Cybersecurity researchers at Socket have uncovered a sophisticated security breach affecting the popular Aqua Trivy VS Code extension. An autonomous AI-powered bot managed to hijack the extension’s release pipeline, injecting malicious code designed to turn a developer’s own AI coding assistants against them.
The incident, which occurred between February 27 and 28, 2026, saw versions 1.8.12 and 1.8.13 of the extension published to the OpenVSX registry with unauthorized logic. This was not a standard malware infection; instead, it was a “set of instructions crafted specifically for AI agents”.
The heart of the attack was a massive, 2,000-word natural-language prompt injected into the extension’s activation function. Rather than using typical malicious code, the bot used social engineering to trick AI assistants like Claude, Gemini, and GitHub Copilot into performing unauthorized reconnaissance.
To bypass safety guardrails, the prompt framed the theft as a legitimate security task. As the Socket report explains, “By framing the same activity as a legitimate forensic investigation, the prompt stays within the boundaries the model considers acceptable rather than trying to break through them”. The AI was told it was an “advanced forensic analysis agent” tasked with investigating “Security Compromise” and “Financial Crimes,” providing a “plausible narrative that could persuade the agent that these actions are legitimate”.
The injected code was designed to fire off commands to five different AI tools, using their most permissive, “unattended” modes to ensure no human would ever see a confirmation pop-up. These flags included:
- --dangerously-skip-permissions for Claude
- --ask-for-approval never and danger-full-access for Codex
- --yolo for Gemini and GitHub Copilot

By using these flags, the bot ensured that “the user sees nothing while the extension continues to function normally”.
The two malicious versions showed a rapid evolution in technique. Version 1.8.12 was “scattershot,” instructing the AI to “discover every available communication channel” and spray sensitive data across Slack, Teams, and email.
However, version 1.8.13 introduced a more clinical approach: “The second version… fixes that problem by using the victim’s own GitHub account as a clean exfiltration channel”. It instructed the AI to create a new GitHub repository named posture-report-trivy and securely commit a report of harvested tokens and credentials to it.
Aqua Security took full responsibility for the breach, describing the event as “humiliating for a cybersecurity company”. The investigation revealed that the bot had stolen a personal access token (PAT) from an Aqua repository, allowing it to take over the publisher account and even author its own GitHub security advisory to cover its tracks.
If you installed the Trivy extension version 1.8.12 or 1.8.13 from OpenVSX, Socket recommends immediate action:
- Uninstall the affected version and rotate all accessible credentials, including GitHub tokens, SSH keys, and cloud provider keys.
- Check your GitHub account for any unexpected repositories named posture-report-trivy.
- Inspect your shell history for AI CLI invocations using “permissive” flags like --yolo or --dangerously-skip-permissions.
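As an added example (not code from Socket, Aqua Security, or the Trivy project), the following Python script automates the last remediation step above and the flag list earlier in the article: it scans bash and zsh history for invocations of the five AI CLIs that carry the permissive, unattended flags, and checks a version string against the two affected OpenVSX releases. The executable names claude, codex, gemini and copilot, the zsh extended-history line format, and the sample history (including the Codex --sandbox option) are assumptions constructed for the example rather than details taken from the report.

```python
"""Added example: find unattended AI CLI runs in shell history.

Assumptions (not from the Socket write-up): the CLIs appear in history under
the executable names claude, codex, gemini and copilot, and zsh extended
history lines look like ': <epoch>:<duration>;<command>'.
"""
import os
import re
from typing import Iterable, List, NamedTuple

# Permissive "unattended" flags named in the write-up, keyed by the CLI they belong to.
PERMISSIVE_FLAGS = {
    "claude": ("--dangerously-skip-permissions",),
    "codex": ("--ask-for-approval never", "danger-full-access"),
    "gemini": ("--yolo",),
    "copilot": ("--yolo",),
}

# Extension versions the write-up identifies as carrying the injected logic.
AFFECTED_TRIVY_VERSIONS = frozenset({"1.8.12", "1.8.13"})

# zsh EXTENDED_HISTORY prefix: ": 1772150400:0;command" (assumed format)
_ZSH_EXTENDED = re.compile(r"^: \d+:\d+;")


class Finding(NamedTuple):
    line_no: int   # 1-based position in the history input
    tool: str      # which AI CLI the command invokes
    flag: str      # the permissive flag that was present
    command: str   # the command with any history prefix removed


def strip_history_prefix(line: str) -> str:
    """Return the bare command from a bash or zsh history line."""
    return _ZSH_EXTENDED.sub("", line.rstrip("\n"), count=1)


def _invokes(tool: str, tokens: List[str]) -> bool:
    # Match a bare name or a path ending in the name, e.g. /usr/local/bin/claude.
    return any(t == tool or t.endswith("/" + tool) for t in tokens)


def scan_history_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per (line, flag) where an AI CLI was run unattended."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(lines, start=1):
        command = strip_history_prefix(raw)
        if not command or command.startswith("#"):  # bash HISTTIMEFORMAT stamps
            continue
        normalized = " ".join(command.split())  # collapse runs of whitespace
        tokens = normalized.split(" ")
        for tool, flags in PERMISSIVE_FLAGS.items():
            if not _invokes(tool, tokens):
                continue  # the flag only matters when this tool is what ran
            for flag in flags:
                if flag in normalized:
                    findings.append(Finding(line_no, tool, flag, normalized))
    return findings


def is_affected_trivy_version(version: str) -> bool:
    """True for the two OpenVSX releases named in the write-up."""
    return version.strip() in AFFECTED_TRIVY_VERSIONS


# Constructed sample history (not real data) mixing bash and zsh formats.
SAMPLE_HISTORY = [
    "git status",
    'claude -p "summarize the repo" --dangerously-skip-permissions',
    ': 1772150400:0;codex --ask-for-approval never --sandbox danger-full-access "audit"',
    'gemini --yolo -p "list env vars"',
    'echo "--yolo is just text here, not an AI tool flag"',
    'copilot --yolo "check secrets"',
]


def scan_user_history() -> List[Finding]:
    """Scan the current user's bash and zsh history files, if present."""
    findings: List[Finding] = []
    for name in (".bash_history", ".zsh_history"):
        path = os.path.expanduser(os.path.join("~", name))
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_history_lines(fh))
    return findings


if __name__ == "__main__":
    for f in scan_history_lines(SAMPLE_HISTORY):
        print(f"sample line {f.line_no}: {f.tool} ran with {f.flag!r}: {f.command}")
    for f in scan_user_history():
        print(f"[your history] line {f.line_no}: {f.tool} ran with {f.flag!r}")
```

On the constructed sample the scanner reports five findings: one for Claude, two for the single Codex line (both permissive options are present), one for Gemini and one for Copilot, while the echo line is ignored because no AI CLI is invoked. A hit in your real history only tells you that an unattended run happened, not who started it, so treat it as a lead to confirm against the extension version and the GitHub repository check rather than as proof of compromise on its own.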