Hackers Infiltrate Amazon’s AI Coding Agent with Destructive System Commands

A sophisticated supply chain attack targeting Amazon’s Q extension for Visual Studio Code successfully embedded malicious system prompts designed to wipe users’ local files and AWS cloud resources, exposing critical vulnerabilities in AI development tool security.

The compromised version 1.84.0 briefly contained destructive commands that could have granted attackers unprecedented access to developer environments and cloud infrastructure before Amazon quietly patched the vulnerability.

The security breach originated from a deceptively simple attack vector involving Amazon’s open-source repository management.

According to 404 Media’s investigation, an unauthorized individual successfully submitted a malicious pull request from an unprivileged GitHub account and unexpectedly received admin-level credentials to Amazon’s codebase.

The attacker described their actions as exposing Amazon’s “AI security theater,” highlighting fundamental weaknesses in the company’s code review processes.

The malicious code injection occurred on July 13, with Amazon publishing the compromised release just four days later on July 17, apparently unaware of the embedded threat.

This timeline reveals a concerning gap in Amazon’s security scanning capabilities, particularly given the extension’s widespread adoption among developers who integrate AI assistants directly into their coding workflows.

Amazon’s AI Coding Agent

The injected malicious prompt contained explicit instructions for the AI agent to “clean a system to a near-factory state” and systematically “delete file-system and cloud resources.”

The embedded code specifically targeted user home directories while avoiding hidden directories, creating a systematic approach to data destruction.

More alarmingly, the prompt included detailed AWS CLI commands designed to devastate cloud infrastructure, including aws --profile <profile_name> ec2 terminate-instances for destroying virtual machines, aws --profile <profile_name> s3 rm for emptying storage buckets, and aws --profile <profile_name> iam delete-user for removing user accounts.

The malicious code was programmed to maintain deletion logs at /tmp/CLEANER.LOG and execute continuously until task completion.

Security analysts noted that while the prompt was technically malformed and unlikely to execute successfully in practice, its presence demonstrated how easily AI agents could be weaponized for destructive purposes.

Cloud security expert Corey Quinn emphasized that with fewer than a million installations, even a single vulnerable workstation could potentially cause significant damage across interconnected development environments.

Transparency and Future AI Security

Amazon responded to the breach by immediately removing version 1.84.0 from the Visual Studio Marketplace and releasing a patched version 1.85.0 without issuing a public security advisory.

This approach effectively erased the compromised release from the extension’s official history, though it raises questions about transparency in handling AI security incidents.

The company’s official statement emphasized that “security is our top priority” and confirmed that “no customer resources were impacted,” while noting that the attacker’s credentials have been revoked.

A subsequent AWS security bulletin advised users to uninstall the rogue version and verify they are running version 1.85.0 or later.
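
For defenders acting on the bulletin's advice and on the prompt details reported above, the following added example (not code from Amazon or from the original article) audits an unpacked extension directory: it reads the version from package.json and searches bundled text files for the phrases, log path, and AWS CLI subcommands the article quotes. The directory layout, the file suffixes scanned, and the sample files are assumptions constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators taken from the article's description of the injected prompt.
INDICATORS = {
    "wipe-phrase": re.compile(r"near-factory state", re.I),
    "delete-phrase": re.compile(r"delete file-system and cloud resources", re.I),
    "log-path": re.compile(r"/tmp/CLEANER\.LOG"),
    "aws-destructive": re.compile(
        r"\baws\b[^\n]*\b(ec2\s+terminate-instances|s3\s+rm|iam\s+delete-user)\b"),
}
FIXED = (1, 85, 0)  # article: "version 1.85.0 or later"

def scan_text(text):
    """Return the sorted names of indicators found in text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def version_ok(version):
    """True only if version parses and is FIXED or later."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version or "")
    return bool(m) and tuple(map(int, m.groups())) >= FIXED

def audit_extension(ext_dir):
    """Check one unpacked extension directory (assumed to hold package.json)."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    hits = {}
    for path in sorted(ext_dir.rglob("*")):
        if path.is_file() and path.suffix in {".js", ".json", ".md", ".txt"}:
            found = scan_text(path.read_text(encoding="utf-8", errors="ignore"))
            if found:
                hits[path.relative_to(ext_dir).as_posix()] = found
    return {"version": manifest.get("version"), "indicator_hits": hits,
            "version_ok": version_ok(manifest.get("version"))}

def demo():
    """Audit a constructed sample directory (not real extension content)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "package.json").write_text('{"name": "sample-ext", "version": "1.84.0"}')
        (root / "prompt.js").write_text(
            "// constructed sample\nclean a system to a near-factory state\n"
            "aws --profile <profile_name> ec2 terminate-instances\n"
            "log to /tmp/CLEANER.LOG\n")
        return audit_extension(root)

if __name__ == "__main__":
    print(demo())
```

A clean result here only means these specific strings were absent; it does not validate the rest of an extension's contents.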

This incident represents part of a broader trend of attacks targeting AI development tools, highlighting the growing supply chain risks as organizations increasingly grant AI agents permission to execute shell commands and access cloud credentials.

Security experts warn that prompt-based tampering may become a preferred attack vector for adversaries seeking lateral movement or high-visibility security demonstrations, necessitating more robust validation mechanisms for AI-integrated development environments.

Ethan Brooks

Ethan Brooks is a senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
