltration vector.
Critical Impact
Compromised extension actively exfiltrates sensitive data by exploiting local AI coding agents, potentially exposing credentials, API keys, and proprietary source code from developer environments.
Affected Products
- Trivy VSCode Extension version 1.8.12 (OpenVSX marketplace distribution)
Discovery Timeline
- 2026-03-05 - CVE-2026-28353 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28353
Vulnerability Analysis
This vulnerability falls under CWE-506 (Embedded Malicious Code), representing a supply chain compromise where legitimate software was modified to include malicious functionality. The attack is particularly insidious because it targets developers who use AI coding assistants, leveraging the broad context access these tools typically have to source code, environment variables, and configuration files.
The compromised extension was designed to interact with local AI coding agents that developers commonly use for code completion and assistance. By exploiting the trust relationship between the AI agent and the developer's workspace, the malicious code could access and exfiltrate sensitive information that the AI agent had visibility into, including environment secrets, API tokens, and potentially proprietary code.
Root Cause
The root cause is a supply chain compromise of the Trivy VSCode Extension distribution on the OpenVSX marketplace. Malicious actors successfully injected code into version 1.8.12 of the extension, transforming a legitimate security tool into a data exfiltration mechanism. The attack specifically targeted environments with AI coding assistants, exploiting their elevated access to sensitive developer workspace data.
Attack Vector
The attack leverages network-based distribution through the OpenVSX marketplace. When developers install or update to the compromised version 1.8.12, the malicious payload is executed within the VS Code environment. The malware then identifies and interacts with local AI coding agents, using their context awareness to gather sensitive information before exfiltrating it to attacker-controlled infrastructure.
The attack requires no user interaction beyond the initial installation—once the compromised extension is active, it operates autonomously to harvest and transmit sensitive data. The use of AI agents as an intermediary makes this attack particularly dangerous, as these tools often have broad read access to workspace files, terminal history, and environment configurations.
Detection Methods for CVE-2026-28353
Indicators of Compromise
- Presence of Trivy VSCode Extension version 1.8.12 in VS Code installations
- Unusual network connections originating from VS Code processes to unknown external endpoints
- Unexpected interactions between extensions and AI coding agent APIs
- Anomalous file access patterns in developer workspaces, particularly targeting .env files, configuration directories, and credential stores
Detection Strategies
- Audit installed VS Code extensions and verify version numbers against known compromised versions (1.8.12)
- Monitor network traffic from development environments for unusual data exfiltration patterns
- Review extension installation logs and cross-reference with known good checksums from the official Aqua Security repository
- Implement endpoint detection rules for suspicious extension behavior interacting with AI coding tools
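The version audit described above can also be run directly against the on-disk extension directories, which covers editors where the `code` CLI is not available. This is an added example, not code from the advisory or from Aqua Security; the extension ID and version come from this page, while the directory locations named in the comments are assumed defaults and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: locate unpacked copies of the compromised extension version.
# EXT_ID and the version are taken from the advisory text above.
EXT_ID="aquasecurity.trivy-vulnerability-scanner"
BAD_VERSION_RE='1\.8\.12'   # regex-escaped form of 1.8.12

# Assumed default per-user extension roots (adjust for your fleet):
#   ~/.vscode/extensions          VS Code
#   ~/.vscode-oss/extensions      VSCodium
#   ~/.vscode-server/extensions   remote / SSH / container hosts
#   ~/.cursor/extensions          Cursor

# find_compromised ROOT...
# Prints the path of every installed copy whose package.json declares the bad
# version. Returns 0 if at least one copy was found, 1 if none were.
find_compromised() {
  found=1
  for root in "$@"; do
    [ -d "$root" ] || continue            # skip editors that are not installed
    # Extensions are unpacked as <publisher>.<name>-<version>[-<platform>].
    for dir in "$root/$EXT_ID"-*; do
      [ -f "$dir/package.json" ] || continue
      # Trust the manifest, not the directory name, for the version.
      if grep -Eq "\"version\"[[:space:]]*:[[:space:]]*\"$BAD_VERSION_RE\"" \
           "$dir/package.json"; then
        printf '%s\n' "$dir"
        found=0
      fi
    done
  done
  return "$found"
}

# Stand-alone use: sh audit.sh ~/.vscode/extensions ~/.vscode-oss/extensions
if [ "$#" -gt 0 ]; then
  find_compromised "$@" || echo "no copy of $EXT_ID at the compromised version found"
fi
```

A hit means the workstation should go through the credential rotation and log review steps listed under mitigation, even if the extension has since been updated or removed from the editor UI.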
Monitoring Recommendations
- Enable detailed logging for VS Code extension activities and AI agent interactions
- Deploy network monitoring to detect data exfiltration attempts from developer workstations
- Establish baseline behavior for legitimate Trivy extension operations to identify anomalies
- Monitor for unauthorized access to sensitive files such as .env, AWS credentials, and SSH keys within development environments
How to Mitigate CVE-2026-28353
Immediate Actions Required
- Immediately uninstall Trivy VSCode Extension version 1.8.12 from all development environments
- Rotate all environment secrets, API keys, and credentials that may have been exposed
- Audit AI coding agent logs for unusual queries or data access patterns
- Review recent code commits and repository access for signs of unauthorized activity
- Scan development systems for additional indicators of compromise
Patch Information
The malicious artifact has been removed from the OpenVSX marketplace. Users should verify they are using a clean version of the extension from official sources. For additional details and verification steps, refer to the GitHub Security Advisory.
Workarounds
- Temporarily disable the Trivy VSCode Extension until a verified clean version can be confirmed
- Install extensions only from verified sources with validated checksums
- Implement network segmentation for development environments to limit potential exfiltration paths
- Consider running AI coding agents in sandboxed environments with limited access to sensitive credentials
- Enable extension verification and signing requirements where supported by the IDE
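```bash
# Verify installed Trivy extension version and remove if compromised.
# The `code` CLI only reports extensions for VS Code itself; editors that
# install from OpenVSX (for example VSCodium, via `codium`) have their own CLI.
code --list-extensions --show-versions | grep -i trivy
# If version 1.8.12 is found, uninstall immediately:
code --uninstall-extension aquasecurity.trivy-vulnerability-scanner
```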


