CRITICAL🇵🇱 Wersja polska

CVE-2026-28353

CVSS 10.0v4.0pub. 2026-03-05upd. 2026-04-28

Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities. In Trivy VSCode Extension version 1.8.12, which was distributed via OpenVSX marketplace was compromised and contained malicious code designed to leverage local AI coding agent to collect and exfiltrate sensitive information. Users using the affected artifact are advised to immediately remove it and rotate environment secrets. The malicious artifact has been removed from the marketplace. No other affected artifacts have been identified.

🤖 AI Analysis
How it works

Trivy extension version 1.8.12 was compromised and contained embedded malicious code (CWE-506: Embedded Malicious Code). The malicious code used a local AI agent to encode and collect and exfiltrate sensitive data, such as environment secrets, from the user's machine. The compromised package was available through the OpenVSX marketplace.

Impact

Attackers could gain access to sensitive information stored in the user environment, including secrets and credentials, and subsequently exfiltrate them to an external server.

Mitigation & patch

The compromised extension version 1.8.12 must be removed immediately. Additionally, immediate rotation of all environment secrets and credentials available on machines where the vulnerable version was installed is required. The malicious artifact has been removed from the OpenVSX marketplace. A secure version of the extension should be downloaded according to the manufacturer's references.

Who is affected

Trivy Vulnerability Scanner (VS Code extension) version 1.8.12 distributed by the OpenVSX marketplace

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References