AI Agents Under Attack: Malicious VS Code Extension Hijacks Copilot and to Leak Sensitive Data + Video

Listen to this Post

Featured Image

Introduction:

A recent supply chain attack targeting the OpenVSX registry has compromised two versions (1.8.12 and 1.8.13) of the popular Aqua Trivy VS Code extension. The malicious releases injected hidden natural‑language prompts designed to trick local AI coding agents—such as GitHub Copilot, Amazon CodeWhisperer, and Anthropic —into executing dangerous commands. By abusing the “YOLO mode” (auto‑approve) of these agents, the prompts attempt to inspect the system and exfiltrate sensitive information. This incident underscores a new class of threats where AI assistants become unwitting vectors for data leakage.

Learning Objectives:

  • Understand the mechanics of the compromised Trivy extension and the injected prompt‑based attack.
  • Learn how to detect and remove malicious VS Code extensions across Linux and Windows.
  • Implement hardening techniques to prevent AI coding agents from being manipulated by hidden prompts.

You Should Know

  1. Anatomy of the Attack: Malicious Prompts Inside a Trusted Extension
    The attack leveraged two compromised versions of the Aqua Trivy VS Code extension published on OpenVSX. Hidden inside the extension code were specially crafted prompts targeting AI agents. These prompts instruct the AI to operate in YOLO mode—a setting where the agent automatically executes commands without user confirmation. The goal: force the AI to inspect local files, environment variables, or running processes and return sensitive data to an attacker‑controlled endpoint.

What the injected code did:

  • Added natural‑language instructions that appear as comments or strings, interpreted by AI agents as legitimate requests.
  • Triggered the AI to run system inspection commands (e.g., cat /etc/passwd, dir C:\Users\).
  • Attempted to send collected data via HTTP requests or embedded exfiltration logic.

Detection example (Linux/macOS):

 Check installed VS Code extensions with versions
code --list-extensions --show-versions | grep trivy
 Expected safe version: 1.8.11 or earlier

2. Identifying Compromised Extensions on Your System

If you use VS Code on Linux or Windows, you need to verify whether you have the affected versions installed. Use the VS Code command‑line interface to list all extensions.

On Linux / macOS:

 List all extensions with versions
code --list-extensions --show-versions

Check specifically for aqua-security.trivy
code --list-extensions --show-versions | grep aqua-security.trivy

On Windows (PowerShell):

 Assuming VS Code is in PATH
code --list-extensions --show-versions | Select-String trivy

If the output shows `[email protected]` or 1.8.13, your environment is affected. Also inspect the extension’s installation folder for suspicious files:
– Linux: `~/.vscode/extensions/aqua-security.trivy-`
– Windows: `%USERPROFILE%\.vscode\extensions\aqua-security.trivy-`

3. Manual Removal and Rollback to a Safe Version
Immediately remove the compromised extension and install a known safe version (e.g., 1.8.11) from a trusted source.

Uninstall via CLI:

 Uninstall the malicious version
code --uninstall-extension aqua-security.trivy

Install a specific safe version from the marketplace:

Unfortunately, the VS Code CLI does not directly support version pinning. Instead, download the VSIX file of version 1.8.11 from a trusted mirror (e.g., the official OpenVSX or GitHub releases) and install manually:

 Install from VSIX file
code --install-extension aqua-security.trivy-1.8.11.vsix

Verify integrity (Linux example):

 Compute SHA256 of the installed extension files
sha256sum ~/.vscode/extensions/aqua-security.trivy-1.8.11/ | sort
 Compare with official checksums from the publisher

4. Hardening AI Agents to Prevent Prompt Injection

AI coding agents often run with elevated trust. Disable YOLO mode and implement safeguards:

For GitHub Copilot:

  • Open VS Code settings (Ctrl+,) and search for github.copilot.advanced.
  • Ensure Debug overrides are not set to auto‑approve.
  • Set `github.copilot.enable` to false for untrusted workspaces.

