Expand Up @@ -19,6 +19,7 @@ response should be discussed with the **CTI initiative** responsible for publish

| Date | Exploit / Incident | Impact Summary | ASI T&M Mapping | Links to further analysis<br>(Vendor / CVE / Discoverer) |
|------------|------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|---------------------------|
|**Feb 2026**| **Trivy VSCode Extension Supply Chain Compromise (CVE-2026-28353)** | Compromised Trivy VSCode Extension (v1.8.12–1.8.13) distributed via OpenVSX marketplace injected a natural-language prompt targeting five locally installed AI coding assistants (Claude, Codex, Gemini, Copilot, Kiro), invoking each in its most permissive mode to bypass human-in-the-loop approval and exfiltrate environment secrets, credentials, and proprietary source code. CVSS 4.0 base score 10.0. Filed under CWE-506 (Embedded Malicious Code), a classification that captures the payload delivery but omits the agentic exploit primitive — the weaponization of AI coding assistants as autonomous exfiltration channels via prompt injection. Exposure window: Feb 27–28, 2026. | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation)<br> • ASI04 (Agentic Supply Chain Vulnerabilities)<br> • ASI05 (Unexpected Code Execution (RCE)) | • [Aqua Security](https://github.com/aquasecurity/trivy-vscode-extension/security/advisories/GHSA-8mr6-gf9x-j8qg)<br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-28353)<br> • [Socket](https://socket.dev/blog/unauthorized-ai-agent-execution-code-published-to-openvsx-in-aqua-trivy-vs-code-extension) |
|**Dec 2025**| **Claude Skills Ransomware Deployment** | Cato Networks demonstrated that Claude's "Skills" plugin feature could deploy MedusaLocker ransomware by downloading, modifying, and re-uploading Skills with malicious code that executes autonomously. | • ASI04 (Agentic Supply Chain Vulnerabilities)<br> • ASI05 (Unexpected Code Execution (RCE)) | • —<br> • —<br> • [Cato CTRL](https://www.catonetworks.com/blog/cato-ctrl-weaponizing-claude-skills-with-medusalocker/) |
|**Dec 2025**| **Google Antigravity AI Data Wipe** | AI-powered IDE misinterpreted a cache-clearing instruction and issued a system-level delete command with quiet flag, wiping a developer's entire D: drive without confirmation, causing irreversible data loss. | • ASI02 (Tool Misuse & Exploitation)<br> • ASI05 (Unexpected Code Execution (RCE)) | • [Reddit](https://www.reddit.com/r/google_antigravity/comments/1p82or6/google_antigravity_just_deleted_the_contents_of/)<br> • —<br> • — |
|**Nov 2025**| **Cursorignore Bypass via New Cursorignore Write** | A logic flaw allows a malicious agent to read sensitive files protected by cursorignore by creating a new cursorignore file that invalidates existing configurations. | • ASI02 (Tool Misuse & Exploitation)<br> • ASI05 (Unexpected Code Execution (RCE)) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-vhc2-fjv4-wqch)<br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-64110)<br> • — |
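Review bot: the new Feb 2026 Trivy row mixes the incident record with the contributors' own assessment of the CWE assignment ("a classification that captures the payload delivery but omits the agentic exploit primitive"), which no other row in this table does; keep the Impact Summary cell to what happened (compromised versions, distribution channel, the prompt injection against the five assistants, the secrets and source code at risk, the CVSS 4.0 score and the Feb 27–28 exposure window) and move the CWE-506 critique into the ASI T&M Mapping column or a footnote, since the argument that ASI01 and ASI04 cover what CWE-506 does not is a mapping rationale, not an impact statement. Two smaller points in the same row: the Links column correctly follows the Vendor / CVE / Discoverer order used by the header (Aqua Security advisory, NVD entry, Socket write-up), but the cell is long enough that a reader scanning the table will miss the versions and exposure window; consider leading the summary with "Affected: v1.8.12–1.8.13 via OpenVSX, Feb 27–28, 2026" so the scoping facts are the first thing in the cell.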