Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities. In Trivy VSCode Extension version 1.8.12, which was distributed via OpenVSX marketplace was compromised and contained malicious code designed to leverage local AI coding agent to collect and exfiltrate sensitive information. Users using the affected artifact are advised to immediately remove it and rotate environment secrets. The malicious artifact has been removed from the marketplace. No other affected artifacts have been identified.
Trivy extension version 1.8.12 was compromised and contained embedded malicious code (CWE-506: Embedded Malicious Code). The malicious code used a local AI agent to encode and collect and exfiltrate sensitive data, such as environment secrets, from the user's machine. The compromised package was available through the OpenVSX marketplace.
Attackers could gain access to sensitive information stored in the user environment, including secrets and credentials, and subsequently exfiltrate them to an external server.
The compromised extension version 1.8.12 must be removed immediately. Additionally, immediate rotation of all environment secrets and credentials available on machines where the vulnerable version was installed is required. The malicious artifact has been removed from the OpenVSX marketplace. A secure version of the extension should be downloaded according to the manufacturer's references.
Trivy Vulnerability Scanner (VS Code extension) version 1.8.12 distributed by the OpenVSX marketplace
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X