
Amazon Q extension for VS Code reportedly injected with ‘wiper’ prompt


Amazon Web Services’ Amazon Q extension for Visual Studio Code reportedly contained a wiper-style prompt injection planted by a hacker last week, according to 404 Media.

Someone taking responsibility for planting the injection told 404 Media they submitted a pull request to the open-source aws-toolkit-vscode GitHub repository on July 13, 2025, and were subsequently given “admin credentials on a silver platter.”  

They then reportedly added a prompt injection that was included in the official release of Amazon Q for VS Code version 1.84.0 on July 17.

The Amazon Q extension for Visual Studio Code (VS Code) allows developers to connect their integrated development environment (IDE) with the Amazon Q AI-powered coding assistant and has been installed more than 964,000 times since it was added to the VS Code Marketplace, according to its Marketplace page.

The prompt, which its creator claims was designed to be ineffective, tells the AI assistant its goal is to “clean a system to a near-factory state and delete file-system and cloud resources.”

It further provides instructions to “run continuously until the task is complete,” clear configuration files and directories using bash commands and delete cloud resources using Amazon Web Services (AWS) command line interface (CLI) commands.

“When a malicious actor can inject wiping commands into a coding assistant and have those commands deployed to end users, it exposes a critical blind spot. Security teams need visibility not just into what agents say, but what they do,” Zenity Chief Technology Officer and Co-founder Michael Bargury told SC Media in an email.

The hacker stated their goal was to “Expose their ‘AI’ security theater” and plant “A wiper designed to be defective as a warning to see if they’d publicly own up to their bad security,” 404 Media said in its article published Wednesday morning.

In a security update published Wednesday evening, AWS said it responded to a report from security researchers that “a potentially unapproved code modification was attempted” in the extension.

“Once we were made aware of the issue, we immediately revoked and replaced the credentials, removed the unapproved code from the codebase, and subsequently released Amazon Q Developer Extension version 1.85 to the marketplace,” the update states.

AWS said customers must update to version 1.85 to resolve the issue and ensure any forked or derivative version is also patched.  
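
For teams that want to confirm which release is installed on a workstation, the following added example (not from AWS or the original article) classifies the output of the VS Code CLI command `code --list-extensions --show-versions`. The Marketplace ID `amazonwebservices.amazon-q-vscode` and the sample extension list are assumptions made for this example; the version numbers are the ones cited above.

```shell
#!/bin/sh
# Added example: classify the installed Amazon Q extension version.
# Assumption: the extension's Marketplace ID is the value below.
EXT_ID="amazonwebservices.amazon-q-vscode"
BAD_VERSION="1.84.0"    # release reported to carry the injected prompt
FIXED_VERSION="1.85.0"  # the article cites "version 1.85" as the fix

# version_ge A B: succeeds when A >= B (relies on `sort -V`)
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Reads `code --list-extensions --show-versions` output on stdin
# (one publisher.name@version per line) and prints a single verdict:
# affected | fixed | older-than-fix | not-installed
classify_amazon_q() {
  verdict="not-installed"
  while IFS= read -r line; do
    id=$(printf '%s' "${line%@*}" | tr '[:upper:]' '[:lower:]')
    ver="${line##*@}"
    [ "$id" = "$EXT_ID" ] || continue   # extension IDs are case-insensitive
    if [ "$ver" = "$BAD_VERSION" ]; then
      verdict="affected"
    elif version_ge "$ver" "$FIXED_VERSION"; then
      verdict="fixed"
    else
      verdict="older-than-fix"
    fi
  done
  printf '%s\n' "$verdict"
}

# Constructed sample input, used when the VS Code CLI is not on PATH.
SAMPLE_LIST='ms-python.python@2025.10.0
AmazonWebServices.amazon-q-vscode@1.84.0'

if command -v code >/dev/null 2>&1; then
  code --list-extensions --show-versions | classify_amazon_q
else
  printf '%s\n' "$SAMPLE_LIST" | classify_amazon_q
fi
```
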

“Security is our top priority. We quickly mitigated an attempt to exploit a known issue in two open source repositories to alter code in the Amazon Q Developer extension for VS Code and confirmed that no customer resources were impacted,” an AWS spokesperson said in a statement provided to SC Media. “We have fully mitigated the issue in both repositories. No further customer action is needed for the AWS SDK for .NET or AWS Toolkit for Visual Studio Code repositories.”

AI-generated code increasingly a concern

The incident highlights the growing attack surface presented by AI tools and agents, including AI-powered coding assistants.

A 2024 GitHub developer survey found that about 97% of respondents said they have used generative AI both in and outside of work. A Cloudsmith report published last month found that 42% of AI-using developers said at least half of their codebase is AI-generated. This is despite 79.2% of respondents to Cloudsmith’s survey saying they believe AI will exacerbate malware threats in the open-source ecosystem.

A proof-of-concept exploit targeting the GitHub Copilot and Cursor AI coding assistants was also demonstrated by Pillar Security earlier this year, showing how a malicious rules file containing hidden prompt injections could add security vulnerabilities and other harmful code to developers’ projects.

“The problem is especially severe when applications digest untrusted inputs and so are required to perform ‘free-text validation’ automatically, without human-in-the-loop. Those situations, as well as this supply chain attack, call us to develop guardrails that detect such prompt injection attacks automatically, so even if a certain extension gets polluted, the guardrail serves as another layer of protection inside the IDE, or inside any other AI agent,” Itay Ravia, head of Aim Labs at Aim Security, told SC Media in an email.

Bargury added that the incident shows that AI agent security “can no longer be optional.”

“As noted by the hacker, this is a demonstration of the fact that these coding agents run privileged on your laptop and you are not in control,” Bargury said.
