A hacker infiltrated Amazon’s AI-powered coding assistant for Visual Studio Code, injecting a destructive system-wiping prompt into version 1.84.0 of the Amazon Q Developer Extension.
Although the payload was ultimately non-functional due to formatting errors, the breach exposes serious lapses in Amazon’s software supply chain security.
The incident was first reported by 404 Media. AWS published a security advisory shortly afterward, confirming the compromise and urging users to update to version 1.85.0 of the extension. The attacker, who claimed the goal was to expose “AI security theater,” submitted the malicious code directly to Amazon’s open-source GitHub repository, exploiting inadequate access controls.
Security researcher Michael Bargury reconstructed the incident timeline through GitHub Archive logs. The attack appears to have begun on July 13, 2025, when a user under the handle lkmanka58 submitted a commit that embedded a prompt instructing Amazon Q to delete local files and cloud infrastructure, posing as a system cleaning operation. This malicious payload was included in the scripts/extensionNode.bk file and funneled into production via a downloader script that triggered only in production environments, evading automated testing.
The hacker’s prompt included commands instructing the AI to:
- Wipe the local home directory.
- Delete AWS cloud resources using AWS CLI commands (e.g., ec2 terminate-instances, s3 rm, iam delete-user).
- Log deletions to /tmp/CLEANER.LOG.
Bargury
The prompt was framed as a system maintenance directive, but would have initiated data destruction had it been successfully executed. AWS states the code was malformed and therefore did not pose an active threat, but it was nevertheless published in a signed release and downloaded by thousands of users. The malicious version 1.84.0 was released on July 17, 2025, and remained available for at least 48 hours before being pulled and replaced with version 1.85.0 on July 19.
Amazon Q is Amazon Web Services’ generative AI assistant designed to help developers code faster through natural language interactions, code generation, and explanation features. Integrated into Visual Studio Code, the extension has over 950,000 installations and is a core part of Amazon’s push into developer-facing AI tools, similar in intent to Microsoft’s GitHub Copilot.
According to 404 Media’s review, the attacker claimed they were granted administrative permissions through a pull request from a newly created account, implying an alarming breakdown in repository governance. However, Bargury’s search of GitHub’s event logs found no trace of this PR, leaving some questions unresolved about the attacker’s precise access pathway. Git commits show the attacker leveraged Amazon’s automation tooling and reused benign commit messages to obfuscate their actions.
Amazon did not publicly acknowledge the compromised release until after 404 Media’s reporting, and the company has since removed all traces of version 1.84.0 from GitHub. In its security bulletin, AWS emphasized that no customer environments or cloud resources were affected. The malicious code was “incorrectly formatted,” preventing execution, and all credentials involved in the tampering have been revoked.
Developers using Amazon Q should immediately upgrade to version 1.85.0, and any local or forked copies of version 1.84.0 should be deleted.
Leave a Reply