For generic AI assistants:

  • Use a dedicated, sandboxed environment (e.g., Docker container) for AI‑assisted coding.
  • Restrict network access from the AI process.
  • Monitor AI output for unexpected commands (e.g., using `auditd` on Linux).

Linux: Audit AI agent processes with `auditd`:

 Install auditd
sudo apt install auditd -y
 Watch for file reads by the extension host
sudo auditctl -w /home/user/.vscode/extensions -p rwa -k vscode_extension
 Check logs
sudo ausearch -k vscode_extension

5. Strengthening Extension Supply Chain Security

Prevent similar attacks by adopting strict extension management policies.

Use only signed extensions:

  • In VS Code, enable `extensions.autoUpdate` only for trusted publishers.
  • Regularly audit installed extensions:
    code --list-extensions > extensions_backup.txt
    
  • Compare with a known good baseline using diff.

Verify extension signatures (if available):

Some publishers sign their VSIX files. Use `openssl` or `vsce` to validate:

 Example with vsce (if you have the vsix)
npx vsce ls aqua-security.trivy-1.8.11.vsix

Use a private extension gallery or proxy:

  • Deploy an internal OpenVSX registry and mirror only approved extensions.
  • Block public registries at the network level for development machines.
  1. Incident Response: What to Do If You Suspect Data Leakage
    If you used the compromised extension, assume that sensitive data may have been exposed.

Immediate steps:

  1. Rotate all secrets stored in environment variables, `.env` files, or code comments.
  2. Check outbound network connections from your development machine:

– Linux: `sudo netstat -tupn | grep ESTABLISHED`
– Windows: `netstat -an | find “ESTABLISHED”`
3. Scan for suspicious processes that may have been spawned by the AI agent:

ps aux | grep -E "copilot||codex"

Forensic analysis:

  • Examine VS Code logs: `~/.config/Code/logs/` (Linux) or `%APPDATA%\Code\logs\` (Windows).
  • Use `grep` to search for the malicious prompts:
    grep -r "YOLO" ~/.vscode/extensions/aqua-security.trivy-1.8.12/
    
  1. Future‑Proofing: Monitor AI Agent Activity with Behavioral Analytics
    The attack highlights the need for real‑time monitoring of AI agent behavior.

Implement custom detection rules:

  • Use endpoint detection and response (EDR) tools to flag when a process spawned by an AI agent attempts to access sensitive files.
  • For Linux, deploy eBPF‑based tools like Tracee or Falco to detect anomalous system calls.

Example Falco rule to detect AI agent file reads:

- rule: AI Agent Reading Passwd File
desc: detect AI agents accessing /etc/passwd
condition: >
proc.name in (copilot, node) and
evt.type=open and
fd.name=/etc/passwd
output: "AI agent read passwd file (user=%user.name command=%proc.cmdline)"
priority: WARNING

What Undercode Say

  • AI agents are now attack surfaces: The Trivy extension incident proves that AI coding assistants can be weaponized through hidden prompts. Security teams must treat AI tools as potential vectors for data exfiltration.
  • Extension vetting is critical: The OpenVSX registry, while convenient, lacks the rigorous validation of official marketplaces. Organizations should enforce strict extension allowlists and verify checksums before deployment.
  • YOLO mode is a liability: Auto‑approve features in AI agents dramatically increase risk. Disabling such modes and requiring manual confirmation for every operation is a fundamental safeguard.

The attack exploited trust—both in a popular extension and in the AI agents themselves. As AI becomes embedded in development workflows, we must extend security boundaries to include these intelligent components. Regularly audit your extensions, monitor AI behavior, and prepare for a new wave of supply chain threats that speak the language of machines.

Prediction

In the coming year, we will see a surge in attacks targeting AI‑assisted development environments. Attackers will craft prompts that not only extract data but also modify code, inject backdoors, or manipulate AI‑generated output to introduce vulnerabilities. Defenders will respond with AI‑aware security tools, behavior‑based monitoring, and hardened sandboxes. The line between malicious code and malicious natural language will blur, forcing a fundamental shift in how we secure software supply chains.

▶️ Related Video (78% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Thomas Roccia – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky