TL;DR
- Trivy VS Code extension version 1.8.12 contained malicious code distributed via OpenVSX marketplace
- The code exploited local AI coding agents to steal environment secrets and credentials
- CVSS 10.0 severity—critical vulnerability requiring immediate remediation
- Any business using this extension must rotate all exposed credentials immediately
The Attack: A Supply Chain Compromise Hiding in Plain Sight
On March 5, 2026, CVE-2026-28353 was published, revealing a critical supply chain compromise in the Trivy Vulnerability Scanner VS Code extension [1]. Trivy, a popular open-source tool by Aqua Security used to detect vulnerabilities in container images and codebases, had its version 1.8.12 distributed through the OpenVSX marketplace with embedded malicious code [2].
This isn't a vulnerability where attackers find a flaw in existing code. This is attackers inserting malicious code into a trusted tool—fundamentally different and far more dangerous. The malicious artifact has since been removed from the marketplace, and no other versions have been identified as affected [3].
How the Malicious Code Worked: Targeting AI Coding Agents
The embedded code was specifically designed to exploit local AI coding agents integrated with the extension environment [4]. AI coding agents—tools like GitHub Copilot, Cursor, and similar automated development assistants—have access to your codebase, environment variables, and execution context. This malware leveraged that access to stealthily collect sensitive information including:
- Environment secrets (API keys, database credentials)
- Authentication tokens
- Proprietary code snippets
- Configuration data [5]
The stolen data was then exfiltrated to an attacker-controlled endpoint. The attack requires no user interaction, privileges, or authentication, and operates remotely over the network [6]. A CVSS 4.0 score of 10.0 reflects its critical severity across confidentiality, integrity, and availability impacts [7].
Why Supply Chain Attacks Are Every Business's Nightmare
Supply chain attacks bypass traditional security models because they compromise trusted tools rather than attacking systems directly. When your developers install a VS Code extension from a legitimate marketplace, nothing about that action looks like an attack on your network: they are extending it with code they trust [8].
This is the modern equivalent of a trojan horse. The tool you use to find vulnerabilities in your code became the vulnerability itself. The malicious code operated within developer workstations, bypassing network defenses and endpoint protections designed to catch external threats [9].
The Specific Risk to SMBs Using AI Development Tools
Small and medium businesses adopting AI coding tools to boost productivity are specifically exposed to this threat class. AI agents require broad access to function effectively—they read files, execute commands, and integrate with your development environment. This access is exactly what makes them powerful and dangerous when compromised [10].
Flashpoint's 2026 Global Threat Intelligence Report notes that AI-related illicit activity skyrocketed by 1,500% in a single month at the end of 2025, as criminals rapidly develop malicious frameworks targeting AI infrastructure [11].
Immediate Actions for Every Business Using Trivy
1. Identify and Remove the Compromised Extension Immediately
Check all developer workstations and build environments for Trivy VS Code extension version 1.8.12. Uninstall it immediately. Don't wait for a scheduled update cycle—this is critical severity [12].
2. Rotate All Potentially Exposed Credentials
Assume all environment secrets, API keys, and tokens exposed during the period the compromised extension was installed are now in attacker hands. Rotate them systematically:
- Cloud provider credentials (AWS, Azure, GCP)
- Database connection strings
- API tokens for third-party services
- SSH keys and deployment credentials [13]
3. Audit Access Logs for Signs of Exfiltration
Review network traffic and access logs from the timeframe the extension was installed. Look for anomalous connections to unknown endpoints or data transfers that don't match normal patterns [14].
4. Implement Extension Verification Policies
This attack highlights the need for supply chain security in development workflows. Before installing any extension or dependency:
- Verify the publisher's identity
- Check installation counts and review history
- Monitor for unusual update patterns
- Consider using a private extension registry with vetted approval processes [15]
5. Restrict Egress from Developer Machines
Network egress filtering can detect or block unauthorized connections potentially used for exfiltration. Developer machines shouldn't be able to connect to arbitrary endpoints without oversight [16].
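One way to carry out step 1 on a workstation, as an added example (not code from the advisory or from Aqua Security): it inventories installed extensions and flags version 1.8.12. The directory list and the match on "trivy" in the package name are assumptions, since the page does not give the extension's marketplace identifier, and the directory modification time only approximates the install time used to scope steps 2 and 3.

```python
import json
import os
from datetime import datetime, timezone
from pathlib import Path

# Version named in the advisory. Matching on "trivy" in the package name is an
# assumption: the page does not give the extension's marketplace identifier.
BAD_NAME_FRAGMENT = "trivy"
BAD_VERSION = "1.8.12"

# Assumed default per-user extension directories (VS Code and OpenVSX-based
# editors); adjust for the editors actually deployed in your fleet.
DEFAULT_ROOTS = ["~/.vscode/extensions", "~/.vscode-oss/extensions",
                 "~/.vscode-server/extensions", "~/.cursor/extensions"]

def inventory(roots=DEFAULT_ROOTS):
    """Return one record per extension manifest found under the given roots."""
    records = []
    for root in roots:
        root_path = Path(os.path.expanduser(root))
        if not root_path.is_dir():
            continue
        for manifest in sorted(root_path.glob("*/package.json")):
            try:
                meta = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip it
            if not isinstance(meta, dict):
                continue
            name, version = str(meta.get("name", "")), str(meta.get("version", ""))
            mtime = manifest.parent.stat().st_mtime
            records.append({
                "id": f"{meta.get('publisher', '?')}.{name}",
                "version": version,
                "path": str(manifest.parent),
                # Directory mtime only approximates when the version was installed.
                "installed_utc": datetime.fromtimestamp(mtime, timezone.utc).isoformat(),
                "compromised": BAD_NAME_FRAGMENT in name.lower() and version == BAD_VERSION,
            })
    return records

def compromised(roots=DEFAULT_ROOTS):
    """Return only the records matching the version named in the advisory."""
    return [r for r in inventory(roots) if r["compromised"]]

if __name__ == "__main__":
    for rec in inventory():
        status = "COMPROMISED" if rec["compromised"] else "ok"
        print(status, rec["id"], rec["version"], rec["installed_utc"], rec["path"], sep="\t")
```

The full inventory, not just the flagged record, is worth keeping: it is the baseline that the extension verification policy in step 4 is checked against.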
The Broader Trend: AI Tools Are the New Attack Surface
This isn't isolated to Trivy. As businesses integrate AI coding agents, automated testing tools, and development infrastructure, the attack surface expands. Every tool with access to your codebase is a potential exfiltration channel [17].
The Trivy compromise demonstrates the convergence of two threat vectors:
- Traditional supply chain attacks (compromised developer tools)
- AI infrastructure exploitation (targeting coding agents)
FAQ
Only if you installed version 1.8.12 of the Trivy VS Code extension from OpenVSX. Other versions and distribution channels are not affected. However, you should audit your environment to confirm which version is installed and take action if 1.8.12 is present [18].
Yes. The malware was designed to collect environment secrets and credentials. Assume any credential present during the period the extension was installed is compromised. This is an inconvenient but necessary security measure [19].
Yes, but with verification. Open-source remains essential for modern development. The solution isn't to abandon tools but to implement supply chain security: verify publisher identity, monitor updates, and maintain an inventory of installed extensions. Consider private extension registries for businesses with strict security requirements [20].
The investigation is ongoing, but supply chain compromises typically occur through credential theft, account takeover, or malicious contribution by a compromised maintainer. This underscores the importance of multi-factor authentication, credential security, and rigorous code review processes for all software distribution channels [21].
References
[1] OffSec Radar, "CVE-2026-28353: CWE-506: Embedded Malicious Code in aquasecurity trivy-vscode-extension," OffSec Threat Radar, March 5, 2026. [Online]. Available: https://radar.offseq.com/threat/cve-2026-28353-cwe-506-embedded-malicious-code-in--facddd89
[2] Ibid.
[3] Ibid.
[4] Ibid.
[5] Ibid.
[6] Ibid.
[7] Ibid.
[8] CISA, "Software Supply Chain Security," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/software-supply-chain-security
[9] OffSec Radar, "CVE-2026-28353," 2026.
[10] Flashpoint, "Navigating 2026's Converged Threats: Insights from Flashpoint's Global Threat Intelligence Report," Flashpoint, March 11, 2026. [Online]. Available: https://flashpoint.io/blog/global-threat-intelligence-report-2026/
[11] Ibid.
[12] OffSec Radar, "CVE-2026-28353," 2026.
[13] Ibid.
[14] NIST, "Computer Security Incident Handling Guide (SP 800-61 Rev. 2)," National Institute of Standards and Technology, 2025. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
[15] OffSec Radar, "CVE-2026-28353," 2026.
[16] Ibid.
[17] Flashpoint, "Navigating 2026's Converged Threats," 2026.
[18] OffSec Radar, "CVE-2026-28353," 2026.
[19] Ibid.
[20] CISA, "Software Supply Chain Security," 2025.
[21] OffSec Radar, "CVE-2026-28353," 2026.
TL;DR
- A popular tool for programmers had a bad version that stole secret passwords
- The bad code was hidden inside a helpful extension called Trivy
- It specifically targeted AI coding assistants to steal information
- Any business using this tool needs to change all their passwords right now
What Is Trivy and Why Do Programmers Use It?
Imagine you have a robot helper that checks your homework for mistakes before you turn it in. Trivy is like that robot, but for computer programmers. It looks through their code to find security problems so they can fix them before bad guys find them first [1].
Programmers install Trivy as an extension in their coding software (called VS Code)—kind of like adding a new app to your phone. Extensions are supposed to be safe and helpful. But someone found a way to sneak bad code into version 1.8.12 of the Trivy extension [2].
It's like if someone replaced your homework-checking robot with a fake that secretly copies your work and sends it to strangers.
How Did the Bad Code Steal Secrets?
Here's where it gets tricky. Modern programming often uses AI assistants—like smart helpers that can write code, answer questions, and help programmers work faster [3]. These AI assistants need to see the code you're working on to help you.
The bad code in Trivy was designed to spy on these AI assistants. Every time the AI looked at the code to help, the bad code was also watching—stealing passwords, secret keys, and private information [4].
Think of it like this: imagine you have a study buddy who helps you with homework. But someone sneaks a tape recorder into your study buddy's bag. Now everything you say and write is being secretly recorded and sent to strangers.
Why This Is So Dangerous
This attack is scary for three big reasons:
1. It Came from a Trusted Tool
Programmers trusted Trivy to help them stay safe. They didn't expect it to be the thing attacking them. It's like trusting your locker to keep your backpack safe, but someone secretly cut a hole in the back [5].
2. It Stole Everything Important
The stolen secrets weren't just passwords—they were the keys to everything: cloud accounts, databases, private files. It's like someone stealing not just your house key, but your school locker, your diary, and your phone passcode all at once [6].
3. No One Noticed Right Away
This isn't like someone breaking a window. The bad code was quietly hiding in plain sight, doing its stealing without making any noise. That's why it's called a "supply chain attack"—it attacks the tools you trust, not your computer directly [7].
What Businesses Need to Do Right Now
If your business uses programming tools or has developers who code, here's what needs to happen:
1. Find and Remove the Bad Version
Check if version 1.8.12 of the Trivy extension is installed anywhere. If it is, remove it immediately—like finding a rotten apple and throwing it out before it spoils the whole bunch [8].
2. Change Every Password That Might Have Been Stolen
Every password, every secret key, every login that could have been seen while the bad code was running needs to be changed. It's a lot of work, but it's like changing all the locks on your house after losing your keys [9].
3. Check for Strange Activity
Look at the records of where your computers have been connecting. Are there connections to places you don't recognize? That might be the bad code sending your secrets to strangers [10].
4. Be Careful What You Install
Just because an extension is popular doesn't mean it's always safe. Check who made it, read reviews, and only install from sources you trust. It's like not accepting candy from strangers—you have to be careful about what you let into your computer [11].
The Big Lesson: Even Helpful Tools Can Be Tricky
The scary thing about this attack is that Trivy was supposed to help programmers stay safe. It was a tool designed to find security problems. But someone figured out how to turn it into a weapon [12].
This is happening more and more as we use AI and smart tools in everything we do. Every tool that has access to your information is like a door—and bad guys are always looking for doors they can sneak through [13].
FAQ
Yes, but not version 1.8.12. Other versions are safe. The bad version has been removed from the app store. If you update to a newer version, you're protected [14].
If your company has programmers who use VS Code and they installed the Trivy extension around March 2026, you need to check which version they have. Version 1.8.12 is the dangerous one [15].
Sometimes attackers want to steal secrets to sell them. Other times they want to break into systems later using the stolen passwords. And sometimes they just want to cause trouble. Whatever the reason, they're looking for ways to get into places they shouldn't be [16].
This attack specifically targeted programming tools. But the same idea—tricking people into installing bad software—happens with regular apps and games too. That's why you should only download from official sources and be careful with permissions [17].
References
[1] OffSec Radar, "CVE-2026-28353: CWE-506: Embedded Malicious Code in aquasecurity trivy-vscode-extension," OffSec Threat Radar, March 5, 2026. [Online]. Available: https://radar.offseq.com/threat/cve-2026-28353-cwe-506-embedded-malicious-code-in--facddd89
[2] Ibid.
[3] Flashpoint, "Navigating 2026's Converged Threats: Insights from Flashpoint's Global Threat Intelligence Report," Flashpoint, March 11, 2026. [Online]. Available: https://flashpoint.io/blog/global-threat-intelligence-report-2026/
[4] OffSec Radar, "CVE-2026-28353," 2026.
[5] CISA, "Software Supply Chain Security," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/software-supply-chain-security
[6] OffSec Radar, "CVE-2026-28353," 2026.
[7] CISA, "Software Supply Chain Security," 2025.
[8] OffSec Radar, "CVE-2026-28353," 2026.
[9] Ibid.
[10] NIST, "Computer Security Incident Handling Guide (SP 800-61 Rev. 2)," National Institute of Standards and Technology, 2025. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
[11] OffSec Radar, "CVE-2026-28353," 2026.
[12] Ibid.
[13] Flashpoint, "Navigating 2026's Converged Threats," 2026.
[14] OffSec Radar, "CVE-2026-28353," 2026.
[15] Ibid.
[16] CISA, "Software Supply Chain Security," 2025.
[17] Flashpoint, "Navigating 2026's Converged Threats," 2026.