
# ASI Tracker: Add CVE-2026-28353 - Trivy VSCode Extension Agentic Supply Chain Compromise #824

Open
arshi016 wants to merge 2 commits into OWASP:main from arshi016:asi-tracker-add-cve-2026-28353

Conversation

@arshi016

ASI Tracker: Add CVE-2026-28353 - Trivy VSCode Extension Agentic Supply Chain Compromise

Key Changes:

  • Adds one new entry to the ASI Agentic Exploits & Incidents Tracker

Summary

Adds the March 2026 Trivy VSCode Extension supply chain compromise (CVE-2026-28353, CVSS 4.0 base score 10.0) to the Agentic Exploits & Incidents tracker.

Why this incident belongs in the tracker

This is a publicly documented, in-the-wild incident where an AI coding agent was weaponized as an autonomous exfiltration channel, not just a traditional supply chain compromise that happened to involve an AI-adjacent tool. The NVD description explicitly states the malicious code was "designed to leverage local AI coding agent to collect and exfiltrate sensitive information."

The incident was filed under CWE-506 (Embedded Malicious Code), a classification that captures the payload delivery but omits the agentic exploit primitive: specifically, that the AI coding assistant's legitimate capabilities (file access, code analysis, context gathering) were repurposed as the exfiltration mechanism. This misclassification pattern is relevant to the ASI initiative's goal of distinguishing agentic threats from traditional LLM classifications.

ASI mapping rationale

  • ASI01 (Agent Behaviour Hijack): the coding agent's goals were hijacked to serve as an exfiltration channel
  • ASI02 (Tool Misuse & Exploitation): the agent's legitimate file-access and code-analysis tools were misused for data collection
  • ASI04 (Agentic Supply Chain Vulnerabilities): supply chain compromise via marketplace extension distribution
  • ASI05 (Unexpected Code Execution (RCE)): the payload achieved code execution on developer workstations

Scope

  • One new row added at the top of the tracker table (most recent entry).
  • No other changes.

… chain compromise

Adds the March 2026 Trivy VSCode Extension supply chain compromise to
the Agentic Exploits & Incidents tracker. The incident is notable as a
publicly documented in-the-wild case where an AI coding agent was
weaponized as an autonomous exfiltration channel. CVSS 4.0 base score
10.0. Mapped to ASI01, ASI02, ASI04, and ASI05.
- Date corrected from Mar 2026 to Feb 2026 (exposure window Feb 27-28)
- Added Aqua Security vendor advisory (GHSA-8mr6-gf9x-j8qg)
- Added Socket.dev analysis as discoverer link
- Impact summary now names the five targeted AI CLIs (Claude, Codex,
  Gemini, Copilot, Kiro), the prompt injection mechanism, and the
  permissive-mode bypass of human-in-the-loop controls
- Added affected versions (v1.8.12-1.8.13) and exposure window