What Happened
An attacker using inadequate access controls submitted a pull request that injected a prompt into Amazon's Q Developer coding agent instructing it to wipe the local filesystem and delete AWS resources like EC2, S3, and IAM. The malicious code shipped in the official marketplace release, version 1.84.0, of the VS Code extension. The attacker said the payload was deliberately made defective as a protest against 'AI security theater.'
Impact
The compromised build reached close to a million installations before AWS pulled it and released a patched 1.85.0, revoking and replacing the affected credentials. AWS stated no customer resources were harmed, but the incident showed how a single unreviewed contribution can arm an AI agent with destructive commands at scale.
How to Prevent This
- Require strict review and signing for all contributions before they reach production releases
- Restrict who can commit to and publish AI agent extensions with least-privilege access controls
- Scan agent prompts and system instructions for destructive commands prior to shipping
- Sandbox coding-agent execution so it cannot delete local files or cloud resources without approval
- Rotate build credentials promptly and audit the release pipeline for unauthorized changes