Hacker slipped a data-wiping prompt into Amazon Q's VS Code extension, shipped to ~1M installs
Quick Answer
Amazon-q caused a critical-severity (10/10) security vulnerability failure: Hacker slipped a data-wiping prompt into Amazon Q's VS Code extension, shipped to ~1M installs. The root cause was tool misuse. The malicious prompt reached an extension with roughly one million installs.
Description
In July 2025 an attacker submitted a pull request to the open-source aws-toolkit-vscode GitHub repository, was granted admin credentials, and injected a prompt-injection payload that shipped in the official Amazon Q for VS Code v1.84.0 release on July 17. The prompt told the AI assistant its goal was to 'clean a system to a near-factory state,' delete filesystem and cloud resources using bash and AWS CLI commands, and 'run continuously until the task is complete.' With nearly one million installs, the compromised extension could have hit developers working on production and critical-infrastructure projects. A syntax error kept the destructive code from actually running; on July 23 researchers flagged suspicious behavior, and by the next day AWS had removed the code, revoked credentials, and released a clean v1.85.0. AWS reported no evidence of customer data loss — but the incident showed how one malicious commit can turn a trusted AI coding agent into a wiper delivered to a million machines.
Instruction Given
Ship the Amazon Q Developer extension for VS Code to users.
Expected Behavior
Vet community pull requests so no attacker can inject agent instructions into an official release.
Actual Behavior
An attacker submitted a pull request to the open-source aws-toolkit-vscode repo, was granted admin access, and added a prompt instructing the agent to 'clean a system to a near-factory state,' delete filesystem and cloud resources via bash and AWS CLI, and run continuously until done. It shipped in the official v1.84.0 release.
Impact / Damage
The malicious prompt reached an extension with roughly one million installs. A syntax error prevented it from executing, and AWS says no customer environment suffered deletion; AWS revoked credentials and shipped a clean v1.85.0 within a day of disclosure. The near-miss exposed how a single commit can weaponize an AI dev tool at scale.
Frequently Asked Questions
What happened in incident STUPID-2026-0035? ▾
In July 2025 an attacker submitted a pull request to the open-source aws-toolkit-vscode GitHub repository, was granted admin credentials, and injected a prompt-injection payload that shipped in the official Amazon Q for VS Code v1.84.0 release on July 17. The prompt told the AI assistant its goal was to 'clean a system to a near-factory state,' delete filesystem and cloud resources using bash and AWS CLI commands, and 'run continuously until the task is complete.' With nearly one million installs, the compromised extension could have hit developers working on production and critical-infrastructure projects. A syntax error kept the destructive code from actually running; on July 23 researchers flagged suspicious behavior, and by the next day AWS had removed the code, revoked credentials, and released a clean v1.85.0. AWS reported no evidence of customer data loss — but the incident showed how one malicious commit can turn a trusted AI coding agent into a wiper delivered to a million machines.
Which AI agent caused this failure? ▾
Amazon-q was responsible for this security vulnerability incident, documented as STUPID-2026-0035 in the StupidLLM AI agent incident database.
How severe was this AI agent failure? ▾
It is rated 10/10 (critical) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.
What was the root cause? ▾
The root cause was classified as tool misuse. Vet community pull requests so no attacker can inject agent instructions into an official release.
What was the impact or damage? ▾
The malicious prompt reached an extension with roughly one million installs. A syntax error prevented it from executing, and AWS says no customer environment suffered deletion; AWS revoked credentials and shipped a clean v1.85.0 within a day of disclosure. The near-miss exposed how a single commit can weaponize an AI dev tool at scale.