Amazon Q extension shipped a destructive prompt

Jul 2025

A rogue contributor successfully snuck a prompt into the Amazon Q VS Code extension that told the assistant to wipe local machines and AWS resources before AWS quietly yanked the release.

Incident Details

Perpetrator:Security/AI Product

Severity:Catastrophic

Blast Radius:VS Code update could have erased developer environments and AWS accounts before anyone noticed the tainted build.

Tech Stack

Amazon Q DeveloperAWS Toolkit for VS CodeVS Code MarketplaceAWS CLI

References

ZDNET: Hacker slips malicious command into Amazon Q ↗DevOps.com: When AI assistants turn against you ↗