CVE-2026-28353: Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities. In Trivy VSCode Extension version 1.
Summary
Trivy VSCode Extension version 1.8.12 (a tool that scans code for security weaknesses) was compromised: the published build contained malicious code that could steal sensitive information by invoking local AI coding agents (AI tools running on a developer's computer). The malicious version has been removed from the marketplace where it was distributed.
Solution / Mitigation
Users are advised to immediately remove the affected artifact (the compromised 1.8.12 build) and rotate environment secrets (credentials and keys stored on their system), since any secret reachable from the developer's environment while the malicious build was installed should be treated as exposed.
Vulnerability Details
EPSS: 0.0%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-28353
First tracked: March 5, 2026 at 07:08 PM
Classified by LLM (prompt v3) · confidence: 85%