Compromised Amazon Q extension told AI to delete everything – and it shipped – Source: go.theregister.com

The official Amazon Q extension for Visual Studio Code (VS Code) was compromised to include a prompt to wipe the user’s home directory and delete all their AWS resources.

The bad extension was live on the VS Code marketplace for two days, though it appears that the intent was more to embarrass AWS and expose bad security rather than to cause immediate harm.

A commit to the Amazon Q part of the AWS toolkit for VS Code includes a script that downloads an additional file, saved as extensionNode.ts. The source for this file includes a prompt instructing an AI agent to delete all non-hidden files from the user’s home directory and then to “discover and use AWS profiles to list and delete cloud resources using AWS CLI commands.”

The script then passes this prompt to the Amazon Q CLI, including the arguments --trust-all-tools and --no-interactive.

According to a report, “a person who presented themselves as the hacker responsible” contacted 404 Media to explain that the wiper was designed to be defective, but was “a warning to see if they’d publicly own up to their bad security.”

The person claimed that they submitted a pull request to the AWS repository from “a random account with no existing access” and were given admin credentials. They said that AWS then released the compromised package “completely oblivious.”

Whether or not that report is correct, we can see the bad commit was indeed merged and released in version 1.84 of the extension on July 19, and reverted in version 1.85 published two days later. The changelog for 1.85 states: “Miscellaneous non-user-facing changes.”

AWS posted a security bulletin, which states:

• AWS goes full speed ahead on the AI agent train
• AWS previews Kiro IDE for developers who are over vibe coding
• Jilted AWS reckons VMware is now crusty like a mainframe
• AI and analytics converge in new generation Amazon SageMaker

This statement does not address the key issue of how the incident was allowed to happen. The consequences of unauthorized code in a popular AWS extension for VS Code could be calamitous. There are hints that the AWS SDK for .NET was compromised as well, though we have no details of this, and the AWS bulletin states that “no action is required for AWS SDK for .NET users.”

The malicious commit has the same title as a previously merged commit, though the code itself is not at all related. The commit is also obviously suspicious, downloading a file from somewhere on GitHub to overwrite another file in the package. The implication, perhaps, is that there is too much reliance on AI to check the security of the code, in this case badly, and not enough human checks. This line of thinking is encouraged by another remark attributed to the bad actor, that “ruthless corporations leave no room for vigilance among their overworked developers.”

AWS has recently laid off a number of workers and Amazon CEO Andy Jassy has stated in a memo to employees that AI is likely to “reduce our total corporate workforce as we get efficiency gains from using AI extensively across the company.”

Could such “efficiency gains” affect the security of official AWS tooling, as this latest incident implies? It is a disturbing possibility, considering that the company has historically maintained a strong security record.

AWS watcher Corey Quinn asked the key question: “What did Amazon’s internal review process for this repo actually look like?” and concluded that “it’s the same mess I called out back in 2022 when Azure’s security posture fell flat on its face: companies treating security like an afterthought until it explodes in public.” ®