Unauthorized AI Agent Execution Code Published to OpenVSX in Aqua Trivy VS Code Extension
Blog post from Socket
In February 2026, versions 1.8.12 and 1.8.13 of the Aqua Trivy VS Code extension were published with unauthorized code that was not present in the public GitHub repository, leading to an investigation by Socket and a GitHub security advisory. These versions contained injected logic that executed local AI coding assistants in highly permissive modes to conduct system inspections and potentially create a GitHub repository using the collected data, reflecting a broader AI-powered bot campaign targeting open-source projects. The malicious code was designed to operate covertly, triggering when a workspace was opened in VS Code, and attempted to exfiltrate sensitive data by framing the activity as a legitimate forensic investigation. Although no public repositories were found with the exfiltrated data, the incident highlighted a new form of AI-assisted supply chain abuse, where malicious behavior is embedded in developer tools and executed by AI agents with access to the developer’s environment. The affected versions were eventually removed from OpenVSX, and the incident underscores the need for vigilance and enhanced monitoring of extension behavior to prevent similar threats.
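A defender-side check for the two versions named above, as an added example that is not from Socket's post or the Trivy project: it reads each installed extension's `package.json` and reports any copy at 1.8.12 or 1.8.13. The page does not give the extension's ID, so the match on "trivy" in the manifest name and the list of per-user extension directories are assumptions.

```python
import json
from pathlib import Path

# Versions the page names as carrying the unauthorized code.
AFFECTED_VERSIONS = {"1.8.12", "1.8.13"}

# Assumption: the manifest's name or displayName contains "trivy".
# The exact extension ID is not given on the page.
NAME_HINT = "trivy"

# Assumption: default per-user extension directories of VS Code and
# two VS Code-compatible editors. Adjust for your environment.
DEFAULT_ROOTS = [
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".vscode-oss" / "extensions",
    Path.home() / ".cursor" / "extensions",
]


def find_affected(roots=DEFAULT_ROOTS):
    """Return (directory, name, version) for each installed match."""
    hits = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue  # editor not installed for this user
        for manifest in sorted(root.glob("*/package.json")):
            try:
                meta = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest
            if not isinstance(meta, dict):
                continue
            label = f"{meta.get('name', '')} {meta.get('displayName', '')}"
            version = str(meta.get("version", ""))
            if NAME_HINT in label.lower() and version in AFFECTED_VERSIONS:
                hits.append((str(manifest.parent), meta.get("name"), version))
    return hits


if __name__ == "__main__":
    found = find_affected()
    for directory, name, version in found:
        print(f"AFFECTED {name} {version} at {directory}")
    if not found:
        print("No affected versions found in the scanned directories.")
```

A hit shows only that an affected version is present on disk; an empty result does not show that one was never installed.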