Malicious Aqua Trivy VS Code Extension Published to OpenVSX After GitHub Token Compromise
Threat actors inserted unauthorized code into the Aqua Trivy VS Code extension distributed via the OpenVSX registry, with the tampered builds appearing as versions 1.8.12 and 1.8.13 under the aquasecurityofficial.trivy-vulnerability-scanner namespace. Reporting indicates the malicious code was not present in the public GitHub repository (versions up to 1.8.11 matched), and the injected logic was designed to weaponize locally installed AI coding assistants—invoking tools such as Claude, Codex, Gemini, GitHub Copilot CLI, and Kiro CLI with permissive options—to perform host reconnaissance and collect data while running detached in the background and suppressing output to avoid user visibility.
Researchers tied the extension tampering to a broader automated campaign targeting GitHub Actions workflows, where insecure CI/CD configurations and overprivileged tokens can enable repository takeover and downstream supply-chain abuse. Socket.dev flagged the suspicious OpenVSX extension behavior, while StepSecurity documented that the wider bot-driven GitHub Actions activity led to theft of a personal access token (PAT) and subsequent takeover of Aqua’s Trivy GitHub repository—providing the access needed to publish the modified extension. Separate reporting on the hackerbot-claw campaign described autonomous exploitation of misconfigured pull_request_target workflows to achieve runner RCE and exfiltrate write-capable GITHUB_TOKENs, reinforcing the same core risk: CI/CD token exposure and workflow misconfigurations can rapidly translate into codebase control and malicious artifact distribution.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Reports expand Chaos Agent targets to Microsoft and Datadog repositories
Reporting published on 2026-03-14 said the GitHub Actions campaign tracked as 'Chaos Agent' targeted repositories associated with Microsoft and Datadog in addition to Aqua Security. This broadened the known scope of victims beyond the previously documented Aqua and avelino/awesome-go compromises.
GitHub suspends the hackerbot-claw account
The GitHub account used by the autonomous campaign, hackerbot-claw, was ultimately suspended. The reporting notes that the suspension did not address the broader underlying risk from widespread insecure workflow configurations.
Malicious Trivy versions removed and publishing token revoked
After disclosure on February 28, 2026, the malicious Trivy extension versions were removed from OpenVSX. Aqua also revoked the publishing token associated with the compromised extension release process.
Socket identifies malicious Trivy extension and alerts Aqua
Socket Security detected the unauthorized code in the OpenVSX Trivy extension shortly after the malicious releases and notified Aqua Security. The discovery linked the extension compromise to a broader campaign affecting GitHub Actions workflows.
Token theft enables takeover of Aqua's Trivy GitHub repository
According to StepSecurity's findings cited in the reporting, stolen tokens were used to compromise Aqua's Trivy GitHub repository. That access was then used to facilitate publication of the malicious OpenVSX extension versions.
Avelino/awesome-go repository compromised via 'Pwn Request' pattern
One confirmed incident in the campaign targeted avelino/awesome-go, where attacker-controlled code was executed through pull_request_target with target-repository privileges. This enabled theft of privileged tokens and subsequent compromise actions in the repository.
hackerbot-claw exploits insecure GitHub Actions workflows
In February 2026, the autonomous bot "hackerbot-claw" exploited insecure GitHub Actions configurations, especially pull_request_target misuse and unsanitized inputs, to gain code execution on GitHub-hosted runners across multiple repositories. The campaign exfiltrated tokens and used them for follow-on actions such as pushing commits, deleting releases, and modifying workflows.
Malicious Trivy extension versions uploaded to OpenVSX
Threat actors published tampered Aqua Trivy VS Code extension versions 1.8.12 and 1.8.13 to the OpenVSX registry on February 27-28, 2026. The builds contained unauthorized code absent from the public GitHub repository and were designed to abuse local AI coding assistants for reconnaissance and possible exfiltration.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Five Malicious Rust Crates and AI Bot Exploit CI/CD Pipelines to Steal Developer SecretsThe Hacker Newsinfo@thehackernews.com (The Hacker News) - Tech Jacks Solutions
techjacksolutions.com
Open sourceThreat Actors Exploit OpenVSX Aqua Trivy with Malicious AI Prompts to Hijack Local Coding Tools
cybersecuritynews.com
Open sourceCyberattackers Exploit OpenVSX Aqua Trivy with Malicious AI Prompts to Hijack Coding Tools
gbhackers.com
Open sourcehackerbot-claw: GitHub Actions pull_request_target RCE - Upwind
upwind.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
TeamPCP Compromised Trivy and Turned CI/CD Pipelines Into Credential Theft Channels
A supply-chain attack against Aqua Security’s **Trivy** ecosystem let attackers publish malicious artifacts and hijack GitHub Action tags, turning a widely used security scanner into a credential stealer. Reporting indicates the intrusion began with abuse of a misconfigured GitHub Actions workflow and theft of privileged credentials, followed by incomplete containment that left residual access in place. Attackers then poisoned **`aquasecurity/trivy-action`** by force-updating 75 of 76 tags, compromised **`setup-trivy`**, and published a backdoored **Trivy `v0.69.4`** release; later activity also pushed malicious Docker Hub images **`0.69.5`** and **`0.69.6`**. The malware harvested GitHub tokens, cloud credentials, SSH keys, Kubernetes secrets, Docker configs, and other CI/CD data from runners and developer environments, encrypted the loot, and exfiltrated it to attacker-controlled infrastructure or fallback GitHub repositories such as **`tpcp-docs`**. Researchers and vendor advisories linked the campaign to **TeamPCP** and described it as an expanding, multi-stage operation that also included a brief OpenVSX compromise of the Trivy VS Code extension, defacement of **44** repositories in Aqua Security’s internal **`aquasec-com`** GitHub organization, and follow-on compromises affecting Checkmarx tooling and the **LiteLLM** PyPI package. Aqua removed malicious artifacts, revoked tokens, restored safe references, and said commercial products were not affected, while GitHub and public advisories identified safe versions including **Trivy `0.69.2`/`0.69.3`**, **`trivy-action` `0.35.0`**, and **`setup-trivy` `0.2.6`**. U.S. CISA added **`CVE-2026-33634`** to the KEV catalog, and incident responders warned organizations that ran affected versions to assume full pipeline compromise, rotate all accessible secrets, audit workflow logs and GitHub activity, and pin GitHub Actions to immutable commit SHAs.
