CVE-2026-28353 identifies a critical supply chain compromise in the Trivy Vulnerability Scanner VS Code extension version 1.8.12, published by Aqua Security and distributed via the OpenVSX marketplace. The extension was found to contain embedded malicious code that leverages a local AI coding agent integrated within the developer environment to stealthily collect and exfiltrate sensitive information, including environment secrets and potentially other confidential data accessible to the extension. This malicious payload operates without requiring any user interaction, elevated privileges, or authentication, making it trivially exploitable by simply installing or updating to the affected version. The vulnerability is classified under CWE-506, which pertains to embedded malicious code, highlighting the supply chain attack vector. The compromised artifact has been removed from the marketplace, and no other versions or related artifacts have been identified as affected. The CVSS v4.0 score of 10.0 reflects the critical nature of this vulnerability, with network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. This incident underscores the risks of supply chain attacks in developer tooling, especially those integrating AI capabilities that may have broad access to code and environment data.

The impact of CVE-2026-28353 is severe for organizations worldwide, particularly those relying on the Trivy VS Code extension for vulnerability scanning in their software development lifecycle. The embedded malicious code can lead to the exfiltration of sensitive environment secrets, credentials, and potentially proprietary source code, resulting in significant confidentiality breaches. Integrity and availability of the development environment may also be compromised if the malicious code alters or disrupts normal extension functionality. The attack requires no user interaction or elevated privileges, increasing the risk of widespread exploitation. Organizations could face intellectual property theft, unauthorized access to internal systems, and subsequent lateral movement within networks. This vulnerability also damages trust in supply chain security for developer tools, potentially impacting broader software supply chains. The absence of known exploits in the wild currently limits immediate widespread damage, but the critical severity demands urgent remediation to prevent future exploitation.

To mitigate CVE-2026-28353, organizations should immediately uninstall the Trivy VS Code extension version 1.8.12 and verify that no other versions or related artifacts are installed. Users must rotate all environment secrets, API keys, and credentials that may have been exposed through the compromised extension to prevent unauthorized access. Implement strict code signing and integrity verification for all third-party extensions and dependencies before installation. Employ runtime monitoring and anomaly detection for unusual outbound network traffic from developer environments to detect potential data exfiltration. Restrict the use of AI coding agents or extensions with broad environment access unless they come from fully trusted sources and have undergone thorough security review. Educate developers on supply chain risks and encourage the use of isolated or sandboxed environments for testing new tools. Maintain up-to-date inventories of all development tools and extensions to quickly identify and respond to compromised components. Finally, monitor official vendor channels and security advisories for patches or updates addressing this vulnerability.