
A coordinated campaign running late February through early March 2026 hit developer environments on two fronts: five malicious Rust crates silently exfiltrated .env secrets from CI pipelines, while an AI-augmented GitHub Actions campaign compromised the Trivy VS Code extension and turned AI coding assistants into exfiltration channels. The Trivy compromise (CVE-2026-28353) marks the first documented weaponization of locally installed AI coding CLIs — including Claude, Codex, Gemini, GitHub Copilot CLI, and Kiro — against developer environments. Organizations running CI/CD pipelines or AI coding assistants require immediate remediation action.

Both attack chains in this campaign share a deliberate strategic focus: target the developer environment, not the production network. Developers operate with elevated trust — cloud credentials, registry tokens, deployment keys, GitHub authentication — and their machines and CI pipelines typically lack the behavioral monitoring applied elsewhere. The five malicious Rust crates (chrono_anchor, dnp3times, time_calibrator, time_calibrators, time-sync) and the hackerbot-claw GitHub Actions campaign are assessed as separate operations, but they describe the same threat model: high-value secrets accessible from developer context, with minimal detection friction. This convergence is not coincidental.

The Rust crate campaign, attributed by Socket researcher Kirill Boychenko to a single threat actor based on consistent exfiltration methodology and the shared lookalike domain timeapis[.]io, relied on a simple but effective lure: posing as NTP utility libraries. Four crates exfiltrated .env files directly. The fifth, chrono_anchor, added obfuscation — exfiltration logic embedded in guard.rs, invoked through an ‘optional sync’ helper. Critically, the malware establishes no persistence. It triggers every time the CI workflow calls the crate. This is tactically deliberate: persistence mechanisms generate detection signals; repeated execution on developer demand does not. The packages have been removed from crates.io, but any project that pulled them during the exposure window should assume .env contents were transmitted to attacker infrastructure.

The hackerbot-claw campaign, tracked by Pillar Security as ‘Chaos Agent,’ operated February 21–28, 2026, and represents a materially higher threat tier. The attack method — fork repository, embed payload in branch name or CI script, submit a trivial pull request to trigger the workflow, harvest secrets — exploits the pull_request_target workflow permission model, a known and documented misconfiguration class in GitHub Actions. Targeted repositories included those belonging to Microsoft, Datadog, and Aqua Security. StepSecurity confirmed that in the Aqua Security case, a Personal Access Token was stolen and used for repository takeover. The subsequent injection of malicious code into Trivy VS Code extension versions 1.8.12 and 1.8.13 from Open VSX escalated impact significantly, converting the widely deployed security tool into an active exfiltration agent.
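As an added example (not code from the article, Pillar Security, or GitHub), the following stdlib-only triage script embeds two constructed workflows, the weak shape exploited here and a hardened one, and flags the three patterns that make the weak one dangerous: a `pull_request_target` job that checks out the fork's code, PR-controlled metadata such as the branch name interpolated directly into a shell step, and actions pinned to mutable tags. The 40-zero commit SHA in the hardened sample is a placeholder, not a real pin.

```python
"""Heuristic audit for the pull_request_target misconfiguration class (stdlib only)."""
import re

# Constructed sample workflows, not from any real repository. The weak one checks out
# the fork's code and interpolates the branch name into a shell step while secrets are in scope.
WEAK_WORKFLOW = """\
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "Testing ${{ github.head_ref }}" && make test
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
"""

# Hardened: unprivileged trigger, branch name passed via env (not interpolated into the script),
# action pinned to a full commit SHA (placeholder below; pin to the real one).
HARDENED_WORKFLOW = """\
on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - run: echo "Testing $BRANCH" && make test
        env:
          BRANCH: ${{ github.head_ref }}
"""

UNTRUSTED_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
INJECTABLE = re.compile(r"github\.(head_ref|event\.pull_request\.(title|body|head\.ref))")
USES = re.compile(r"-?\s*uses:\s*\S+@(\S+)")

def audit_workflow(text):
    """Return (line_no, finding) tuples; an empty list means no flagged pattern."""
    findings = []
    privileged = "pull_request_target" in text  # crude trigger check, good enough for a triage pass
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if privileged and line.startswith("ref:") and UNTRUSTED_HEAD.search(line):
            findings.append((n, "pull_request_target workflow checks out the untrusted PR head"))
        if line.lstrip("- ").startswith("run:") and INJECTABLE.search(line):
            findings.append((n, "PR-controlled metadata interpolated directly into a shell step"))
        m = USES.match(line)
        if m and not re.fullmatch(r"[0-9a-f]{40}", m.group(1)):
            findings.append((n, f"action pinned to mutable ref '{m.group(1)}', not a commit SHA"))
    return findings
```

Run `audit_workflow` over each file under `.github/workflows/`; the weak sample yields three findings and the hardened one none.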

The version delta between 1.8.12 and 1.8.13 reveals active campaign iteration and is analytically significant. Version 1.8.12 used compromised AI coding CLIs to collect system data but scattered output across random channels — a design flaw that limited attacker collection. Version 1.8.13 corrected this by routing exfiltrated data to a GitHub repository named posture-report-trivy, using the victim’s own authenticated GitHub CLI session as the delivery mechanism. Socket noted that vague agent instructions in 1.8.13 may cause secrets to land in private repositories the attacker cannot access, suggesting the campaign had not fully stabilized at the time of detection. The iteration pattern supports Pillar Security’s assessment that hackerbot-claw is a human operator using an LLM as an execution layer — though this attribution has not been independently corroborated in available sources.

One analytical gap requires explicit flagging: this assessment draws from a single source (The Hacker News, citing Socket, StepSecurity, and Pillar Security). The downstream blast radius of the Trivy extension compromise remains unquantified — Aqua confirmed artifact removal and token revocation, but the number of affected developer machines is not disclosed. The zero-visibility problem identified by Eilon Cohen of Pillar Security is operationally real: most organizations have no runtime observability into what AI coding agents execute, what files they read, or what network connections they initiate. Pre-execution dependency scanning is insufficient against both attack chains here — both reached execution before detection. Runtime controls, outbound network monitoring from CI environments, and behavioral anomaly detection on developer machines are required complements to static package analysis.

  • Rotate immediately: Any project that installed chrono_anchor, dnp3times, time_calibrator, time_calibrators, or time-sync from crates.io between late February and early March 2026 should treat all .env secrets, API keys, cloud credentials, and registry tokens as compromised and rotate them — assume exfiltration occurred.
  • Remove Trivy VS Code extension versions 1.8.12 and 1.8.13 from all developer machines, check for unexpected repositories named posture-report-trivy in GitHub accounts, and rotate all environment secrets on machines where these versions ran alongside an authenticated GitHub CLI session (CVE-2026-28353).
  • Audit GitHub Actions workflows for pull_request_target misconfigurations: this trigger runs the workflow with write access and access to secrets, so any forked-repository code it checks out and executes runs with those privileges. Restrict it to trusted contributors only and pin workflow actions to specific commit hashes, not mutable tags.
  • Treat AI coding CLIs as privileged processes: define what file paths agents can read, what network connections they can initiate, and what commands they can execute — the same controls applied to other elevated software. Most organizations currently have no runtime observability into agent behavior.
  • Static dependency scanning at install time is insufficient against this attack class. Both campaigns reached execution before detection. Controls must add outbound network monitoring from CI environments and behavioral anomaly detection on developer machines.
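To support the first remediation item, here is an added example (not from the article or from Socket) of a stdlib-only Cargo.lock parser that flags the five crate names given above and reports which of your own packages pulled each one in, so you know which pipelines' .env secrets to rotate. The lock-file excerpt and the version 0.1.2 are constructed for the example, not the real published versions.

```python
"""Find the five crates named in the Socket report in a Cargo.lock and show what pulls them in."""
import re

MALICIOUS_CRATES = {"chrono_anchor", "dnp3times", "time_calibrator", "time_calibrators", "time-sync"}

# Constructed Cargo.lock excerpt (not a real project): a service depends on chrono_anchor.
SAMPLE_LOCK = """\
[[package]]
name = "chrono_anchor"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "my-service"
version = "1.0.0"
dependencies = [
 "chrono_anchor",
 "serde 1.0.210",
]

[[package]]
name = "serde"
version = "1.0.210"
"""

def parse_cargo_lock(text):
    """Return one dict per [[package]] entry with name, version, source and dependency names."""
    packages, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {"dependencies": []}
            packages.append(current)
        elif current is None or not line:
            continue
        elif (m := re.fullmatch(r'(name|version|source) = "(.*)"', line)):
            current[m.group(1)] = m.group(2)
        elif line.startswith('"'):  # a line inside dependencies = [ ... ], e.g. "serde 1.0.210",
            current["dependencies"].append(line.strip('",').split()[0])
    return packages

def find_malicious(text):
    """Return (crate, version, dependents) per flagged crate; dependents tell you what to rotate."""
    pkgs = parse_cargo_lock(text)
    hits = []
    for p in pkgs:
        if p.get("name") in MALICIOUS_CRATES:
            dependents = sorted(q.get("name", "?") for q in pkgs if p["name"] in q["dependencies"])
            hits.append((p["name"], p.get("version"), dependents))
    return hits
```

Point it at every Cargo.lock in your CI checkouts (for example via `pathlib.Path(root).rglob("Cargo.lock")`); a non-empty result means the .env secrets of that pipeline should be treated as exfiltrated.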

Author

Tech Jacks Solutions
