Amazon’s AI-powered Q Developer Extension for Visual Studio Code (VSC) has suffered a major security breach, affecting nearly one million global users. The extension, designed to help developers with coding, debugging, and configuration via generative AI, was compromised after a hacker, using the alias lkmanka58, injected malicious code into Amazon Q’s GitHub repository.
The incident stemmed from a misconfigured workflow or weak permission controls that allowed a rogue pull request to be merged without proper checks. On July 17, the tainted version 1.84.0 was published to the Visual Studio Code Marketplace, exposing users worldwide without their knowledge.
The injected code, formatted to remain non-functional, contained alarming instructions to “clear a system to near-factory state and delete file-system and cloud resources.” While AWS security experts confirmed the payload could not execute, cybersecurity analysts argue it highlighted vulnerabilities in AI-driven coding tools and supply chain security.
After external researchers flagged the suspicious activity on July 23, Amazon launched a full investigation and acted swiftly. By July 24, AWS released a clean update, version 1.85.0, revoked the compromised credentials, removed the rogue code, and strengthened internal workflows to prevent recurrence.
In a public statement, AWS stressed that no real data loss occurred, but acknowledged the incident as a wake-up call on the rising risk of supply chain attacks in AI-assisted developer tools.
Amazon has pulled version 1.84.0 from all channels and urged all developers to upgrade to version 1.85.0 immediately to secure their systems. This breach underscores the urgent need for stricter code review processes, tighter GitHub repository controls, and improved monitoring of AI-integrated tools to protect developers and enterprises against emerging cyber threats.