Amazon Q extension prompt injection
An attacker used an over-permissioned GitHub token from an AWS CodeBuild project to commit a malicious prompt-injection payload into Amazon Q Developer for VS Code. The payload shipped in the official 1.84.0 extension release, but a syntax error kept it from executing.
Story
Amazon Web Services pulled its Amazon Q Developer extension for Visual Studio Code from the Visual Studio Code Marketplace in late July 2025 after discovering that an unknown attacker had slipped a destructive prompt-injection payload into the extension's source tree, from where it shipped to users in version 1.84.0. A syntax error in the injected code kept it from running.
Amazon Q Developer is the agentic coding assistant Amazon bundles into VS Code and JetBrains IDEs. It can read and write files on the developer's machine and, when configured with AWS credentials, take actions against the user's AWS account. The extension reports close to one million installations across the marketplace.
According to AWS's AWS-2025-015 security bulletin, the entry point was a GitHub token configured in an AWS CodeBuild project that had been granted broader repository permissions than it needed. AWS said the finding came out of a related CodeBuild investigation tracked as AWS-2025-016. The attacker used the token to commit directly into the open-source aws/aws-toolkit-vscode repository, where the change rode through the normal release pipeline into 1.84.0 on the marketplace.
Rather than a conventional binary payload, the injected content was framed as instructions for the assistant itself. Researchers at ReversingLabs, who later wrote up the incident, said the prompt was crafted to direct the agent to delete local files, wipe cloud data, and remove the logs of its own activity. None of that ran. AWS Security said the malicious code "was unsuccessful in executing due to a syntax error," and that no services or customer environments were changed as a result.
AWS published AWS-2025-015 on July 23, 2025 and updated it on July 25. It revoked and replaced the leaked CodeBuild credential, removed the malicious commit, delisted 1.84.0 from distribution, and released 1.85.0. Because the inert payload remained on disk for anyone who had already installed 1.84.0, AWS told customers to uninstall the affected version outright and update, including any forked or derivative copies. The incident has also been cataloged as CVE-2025-8217 and GHSA-7g7f-ff96-5gcw.
Affected Artifacts
- Observed: 2025-07-25
- Compromised Versions: 1.84.0
- Fixed: 1.85.0
- Hashes: sha256:47f7840ecab6312d2733e1274c513050405886c70f2037fb2f1e9099872b0464
- Evidence: distribution: marketplace.visualstudio.com/items, mirror: github.com/aws/aws-toolkit-vscode, cve: CVE-2025-8217, ghsa: GHSA-7g7f-ff96-5gcw, +2 more
- AWS reported no changes to services or customer environments because the malicious code did not execute.
- AWS directed customers to remove Amazon Q Developer for VS Code 1.84.0 from use and update to 1.85.0, including forked or derivative copies.
Incident Context
- Motive: Malicious
- Attribution: Group
- Cause: Compromised Credentials
- Transitive: No
- Actor: Third Party
External References
- Security Update for Amazon Q Developer Extension for Visual Studio Code (Version #1.84) (aws.amazon.com)
- Malicious script injected into Amazon Q Developer for Visual Studio Code Extension (github.com)
- How AWS averted an AI supply chain disaster (reversinglabs.com)
- Amazon Q VS Code Prompt Injection Supply Chain Attack - 2025 (github.com)
Source record: oss/attacks/aws-toolkit-vscode/meta.yaml