May 6, 2026
TigerJack Malicious VSCode and OpenVSX Extensions Steal Code and Mine Cryptocurrency
Security researchers have uncovered a coordinated campaign by the threat actor group TigerJack, which targets developers by publishing malicious extensions on both Microsoft's Visual Studio Code (VSCode) Marketplace and the OpenVSX registry. The campaign involves at least 11 different extensions distributed across multiple publisher accounts, with some extensions accumulating over 17,000 downloads before being removed from the official VSCode Marketplace. Despite removal from Microsoft's platform, these extensions remain active and available on the OpenVSX marketplace, which is used by alternative VSCode-compatible editors such as Cursor and Windsurf. The malicious extensions serve various purposes, including exfiltrating developers' source code, mining cryptocurrency using the host's resources, and maintaining persistent remote access. For example, the 'C++ Playground' extension registers a listener to capture and exfiltrate C++ source code in near real-time, while the 'HTTP Format' extension secretly runs a CoinIMP cryptominer in the background, consuming the host's processing power without restrictions. Some variants of the extensions are capable of fetching and executing remote JavaScript code, allowing TigerJack to dynamically update their payloads and potentially deploy additional threats such as credential stealers, ransomware, or API-harvesting scripts. The campaign demonstrates a high level of persistence, with TigerJack repeatedly re-uploading the same malicious code under new names and accounts after takedowns. The extensions are designed to appear as legitimate developer tools, increasing the likelihood of installation by unsuspecting users. The use of OpenVSX as a distribution channel poses a significant risk, as it is less regulated than Microsoft's marketplace and serves as the default for several popular IDEs. Researchers from Koi Security have been actively tracking the campaign and have highlighted the ongoing threat posed by these extensions, especially given their ability to maintain remote control and adapt their functionality without requiring updates. The campaign underscores the risks associated with third-party extension marketplaces and the importance of vetting and monitoring developer tools for malicious behavior. The technical sophistication of the extensions, particularly their ability to execute remote code and evade detection, raises concerns about long-term supply chain compromise within the developer ecosystem. Organizations and individual developers are advised to review installed extensions, monitor for suspicious activity, and prioritize security hygiene when sourcing tools from community-driven marketplaces. The continued presence of these extensions on OpenVSX, despite removal from the official VSCode Marketplace, highlights the challenges in fully eradicating such threats from the software supply chain. Security experts warn that the campaign is ongoing, with TigerJack actively seeking new ways to distribute their malicious payloads and compromise developer environments.
Mar 21, 2026
Open VSX Registry Supply-Chain Attack Spreads GlassWorm via Compromised VSCode Extensions
A supply-chain compromise of the **Open VSX Registry** led to malicious updates being pushed to legitimate Visual Studio Code extensions after attackers gained access to a developer’s publishing credentials (likely via a leaked token or other unauthorized access). Reporting indicates four established extensions from the `oorzc` publisher were trojanized and distributed via Open VSX before being removed, with prior legitimate adoption measured in the tens of thousands of downloads and subsequent exposure affecting downstream developer environments. The injected payload delivered the **GlassWorm** malware/loader, which executes via obfuscated JavaScript embedded in the extension and includes environment checks (notably avoiding execution on **Russian-locale** systems). Technical details describe a multi-stage loader with capabilities aligned to credential and data theft, including macOS credential and cryptocurrency wallet targeting, and use of techniques such as **EtherHiding** to retrieve command-and-control infrastructure dynamically; defenders are advised to identify and remove affected extension versions and review developer endpoints for signs of compromise and credential/token leakage.
Mar 21, 2026