Trivy Vulnerability Scanner OpenVSX Extension Malicious Code Injection Vulnerability

Vulnerability

A vulnerability has been identified in the Trivy Vulnerability Scanner VS Code extension, specifically in version 1.8.12 as distributed through the OpenVSX marketplace. This version was compromised and included malicious code intended to exploit the local AI coding agent in order to collect and exfiltrate sensitive information. Users of the affected version should remove it immediately and rotate their environment secrets. The malicious extension has been removed from the marketplace, and no other affected versions have been found.

Impact

The compromised version allows the unauthorized collection and exfiltration of sensitive information by leveraging the local AI coding agent.

Remediation

Users are advised to remove the affected version (1.8.12) of the Trivy Vulnerability Scanner VS Code extension and rotate their environment secrets.
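The following script is an added defender-side check and is not part of this advisory or of the Trivy project. It flags any installed extension whose identifier contains "trivy" at the affected version 1.8.12, either by parsing the output of `code --list-extensions --show-versions` (one `publisher.name@version` per line) or by reading `package.json` files under an extensions directory. The CLI names (`code`, `codium`), the default extension directories, and matching on "trivy" in the identifier are assumptions, since the advisory does not give the publisher ID; the sample listing is constructed. The script only reports; uninstalling and rotating secrets remain manual steps.

```python
"""Check installed editor extensions for the compromised Trivy build (added example)."""
import json
import re
import shutil
import subprocess
from pathlib import Path

AFFECTED_VERSION = "1.8.12"  # the version named in the advisory
# Assumption: the extension identifier contains 'trivy'. The advisory gives no
# publisher ID, so the check matches on the name instead of hard-coding one.
NAME_PATTERN = re.compile(r"trivy", re.IGNORECASE)

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_LISTING = """\
ms-python.python@2024.0.1
example-publisher.trivy-vulnerability-scanner@1.8.12
redhat.vscode-yaml@1.14.0
"""


def parse_listing(listing):
    """Split 'publisher.name@version' lines into (identifier, version) pairs."""
    pairs = []
    for line in listing.splitlines():
        line = line.strip()
        if "@" not in line:
            continue
        ident, _, version = line.rpartition("@")
        pairs.append((ident, version))
    return pairs


def affected_from_listing(listing, affected_version=AFFECTED_VERSION):
    """Return (identifier, version) pairs that match the affected Trivy build."""
    return [
        (ident, version)
        for ident, version in parse_listing(listing)
        if NAME_PATTERN.search(ident) and version == affected_version
    ]


def affected_from_metadata(packages, affected_version=AFFECTED_VERSION):
    """packages: iterable of (location, package.json dict). Returns affected (id, location)."""
    hits = []
    for location, meta in packages:
        ident = f"{meta.get('publisher', '')}.{meta.get('name', '')}"
        if NAME_PATTERN.search(ident) and meta.get("version") == affected_version:
            hits.append((ident, str(location)))
    return hits


def load_extension_dir(ext_dir):
    """Yield (directory, metadata) for every <ext_dir>/*/package.json, skipping bad files."""
    for pkg in Path(ext_dir).glob("*/package.json"):
        try:
            yield pkg.parent, json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue


def main():
    hits = []
    # Assumption: the editor CLI is `code` (VS Code) or `codium` (VSCodium).
    for cli in ("code", "codium"):
        exe = shutil.which(cli)
        if not exe:
            continue
        out = subprocess.run([exe, "--list-extensions", "--show-versions"],
                             capture_output=True, text=True, check=False).stdout
        hits += [(ident, version, cli) for ident, version in affected_from_listing(out)]
    # Assumption: default extension directories for VS Code and VSCodium.
    for ext_dir in (Path.home() / ".vscode" / "extensions",
                    Path.home() / ".vscode-oss" / "extensions"):
        if ext_dir.is_dir():
            hits += [(ident, AFFECTED_VERSION, loc)
                     for ident, loc in affected_from_metadata(load_extension_dir(ext_dir))]
    if not hits:
        print(f"No installed extension matches the affected Trivy build {AFFECTED_VERSION}")
        return 0
    for ident, version, where in hits:
        print(f"AFFECTED: {ident}@{version} ({where})")
        print(f"  remove with: code --uninstall-extension {ident}")
    print("Then rotate every secret that was reachable from this environment.")
    return 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it on each developer machine and CI runner where the extension may have been installed; a non-zero exit means at least one affected copy was found. Because the malicious build targeted the local AI coding agent, treat any credential the agent could read (environment variables, cloud CLI tokens, SSH keys) as exposed and rotate it regardless of whether the scan finds a current install, since the extension may already have been removed or updated.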

Added: Mar 5, 2026, 8:18 PM
Updated: Mar 5, 2026, 8:18 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 0.8
exploitability: 3.8
remediation: 0.0
relevance: 3.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.