From 6cdf9dd60252fc9d76a1c078938aa39617000d54 Mon Sep 17 00:00:00 2001 From: Arshi Chadha Date: Sun, 12 Apr 2026 14:27:07 -0700 Subject: [PATCH 1/2] ASI tracker: add CVE-2026-28353 Trivy VSCode Extension agentic supply chain compromise Adds the March 2026 Trivy VSCode Extension supply chain compromise to the Agentic Exploits & Incidents tracker. The incident is notable as a publicly documented in-the-wild case where an AI coding agent was weaponized as an autonomous exfiltration channel. CVSS 4.0 base score 10.0. Mapped to ASI01, ASI02, ASI04, and ASI05. --- .../ASI_Agentic_Exploits_Incidents.md | 1 + 1 file changed, 1 insertion(+) diff --git a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md index f59c55e5..dd1dafd2 100644 --- a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md +++ b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md @@ -19,6 +19,7 @@ response should be discussed with the **CTI initiative** responsible for publish | Date | Exploit / Incident | Impact Summary | ASI T&M Mapping | Links to further analysis
(Vendor / CVE / Discoverer) | |------------|------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|---------------------------| +|**Mar 2026**| **Trivy VSCode Extension Supply Chain Compromise (CVE-2026-28353)** | Malicious code distributed through the OpenVSX marketplace via a compromised Trivy VSCode extension leveraged a local AI coding agent to collect and exfiltrate sensitive developer information. CVSS 4.0 base score 10.0. Filed under CWE-506 (Embedded Malicious Code), a classification that omits the agentic exploit primitive — the weaponization of the AI coding assistant as an autonomous exfiltration channel. | • ASI01 (Agent Behaviour Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI05 (Unexpected Code Execution (RCE)) | • —
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-28353)
• — | |**Dec 2025**| **Claude Skills Ransomware Deployment** | Cato Networks demonstrated that Claude's "Skills" plugin feature could deploy MedusaLocker ransomware by downloading, modifying, and re-uploading Skills with malicious code that executes autonomously. | • ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI05 (Unexpected Code Execution (RCE)) | • —
• —
• [Cato CTRL](https://www.catonetworks.com/blog/cato-ctrl-weaponizing-claude-skills-with-medusalocker/) | |**Dec 2025**| **Google Antigravity AI Data Wipe** | AI-powered IDE misinterpreted a cache-clearing instruction and issued a system-level delete command with quiet flag, wiping a developer's entire D: drive without confirmation, causing irreversible data loss. | • ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [Reddit](https://www.reddit.com/r/google_antigravity/comments/1p82or6/google_antigravity_just_deleted_the_contents_of/)
• —
• — | |**Nov 2025**| **Cursorignore Bypass via New Cursorignore Write** | A logic flaw allows a malicious agent to read sensitive files protected by cursorignore by creating a new cursorignore file that invalidates existing configurations. | • ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-vhc2-fjv4-wqch)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-64110)
• — | From ac349740cbeefad12474780d41c7c5fb49b53396 Mon Sep 17 00:00:00 2001 From: Arshi Chadha Date: Sun, 12 Apr 2026 14:42:06 -0700 Subject: [PATCH 2/2] Fix date, add vendor/discoverer links, improve impact specificity - Date corrected from Mar 2026 to Feb 2026 (exposure window Feb 27-28) - Added Aqua Security vendor advisory (GHSA-8mr6-gf9x-j8qg) - Added Socket.dev analysis as discoverer link - Impact summary now names the five targeted AI CLIs (Claude, Codex, Gemini, Copilot, Kiro), the prompt injection mechanism, and the permissive-mode bypass of human-in-the-loop controls - Added affected versions (v1.8.12-1.8.13) and exposure window --- .../ASI_Agentic_Exploits_Incidents.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md index dd1dafd2..d49109b8 100644 --- a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md +++ b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md @@ -19,7 +19,7 @@ response should be discussed with the **CTI initiative** responsible for publish | Date | Exploit / Incident | Impact Summary | ASI T&M Mapping | Links to further analysis
(Vendor / CVE / Discoverer) | |------------|------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|---------------------------| -|**Mar 2026**| **Trivy VSCode Extension Supply Chain Compromise (CVE-2026-28353)** | Malicious code distributed through the OpenVSX marketplace via a compromised Trivy VSCode extension leveraged a local AI coding agent to collect and exfiltrate sensitive developer information. CVSS 4.0 base score 10.0. Filed under CWE-506 (Embedded Malicious Code), a classification that omits the agentic exploit primitive — the weaponization of the AI coding assistant as an autonomous exfiltration channel. | • ASI01 (Agent Behaviour Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI05 (Unexpected Code Execution (RCE)) | • —
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-28353)
• — | +|**Feb 2026**| **Trivy VSCode Extension Supply Chain Compromise (CVE-2026-28353)** | Compromised Trivy VSCode Extension (v1.8.12–1.8.13) distributed via OpenVSX marketplace injected a natural-language prompt targeting five locally installed AI coding assistants (Claude, Codex, Gemini, Copilot, Kiro), invoking each in its most permissive mode to bypass human-in-the-loop approval and exfiltrate environment secrets, credentials, and proprietary source code. CVSS 4.0 base score 10.0. Filed under CWE-506 (Embedded Malicious Code), a classification that captures the payload delivery but omits the agentic exploit primitive — the weaponization of AI coding assistants as autonomous exfiltration channels via prompt injection. Exposure window: Feb 27–28, 2026. | • ASI01 (Agent Behaviour Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI05 (Unexpected Code Execution (RCE)) | • [Aqua Security](https://github.com/aquasecurity/trivy-vscode-extension/security/advisories/GHSA-8mr6-gf9x-j8qg)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-28353)
• [Socket](https://socket.dev/blog/unauthorized-ai-agent-execution-code-published-to-openvsx-in-aqua-trivy-vs-code-extension) | |**Dec 2025**| **Claude Skills Ransomware Deployment** | Cato Networks demonstrated that Claude's "Skills" plugin feature could deploy MedusaLocker ransomware by downloading, modifying, and re-uploading Skills with malicious code that executes autonomously. | • ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI05 (Unexpected Code Execution (RCE)) | • —
• —
• [Cato CTRL](https://www.catonetworks.com/blog/cato-ctrl-weaponizing-claude-skills-with-medusalocker/) | |**Dec 2025**| **Google Antigravity AI Data Wipe** | AI-powered IDE misinterpreted a cache-clearing instruction and issued a system-level delete command with quiet flag, wiping a developer's entire D: drive without confirmation, causing irreversible data loss. | • ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [Reddit](https://www.reddit.com/r/google_antigravity/comments/1p82or6/google_antigravity_just_deleted_the_contents_of/)
• —
• — | |**Nov 2025**| **Cursorignore Bypass via New Cursorignore Write** | A logic flaw allows a malicious agent to read sensitive files protected by cursorignore by creating a new cursorignore file that invalidates existing configurations. | • ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-vhc2-fjv4-wqch)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-64110)
• — |
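Review bot: the hunk at `@@ -19,6 +19,7 @@` in PATCH 1/2 maps the new Mar 2026 Trivy row to ASI05 (Unexpected Code Execution (RCE)), but nothing in that row's Impact Summary describes code execution; the cell only says the extension "leveraged a local AI coding agent to collect and exfiltrate sensitive developer information". Either state what actually executed (the extension's payload, the agent invocation) in the summary or drop ASI05 until the text supports it. The Vendor and Discoverer link cells are left as "• —" placeholders while the same cell asserts "CVSS 4.0 base score 10.0" and a CWE-506 classification that only the NVD link backs, and the sentence that CWE-506 "omits the agentic exploit primitive" is analysis rather than impact. Keep the Impact Summary to observed effect and move the classification critique next to the analysis links so the column stays scannable.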
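Review bot: in the replacement Feb 2026 row of the `@@ -19,7 +19,7 @@` hunk in PATCH 2/2, "invoking each in its most permissive mode to bypass human-in-the-loop approval" overstates the mechanism the cell itself describes: the extension invoked the assistants in a permissive mode, i.e. it selected a mode with approval prompts off rather than defeating a control. Suggest "with human-in-the-loop approval disabled" so the tracker does not claim a bypass the linked Aqua Security and Socket pages would need to confirm. The row now also packs the affected versions ("v1.8.12–1.8.13"), the exposure window ("Feb 27–28, 2026") and the retained CWE-506 critique into the Impact Summary, which makes that cell several times longer than any other row in the table; consider keeping the version range in the Exploit / Incident cell alongside the CVE already there and trimming the CWE sentence to a single clause. The date correction to Feb 2026 and the filled Vendor and Discoverer links resolve the placeholders from the first patch.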