A five-day brush with AI-powered supply chain chaos
For five days, Amazon Q’s VS Code extension shipped with a hidden, production-only payload that instructed an AI agent to wipe local files and delete AWS resources. The malicious code slipped in via a 67-line pull request that quietly swapped a core file at build time, evading normal development tests. The incident underscores how AI-powered assistants and auto-updating marketplaces magnify supply chain risk—and how process opacity after the fact impedes industry learning.
Key points
- On July 13, a user named lkmanka58 merged a seemingly routine 67-line PR that hid a build-time swapper function called preparePackager().
- The function only activated in production (STAGE='prod') for the Amazon Q extension, downloading a replacement file from an attacker-controlled repository.
- The replacement code embedded an AI prompt directing the tool to erase the home directory and delete AWS resources via non-interactive AWS CLI commands (for example, ec2 terminate-instances, s3 rm, iam delete-user).
- Amazon Q version 1.84 shipped with the payload for five days; Amazon later said the extension was “not functional” during this period.
- Timeline: July 13 PR merged; July 18 Amazon patched and updated guidelines; July 24 researchers disclosed; afterward AWS removed the PR, though commit 678851b remains in git history.
- Affected extension: AmazonWebServices.amazon-q-vscode, version 1.84.0.
- The attack method was a supply chain compromise via production build-time file replacement—bypassing typical dev/test paths.
- The incident highlights a process failure: removal of the PR erased review context that could inform industry defenses.
- Days earlier, Replit’s AI assistant accidentally deleted a company’s database, reinforcing the broader risk of high-privilege AI tooling with minimal guardrails.
Takeaways
Practical takeaways, minus the fire drill: lock down extension installs with an allowlist, stage rollouts instead of letting auto-updates play roulette, and monitor for odd CLI calls (yes, especially those that rhyme with “terminate-instances”). Enforce reproducible builds, block build-time downloads, and require human-in-the-loop approvals for destructive operations—because “--no-interactive” is great until it meets your S3 buckets. And please, least privilege your IAM and keep backups, so the next time an overachieving AI decides to “clean up,” it doesn’t tidy you out of a job.
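The "monitor for odd CLI calls" advice, as an added example that is not part of the original post: a small detector over CloudTrail-shaped events that flags a principal issuing destructive calls across several services in a short window, which is the shape of the ec2 terminate-instances / s3 rm / iam delete-user sequence the payload prompt asked for. The event records, ARNs and timestamps are constructed for the demo, and the service/event-name mapping for those CLI commands is the standard CloudTrail one.

```python
# Added example (not code from the article or from AWS): flag a burst of
# destructive AWS API calls from one principal spanning several services.
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail (eventSource, eventName) pairs produced by the CLI commands the
# article names: ec2 terminate-instances, s3 rm, iam delete-user.
DESTRUCTIVE = {
    ("ec2.amazonaws.com", "TerminateInstances"),
    ("s3.amazonaws.com", "DeleteObject"),
    ("s3.amazonaws.com", "DeleteBucket"),
    ("iam.amazonaws.com", "DeleteUser"),
}

DEV = "arn:aws:iam::123456789012:user/dev-laptop"   # constructed ARNs
OPS = "arn:aws:iam::123456789012:user/ops"
CI = "arn:aws:iam::123456789012:role/ci-cleanup"

def ev(time, source, name, arn):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "userAgent": "aws-cli/2.17.0"}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    ev("2025-07-15T10:00:01Z", "ec2.amazonaws.com", "TerminateInstances", DEV),
    ev("2025-07-15T10:00:40Z", "s3.amazonaws.com", "DeleteObject", DEV),
    ev("2025-07-15T10:01:30Z", "iam.amazonaws.com", "DeleteUser", DEV),
    ev("2025-07-15T10:03:00Z", "ec2.amazonaws.com", "DescribeInstances", DEV),  # read-only
    ev("2025-07-15T10:02:00Z", "s3.amazonaws.com", "DeleteObject", CI),  # routine single delete
    ev("2025-07-15T10:00:10Z", "ec2.amazonaws.com", "TerminateInstances", OPS),
    ev("2025-07-15T10:30:00Z", "iam.amazonaws.com", "DeleteUser", OPS),  # 30 min later: no burst
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_destructive_bursts(events, window=timedelta(minutes=5), min_services=2):
    """Return {principal_arn: [eventName, ...]} for principals whose destructive
    calls hit at least `min_services` distinct services within `window`."""
    by_principal = defaultdict(list)
    for e in events:
        if (e["eventSource"], e["eventName"]) in DESTRUCTIVE:
            by_principal[e["userIdentity"]["arn"]].append(
                (parse_time(e["eventTime"]), e["eventSource"], e["eventName"]))
    alerts = {}
    for arn, calls in by_principal.items():
        calls.sort()  # chronological; each call starts a candidate window
        for i, (t0, _, _) in enumerate(calls):
            in_window = [c for c in calls[i:] if c[0] - t0 <= window]
            if len({c[1] for c in in_window}) >= min_services:
                alerts[arn] = [c[2] for c in in_window]
                break
    return alerts
```

Only the dev-laptop principal trips the rule; the single CI delete and the ops calls half an hour apart do not, which is the kind of threshold that keeps the alert useful rather than noisy.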