diff --git a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md
index f59c55e5..d49109b8 100644
--- a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md
+++ b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md
@@ -19,6 +19,7 @@ response should be discussed with the **CTI initiative** responsible for publish
| Date | Exploit / Incident | Impact Summary | ASI T&M Mapping | Links to further analysis
(Vendor / CVE / Discoverer) |
|------------|------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|---------------------------|
+|**Feb 2026**| **Trivy VSCode Extension Supply Chain Compromise (CVE-2026-28353)** | Compromised Trivy VSCode Extension (v1.8.12–1.8.13) distributed via OpenVSX marketplace injected a natural-language prompt targeting five locally installed AI coding assistants (Claude, Codex, Gemini, Copilot, Kiro), invoking each in its most permissive mode to bypass human-in-the-loop approval and exfiltrate environment secrets, credentials, and proprietary source code. CVSS 4.0 base score 10.0. Filed under CWE-506 (Embedded Malicious Code), a classification that captures the payload delivery but omits the agentic exploit primitive — the weaponization of AI coding assistants as autonomous exfiltration channels via prompt injection. Exposure window: Feb 27–28, 2026. | • ASI01 (Agent Behaviour Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI05 (Unexpected Code Execution (RCE)) | • [Aqua Security](https://github.com/aquasecurity/trivy-vscode-extension/security/advisories/GHSA-8mr6-gf9x-j8qg)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-28353)
• [Socket](https://socket.dev/blog/unauthorized-ai-agent-execution-code-published-to-openvsx-in-aqua-trivy-vs-code-extension) |
|**Dec 2025**| **Claude Skills Ransomware Deployment** | Cato Networks demonstrated that Claude's "Skills" plugin feature could deploy MedusaLocker ransomware by downloading, modifying, and re-uploading Skills with malicious code that executes autonomously. | • ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI05 (Unexpected Code Execution (RCE)) | • —
• —
• [Cato CTRL](https://www.catonetworks.com/blog/cato-ctrl-weaponizing-claude-skills-with-medusalocker/) |
|**Dec 2025**| **Google Antigravity AI Data Wipe** | AI-powered IDE misinterpreted a cache-clearing instruction and issued a system-level delete command with quiet flag, wiping a developer's entire D: drive without confirmation, causing irreversible data loss. | • ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [Reddit](https://www.reddit.com/r/google_antigravity/comments/1p82or6/google_antigravity_just_deleted_the_contents_of/)
• —
• — |
|**Nov 2025**| **Cursorignore Bypass via New Cursorignore Write** | A logic flaw allows a malicious agent to read sensitive files protected by cursorignore by creating a new cursorignore file that invalidates existing configurations. | • ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-vhc2-fjv4-wqch)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-64110)
• — |
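Review bot: the Impact Summary cell of the added Feb 2026 row mixes impact with commentary on the CWE-506 filing ("a classification that captures the payload delivery but omits the agentic exploit primitive"), which is analysis rather than impact and makes the cell several times longer than the Dec 2025 and Nov 2025 rows below it. Suggest limiting the summary to affected versions, distribution channel, observed behaviour and exposure window, and moving the CWE remark to a footnote or leaving it to the linked analysis. The "CVSS 4.0 base score 10.0" statement should also name which source assigned the score (the vendor advisory or NVD), since both are linked in the last column and the two can differ. The ASI mapping bullets and the Vendor / CVE / Discoverer link order are consistent with the existing rows.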