
OpenVSX releases of Aqua Trivy 1.8.12 and 1.8.13 contained injected natural-language prompts that abuse local AI coding agents for system inspection and potenti…

Published:

2 March 2026 at 08:07:15

Alert date:

2 March 2026 at 10:01:23

Source:

socket.dev


Supply Chain & Dependencies, Security Tools

Malicious versions 1.8.12 and 1.8.13 of the Aqua Trivy VS Code extension were published to the OpenVSX registry containing unauthorized code that drives local AI coding agents. The malicious extensions fed natural-language prompts to locally installed AI coding assistants (Claude, Codex, Gemini, GitHub Copilot CLI, Kiro CLI), invoking them in highly permissive modes, to perform system inspection and potential data exfiltration. Version 1.8.12 contained a roughly 2000-word forensic-investigation prompt designed to collect sensitive data and exfiltrate it through multiple channels, while version 1.8.13 focused on creating a GitHub repository named 'posture-report-trivy' to store the collected system information. The attack was part of a broader AI-powered bot campaign targeting GitHub Actions workflows. The malicious versions were removed after Socket's investigation and notification.

Technical details

Malicious versions 1.8.12 and 1.8.13 of the Aqua Trivy VS Code extension were published to the OpenVSX registry. The malicious code runs inside the workspace activation function pl() and attempts to execute natural-language prompts through five AI coding assistants (Claude, Codex, Gemini, GitHub Copilot CLI, and Kiro CLI), each invoked in a highly permissive mode. Version 1.8.12 carried a roughly 2000-word reconnaissance prompt designed to collect sensitive data and exfiltrate it through multiple channels. Version 1.8.13 took a more targeted approach: create a GitHub repository named 'posture-report-trivy' and commit the findings to it. The malicious code runs as detached background processes with silent error handling, so failures produce no visible output and the activity is easy to miss.

Mitigation steps:

Uninstall affected versions 1.8.12 or 1.8.13 immediately
Check the extension's version history to confirm whether a malicious version was ever installed
Check for unexpected GitHub repositories named 'posture-report-trivy'
Review recent GitHub activity, including repository creation and commits
Inspect shell history for AI CLI invocations with permissive flags
Rotate credentials that were accessible during the exposure window, including GitHub tokens, cloud provider credentials, SSH keys and API tokens
Audit local AI agent logs for unusual prompts or automated execution
Monitor for suspicious file artifacts such as a REPORT.MD file containing credential listings

Affected products:

Aqua Trivy VS Code Extension versions 1.8.12 and 1.8.13
Claude Code CLI
Codex CLI
Gemini CLI
GitHub Copilot CLI
Kiro CLI
GitHub CLI

Related links:

Related CVEs:

Related threat actors:

IOCs:

pkg:vscode/aquasecurityofficial/trivy-vulnerability-scanner@1.8.12?repository_url=https://open-vsx.org
pkg:vscode/aquasecurityofficial/trivy-vulnerability-scanner@1.8.13?repository_url=https://open-vsx.org
REPORT.MD file creation
GitHub repository named 'posture-report-trivy'
claude -p --dangerously-skip-permissions --add-dir /
codex exec --ask-for-approval never --sandbox danger-full-access
gemini prompt --yolo --no-stream
copilot --autopilot --yolo -p
kiro-cli chat -a --no-interactive
gh repo create
gh auth token
Detached background processes spawning upon VS Code workspace opening
child_process.spawn with shell: true, detached: true, stdio: ignore
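The mitigation steps above ask responders to confirm whether an affected version was installed and to inspect shell history for the permissive AI CLI invocations listed as IoCs. The following triage script is an added example written for this advisory; it is not code from Socket, Aqua or Perceptive. It checks installed extension directory names against the two affected versions and scans shell-history lines for the IoC patterns. It assumes (a stated assumption, not something the advisory says) that VS Code-family editors install extensions as directories named <publisher>.<name>-<version> under ~/.vscode/extensions or ~/.vscode-oss/extensions. The sample directory names and history lines embedded in the block are constructed for demonstration.

```python
"""Triage helper for the Trivy OpenVSX incident: flags installed copies of the
affected extension versions and scans shell-history lines for the permissive
AI-agent CLI invocations listed in the advisory's IoC section."""
import re
from pathlib import Path

PUBLISHER_NAME = "aquasecurityofficial.trivy-vulnerability-scanner"
AFFECTED_VERSIONS = {"1.8.12", "1.8.13"}
SUSPICIOUS_REPO = "posture-report-trivy"

# Flags quoted in the advisory's IoC list. Each pattern anchors on the CLI name
# so that, e.g., "--yolo" appearing in unrelated text is not flagged on its own.
IOC_PATTERNS = {
    "claude-skip-permissions": re.compile(r"\bclaude\b.*--dangerously-skip-permissions\b"),
    "codex-no-approval": re.compile(r"\bcodex\s+exec\b.*--ask-for-approval\s+never\b"),
    "gemini-yolo": re.compile(r"\bgemini\b.*--yolo\b"),
    "copilot-autopilot": re.compile(r"\bcopilot\b.*--autopilot\b"),
    "kiro-noninteractive": re.compile(r"\bkiro-cli\s+chat\b.*--no-interactive\b"),
    "gh-repo-create": re.compile(r"\bgh\s+repo\s+create\b"),
    "gh-auth-token": re.compile(r"\bgh\s+auth\s+token\b"),
}

# Assumption (not from the advisory): extensions live in directories named
# <publisher>.<name>-<version> under these default roots.
EXTENSION_ROOTS = [Path.home() / ".vscode" / "extensions",
                   Path.home() / ".vscode-oss" / "extensions"]
_DIR_RE = re.compile(r"^(?P<id>[^/]+?)-(?P<version>\d+\.\d+\.\d+)$")


def affected_extension_dirs(dir_names):
    """Return the directory names that are the affected extension at an affected version."""
    hits = []
    for name in dir_names:
        m = _DIR_RE.match(name)
        if m and m.group("id") == PUBLISHER_NAME and m.group("version") in AFFECTED_VERSIONS:
            hits.append(name)
    return hits


def scan_history(lines):
    """Return (line_no, [ioc names], line) for each history line that matches an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        matched = [name for name, pat in IOC_PATTERNS.items() if pat.search(line)]
        if SUSPICIOUS_REPO in line:
            matched.append("posture-report-trivy")
        if matched:
            hits.append((n, matched, line.strip()))
    return hits


def installed_affected():
    """Scan the default extension roots on this host; empty if none of them exist."""
    names = [p.name for root in EXTENSION_ROOTS if root.is_dir() for p in root.iterdir()]
    return affected_extension_dirs(names)


# Constructed sample input mirroring the advisory's IoCs; not real captured data.
SAMPLE_DIRS = [
    "aquasecurityofficial.trivy-vulnerability-scanner-1.8.11",
    "aquasecurityofficial.trivy-vulnerability-scanner-1.8.12",
    "ms-python.python-2024.2.1",
]
SAMPLE_HISTORY = [
    "git status",
    "claude -p --dangerously-skip-permissions --add-dir / 'summarise this workspace'",
    "codex exec --ask-for-approval never --sandbox danger-full-access",
    "echo --yolo is just text here",
    "gh repo create posture-report-trivy --private",
    "gh auth token",
]

if __name__ == "__main__":
    for d in affected_extension_dirs(SAMPLE_DIRS):
        print("AFFECTED EXTENSION (sample):", d)
    for n, iocs, line in scan_history(SAMPLE_HISTORY):
        print(f"history line {n}: {', '.join(iocs)} :: {line}")
    for d in installed_affected():
        print("AFFECTED EXTENSION ON THIS HOST:", d)
```

To run it against a real shell history, pass the lines of ~/.bash_history or ~/.zsh_history to scan_history(); a hit on the gh-repo-create or gh-auth-token patterns is only meaningful alongside the other indicators, since both commands have legitimate uses, whereas any match on the agent invocations with their permission-bypass flags warrants the credential rotation the mitigation list calls for.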

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
